SixXS::Sunset 2017-06-06

Router Cisco 1841 on 6in4 tunnel
[de] Carmen Sandiego on Wednesday, 26 September 2012 13:45:45
I am connected to Kabeldeutschland with an MTU of 1500 and IPv4 only. I got a tunnel from SixXS to connect up to IPv6 to get some first experiences.

    !
    interface Tunnel66
     description 6in4 tunnel to SixXS
     bandwidth 32000
     no ip address
     ipv6 address 2001:4DD0:FF00:F3B::2/64
     ipv6 enable
     ipv6 traffic-filter INBOUND_V6_TRAFFIC in
     ipv6 inspect cbac-ipv6 out
     tunnel source FastEthernet0/0
     tunnel destination 78.35.24.124
     tunnel mode ipv6ip
     tunnel bandwidth transmit 6000
     tunnel bandwidth receive 32000
    !

This tunnel is set up with an MTU of 1480 for IPv6 on both ends - in the SixXS tunnel definition and on my side in the router.

    rt-lang#sh ipv6 int tu 66
    Tunnel66 is up, line protocol is up
      IPv6 is enabled, link-local address is FE80::BCC1:59AD
      Description: 6in4 tunnel to SixXS
      Global unicast address(es):
        2001:4DD0:FF00:F3B::2, subnet is 2001:4DD0:FF00:F3B::/64
      Joined group address(es):
        FF02::1
        FF02::2
        FF02::1:FF00:2
        FF02::1:FFC1:59AD
      MTU is 1480 bytes
      ICMP error messages limited to one every 100 milliseconds
      ICMP redirects are enabled
      Input features: Common pak subblock feature ACL
      Output features: Firewall Inspection
      Inbound access list INBOUND_V6_TRAFFIC
      Outbound Inspection Rule cbac-ipv6
      ND DAD is enabled, number of DAD attempts: 1
      ND reachable time is 30000 milliseconds
      Hosts use stateless autoconfig for addresses.

The issue I see is: Throughput of v6 is about 10% of the v4 data rate. Pings with a packet size of 1480 are properly transported. Some websites do not load completely (pictures or movies from YouTube) - it looks like a problem with the max MTU size on v6-enabled sites; the same happens if I try to download files from IPv6-enabled sites (i.e. Google).

I fixed an issue with high CPU load, as I found out that CEF is not enabled for IPv6 by default - the setting is ipv6 cef

Any idea what is going wrong?

Bye, Robert Lang
Router Cisco 1841 on 6in4 tunnel
[ch] Jeroen Massar SixXS Staff on Wednesday, 26 September 2012 14:21:01
> bandwidth 32000
> tunnel bandwidth transmit 6000
> tunnel bandwidth receive 32000

Are you sure that this has the effects you expect it to have?

> ipv6 traffic-filter INBOUND_V6_TRAFFIC in
> ipv6 inspect cbac-ipv6 out
> Input features: Common pak subblock feature ACL

What do these filters contain? Do they maybe block ICMP?

> Some websites do not load completely (pictures or movies from YouTube) - it looks like a problem with the max MTU size on v6-enabled sites; the same happens if I try to download files from IPv6-enabled sites (i.e. Google).

You might want to try a tracepath6 from a Linux host behind the router to see what it thinks that the path is about.
Router Cisco 1841 on 6in4 tunnel
[de] Carmen Sandiego on Wednesday, 26 September 2012 16:35:15
please notice next in thread :)
Router Cisco 1841 on 6in4 tunnel
[de] Carmen Sandiego on Thursday, 27 September 2012 05:52:47
Hello Jeroen,

I had a check of MTU path detection (and much more). The result is in German - but this is not the point - an MTU of 1480 would be supported along the whole connection path here... so this is not the origin of my problem.

    Pfad-MTU für IPv6 (?): OK
    Ihr Rechner kann fragmentierten IPv6-Verkehr senden und empfangen.
    Der Pfad zwischen Ihrem Netzwerk und unserem Server unterstützt eine MTU von mindestens 1480 Bytes.
    Der Pfad zwischen unserem Server und Ihrem Netzwerk hat eine MTU von 1480 Bytes.
    Der Engpass liegt bei IP-Adresse 2001:4dd0:ff00:f3b::1.
    Traceroute für IPv6 (?): OK

From a Linux system's tracepath6 I get this:

    LX-NMS-VM:~ # tracepath6 six.heise.de
     1?: [LOCALHOST]                        0.021ms pmtu 1480
     1:  2001:4dd0:ff00:8f3b:8000::1        1.451ms
     1:  2001:4dd0:ff00:8f3b:8000::1        1.480ms
     2:  gw-3900.cgn-01.de.sixxs.net       28.909ms
     3:  2001:4dd0:1234:3::42              28.028ms asymm  2
     4:  core-eup2-ge1-22.netcologne.de   123.901ms asymm  3
     5:  core-pg1-te4-3.netcologne.de      28.207ms asymm  4
     6:  rtint3-po5netcologne.de           29.436ms asymm  5
     7:  gi1-15.c1.d.de.plusline.net       31.308ms asymm  6
     8:  2a02:2e0:12:6::1                  39.045ms asymm  6
     9:  te6-1.c13.f.de.plusline.net       30.527ms asymm  7
    10:  www.six.heise.de                  32.974ms reached
         Resume: pmtu 1480 hops 10 back 57
    LX-NMS-VM:~ #

This looks very weird to me, but it seems all the path the pmtu is supported and on setup on my side is ok

Bye, Robert
Router Cisco 1841 on 6in4 tunnel
[ch] Jeroen Massar SixXS Staff on Thursday, 27 September 2012 06:54:46
> This looks very weird to me, but it seems all the path the pmtu is supported and on setup on my side is ok

This shows that if you originate packets that it works. Your firewall rules might still have other ill effects though.
Router Cisco 1841 on 6in4 tunnel
[de] Carmen Sandiego on Wednesday, 26 September 2012 16:34:25
Bandwidth statements are just to get the correct load calculated - they have no further effect. The CBAC list is pretty much standard to get stateful firewalling working - it is to monitor UDP and FTP traffic.

    ipv6 inspect name cbac-ipv6 tcp
    ipv6 inspect name cbac-ipv6 udp
    ipv6 inspect name cbac-ipv6 icmp
    ipv6 inspect name cbac-ipv6 ftp
    !

The IPv6 access-list:

    !
    ipv6 access-list INBOUND_V6_TRAFFIC
     remark Inbound access rule for IPV6
     permit tcp any any established
     permit udp any eq ntp any eq ntp
     permit udp any eq domain any eq domain
     permit tcp any any eq 22
     sequence 70 permit udp any any
     sequence 75 permit icmp any any
     sequence 80 permit icmp host 2001:4DD0:FF00:F3B::1 host 2001:4DD0:FF00:F3B::2 echo-request
     deny ipv6 any any log
     remark prevent ingress of all addresses except global unicast and multicast
     deny ipv6 ::/3 any log
     deny ipv6 8000::/2 any log
     deny ipv6 C000::/3 any log
     deny ipv6 E000::/4 any log
     deny ipv6 F000::/5 any log
     deny ipv6 F800::/6 any log
     deny ipv6 FC00::/7 any log
     deny ipv6 FE00::/8 any log
    !

I see no problem, what caused this issue... a sh ipv6 interface tunnel 66 also shows it is working with an MTU of 1480
Router Cisco 1841 on 6in4 tunnel
[ch] Jeroen Massar SixXS Staff on Thursday, 27 September 2012 06:57:55
> The CBAC list is pretty much standard to get stateful firewalling working - it is to monitor UDP and FTP traffic.

And to drop anything that does not match those rules. You might want to disable it for a while and see if that helps the situation and/or do proper logging or checking the counters for the rules.

> sequence 75 permit icmp any any
> sequence 80 permit icmp host 2001:4DD0:FF00:F3B::1 host 2001:4DD0:FF00:F3B::2 echo-request

75 would pass everything already, thus 80 is not needed. Same for some other rules. Check your logs is the only thing there. Next to that the FAQ has an article which might help.
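
Added example, not part of the thread and not SixXS or Cisco code: a small first-match checker that finds entries in the posted ACL which can never be hit because an earlier, broader entry already matches the same traffic (the point made about sequence 75 and 80). The matching model is a simplification and the function names are hypothetical; the remark lines and six of the eight bogon deny lines are left out to keep it short.

```python
import ipaddress

# Rules taken from the ACL posted in this thread (see lead-in for what is omitted).
ACL = """\
permit tcp any any established
permit udp any eq ntp any eq ntp
permit udp any eq domain any eq domain
permit tcp any any eq 22
sequence 70 permit udp any any
sequence 75 permit icmp any any
sequence 80 permit icmp host 2001:4DD0:FF00:F3B::1 host 2001:4DD0:FF00:F3B::2 echo-request
deny ipv6 any any log
deny ipv6 ::/3 any log
deny ipv6 FC00::/7 any log
"""

def take_addr(tok):  # any | host X | prefix/len  ->  ipaddress network
    first = tok.pop(0)
    if first == "any":
        return ipaddress.ip_network("::/0")
    return ipaddress.ip_network(tok.pop(0) + "/128" if first == "host" else first)

def take_port(tok):  # optional "eq <port>" qualifier after an address
    if tok[:1] == ["eq"]:
        del tok[0]
        return tok.pop(0)
    return None

def parse(line):
    tok = line.split()
    if tok[0] == "sequence":                      # drop "sequence <n>"
        tok = tok[2:]
    action, proto = tok.pop(0), tok.pop(0)
    src, sport = take_addr(tok), take_port(tok)
    dst, dport = take_addr(tok), take_port(tok)
    extra = tuple(t for t in tok if t != "log")   # established, echo-request
    return {"text": line, "action": action, "proto": proto, "src": src,
            "dst": dst, "quals": (sport, dport, extra)}

def covers(a, b):
    # Simplified: a has no qualifiers, same protocol or "ipv6", and wider prefixes.
    return (a["quals"] == (None, None, ()) and a["proto"] in ("ipv6", b["proto"])
            and b["src"].subnet_of(a["src"]) and b["dst"].subnet_of(a["dst"]))

def unreachable(acl_text):
    # First match wins, so a rule fully covered by an earlier one is never hit.
    rules = [parse(line) for line in acl_text.strip().splitlines()]
    return [(r["text"], e["text"]) for i, r in enumerate(rules)
            for e in rules[:i] if covers(e, r)]
```

Calling `unreachable(ACL)` returns pairs of (rule that is never hit, earlier rule that covers it); on a live router the per-entry match counters in `show ipv6 access-list` give the same answer from real traffic.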
Router Cisco 1841 on 6in4 tunnel
[de] Carmen Sandiego on Friday, 05 October 2012 08:26:18
Hello Jeroen, you are right - I added 75 for testing purposes - it made no difference. Bye, Robert
Router Cisco 1841 on 6in4 tunnel
[gb] Shadow Hawkins on Friday, 28 September 2012 22:44:44
Robert, can you post the output of
show version
? This sounds as if it may be Cisco bug CSCtb10776 which appeared and was fixed somewhere in 12.4T. I had this issue with a 1700-series IOS and had to roll back to 12.4 (solved the problem). I replaced the router with a 867VAE running 15.1(4r)M2 and it doesn't have the bug.
Router Cisco 1841 on 6in4 tunnel
[de] Carmen Sandiego on Friday, 05 October 2012 08:24:06
Hello Nick, thank you for your info! Today I found it in Cisco support forum - it was indeed the bug with IP inspection. Will need to get a newer IOS! I am on c1841-advipservicesk9-mz.124-3e.bin Bye, Robert
