SixXS::Sunset 2017-06-06

Ticket ID: SIXXS #11106898
Ticket Status: User

PoP: nlhaa01 - Leaseweb B.V. (Haarlem)

"Tunnel doesn't ping" yet pings are received and replied on our end.
[nl] Carmen Sandiego on Tuesday, 18 February 2014 16:36:50
Dear SixXS,

My handle is INSO1-RIPE. Last Friday we started having trouble with our static 6in4 tunnel T18955, which has worked fine for months. The sixxs.net log shows the tunnel didn't ping for 4 days. The live tunnel status shows the tunnel is up and sending packets but not receiving any.

Our tunnel-endpoint is an Ubuntu 12.04 VM in our DMZ, called 'ipv6gw'. The VM is dedicated to this task. There is a firewall in front of the VM, but it routes all proto-41 traffic to the VM. There is no firewall active on the VM itself. This is done on a Cisco ASA behind the VM.

With Wireshark I can see ICMPv6 Echo Requests arriving from the POP side, and I see Echo Replies being sent out to the POP. However, Echo Requests are the only traffic I see coming in from outside.

    # tshark -i sixxs
    Capturing on sixxs
    1.988130 2001:1af8:fe00:1e::1 -> 2001:1af8:fe00:1e::2 ICMPv6 1028 Echo (ping) request id=0x4242, seq=46547
    1.988176 2001:1af8:fe00:1e::2 -> 2001:1af8:fe00:1e::1 ICMPv6 1028 Echo (ping) reply id=0x4242, seq=46547

When I use another external IPv6 host to ping6 our internal tunnel endpoint IP, I also see the requests coming in, and replies being sent, but they never arrive on the outside.

    Capturing on sixxs
    0.792234 2a01:670:6a53:5f00::2 -> 2001:1af8:fe00:1e::2 ICMPv6 104 Echo (ping) request id=0x1e43, seq=1
    0.792292 2001:1af8:fe00:1e::2 -> 2a01:670:6a53:5f00::2 ICMPv6 104 Echo (ping) reply id=0x1e43, seq=1

The VM has the following tunnel interface configured:

    root@ipv6gw:~# ip a s sixxs
    5: sixxs: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1480 qdisc noqueue state UNKNOWN
        link/sit 0.0.0.0 peer 94.75.219.73
        inet6 2001:1af8:fe00:1e::2/64 scope global
           valid_lft forever preferred_lft forever
        inet6 fe80::a0a:d4/64 scope link
           valid_lft forever preferred_lft forever

The routing table is:

    root@ipv6gw:~# route -6
    Kernel IPv6 routing table
    Destination                  Next Hop              Flag Met  Ref Use   If
    2001:1af8:fe00:1e::/64       ::                    Un   256  0   1     sixxs
    2001:1af8:fe06::/64          ::                    U    256  0   1     eth1
    2001:1af8:fe06::/48          2001:1af8:fe06::2     UG   1024 0   0     eth1
    fe80::/64                    ::                    U    256  0   0     eth1
    fe80::/64                    ::                    U    256  0   0     eth0
    fe80::/64                    ::                    Un   256  0   0     sixxs
    ::/0                         2001:1af8:fe00:1e::1  UG   1024 0   0     sixxs
    ::/0                         ::                    !n   -1   1   11750 lo
    ::1/128                      ::                    Un   0    1   48    lo
    2001:1af8:fe00:1e::/128      ::                    Un   0    1   0     lo
    2001:1af8:fe00:1e::2/128     ::                    Un   0    1   318   lo
    2001:1af8:fe06::/128         ::                    Un   0    1   0     lo
    2001:1af8:fe06::1/128        ::                    Un   0    1   9     lo
    fe80::/128                   ::                    Un   0    1   0     lo
    fe80::/128                   ::                    Un   0    1   0     lo
    fe80::/128                   ::                    Un   0    1   0     lo
    fe80::a0a:d4/128             ::                    Un   0    1   0     lo
    fe80::250:56ff:fe00:212/128  ::                    Un   0    1   0     lo
    fe80::250:56ff:fe1f:2/128    ::                    Un   0    1   40    lo
    ff00::/8                     ::                    U    256  0   0     eth1
    ff00::/8                     ::                    U    256  0   0     eth0
    ff00::/8                     ::                    U    256  0   0     sixxs
    ::/0                         ::                    !n   -1   1   11750 lo

The POP's IP pings correctly over v4:

    root@ipv6gw:~# ping 94.75.219.73
    PING 94.75.219.73 (94.75.219.73) 56(84) bytes of data.
    64 bytes from 94.75.219.73: icmp_req=1 ttl=57 time=7.02 ms
    64 bytes from 94.75.219.73: icmp_req=2 ttl=57 time=6.95 ms
    ^C
    --- 94.75.219.73 ping statistics ---
    2 packets transmitted, 2 received, 0% packet loss, time 1001ms
    rtt min/avg/max/mdev = 6.955/6.988/7.021/0.033 ms

The POP's IP doesn't ping over v6:

    root@ipv6gw:~# ping6 2001:1af8:fe00:1e::1
    PING 2001:1af8:fe00:1e::1(2001:1af8:fe00:1e::1) 56 data bytes
    ^C
    --- 2001:1af8:fe00:1e::1 ping statistics ---
    5 packets transmitted, 0 received, 100% packet loss, time 4031ms

I'm stumped why no packets are exiting the POP side of the tunnel and would appreciate any advice.

Regards,
Martijn Heemels

"Tunnel doesn't ping" yet pings are received and replied on our end.
[ch] Jeroen Massar SixXS Staff on Tuesday, 18 February 2014 16:59:24
Looks a lot like no packets at all are coming from your IP anymore.

> # tshark -i sixxs
> Capturing on sixxs

As clearly stated in the "Reporting Problems" section on the contact page, look at the underlying IPv4 interface where the tunneled packets flow over; the tunnel interface says pretty much squat.

> link/sit 0.0.0.0 peer 94.75.219.73

Are you sure the right source IP is used?

> I'm stumped why no packets are exiting the POP side of the tunnel and would appreciate any advice.

Actually the PoP is sending packets, you are just not (properly) responding to them. Notice also that the live tunnel status has:

    Packet In               : 2014-02-14 17:01:14 (1392397274; 3 days 23:51:58 ago)
    Encap.Pkt Send Error    : 44, last: 0.208.241.4 2014-02-14 00:14:15 (1392336855; 4 days 16:38:57 ago)
    ICMPv4 Errors Received  : 50, last: 94.75.219.73 2014-02-14 00:14:15 (1392336855; 4 days 16:38:57 ago)
    ICMPv4 Echo Req. Recv.  : 17, last: 221.139.107.189 2014-02-14 00:13:58 (1392336838; 4 days 16:39:14 ago)

That 0.208.241.4 is a rather strange IP (not routed or useable), and so is 221.139.107.189 which is in Korea. Make also sure that your network is BCP-38 compliant.

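An added example, not part of the ticket or of any SixXS tooling: the check the reply above points to, applied to raw IPv4 packets as they appear on the underlying interface rather than on `sixxs`. It classifies proto-41 packets by their outer addresses and flags tunnel traffic leaving with a source other than the expected one. The PoP address is the one from the ticket; `EXPECTED_SRC` (192.0.2.10), the mismatched 198.51.100.7 and the helper names are constructed assumptions.

```python
import ipaddress
import struct

POP_V4 = "94.75.219.73"      # PoP tunnel endpoint, as shown in the ticket
EXPECTED_SRC = "192.0.2.10"  # assumed: IPv4 address the PoP has on record (placeholder)
PROTO_41 = 41                # IPv6-in-IPv4 encapsulation (6in4)

def build_6in4(src4, dst4, src6, dst6):
    """Constructed sample: outer IPv4 header (proto 41) plus a bare IPv6 header."""
    inner = (struct.pack("!IHBB", 0x60000000, 0, 58, 64)
             + ipaddress.IPv6Address(src6).packed
             + ipaddress.IPv6Address(dst6).packed)
    outer = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(inner), 0, 0, 64,
                        PROTO_41, 0,  # checksum left 0; not validated here
                        ipaddress.IPv4Address(src4).packed,
                        ipaddress.IPv4Address(dst4).packed)
    return outer + inner

def check_outer(packet, expected_src=EXPECTED_SRC, pop=POP_V4):
    """Classify one raw IPv4 packet by its outer (IPv4) header."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return "not-ipv4"
    ihl = (packet[0] & 0x0F) * 4
    if ihl < 20:
        return "not-ipv4"
    if packet[9] != PROTO_41:
        return "not-proto-41"
    if len(packet) < ihl + 40 or packet[ihl] >> 4 != 6:
        return "bad-inner"  # payload is not a complete IPv6 header
    src = str(ipaddress.IPv4Address(packet[12:16]))
    dst = str(ipaddress.IPv4Address(packet[16:20]))
    if src == pop and dst == expected_src:
        return "inbound-ok"
    if dst == pop and src == expected_src:
        return "outbound-ok"
    if dst == pop:
        # Reaches the PoP from an address it does not associate with the tunnel.
        return "outbound-wrong-source:" + src
    return "unrelated"

if __name__ == "__main__":
    a, b = "2001:1af8:fe00:1e::1", "2001:1af8:fe00:1e::2"  # tunnel addresses from the ticket
    for p in (build_6in4(POP_V4, EXPECTED_SRC, a, b),
              build_6in4(EXPECTED_SRC, POP_V4, b, a),
              build_6in4("198.51.100.7", POP_V4, b, a)):
        print(check_outer(p))
```
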
"Tunnel doesn't ping" yet pings are received and replied on our end.
[nl] Carmen Sandiego on Thursday, 06 March 2014 14:10:09
Thanks Jeroen,

After disabling the tunnel for a few days and simply re-enabling it, things started working properly again. Nothing else was done on our side. It's still unclear to me what was actually wrong.

I've now implemented reverse path filtering on our edge-routers. Should've done that properly from the start, of course. Thanks for the reminder.

Feel free to close the ticket.

Regards,
Martijn


Static Sunset Edition of SixXS
©2001-2017 SixXS - IPv6 Deployment & Tunnel Broker