|
Ticket ID: SIXXS #12035109 Ticket Status: Remote Problem PoP: gblon02 - Goscomb Technologies (London)
Incoming packet loss - possible MTU issue
![[gb]](/s/countries/gb.gif) Shadow Hawkins on Thursday, 24 July 2014 17:08:59
I've recently been having issues with some websites (normally SSL connections) timeing out - https://ssl.comodo.com for example. SYN & ACK packets are ok, but larger packets never arrive as expected. I've also noticed problems with whois, so I've decided to use that data here.
This seems similar to Issue 9469190
I've upped my MTU to 1480 (as an attempt to resolve the problem) on the pfSense box (2.1.2-RELEASE), as well as increasing it on the tunnel page. We have a leased line, so the MTU for our WAN is 1500.
The client computer:
$ uname -a
Linux BaylyJ5 3.11.0-24-generic #42-Ubuntu SMP Fri Jul 4 21:19:31 UTC 2014 x86_64 x86_64 x86_64 GNU/Linux
$ whois --version
Version 5.0.26.
cat /etc/issue
Linux Mint 16 Petra \n \l
If the whois result is quite small, then the packets are received.
$ whois 81.144.211.211
16:44:20.496508 IP6 2a01:348:2c2:100:5246:5dff:fe8f:5c6d.50428 > 2001:67c:2e8:22::c100:687.43: Flags [S], seq 2110280876, win 28800, options [mss 1440,sackOK,TS val 368133969 ecr 0,nop,wscale 7], length 0
16:44:20.524135 IP6 2001:67c:2e8:22::c100:687.43 > 2a01:348:2c2:100:5246:5dff:fe8f:5c6d.50428: Flags [S.], seq 1240332740, ack 2110280877, win 14280, options [mss 1440,sackOK,TS val 715991193 ecr 368133969,nop,wscale 7], length 0
16:44:20.524403 IP6 2a01:348:2c2:100:5246:5dff:fe8f:5c6d.50428 > 2001:67c:2e8:22::c100:687.43: Flags [.], ack 1, win 225, options [nop,nop,TS val 368133976 ecr 715991193], length 0
16:44:20.524497 IP6 2a01:348:2c2:100:5246:5dff:fe8f:5c6d.50428 > 2001:67c:2e8:22::c100:687.43: Flags [P.], ack 1, win 225, options [nop,nop,TS val 368133976 ecr 715991193], length 25
16:44:20.551542 IP6 2001:67c:2e8:22::c100:687.43 > 2a01:348:2c2:100:5246:5dff:fe8f:5c6d.50428: Flags [.], ack 26, win 112, options [nop,nop,TS val 715991221 ecr 368133976], length 0
16:44:20.552083 IP6 2001:67c:2e8:22::c100:687.43 > 2a01:348:2c2:100:5246:5dff:fe8f:5c6d.50428: Flags [P.], ack 26, win 112, options [nop,nop,TS val 715991221 ecr 368133976], length 197
16:44:20.552648 IP6 2a01:348:2c2:100:5246:5dff:fe8f:5c6d.50428 > 2001:67c:2e8:22::c100:687.43: Flags [.], ack 198, win 234, options [nop,nop,TS val 368133983 ecr 715991221], length 0
16:44:20.558215 IP6 2001:67c:2e8:22::c100:687.43 > 2a01:348:2c2:100:5246:5dff:fe8f:5c6d.50428: Flags [FP.], seq 198:1546, ack 26, win 112, options [nop,nop,TS val 715991226 ecr 368133976], length 1348
16:44:20.558981 IP6 2a01:348:2c2:100:5246:5dff:fe8f:5c6d.50428 > 2001:67c:2e8:22::c100:687.43: Flags [.], ack 1547, win 256, options [nop,nop,TS val 368133984 ecr 715991226], length 0
16:44:20.559104 IP6 2a01:348:2c2:100:5246:5dff:fe8f:5c6d.50428 > 2001:67c:2e8:22::c100:687.43: Flags [F.], seq 26, ack 1547, win 256, options [nop,nop,TS val 368133984 ecr 715991226], length 0
16:44:20.586153 IP6 2001:67c:2e8:22::c100:687.43 > 2a01:348:2c2:100:5246:5dff:fe8f:5c6d.50428: Flags [.], ack 27, win 112, options [nop,nop,TS val 715991256 ecr 368133984], length 0
However, if the whois record is quite long, it times out (the packets in this case are out of order):
$ whois tipstrade.net
16:52:51.561100 IP6 2a01:348:2c2:100:5246:5dff:fe8f:5c6d.58142 > 2001:503:f189:1060::74.43: Flags [S], seq 4128570047, win 28800, options [mss 1440,sackOK,TS val 368261735 ecr 0,nop,wscale 7], length 0
16:52:51.683034 IP6 2001:503:f189:1060::74.43 > 2a01:348:2c2:100:5246:5dff:fe8f:5c6d.58142: Flags [S.], seq 2704334763, ack 4128570048, win 13280, options [mss 1340,sackOK,TS val 1331805842 ecr 368261735,nop,wscale 7], length 0
16:52:51.683341 IP6 2a01:348:2c2:100:5246:5dff:fe8f:5c6d.58142 > 2001:503:f189:1060::74.43: Flags [.], ack 1, win 225, options [nop,nop,TS val 368261765 ecr 1331805842], length 0
16:52:51.683442 IP6 2a01:348:2c2:100:5246:5dff:fe8f:5c6d.58142 > 2001:503:f189:1060::74.43: Flags [P.], ack 1, win 225, options [nop,nop,TS val 368261765 ecr 1331805842], length 16
16:52:51.804896 IP6 2001:503:f189:1060::74.43 > 2a01:348:2c2:100:5246:5dff:fe8f:5c6d.58142: Flags [.], ack 17, win 104, options [nop,nop,TS val 1331805964 ecr 368261765], length 0
16:52:51.806365 IP6 2001:503:f189:1060::74.43 > 2a01:348:2c2:100:5246:5dff:fe8f:5c6d.58142: Flags [F.], seq 2818, ack 17, win 104, options [nop,nop,TS val 1331805966 ecr 368261765], length 0
16:52:51.806620 IP6 2a01:348:2c2:100:5246:5dff:fe8f:5c6d.58142 > 2001:503:f189:1060::74.43: Flags [.], ack 1, win 225, options [nop,nop,TS val 368261796 ecr 1331805964,nop,nop,sack 1 {2818:2819}], length 0
16:52:51.806761 IP6 2001:503:f189:1060::74.43 > 2a01:348:2c2:100:5246:5dff:fe8f:5c6d.58142: Flags [P.], ack 17, win 104, options [nop,nop,TS val 1331805966 ecr 368261765], length 161
16:52:51.806886 IP6 2001:503:f189:1060::74.43 > 2a01:348:2c2:100:5246:5dff:fe8f:5c6d.58142: Flags [.], ack 17, win 104, options [nop,nop,TS val 1331805966 ecr 368261765], length 1328
16:52:51.807210 IP6 2a01:348:2c2:100:5246:5dff:fe8f:5c6d.58142 > 2001:503:f189:1060::74.43: Flags [.], ack 1, win 225, options [nop,nop,TS val 368261796 ecr 1331805964,nop,nop,sack 1 {2657:2819}], length 0
16:52:51.807291 IP6 2001:503:f189:1060::74.43 > 2a01:348:2c2:100:5246:5dff:fe8f:5c6d.58142: Flags [.], ack 17, win 104, options [nop,nop,TS val 1331805966 ecr 368261765], length 1328
16:52:51.807547 IP6 2a01:348:2c2:100:5246:5dff:fe8f:5c6d.58142 > 2001:503:f189:1060::74.43: Flags [.], ack 1329, win 248, options [nop,nop,TS val 368261796 ecr 1331805966,nop,nop,sack 1 {2657:2819}], length 0
16:52:51.807922 IP6 2a01:348:2c2:100:5246:5dff:fe8f:5c6d.58142 > 2001:503:f189:1060::74.43: Flags [.], ack 2819, win 270, options [nop,nop,TS val 368261797 ecr 1331805966], length 0
16:52:51.808027 IP6 2a01:348:2c2:100:5246:5dff:fe8f:5c6d.58142 > 2001:503:f189:1060::74.43: Flags [F.], seq 17, ack 2819, win 270, options [nop,nop,TS val 368261797 ecr 1331805966], length 0
16:52:51.929073 IP6 2001:503:f189:1060::74.43 > 2a01:348:2c2:100:5246:5dff:fe8f:5c6d.58142: Flags [.], ack 17, win 104, options [nop,nop,TS val 1331806088 ecr 368261796], length 1328
16:52:51.929227 IP6 2001:503:f189:1060::74.43 > 2a01:348:2c2:100:5246:5dff:fe8f:5c6d.58142: Flags [.], ack 17, win 104, options [nop,nop,TS val 1331806088 ecr 368261796], length 1328
16:52:51.929315 IP6 2001:503:f189:1060::74.43 > 2a01:348:2c2:100:5246:5dff:fe8f:5c6d.58142: Flags [.], ack 18, win 104, options [nop,nop,TS val 1331806089 ecr 368261797], length 0
16:52:51.929821 IP6 2a01:348:2c2:100:5246:5dff:fe8f:5c6d.58142 > 2001:503:f189:1060::74.43: Flags [.], ack 2819, win 270, options [nop,nop,TS val 368261827 ecr 1331805966,nop,nop,sack 1 {1:2657}], length 0
Pinging with the maximum packet size:
$ ping -nc 5 -s 1472 facebook.com
PING facebook.com (173.252.110.27) 1472(1500) bytes of data.
1480 bytes from 173.252.110.27: icmp_seq=1 ttl=82 time=97.8 ms
1480 bytes from 173.252.110.27: icmp_seq=2 ttl=82 time=97.6 ms
1480 bytes from 173.252.110.27: icmp_seq=3 ttl=82 time=97.6 ms
1480 bytes from 173.252.110.27: icmp_seq=4 ttl=82 time=97.5 ms
1480 bytes from 173.252.110.27: icmp_seq=5 ttl=82 time=97.5 ms
--- facebook.com ping statistics ---
5 packets transmitted, 5 received, 0% packet loss, time 4006ms
rtt min/avg/max/mdev = 97.579/97.654/97.807/0.083 ms
$ ping6 -nc 5 -s 1432 facebook.com
PING facebook.com(2a03:2880:2110:df07:face:b00c:0:1) 1432 data bytes
1440 bytes from 2a03:2880:2110:df07:face:b00c:0:1: icmp_seq=1 ttl=51 time=98.3 ms
1440 bytes from 2a03:2880:2110:df07:face:b00c:0:1: icmp_seq=2 ttl=51 time=98.4 ms
1440 bytes from 2a03:2880:2110:df07:face:b00c:0:1: icmp_seq=3 ttl=51 time=98.2 ms
1440 bytes from 2a03:2880:2110:df07:face:b00c:0:1: icmp_seq=4 ttl=51 time=98.8 ms
1440 bytes from 2a03:2880:2110:df07:face:b00c:0:1: icmp_seq=5 ttl=51 time=98.3 ms
--- facebook.com ping statistics ---
5 packets transmitted, 5 received, 0% packet loss, time 4005ms
rtt min/avg/max/mdev = 98.209/98.437/98.870/0.361 ms
Tracepath6:
$ tracepath6 ssl.comodo.com
1?: [LOCALHOST] 0.059ms pmtu 1500
1: 2a01:348:2c2:100::1 1.054ms
1: 2a01:348:2c2:100::1 1.062ms
2: 2a01:348:2c2:100::1 1.046ms pmtu 1480
2: gw-1148.lon-02.gb.sixxs.net 14.203ms
3: gblon02.sixxs.net 14.310ms asymm 2
4: ge-0-0-5-20.cs0.thw.uk.goscomb.net 33.790ms asymm 3
5: xe-3-1.core00.the.uk.hso-group.net 14.713ms asymm 4
6: xe-3-1.core00.gs2.uk.hso-group.net 19.948ms asymm 5
7: xe-3-1.core00.sov.uk.hso-group.net 14.953ms asymm 6
8: ae2.edge00.sov.uk.hso-group.net 14.736ms asymm 7
9: xe-4-0-1.edge6.London1.Level3.net 14.765ms asymm 8
10: vl-52.car3.London1.Level3.net 15.276ms asymm 9
11: Internet-Connections-Ltd.car3.London1.Level3.net 15.156ms asymm 10
12: 2a01:3f8:0:c::1 15.227ms asymm 7
13: 2a01:3f8:0:8::2 22.211ms asymm 8
14: 2a01:3f8:0:108::2 29.301ms asymm 15
15: ge-1-0-7-2012.h6edccrt.hex67.lon.edge.ccanet.co.uk 21.779ms asymm 11
16: no reply
<snip>
31: no reply
Too many hops: pmtu 1480
Resume: pmtu 1480
$ tracepath6 google.com
1?: [LOCALHOST] 0.046ms pmtu 1500
1: domain.not.configured 1.026ms
1: domain.not.configured 1.030ms
2: domain.not.configured 1.052ms pmtu 1480
2: gw-1148.lon-02.gb.sixxs.net 14.208ms
3: gblon02.sixxs.net 14.178ms asymm 2
4: ge-0-0-5-20.cs0.thw.uk.goscomb.net 19.516ms asymm 3
5: xe-3-1.core00.the.uk.hso-group.net 26.776ms asymm 4
6: xe-3-1.core00.gs2.uk.hso-group.net 14.837ms asymm 5
7: xe-3-1.core00.sov.uk.hso-group.net 21.998ms asymm 6
8: no reply
<snip>
31: no reply
Too many hops: pmtu 1480
Resume: pmtu 1480
So, are there any suggestions as to what I can do?
Many thanks
State change: remoteproblem
The state of this ticket has been changed to remoteproblem
Incoming packet loss - possible MTU issue
https://ssl.comodo.com for example.
Comodo is known to be filtering ICMPv6. Little we can do about.
We also do not control any of the other destinations, you'll have to contact those networks directly.
Also, make sure that your local firewall is sending packets too big properly and not dropping such messages to the floor.
If the whois result is quite small, then the packets are received.
You might want to check tracepath6 for each of those destinations.
$ ping6 -nc 5 -s 1432 facebook.com
As you are not blocking fragmentation, those packets can still be fragmented. See the -M option ("-M do" is what you want).
Incoming packet loss - possible MTU issue
Shadow Hawkins on Friday, 25 July 2014 11:01:10Comodo is known to be filtering ICMPv6. Little we can do about.
I've confirmed that the same occurs on my home connection - native IPv6 over pppoe - the connection times out. What's happening now with ssl.comodo.com is this:
* MTU=1280 TCP:443 Connection would timeout
* MTU=1480 TCP:443 Connection is reset immediately with "no route to destination" (which is interesting as I can ping it) - the IMCPv6 "Destination Unreachable" packet comes from an IP not listed in the tracepath6 output.
I've given up with comodo here - clearly they're doing something wrong here if it doesn't even work over native IPv6. I fully appreciate you have no control over other people's networks - you wouldn't believe how often I get asked why [some other website] isn't working.
As for the whois, I made a mistake with my interpretation of the network capture:
* MTU=1280 whois was timing out.
* MTU=1480 whois capture packets with a few out of sequence packets & duplicate ACKs, and then an IPv4 connection. I had thought is was failing over to IPv4. However, the whois request to whois.crsnic.net is working on IPv6 - the subsequent IPv4 whois request was to our registrar.
Many apologies for the rubbish information.
So, it appears that whois.crsnic.net appears to be having some issues with lower MTUs - I'll have a play around with different values and see if I can find the point at which they start failing.
Also, make sure that your local firewall is sending packets too big properly and not dropping such messages to the floor.
I'm going to have to ask a stupid question here - what's the best way of doing this?
Incoming packet loss - possible MTU issue
* MTU=1480 TCP:443 Connection is reset immediately with "no route to destination" (which is interesting as I can ping it)
That is because something is doing "firewalling", hence packets it does not want are rejected with the wrong error code. Though, it could also mean that the tool that you are using for displaying the error code decodes it wrong. This as there typically is a sub-code, "admin filtered" / "admin prohibited" being one.
The IMCPv6 "Destination Unreachable" packet comes from an IP not listed in the tracepath6 output.
Which IP?
Do note that asynchronous routing can cause such a behaviour, next to hidden "firewall" devices.
> Also, make sure that your local firewall is sending packets too big properly and not dropping such messages to the floor.
I'm going to have to ask a stupid question here - what's the best way of doing this?
Depends on the tools involved. Enabling logging and checking that logging (or at least counters) is a good first step.
Incoming packet loss - possible MTU issue
Shadow Hawkins on Friday, 25 July 2014 15:38:24Which IP?
It's 2a02:1788:0:865::5001 - the tracepath6 for this IP is the exact same as that for ssl.comodo.com (shown below).
I didn't mention the address because I saw that the 2a02:1788::/32 block's authority is ns0.comdodns.com
baylyj@BaylyJ5 ~ $ ping6 -c 3 -n -s 1432 ssl.comodo.com
PING ssl.comodo.com(2a02:1788:4fd:cd::c742:cdf2) 1432 data bytes
1440 bytes from 2a02:1788:4fd:cd::c742:cdf2: icmp_seq=1 ttl=53 time=23.2 ms
1440 bytes from 2a02:1788:4fd:cd::c742:cdf2: icmp_seq=2 ttl=53 time=22.1 ms
1440 bytes from 2a02:1788:4fd:cd::c742:cdf2: icmp_seq=3 ttl=53 time=22.6 ms
--- ssl.comodo.com ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2002ms
rtt min/avg/max/mdev = 22.153/22.675/23.254/0.483 ms
baylyj@BaylyJ5 ~ $ tracepath6 -n ssl.comodo.com
1?: [LOCALHOST] 0.020ms pmtu 1480
1: 2a01:348:2c2:100::1 1.152ms
1: 2a01:348:2c2:100::1 1.004ms
2: 2a01:348:6:47b::1 14.109ms
3: 2a01:348:0:4:0:3:1:1 14.155ms asymm 2
4: 2a01:348:0:4:0:3:0:1 16.089ms asymm 3
5: 2a01:348::65:0:1 25.561ms asymm 4
6: 2a01:348::63:1:1 22.834ms asymm 5
7: 2a01:348::71:1:1 23.348ms asymm 6
8: 2a01:348::50:0:1 14.946ms asymm 7
9: 2001:1900:5:2:2::951 14.945ms asymm 8
10: 2001:1900:101:2::3 15.436ms asymm 9
11: 2001:4c08:2003::2 15.231ms asymm 10
12: 2a01:3f8:0:d::2 21.433ms asymm 11
13: 2a01:3f8:0:9::1 21.972ms asymm 8
14: 2a01:3f8:0:108::2 34.535ms asymm 15
15: 2a02:1788:ff:51ae::b2ff:51ae 21.701ms asymm 11
16: no reply
<snip>
31: no reply
Too many hops: pmtu 1480
Resume: pmtu 1480
baylyj@BaylyJ5 ~ $ curl -6 https://ssl.comodo.com
curl: (7) Failed connect to ssl.comodo.com:443; Network is unreachable
Here is a link to a wireshark/tcpdump capture of the above commands
Wireshark describes the ICMPv6 packed for the failed https connection as "Destination unreachable (no route to destination):
Internet Control Message Protocol v6
Type: Destination Unreachable (1)
Code: 0 (no route to destination)
Interestingly, I logged onto my machine at home and tried opening ssl.comodo.com - the ssl handshake starts, but never completes and the browser gives up after 30s. Here's a link to a capture (if you're any way interested).
Finally, I tried it on a hosted server of ours - it works perfectly, but then, it's native IPv6 (MTU 1452).
So... as you say - something is doing firewalling, for what reason I really don't know.
As for dropping "packet too big", it wasn't - I wasn't seeing as many of the packets as I expected, until I realised the MTU for a route was being cached - but what you were asking gave me a much better idea of keywords to look for. For example, I've discovered that pfSense is dropping fragemented packets - confirmed by Bug #2762 - which doesn't help.
Thanks for the pointers and suggestions. I'm still going to have a play with various MTU values - if only for academic reasons, which is pretty much the point of this tunnel.
Incoming packet loss - possible MTU issue
John Bayly wrote:
Which IP?
It's 2a02:1788:0:865::5001 - the tracepath6 for this IP is the exact same as that for ssl.comodo.com (shown below).
I didn't mention the address because I saw that the 2a02:1788::/32 block's authority is ns0.comdodns.com
baylyj@BaylyJ5 ~ $ ping6 -c 3 -n -s 1432 ssl.comodo.com
You really need to set "-M do" for this to mean anything.
[..]
14: 2a01:3f8:0:108::2 34.535ms asymm 15
15: 2a02:1788:ff:51ae::b2ff:51ae 21.701ms asymm 11
16: no reply
<snip>
31: no reply
There is some kind of packet filtering happening and thus the pMTU is likely meaningless.
baylyj@BaylyJ5 ~ $ curl -6 https://ssl.comodo.com curl: (7) Failed connect to ssl.comodo.com:443; Network is unreachable
Note that you might also be filtered already due to you probing their network a lot...
Finally, I tried it on a hosted server of ours - it works perfectly, but then, it's native IPv6 (MTU 1452).
An MTU < 1500 is not 'native', likely some kind of tunneling happening.
So... as you say - something is doing firewalling, for what reason I really don't know.
Comodo is a 'security' company, hence not odd that they do 'security' even if they break things that they clearly do not know about.
As for dropping "packet too big", it wasn't
Note that these ICMPv6 PtBs are sent by the PoP, not by your host, as that is where the MTU change happens. You should be able to see it in the Live Tunnel Status though as there the last host that got one will be listed.
Do note that the other side (eg ssl.comodo.com) could send you a Packet Too Big that will reach to your host completely.
- I wasn't seeing as many of the packets as I expected, until I realised the MTU for a route was being cached - but what you were asking gave me a much better idea of keywords to look for. For example, I've discovered that pfSense is dropping fragemented packets - confirmed by Bug #2762 - which doesn't help.
Fragments should NEVER exist on a network. There is no reason for them (except for making things complex that do not need to be complex).
They are currently still in the IPv6 spec, but there have been various discussions of getting rid of them completely. TCP can handle the packet-cut-up and for UDP one should just send smaller packets, similar solutions exist for other protocols like TCP.
Incoming packet loss - possible MTU issue
Shadow Hawkins on Friday, 25 July 2014 16:24:31
I was supposed to be using the "-M do" switch - I probably went too far up the bash history when executing it and didn't notice as the result was as expected.
Note that you might also be filtered already due to you probing their network a lot...
The thought had crossed my mind.
> Finally, I tried it on a hosted server of ours - it works perfectly, but then, it's native IPv6 (MTU 1452).
An MTU < 1500 is not 'native', likely some kind of tunneling happening.
That was a typo - I posted the maximum icmp payload by mistake <sigh>
Didn't know about the "Live Tunnel Status" page - very handy.
Fragments should NEVER exist on a network. There is no reason for them (except for making things complex that do not need to be complex).
They are currently still in the IPv6 spec, but there have been various discussions of getting rid of them completely. TCP can handle the packet-cut-up and for UDP one should just send smaller packets, similar solutions exist for other protocols like TCP.
Fair point - my 1st port of call was to check out whether fragments were acceptable - being as they're in the spec I assumed that they were - I know path MTU discovery is expected to be used. I hadn't realised that they may be removed.
Incoming packet loss - possible MTU issue
I have been able to reach out to a few folks at Comodo, hopefully they will look into and attempt to resolve the problem on their side (if it is at their place, but it looks likely).
|
![[ch]](/s/countries/ch.gif)
on Thursday, 24 July 2014 17:50:43
Posting is only allowed when you are