• Welcome to Hurricane Electric's IPv6 Tunnel Broker Forums.

News:

Welcome to Hurricane Electric's Tunnelbroker.net forums!

Main Menu

Can't browse VMware website

Started by xy16644, May 18, 2016, 02:05:27 PM

Previous topic - Next topic

xy16644

Hi All

I've been using my HE IPv6 tunnel for a few weeks now and have been very happy with it  :)

One thing I have noticed recently is that I can't browse VMwares blogs or kb website using IPv6:

http://blogs.vmware.com

or

https://kb.vmware.com/

It just times out from my machine. If I try it from another machine on my LAN the same thing happens. However, if I disable IPv6 I can browse the websites just fine.

Any ideas as to why this is happening?

I can ping blogs.vmware.com:

Quote
C:\Windows\system32>ping blogs.vmware.com

Pinging r35g2.x.incapdns.net [2a02:e980:3b::13] with 32 bytes of data:
Reply from 2a02:e980:3b::13: time=2ms
Reply from 2a02:e980:3b::13: time=160ms
Reply from 2a02:e980:3b::13: time=159ms
Reply from 2a02:e980:3b::13: time=158ms

and kb.vmware.com:

Quote
C:\Windows\system32>ping kb.vmware.com

Pinging khmrp.x.incapdns.net [2a02:e980:41::13] with 32 bytes of data:
Reply from 2a02:e980:41::13: time=30ms
Reply from 2a02:e980:41::13: time=29ms
Reply from 2a02:e980:41::13: time=29ms
Reply from 2a02:e980:41::13: time=28ms

So I'm unsure why I can't browse it? I don't have any firewall rules blocking certain HTTP/HTTPS traffic.

broquea

Check your MTU on your side and the broker's. Loads fine over native HE.

Napsterbater

I have the same problem with those 2 sites.

Just keeps trying to load and eventually Chrome shows Connection reset.

http://www.letmecheck.it/mtu-test.php Shows logs.vmware.com with a 1500MTU and me with a 1480 MTU which is correct and http://ipv6-test.com/pmtud/ shows no PMTUD problems detected.

Tried to attach screen shots but it errored.

xy16644

My MTU currently is 1452 on the tunnel and on my firewall.

What value should I set this to?

cholzhauer

I'm on a tunnel and have zero issues opening those sites.

xy16644


cholzhauer

My MTU value and your MTU values don't necessarily have to be the same; it's dependent on your environment.

Napsterbater

Quote from: cholzhauer on May 19, 2016, 06:38:08 AM
I'm on a tunnel and have zero issues opening those sites.

I can now open those sites.

No changes here.

xy16644

In the HE tunnel advanced section I have changed the MTU to 1460 and have also set my HE interface in pfsense to 1460 and I can now browse the kb.vmware.com website.

Strangely, I still can't browse the blogs.vmware.com website?

xy16644

I still seem to be battling with browsing VMwares websites. Currently my MTU in the Tunnel Broker website is set to 1480 for the MTU under the advanced section. I also set it to 1480 in pfsense but I am still having issues. I have tried a variety of MTU values but none of them have fixed this issue.

Is there anything else I can try? How do I find out what the MTU value should be for my setup?

Since I am studying for my VMware exam I really need to access their websites!

alebic

#10
Same problem here.

My ISP is Deutsche Telekom which uses PPPoE. The optimal MTU on the ISP interface is 1492 bytes (1500 - 8 Bytes PPPoE overhead).
Both my tunnel on the website and the tunnel interface in pfSense are set to 1472 (1492 - 20 Bytes 6in4 overhead).

Pinging kb.vmware.com with disabled fragmentation works fine (1472 - 48 bytes ICMPv6 overhead = 1424 bytes payload):
ping6 -M do -s 1424 -c 3 kb.vmware.com
PING kb.vmware.com(2a02:e980:46::13) 1424 data bytes
1432 bytes from 2a02:e980:46::13: icmp_seq=1 ttl=58 time=35.7 ms
1432 bytes from 2a02:e980:46::13: icmp_seq=2 ttl=58 time=36.3 ms
1432 bytes from 2a02:e980:46::13: icmp_seq=3 ttl=58 time=35.5 ms

--- kb.vmware.com ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2002ms
rtt min/avg/max/mdev = 35.591/35.908/36.388/0.378 ms


All IPv6-enabled hosts in the network are affected. Still, all other IPv6 sites except kb.vmware.com and blogs.vmware.com work fine.
Trying to set the tunnel MTU to a lower or higher value didn't help either.

xy16644

So far the only way I can browse the VMware blogs and kb websites is to untick IPv6 in Windows temporarily which is a real pain as I have to often visit the Knowledgebase website.

I've tried a variety of MTU values on the HE tunnel in the advanced options and in pfense but nothing has helped.

Can someone from HE maybe provide an explanation or offer some advice please?  :)

alebic

Starting to think this is a problem with VMware rather than HE.

IPv6 doesn't seem to work at all on these sites. Had the same problems occur on native dual stack connections. Only the fallback to IPv4 seems to work better so they it's not as noticeable. This could be due to a different router (FritzBox instead of pfSense) though.

On Linux the problem is actually reproducible using this command:
wget -6 https://kb.vmware.com
This should download the homepage of the knowledge base on IPv6. The command actually times out on every IPv6 connection I've tried so far.
I've actually contacted VMware about this situation a few days ago but haven't heard back since.

In the meantime I've manged to find a workaround in pfSense (as long as unbound is used for DNS):
Within the pfSense Web GUI go to Services -> DNS Resolver -> Display Custom Options. Enter the following in the appearing text field:
Warning! These settings are probably not complying with various RFCs and DNS specs. Use with caution, since it could potentially break some clients!
server:
local-zone: kb.vmware.com. typetransparent
local-data: "kb.vmware.com. AAAA ::"
local-zone: blogs.vmware.com. typetransparent
local-data: "blogs.vmware.com. AAAA ::"


These options tell unbound to answer with an all-zeros IPv6 address when mentioned sites are queried. This seems to force most clients to fallback to IPv4 for these sites almost immediately. (The correct way in regards to RFCs would be to return no answer here (hence the warning), but that seems to require an additional DNS server like bind.)

xy16644

Something rather strange happened today...I could browse the VMware blog for the first time with IPv6 enabled on my machine. Before I had to disable IPv6 on my desktop to browse this website.

Maybe VMware changed something?