• Welcome to Hurricane Electric's IPv6 Tunnel Broker Forums.

Can send, but no longer able to receive packets through tunnel

Started by holmosapien, February 14, 2014, 02:04:24 PM


holmosapien

This is a weird one. The HE guys are sharp and always on top of things, and I don't see any alerts or complaints, so I'm sure this has to be something on my end, but I might as well ask, right?

My tunnel to dal1 has been working great for years, but since this morning at 1:10 AM I can no longer receive traffic. My MRTG graphs immediately went flat. Testing with ping6 and tcpdump on the source and target systems, I see the echo request go out, the target receives the request and replies with an echo reply, but my end never sees that reply make it back. I don't even see the protocol 41 encapsulation coming in on the ethernet interface.

It's possible that my provider (AT&T U-verse) is doing something with the traffic, but it seems odd that it would only be the inbound half that's broken.  I wouldn't be surprised if they had something to do with that since they filter all protocol 41 traffic on the 3801HGV, but I swapped that out a couple months ago with an NV589 specifically to address that.

My side of the endpoint is a Linux system behind a Linksys/DD-WRT router behind the RG in pass-through mode. Even though it's served me well for a long time, my plan this weekend is to connect the Linux system directly to the RG just to remove one piece of complexity for quick testing.

Anyone else seeing anything like this?

tdavis


holmosapien

Brilliant. Thanks for the confirmation.

Disappointing, but at least you saved me a lot of time rearranging my network.

troz

Seriously, they screw up their configuration and/or load buggy software on their routers, but instead of reverting those changes, they just leave it broken for months.  Until they're fined billions for their a**hattery, they aren't going to care.

And yes, they are actively interfering with protocol 41 inbound:

% traceroute -P 41 23.116...
...
10  cr1.ormfl.ip.att.net (12.122.5.185)  53.487 ms  51.790 ms  51.938 ms
11  cr2.attga.ip.att.net (12.122.31.29)  51.487 ms  51.765 ms  51.936 ms
12  cr1.rlgnc.ip.att.net (12.122.30.81)  51.989 ms  51.803 ms  51.440 ms
13  12.123.138.101 (12.123.138.101)  50.986 ms  51.743 ms  51.939 ms
14  * * *
(etc.)

Other protocols fly right through.

[edit] It would be very nice if "gre ip" were allowed (proto-47), as it's the only other way for it to work -- other than IPsec.  I understand their PPTP tests did not go well, but that was a while ago. I would hope HE is using newer hardware and software.
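The check described in the first post (echo requests leave inside protocol 41, nothing comes back on the wire) can be run over a capture, shown here as an added example that is not part of the thread or any poster's code. It assumes raw IPv4 packets as input; the endpoint addresses are documentation placeholders and the sample packets are constructed.

```python
import socket
import struct
from collections import Counter

PROTO_6IN4 = 41          # IPv6 carried directly in IPv4 (the tunnel encapsulation)
NEXT_ICMPV6 = 58
ECHO = {128: "echo-request", 129: "echo-reply"}

def classify(pkt, local_v4, remote_v4):
    """Return (direction, kind) for a 6in4 packet between the two tunnel
    endpoints, or None for anything else. pkt is a raw IPv4 packet."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4 or pkt[9] != PROTO_6IN4:
        return None
    ihl = (pkt[0] & 0x0F) * 4                      # IPv4 header length in bytes
    src, dst = socket.inet_ntoa(pkt[12:16]), socket.inet_ntoa(pkt[16:20])
    if (src, dst) == (local_v4, remote_v4):
        direction = "out"
    elif (src, dst) == (remote_v4, local_v4):
        direction = "in"
    else:
        return None
    inner = pkt[ihl:]                              # encapsulated IPv6 packet
    kind = "other"
    if len(inner) > 40 and inner[0] >> 4 == 6 and inner[6] == NEXT_ICMPV6:
        kind = ECHO.get(inner[40], "other")        # ICMPv6 type follows the 40-byte header
    return direction, kind

def summarize(packets, local_v4, remote_v4):
    """Count tunnel packets per (direction, kind); flag outbound-only traffic."""
    counts = Counter(filter(None, (classify(p, local_v4, remote_v4) for p in packets)))
    dirs = {d for d, _ in counts}
    return counts, dirs == {"out"}

def build(src4, dst4, icmp_type):
    """Constructed sample: IPv4 / IPv6 / ICMPv6 echo, checksums left zero."""
    icmp = struct.pack("!BBHHH", icmp_type, 0, 0, 1, 1)
    v6 = struct.pack("!IHBB", 6 << 28, len(icmp), NEXT_ICMPV6, 64) + bytes(32) + icmp
    v4 = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(v6), 0, 0, 64, PROTO_6IN4, 0,
                     socket.inet_aton(src4), socket.inet_aton(dst4))
    return v4 + v6

LOCAL, SERVER = "192.0.2.10", "198.51.100.1"   # placeholder addresses, not real endpoints
CAPTURE = [build(LOCAL, SERVER, 128)] * 3      # constructed: requests leave, no replies

if __name__ == "__main__":
    print(summarize(CAPTURE, LOCAL, SERVER))
```

A capture taken on the outside interface of the tunnel host is the useful input; behind a NAT router the local address is the host's private address as seen in that capture.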