• Welcome to Hurricane Electric's IPv6 Tunnel Broker Forums.

Unable to reach opensuse.org

Started by JNelsonHE1, July 06, 2012, 12:29:01 PM

Previous topic - Next topic

JNelsonHE1

I've had a tunnel through tunnel broker for some time. With one exception, it works great.
For some reason, I can't get at www.opensuse.org (via IPv6).   I can traceroute6 to it just fine, ping6 it, etc...
Every other IPv6 site (seems) to work for me, but not that one. I always get connection timed out. I'm on openSUSE 12.1 x86_64.

Any thoughts?

broquea

Doesn't appear to be listening for HTTP on 2600:806:310::100. I've tried connecting from both native HE and native Comcast. Never connects.

jtcloe

I just brought it up in a web browser, IPv6 via HE tunnel, just fine.

Here's the IP's it hit:

http://www.opensuse.org2600:806:310::100
https://ssl.gstatic.com2607:f8b0:4009:803::100f
http://static.opensuse.org2001:67c:2178:8::18
http://beans.opensuse.org2001:67c:2178:8::21
http://counter.opensuse.org2001:67c:2178:8::16

kasperd

I cannot access the site over IPv4 or IPv6:$ ./traceroute6 www.opensuse.org
traceroute to www.opensuse.org (2600:806:310::100), 30 hops max, 80 byte packets
1  2001:470:1f0b:1e45:1f9c:c1d2:c8b6:9008  0.156 ms  0.169 ms  0.211 ms
2  2001:470:1f0a:1e45::1  43.277 ms  48.146 ms  53.675 ms
3  2001:470:0:69::1  63.088 ms  33.637 ms  44.755 ms
4  2001:470:0:1d2::1  86.652 ms  87.535 ms  82.236 ms
5  2001:470:0:128::1  122.857 ms  131.373 ms  131.700 ms
6  2001:504:f::64  118.755 ms  119.398 ms  129.933 ms
7  2600:806:31f::2  192.304 ms  208.713 ms  209.848 ms
8  2600:806:31f::2  209.070 ms  209.121 ms  208.922 ms
9  2600:806:310::100  217.827 ms  181.419 ms  181.778 ms
$ wget --connect-timeout 5 -O /dev/null http://www.opensuse.org/
--2012-07-08 11:31:31--  http://www.opensuse.org/
Resolving www.opensuse.org... 130.57.4.24, 2600:806:310::100
Connecting to www.opensuse.org|130.57.4.24|:80... failed: Connection timed out.
Connecting to www.opensuse.org|2600:806:310::100|:80... failed: Connection refused.
$

kasperd

Quote from: kasperd on July 08, 2012, 02:34:50 AMI cannot access the site over IPv4 or IPv6
I checked again. Now I am able to access the site over IPv4. However over IPv6 I am no longer able to get any response from the server.

Where I previously got connection refused over IPv6 I now get timeout. When looking at the network traffic I noticed something really weird. When I send TCP SYN packets to 2600:806:310::100 I get some packets back from a different IP address on that network. I actually receive neighbor solicitation messages from 2600:806:310::10.

Neighbor solicitation messages are only supposed to be sent to peers on directly attached links. I am nine hops away from that network, so there is no way I should receive those messages.

That's not a fault of the intermediate routers. They just forward the packet as they are supposed to without ever paying attention to the ICMPv6 payload. But the originating system shouldn't be sending me those neighbor solicitation messages.

The fact that I can still traceroute the IP address with no problems and the fact that the spurious messages originate from a different address in their network makes me think some load balancing system is involved. I am wondering if they could have made a mistake in the configuration of the netmask on some prefix causing the spurious neighbor solicitation messages.

But 2600:800::/27 and 2001:470::/32 only match on the first five bits. That would be a really strange misconfiguration. Did somebody perhaps configure a host to think it has a direct link to 2000::/3? Would a router actually forward the neighbor solicitation messages if they are send to an anycast MAC address?

The hop limit on the neigbor solicitation messages I receive make me think it must have been 255 when sent from the source.

I am tempted to reply to the neighbor solicitation messages with a MAC address of 33:33:00:00:00:02 just to see if that would actually make the communication with the webserver work.

JNelsonHE1

Would you think that this is a misconfiguration somewhere on opensuse.org's part, or something else in-between?


kasperd

Quote from: JNelsonHE1 on July 10, 2012, 09:41:15 AMWould you think that this is a misconfiguration somewhere on opensuse.org's part, or something else in-between?
I guess it is a misconfiguration on their part. I think it is a misconfiguration on the server itself, a load balancer in front of it, or a router directly connected to one of the two.

I can't imagine how the symptoms I see could possibly have been caused by a misconfiguration of the network somewhere between me and their network.