• Welcome to Hurricane Electric's IPv6 Tunnel Broker Forums.

Tunnel unreachable after a couple of minutes

Started by cvanmeer, October 22, 2012, 07:52:12 AM


cvanmeer

Hi all,

My situation:

- WAN (Ubee modem) -> Cisco 1841 version 12.4(25g) -> LAN

The Cisco is set up as the DMZ host on the modem.
I have my HE tunnel set up as follows:


!
interface Tunnel0
 description Hurricane Electric IPv6 Tunnel Broker
 no ip address
 ipv6 address 2001:470:6C:334::2/64
 ipv6 enable
 ipv6 traffic-filter ipv6-inet-in-he in
 ipv6 inspect cbac-ipv6 out
 ipv6 virtual-reassembly
 tunnel source FastEthernet0/0
 tunnel destination 216.66.86.114
 tunnel mode ipv6ip
!
ipv6 route ::/0 Tunnel0
!
end


All setup and I can ping and resolve my server IPv6 address (2001:470:6C:334::1) and other IPv6 addresses from LAN -> WAN.
When I try to ping my client IPv6 address (2001:470:6C:334::2) from a remote location, I get a ping timeout.

Then by coincidence I discovered that when I ping my server IPv6 from the cisco, from that moment on, I can ping my client IPv6 from the remote location. But after a couple of minutes, that connection seems broken. So it seems that my tunnel is being disconnected somehow. Then I ping the server IPv6 and my client IPv6 is reachable again from the remote location. I don't see logging events about this in my Cisco.

Does anybody know why this could happen and how I could resolve this issue?

Kind regards,

Chris

cholzhauer

Normally it's a NAT issue where the firewall closes the connection to the tunnel server. One way around this is to set up a ping that runs every so often and keeps the connection open.

cvanmeer

Ok, sounds plausible.
I know that Cisco has ip sla monitor but that only allows me to do a scheduled IPv4 ping...

broquea

Try setting an IPv6 host/ip as your time server, and use ntp as the keepalive?

cvanmeer

I created a crontab entry on my server that pings the broker's IPv6 end every minute. That seems to help my connection stay up. Thanks for the help.
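
The keepalive described in the posts above, as an added example that is not part of the original thread: a cron-driven probe of the tunnel's server end that also records up/down transitions, since the router itself logged nothing when the NAT state expired. The state file path, the syslog tag and the `--run` argument are assumptions, and the `ping6 -c 1 -W 2` options assume Linux iputils.

```shell
#!/bin/sh
# Added example (not from the thread): keepalive for a 6in4 tunnel behind NAT.
# Suggested crontab entry, matching the one-minute interval from the post:
#   * * * * * /usr/local/sbin/he-keepalive.sh --run

# Server end of the tunnel, as given in the first post.
TUNNEL_PEER="${TUNNEL_PEER:-2001:470:6C:334::1}"
# Hypothetical location for the last observed state.
STATE_FILE="${STATE_FILE:-/var/run/he-tunnel.state}"
# Assumption: iputils ping6; use "ping -6" where ping6 is not installed.
PING_CMD="${PING_CMD:-ping6}"

# One echo request with a 2 second timeout. The outbound protocol-41 packet
# is what refreshes the NAT/firewall state on the modem.
probe() {
    $PING_CMD -c 1 -W 2 "$TUNNEL_PEER" >/dev/null 2>&1
}

# Probe once, log only when the state changes, and print the current state.
keepalive() {
    prev=$(cat "$STATE_FILE" 2>/dev/null || true)
    [ -n "$prev" ] || prev=unknown

    if probe; then now=up; else now=down; fi

    if [ "$now" != "$prev" ]; then
        msg="tunnel peer $TUNNEL_PEER changed state: $prev -> $now"
        # Syslog gives a timeline of drops to compare with the NAT idle timeout.
        if command -v logger >/dev/null 2>&1; then
            logger -t he-tunnel "$msg" >/dev/null 2>&1 || true
        fi
    fi

    echo "$now" > "$STATE_FILE"
    echo "$now"
}

# Only act when invoked with --run, so the file can also be sourced.
if [ "${1:-}" = "--run" ]; then
    keepalive >/dev/null
fi
```

If the log shows repeated up/down transitions even with a one-minute interval, the drops are not explained by an idle timeout alone.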

sttun

One question: why don't you bridge the Ubee modem and let the Cisco take care of the internet connection?

cvanmeer

Quote from: sttun on October 25, 2012, 10:16:24 AM
One question: why don't you bridge the Ubee modem and let the Cisco take care of the internet connection?
Still a bit reluctant to do that. And I don't know if my ISP (Ziggo) will cooperate with that.

sttun

Quote from: cvanmeer on October 25, 2012, 10:31:46 AM
Still a bit reluctant to do that. And I don't know if my ISP (Ziggo) will cooperate with that.
Well, contact them and ask; worst case is that they will say "It's unsupported but possible", in which case it's up to you.
Does your ISP use PPPoE? If they do, check that your IOS supports it, and contact your ISP and ask to get the PPPoE username and password, as these may differ from other accounts you have with them.
A plus with doing all this is that you eliminate one layer of NAT, or let the Cisco, which I suspect is better at it, handle the NAT. Also, since the Cisco will have your public IP on the WAN port, things like IPsec VPN termination (again depending on your IOS version and licence) will be a bit more straightforward.

Sorry if I stated a lot of obvious things here, but since I don't know your experience (being an eager amateur myself), I prefer to add as much detail as possible to avoid anyone messing up anything on the basis of my posts.

Note on language: I'm not a native English speaker (surprise surprise, right :) ), so there will be quite a few errors (thank god for spell checkers). If the errors make my post difficult to read, please ask for a clarification and I'll do my best.

cvanmeer

That's ok, I'm not a native speaker myself ;)
I'll give them a ring later this morning, see what they'll have to say.

cvanmeer

I rang them up this morning and guess what?
They can't do it right now because of an error in their system... they can put the modem into bridge mode, but then the modem wouldn't come online afterwards... so I guess I'll have to wait until they resolve this glitch in their system. LOL

sttun

Well, an ISP screwing up their systems, that never happened before lol. Hope they get it sorted so you can get on with testing my suggestion; hope it helps you to get a stable tunnel. Report back when you have tested for a bit, and have a nice evening :)

cvanmeer

No real need to put the router into bridge mode anymore.
I deleted my original tunnel (that was hosted in Germany) and created a new one, that is hosted in Amsterdam, and that seemed to have fixed my tunnel problem.
I'm a happy IPv6 camper now :)