Hurricane Electric's IPv6 Tunnel Broker Forums


Topic: Administrator certification test question (RESOLVED)

yurko

« on: May 30, 2013, 12:30:36 PM »

I reached the Administrator certification test.
My mail server has been installed and configured to support ipv6, DNS AAAA and MX records are fine, port 25 is not restricted by a firewall for both ipv4 and ipv6 protocols.
I'm able to send mails to my test address using telnet to ipv6 address port 25 from a different local ipv6 box.

If I open the test page (http://ipv6.he.net/certification/cert-main.php) and try to go through the Administrator test:
 - step 1 - code generated;
 - step 2 - email address entered;
 - step 3 - pressing button "Send It!" and watching spinning sign... the spinning never ends :(
The arrows sign keeps spinning for hours with no results, tcpdump on ipv6 interface never showed any activity.
I tried to use different browsers (mac Safari, mac Chrome and some win7 IE), also tried to log into the test page from both ipv4 and ipv6 networks, nothing changed.

How long did it take for you - wait through spinning sign to get some results?

Any ideas what I'm doing wrong or what the problem is?
« Last Edit: June 02, 2013, 12:59:36 PM by yurko »

cholzhauer

Re: Administrator certification test question
« Reply #1 on: May 30, 2013, 12:51:53 PM »

Some more information like domain info might help.

It should respond pretty quickly

yurko

Re: Administrator certification test question
« Reply #2 on: May 30, 2013, 01:04:28 PM »

Quote
Some more information like domain info might help.
It should respond pretty quickly

Sure.
Client IPV6 address: 2001:470:7:80b::2/64
Routed /64: 2001:470:8:80b::/64

From my side tunnel is on linux server, tunnel ipv6 my side is 2001:470:7:80b::2, eth1 (internal net) has 2001:470:8:80b::1, both IPs answer on port 25.
Before I tried to use 2001:470:7:80b::2 as AAAA for name with MX configured, now I re-configured it to use 2001:470:8:80b::1 instead (not propagated to HE name servers yet).
Email address for my test: yurko@ipv6.yurko.net
So far HE name servers answer:
Code:
# dig @2001:470:20::2 mx ipv6.yurko.net +short
1 ipv6.yurko.net.
# dig @2001:470:20::2 aaaa ipv6.yurko.net +short
2001:470:7:80b::2

Unfortunately, as I understand, I cannot test connection to my ipv6 port 25 from a remote ipv6 address, because it's filtered by HE, according to last question at http://ipv6.he.net/certification/faq.php

kasperd

  • Founder, Netiter ApS
Re: Administrator certification test question
« Reply #3 on: May 30, 2013, 04:39:15 PM »

The last thread I saw where a user had problems with that test, it turned out that one of the issues was that some old DNS records were cached. If you changed any DNS records during the certification test, it might be that HE still has old DNS records cached.

How long has it been since you last modified some of the DNS records relevant to a server sending email to that domain?

Quote
Unfortunately, as I understand, I cannot test connection to my ipv6 port 25 from a remote ipv6 address

You can if the remote end is cooperating a little bit. One possibility is to run a Teredo relay on your own gateway, then if the remote end is on a Teredo address, it will work. Another possibility is to manually configure another tunnel between your server and the remote end, which needs to reach your SMTP port.

Before you try any of those changes you should take a look at a dump of the tunnelled IPv6 traffic arriving on your network. You can dump it with tcpdump or equivalent. Then look for any SYN packets for port 25 when you try to run the test again.

yurko

Re: Administrator certification test question
« Reply #4 on: May 31, 2013, 11:59:48 AM »

Quote
The last thread I saw where a user had problems with that test, it turned out that one of the issues was that some old DNS records were cached. If you changed any DNS records during the certification test, it might be that HE still has old DNS records cached.

Yes, it may be the issue. However the specified HE name servers (2001:470:20::2 and 74.82.42.42) already have up-to-date DNS data.

Quote
How long has it been since you last modified some of the DNS records relevant to a server sending email to that domain?

Still under 48 hours.

Quote
Before you try any of those changes you should take a look at a dump of the tunnelled IPv6 traffic arriving on your network. You can dump it with tcpdump or equivalent. Then look for any SYN packets for port 25 when you try to run the test again.

I specified in my previous messages that tcpdump shows no port 25 traffic going through IPv6-in-IPv4 tunnel interface.

And yes, I am able to send mails inside my local Dualstack network to ipv6-only-MX mail server.
And test page still showing never ending spinning image... :(

broquea

  • Sr. Network Engineer, HE.NET AS6939
  • Administrator
Re: Administrator certification test question
« Reply #5 on: May 31, 2013, 12:27:21 PM »

Quote
Yes, it may be the issue. However the specified HE name servers (2001:470:20::2 and 74.82.42.42) already have up-to-date DNS data.

And yet, the open recursor is still not the local recursor running on the machine :)

kasperd

  • Founder, Netiter ApS
Re: Administrator certification test question
« Reply #6 on: May 31, 2013, 02:13:53 PM »

Quote
I specified in my previous messages that tcpdump shows no port 25 traffic going through IPv6-in-IPv4 tunnel interface.

I missed that. I think it is more interesting to look at the traffic on the IPv4 interface, sometimes that will reveal something, which you would not see from the decapsulated IPv6 packets. Though in your particular case, it might not make any difference.

Quote
And test page still showing never ending spinning image..

Would be nice, if it would tell you what it is trying to do. For example it should tell you, which IPv6 address it is trying to connect to.

Your options right now are:
  • Wait for DNS cache to expire.
  • Send an email to HE and ask them for more detail about why exactly the test is hanging.
  • Send an email to HE and request the DNS cache gets flushed.
  • Create a feature request to have the test page provide a bit more information on what it is trying to do.
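
An added example, not part of the thread: a sketch of the check discussed above, looking on the IPv4 side for a 6in4 (IP protocol 41) packet that carries a TCP SYN to port 25. The function names and the sample packet (192.0.2.1, 198.51.100.1, 2001:db8::1) are constructed for illustration; it assumes raw IPv4 packets with no link-layer header and no IPv6 extension headers.

```python
import ipaddress
import struct

PROTO_6IN4 = 41  # IPv4 protocol number for encapsulated IPv6
NH_TCP = 6       # IPv6 next-header value for TCP

def find_tunnelled_syn(packet: bytes, port: int = 25):
    """Return (inner_src, inner_dst) if packet is 6in4 carrying a bare
    TCP SYN to `port`, else None. Checksums are not verified."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return None
    ihl = (packet[0] & 0x0F) * 4          # IPv4 header length incl. options
    if ihl < 20 or packet[9] != PROTO_6IN4:
        return None
    inner = packet[ihl:]
    if len(inner) < 40 + 20 or inner[0] >> 4 != 6:
        return None
    if inner[6] != NH_TCP:                # assumption: no extension headers
        return None
    src = ipaddress.IPv6Address(inner[8:24])
    dst = ipaddress.IPv6Address(inner[24:40])
    tcp = inner[40:]
    dport = struct.unpack("!H", tcp[2:4])[0]
    syn_only = tcp[13] & 0x12 == 0x02     # SYN set, ACK clear
    return (str(src), str(dst)) if dport == port and syn_only else None

def build_sample(dport: int, flags: int) -> bytes:
    """Constructed 6in4 packet (zero checksums) for offline testing."""
    tcp = struct.pack("!HHIIBBHHH", 40000, dport, 1, 0, 5 << 4, flags,
                      65535, 0, 0)
    ip6 = struct.pack("!IHBB", 6 << 28, len(tcp), NH_TCP, 64)
    ip6 += ipaddress.IPv6Address("2001:db8::1").packed        # constructed
    ip6 += ipaddress.IPv6Address("2001:470:7:80b::2").packed  # from the thread
    ip4 = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(ip6) + len(tcp),
                      0, 0, 64, PROTO_6IN4, 0,
                      ipaddress.IPv4Address("192.0.2.1").packed,
                      ipaddress.IPv4Address("198.51.100.1").packed)
    return ip4 + ip6 + tcp

if __name__ == "__main__":
    print(find_tunnelled_syn(build_sample(25, 0x02)))  # SYN to port 25
    print(find_tunnelled_syn(build_sample(25, 0x12)))  # SYN+ACK, ignored
```

If the tunnel server drops the SMTP connection attempt before encapsulation, as turned out to be the case later in this thread, no such packet arrives on either interface.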

yurko

Re: Administrator certification test question
« Reply #7 on: June 01, 2013, 10:44:27 AM »

Thank you all guys!

I emailed HE and after a couple of mails back and forth got the following answer:
Quote
Please try again.  Looks like a rule was being triggered too soon in the
blocks on that tunnel server.  Should be fine now.
Which means that actually port 25 was blocked from HE side of the tunnel by mistake or due to a bug.

After that I was able to finish all my certifications till the very last level with no problems.

Thank you all again and have a great weekend!