Welcome to Hurricane Electric's IPv6 Tunnel Broker Forums.

Enthusiast: at a loss HE -> Webserver

Started by Izzin, May 09, 2010, 07:18:09 PM


Izzin

Ok,

As much as I hate to do this, I have to ask for assistance.
I have my domain established, I have apache working.

I have the host pingable via HE's tools.

I can grab my file locally; I even see HE hit my web server, but I never see HE send a GET request.

Working Request from my own network: (FYI, another security zone via a juniper SRX -- from zone desktops to zone dmz --)
20:56:13.344491 IP6 2001:470:c244:0:8d7f:bec5:2eb5:7514.54202 > ipv6.psitronic.net.www: Flags [S], seq 2017715871, win 8192, options [mss 1440,nop,wscale 2,nop,nop,sackOK], length 0
20:56:13.344519 IP6 ipv6.psitronic.net.www > 2001:470:c244:0:8d7f:bec5:2eb5:7514.54202: Flags [S.], seq 669711399, ack 2017715872, win 5760, options [mss 1440,nop,nop,sackOK,nop,wscale 6], length 0
20:56:13.345873 IP6 2001:470:c244:0:8d7f:bec5:2eb5:7514.54202 > ipv6.psitronic.net.www: Flags [.], ack 1, win 16560, length 0
20:56:13.345926 IP6 2001:470:c244:0:8d7f:bec5:2eb5:7514.54202 > ipv6.psitronic.net.www: Flags [P.], seq 1:421, ack 1, win 16560, length 420
20:56:13.345957 IP6 ipv6.psitronic.net.www > 2001:470:c244:0:8d7f:bec5:2eb5:7514.54202: Flags [.], ack 421, win 107, length 0
20:56:13.346894 IP6 ipv6.psitronic.net.www > 2001:470:c244:0:8d7f:bec5:2eb5:7514.54202: Flags [P.], seq 1:212, ack 421, win 107, length 211
20:56:13.552939 IP6 2001:470:c244:0:8d7f:bec5:2eb5:7514.54202 > ipv6.psitronic.net.www: Flags [.], ack 212, win 16507, length 0
20:56:15.423398 IP6 ipv6.psitronic.net.www > ipv6.he.net.36015: Flags [S.], seq 2019319429, ack 2016682775, win 5712, options [mss 1440,sackOK,TS val 9867790 ecr 316640389,[|tcp]>
20:56:28.353000 IP6 ipv6.psitronic.net.www > 2001:470:c244:0:8d7f:bec5:2eb5:7514.54202: Flags [F.], seq 212, ack 421, win 107, length 0
20:56:28.353474 IP6 2001:470:c244:0:8d7f:bec5:2eb5:7514.54202 > ipv6.psitronic.net.www: Flags [.], ack 213, win 16507, length 0
20:56:33.347928 IP6 2001:470:c244:0:8d7f:bec5:2eb5:7514.54202 > ipv6.psitronic.net.www: Flags [R.], seq 421, ack 213, win 0, length 0


HE's request: ( -- from zone vpn to zone dmz -- )
21:02:46.635195 IP6 ipv6.he.net.60909 > ipv6.psitronic.net.www: Flags [S], seq 3147558144, win 5760, options [mss 1440,sackOK,TS val 316743741 ecr 0,[|tcp]>
21:02:46.635240 IP6 ipv6.psitronic.net.www > ipv6.he.net.60909: Flags [S.], seq 3130302941, ack 3147558145, win 5712, options [mss 1440,sackOK,TS val 9965592 ecr 316743741,[|tcp]>
21:02:49.631856 IP6 ipv6.he.net.60909 > ipv6.psitronic.net.www: Flags [S], seq 3147558144, win 5760, options [mss 1440,sackOK,TS val 316744491 ecr 0,[|tcp]>
21:02:49.631882 IP6 ipv6.psitronic.net.www > ipv6.he.net.60909: Flags [S.], seq 3130302941, ack 3147558145, win 5712, options [mss 1440,sackOK,TS val 9966342 ecr 316743741,[|tcp]>
21:02:50.231394 IP6 ipv6.psitronic.net.www > ipv6.he.net.60909: Flags [S.], seq 3130302941, ack 3147558145, win 5712, options [mss 1440,sackOK,TS val 9966492 ecr 316743741,[|tcp]>
21:02:55.634406 IP6 ipv6.he.net.60909 > ipv6.psitronic.net.www: Flags [S], seq 3147558144, win 5760, options [mss 1440,sackOK,TS val 316745991 ecr 0,[|tcp]>
21:02:55.634426 IP6 ipv6.psitronic.net.www > ipv6.he.net.60909: Flags [S.], seq 3130302941, ack 3147558145, win 5712, options [mss 1440,sackOK,TS val 9967842 ecr 316743741,[|tcp]>
21:02:56.231394 IP6 ipv6.psitronic.net.www > ipv6.he.net.60909: Flags [S.], seq 3130302941, ack 3147558145, win 5712, options [mss 1440,sackOK,TS val 9967992 ecr 316743741,[|tcp]>
21:03:08.231405 IP6 ipv6.psitronic.net.www > ipv6.he.net.60909: Flags [S.], seq 3130302941, ack 3147558145, win 5712, options [mss 1440,sackOK,TS val 9970992 ecr 316743741,[|tcp]>
21:03:32.431405 IP6 ipv6.psitronic.net.www > ipv6.he.net.60909: Flags [S.], seq 3130302941, ack 3147558145, win 5712, options [mss 1440,sackOK,TS val 9977042 ecr 316743741,[|tcp]>
21:04:20.631406 IP6 ipv6.psitronic.net.www > ipv6.he.net.60909: Flags [S.], seq 3130302941, ack 3147558145, win 5712, options [mss 1440,sackOK,TS val 9989092 ecr 316743741,[|tcp]>


Any guidance will be greatly appreciated; I only see one side of the traffic.

From my webserver, apache2, ubuntu server 10.04
tcpdump -i  eth0 port 80

--Izz
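The two captures above differ in one packet: in the working flow the client's ACK arrives right after the SYN-ACK and data follows, while in the HE flow the server keeps retransmitting the same SYN-ACK and no ACK from HE ever shows up, which is the signature of replies being dropped on the return path rather than of a blocked inbound request. The following Python script, added here as an example and not part of this thread, parses tcpdump "IP6 ... Flags [..]" lines and classifies each TCP handshake as complete, half-open (SYN-ACK retransmitted with no client ACK) or unanswered. The hostnames and sequence numbers in SAMPLE_CAPTURE are constructed for the example.

```python
import re
from dataclasses import dataclass

# Only the prefix of a tcpdump TCP line is needed; seq/win/options and the
# truncated "[|tcp]>" tail seen in some captures are deliberately ignored.
LINE_RE = re.compile(
    r'^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+) IP6 (?P<src>\S+) > (?P<dst>\S+): '
    r'Flags \[(?P<flags>[^\]]*)\]'
)


@dataclass
class Handshake:
    client: str            # endpoint that sent the SYN, as tcpdump prints it (host.port)
    server: str
    syn: int = 0           # SYNs seen from the client (retries included)
    synack: int = 0        # SYN-ACKs seen from the server (retransmits included)
    ack_seen: bool = False # did the client's third-packet ACK ever appear?

    def verdict(self) -> str:
        if self.ack_seen:
            return "complete"
        if self.synack >= 2:
            return "half-open: SYN-ACK retransmitted, client ACK never seen (reply path blocked?)"
        if self.syn and not self.synack:
            return "unanswered: no SYN-ACK from server"
        return "incomplete"


def analyse(lines):
    """Group tcpdump lines into handshakes keyed by (client, server) endpoint pair."""
    handshakes = {}
    for line in lines:
        m = LINE_RE.match(line)
        if m is None:
            continue  # not a TCP line we understand (e.g. ICMPv6, or truncated)
        src, dst, flags = m['src'], m['dst'], m['flags']
        if flags == 'S':
            handshakes.setdefault((src, dst), Handshake(src, dst)).syn += 1
        elif flags == 'S.':
            hs = handshakes.get((dst, src))      # reverse direction: server -> client
            if hs is not None:
                hs.synack += 1
        elif '.' in flags and 'R' not in flags:  # any ACK-bearing packet from the client, but not a RST
            hs = handshakes.get((src, dst))
            if hs is not None and hs.synack:
                hs.ack_seen = True
    return handshakes


def verdicts(lines):
    """Human-readable summary: 'client -> server' -> verdict string."""
    return {f"{hs.client} -> {hs.server}": hs.verdict() for hs in analyse(lines).values()}


# Constructed sample modelled on the two captures in the post: one working flow
# from the local network, one flow from an external prober whose ACK never arrives.
SAMPLE_CAPTURE = """\
20:56:13.344491 IP6 2001:db8:1::10.54202 > web.example.www: Flags [S], seq 100, win 8192, options [mss 1440,sackOK], length 0
20:56:13.344519 IP6 web.example.www > 2001:db8:1::10.54202: Flags [S.], seq 500, ack 101, win 5760, options [mss 1440,sackOK], length 0
20:56:13.345873 IP6 2001:db8:1::10.54202 > web.example.www: Flags [.], ack 1, win 16560, length 0
20:56:13.345926 IP6 2001:db8:1::10.54202 > web.example.www: Flags [P.], seq 1:421, ack 1, win 16560, length 420
21:02:46.635195 IP6 probe.example.60909 > web.example.www: Flags [S], seq 300, win 5760, options [mss 1440,sackOK,TS val 1 ecr 0,[|tcp]>
21:02:46.635240 IP6 web.example.www > probe.example.60909: Flags [S.], seq 700, ack 301, win 5712, options [mss 1440,sackOK,TS val 2 ecr 1,[|tcp]>
21:02:49.631856 IP6 probe.example.60909 > web.example.www: Flags [S], seq 300, win 5760, options [mss 1440,sackOK,TS val 3 ecr 0,[|tcp]>
21:02:49.631882 IP6 web.example.www > probe.example.60909: Flags [S.], seq 700, ack 301, win 5712, options [mss 1440,sackOK,TS val 4 ecr 1,[|tcp]>
21:02:50.231394 IP6 web.example.www > probe.example.60909: Flags [S.], seq 700, ack 301, win 5712, options [mss 1440,sackOK,TS val 5 ecr 1,[|tcp]>
""".splitlines()

if __name__ == "__main__":
    for flow, verdict in verdicts(SAMPLE_CAPTURE).items():
        print(f"{flow}: {verdict}")
```

Feed it a real capture with `tcpdump -i eth0 -n port 80 | python3 handshakes.py` style piping (reading `sys.stdin` instead of SAMPLE_CAPTURE); a server that answers every SYN but piles up "half-open" verdicts for outside clients, while local clients complete, points at the firewall or tunnel dropping the outbound reply, which is exactly what the stateless tunnel interface in this thread turned out to be doing.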

cholzhauer

I think it's a firewall problem?

I can get the IPv6 address of your host, but I'm not able to browse to your site (I get a timeout)

You can look for my traffic and see if what you see from me is the same as you saw from HE.


Izzin

I see you come in, yes. Identical scenario.

--Izz

cholzhauer

Has to be a firewall issue...do you have some way to remove the firewall/segmentation from the scenario and try again?

Izzin

Resolved the issue.

It happened to be an issue with the SRX210 I was using.

A friend and I locked it into an issue, the tunnel interface was originally ipip.0.

In using this interface, anything traversing it was stateless.
With changing it to ip-0/0/0.0, the traffic became stateful, and Enthusiast was obtained.

--Izz

snarked

It appears that you allow packets to come in, but are you allowing the replies to go out?

jimb

You wouldn't be the first person to run into problems w/ the SRX series and IPv6 tunnels.  Owen DeLong of HE had some issues too.  He's not on here, but u might want to hit him up on the NANOG list.  His setup is way more complicated than yours probably is though.  :P

Izzin

It's all good, it is resolved now.

In 10.2 beta code, stateful firewall is now functional on branch srx.

It just happened to be an issue with the tunnel interface, ipip.0 no work, ip-0/0/0.0 works.

In checking back with juniper, it was found that ipip will be the cluster based interface, where ip-0/0/0 will be viable in single mode.

However, this is beta code, all subject to change.

The end result, time to wait for dns ttl to expire ;)

--Izz

DSSJMS

I am having the same issue as the original post. I did verify my configuration is using ip-0/0/0.0, with the same results when I run a tcpdump on my server.  Here is a copy of my current configuration file on my SRX 220.



interfaces {
    ge-0/0/0 {
        description Main_External_Interface;
        unit 0 {
            description External_unit;
            family inet {
                address 70.88.135.217/28;
            }
        }
    }
    ip-0/0/0 {
        unit 0 {
            tunnel {
                source 70.88.135.217;
                destination 216.66.22.2;
            }
            family inet6 {
                address 2001:470:7:741::2/64;
            }
        }

    }
    ge-0/0/2 {
        description trust-v6;
        unit 0 {
            family inet6 {
                address 2001:470:e293:4000::1/50;
                dad-disable;
            }
        }
    }

}
routing-options {
    interface-routes {
        rib-group inet6 NS280;
    }
    rib inet6.0 {
        static {
            route ::/0 next-hop 2001:470:7:741::1;
        }
    }
    static {
        route 0.0.0.0/0 next-hop 70.88.135.222;
    }
    rib-groups {
        NS280 {
            import-rib inet6.0;
        }
    }
}
protocols {
    stp;
}
    }
    forwarding-options {
        family {
            inet6 {
                mode flow-based;
            }
        }
    }
    screen {
        ids-option untrust-screen {
            icmp {
                ping-death;
            }
            ip {
                source-route-option;
                tear-drop;
            }
            tcp {
                syn-flood {
                    alarm-threshold 1024;
                    attack-threshold 200;
                    source-threshold 1024;
                    destination-threshold 2048;
                    timeout 20;
                }
                land;
            }
        }
    }
   
        from-zone untrust to-zone trust {
           
            policy dssjms-ipv6-dns {
                match {
                    source-address any-ipv6;
                    destination-address dssjms-ipv6-dns;
                    application junos-tcp-any;
                }
                then {
                    permit;
                    log {
                        session-init;
                        session-close;
                    }
                    count;
                }
            }
            policy dmz-inbound-icmp6 {
                match {
                    source-address any-ipv6;
                    destination-address any-ipv6;
                    application [ junos-pingv6 junos-icmp6-dst-unreach-addr junos-icmp6-dst-unreach-admin junos-icmp6-dst-unreach-beyond junos-icmp6-dst-unreach-port junos-icmp6-dst-unreach-route junos-icmp6-echo-reply junos-icmp6-echo-request junos-icmp6-packet-to-big junos-icmp6-param-prob-header junos-icmp6-param-prob-nexthdr junos-icmp6-param-prob-option junos-icmp6-time-exceed-reassembly junos-icmp6-time-exceed-transit junos-icmp6-all ];
                }
                then {
                    permit;
                    log {
                        session-init;
                        session-close;
                    }
                    count;
                }
            }
        }
        from-zone trust to-zone untrust {
            policy IPV6-DMZ-out {
                match {
                    source-address any-ipv6;
                    destination-address any-ipv6;
                    application any;
                }
                then {
                    permit;
                    log {
                        session-init;
                        session-close;
                    }
                    count;
                }
            }
        }
    }
    zones {
       
            interfaces {
                ge-0/0/0.0 {
                    host-inbound-traffic {
                        system-services {
                            all;
                        }
                        protocols {
                            all;
                        }
                    }
                }
                ip-0/0/0.0 {
                    host-inbound-traffic {
                        system-services {
                            all;
                        }
                        protocols {
                            all;
                        }
                    }
                }
            }
        }
            host-inbound-traffic {
                system-services {
                    all;
                }
                protocols {
                    all;
                }
            }
            interfaces {
                ge-0/0/1.0 {
                    host-inbound-traffic {
                        system-services {
                            all;
                        }
                        protocols {
                            all;
                        }
                    }
                }
                ge-0/0/2.0 {
                    host-inbound-traffic {
                        system-services {
                            all;
                        }
                        protocols {
                            all;
                        }


I am able to ping any of my systems from an external IPV6 network, and when I had a FortiGate 800 and a Juniper NS208 running as the firewall between my network and HE I was able to completely access servers behind those firewalls.

I am currently running
JUNOS Software Release [11.4R9.4]
Bios Version:      1.9


Please let me know if there is any more information needed from my setup or recommendations to resolve the issue I am currently having with allowing inbound traffic to my network.

I am able to ping/browse IPV6 only sites on the internet through the SRX so outbound traffic is working from my network with no issues.