IPv6 sites time out.

Started by PatrickDickey, March 13, 2014, 04:03:08 PM


PatrickDickey

Hi everyone,

I'm not sure if the subject actually describes my issue. I'm running a Linux network, and something happened recently to make any IPv6 sites time out before I reach them. If I go to http://www.whatismyipv6.com it shows my IPv4 address--not my IPv6 address. However, if I check my network information, I have my IPv6 address as well. I've checked my default route on my computer, and it points to my router (like it should). If I try to ping any IPv6 addresses, I lose all of the packets. All of my IPv4 sites work normally.

This happens on all of my computers, and I'm not sure what changed. I do know something was modified on my router (Cisco 2514), but I don't remember what it was (as it's been a while since I accessed it, and then reloaded it).

My router config is this: (sorry for the length)

DCKY-ROUTER#show run
Building configuration...

Current configuration : 4977 bytes
!
version 12.3
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname DCKY-ROUTER
!
boot-start-marker
boot-end-marker
!
enable secret 5 gibberish that doesn't matter
!
no aaa new-model
ip subnet-zero
ip cef
ip name-server 208.67.222.222
ip name-server 208.67.220.220
ip name-server 2620:0:CCC::2
ip name-server 2620:0:CCD::2
!
vpdn enable
!
vpdn-group 1
request-dialin
  protocol pppoe
!
ipv6 unicast-routing
!
!
ip ftp username patrickdickey
ip ftp password 7 gibberish that doesn't matter
!
!
interface Tunnel0
description Hurricane Electric IPv6 Tunnel Broker
no ip address
ipv6 address 2001:...::2/64
ipv6 enable
tunnel source Dialer1
tunnel destination 209.51.181.2
tunnel mode ipv6ip
!
interface Ethernet0
description My LAN Interface
ip address 192.168.2.1 255.255.255.0
ip nat inside
no ip mroute-cache
ipv6 address 2001:...::/64 eui-64 (I blanked out my IPv6 address, but it's correct)
ipv6 enable
no cdp enable
!
interface Ethernet1
description Physical ADSL Interface (Facing the ISP)
no ip address
no ip mroute-cache
pppoe enable
pppoe-client dial-pool-number 1
no cdp enable
!
interface Serial0
no ip address
no ip mroute-cache
shutdown
no cdp enable
!
interface Serial1
no ip address
no ip mroute-cache
shutdown
no cdp enable
!
interface Dialer1
description Logical ADSL Interface
ip address negotiated
ip mtu 1492
ip nat outside
encapsulation ppp
ip tcp adjust-mss 1452
no ip mroute-cache
dialer pool 1
dialer-group 1
no cdp enable
ppp authentication chap pap callin
ppp chap hostname me
ppp chap password 7 gibberish that doesn't matter
ppp pap sent-username me password 7 gibberish that doesn't matter
!
ip nat inside source list 10 interface Dialer1 overload

<snipped out ip nat inside source as they don't apply (all IPv4 addresses)>

no ip http server
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer1
!
!
access-list 10 permit 192.168.2.0 0.0.0.255
access-list 10 permit 192.168.3.0 0.0.0.255
dialer-list 1 protocol ip permit
no cdp run
ipv6 route ::/0 Tunnel0
!
snmp-server community public RO
!
end


One thing I noticed just now (and I don't remember it ever changing) is that on my tunnel, it has "1F10" in the address, and in my ethernet, it has "1F11". Aside from the ::2 and :: at the end of the tunnel/ethernet address, that's the only difference in it. Would that make a difference (as in they both should be either 1F10 or 1F11 depending on what my tunnelbroker address is)?

I also noticed that my default route on my computer points to the router's FE80 address--not the 2001: address (possibly because of the 1F1x issue?). Is that normal? On the computer, the portion is 1F11 also (so I'm guessing the ethernet is wrong).

Thanks for any information that could help me with this. And have a great day.:)
Patrick.

PatrickDickey

I'm adding this as a reply, so that it's not lost in the original post. My "client" addresses use the 1F10 portion, but my "routed" addresses use the 1F11 portion. So I'm not sure which one I'm supposed to be using where. Should all of my computers/router have the 1F10 in their addresses, or should they all have the 1F11? I'm going on the assumption that tunnelbroker is providing DHCP (as I removed it from my router's configuration at some point). I could be wrong about this though.

Thanks again, and have a great day.:)
Patrick.

UPDATE: I didn't notice this (and didn't realize that it happens) before. My Tunnel Server IPv4 endpoint address changed from what I have in my router configuration to a different one. So that was the entire cause of my issue. I fixed that, rebooted all of my computers, and now get an IPv6 address from whatismyipv6.com. Now, I need to go into my server, and change my DNS addresses back to IPv6 only (to see what breaks).

Hope this helps someone else, as it's the first thing you should check in your scripts.

broquea

1f10 should only be used on your tunnel interface.
1f11 is used on the wan facing NIC on the machine the tunnel terminates on.

PatrickDickey

I'm back with this problem (or a similar version of it).

If I have my tunnel enabled in my router, then all IPv6 capable sites time out. But, when I disable it (either using shutdown or removing the tunnel completely), all sites work. One issue that I still have is that my cell phone won't access IPv6 capable sites through wifi, but that's a different issue altogether.

I redid my configuration using the example configuration that Tunnelbroker provides (making the appropriate change to get my IPv4 address from my Dialer interface instead of the static one that they suggest). On some of my computers, I've had to resort to completely disabling IPv6 in order to get them to update properly (as they automatically try the IPv6 addresses for the update repositories).

Here's my current config (minus the "shutdown" command) for the Tunnel Interface. I'm hoping that it's not the Dialer interface causing the problem, as I'm on a dynamic IP.

configure terminal
interface Tunnel0
description Hurricane Electric IPv6 Tunnel Broker
no ip address
ipv6 enable
ipv6 address 2001:470:1f10:830::2/64
tunnel source Dialer1
tunnel destination 184.105.253.14
tunnel mode ipv6ip
ipv6 route ::/0 Tunnel0
end


I have a couple of questions.

1.  I have a script that updates my IPv4 address with Tunnelbroker (python script that checks to see if my IPv4 address has changed, and then updates using their https: link). So do I need to have my "tunnel source" line in there at all?

2.  And along that line, if I put my current IPv4 address into tunnel source (instead of Dialer1), what happens when it changes (and my updater sends the update to Tunnelbroker)?

3. One I just thought of is this: What's the difference between the updater providing my IPv4 address to tunnelbroker, and the Tunnel source command? I mean if I'm using the tunnel source command, and my Dialer1 IPv4 address changes, wouldn't that update my tunnel information, or do I still need to update it occasionally with the script?

Have a great weekend.:)
Patrick.

Jim Whitby

Quote from: PatrickDickey on May 24, 2014, 07:47:02 AM
I'm back with this problem (or a similar version of it).

<snip>
Here's my current config (minus the "shutdown" command) for the Tunnel Interface. I'm hoping that it's not the Dialer interface causing the problem, as I'm on a dynamic IP.

configure terminal
interface Tunnel0
description Hurricane Electric IPv6 Tunnel Broker
no ip address
ipv6 enable
ipv6 address 2001:470:1f10:830::2/64
tunnel source Dialer1
tunnel destination 184.105.253.14
tunnel mode ipv6ip
ipv6 route ::/0 Tunnel0
end


<snip>

Try changing tunnel destination to 0.0.0.0, it may or may not work for you.

PatrickDickey

Quote from: Jim Whitby on May 27, 2014, 11:22:19 AM
Try changing tunnel destination to 0.0.0.0, it may or may not work for you.

Unfortunately this didn't work. My router (and its IOS) is old enough that it requires a valid hostname or IP address instead of 0.0.0.0 for the destination. The router is a Cisco 2514 router with IOS 12.2(25). I'm thinking it's a server-side issue because I hadn't made any changes to my configuration since I found out my endpoint changed. Yet suddenly all IPv6 sites time out. As soon as I disabled IPv6 on my Ubuntu machines, they worked fine. My Galaxy S3 won't connect to my Gmail accounts properly, unless I disable my wi-fi (as they're still getting and trying to use IPv6 addresses even though the tunnel is shut down). (The issue with Gmail is in the MailDroid app--not the default mail app.)

I know the tunnel has my correct IPv4 address (or at least that I've been updating it on my end) because I have a script that checks and updates it with Tunnelbroker whenever it changes. And every time it says that it updated, the reply from Tunnelbroker is OK. (Note, if my IPv4 address doesn't change, it doesn't try to update with Tunnelbroker).

I may try sending an email to Tunnelbroker's support staff, just to see if anyone else has been complaining of this issue. Maybe they'll move me to another endpoint. I'm not concerned about the added latency if they move me to a server that's a bit further away--as long as I can connect.

Have a great day.:)
Patrick.

PatrickDickey

OK, so the problem is solved again (at least this problem is solved).

What I did was start testing pings with various sizes. I found out that the largest packet I could send was 1,424 bytes. So, I checked what my MTU (Maximum Transmission Unit) was set at (1480), and changed it to 1472. Everything's working fine now.

So for others, here's what I did, and what it means:

ping -l 1480 ipv6.google.com (failed)
ping -l 1400 ipv6.google.com (success)
ping -l 1450 ipv6.google.com (failed)
ping -l 1440 ipv6.google.com (failed)
ping -l 1430 ipv6.google.com (failed)
ping -l 1420 ipv6.google.com (success)
ping -l 1425 ipv6.google.com (failed)
ping -l 1424 ipv6.google.com (success)

Now if you go to your Advanced Settings for your tunnel(s), the default MTU is 1480 (which would allow a packet size of 1432 to pass through). Basically, your MTU will be whatever the maximum sized ping that succeeds + 28 (for the header information between the tunnels and the IPv4 wrapping and whatever other protocols are being used). At least that's my assumption of how the MTU works.

Have a great day.:)
Patrick.
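
Added example, not part of the original posts: the ping-size search from the last post as a binary search, plus the header arithmetic that links the result to the `ip mtu 1492` on Dialer1 in the posted config. It uses the fixed header sizes (40-byte IPv6 header, 8-byte ICMPv6 echo header, 20-byte outer IPv4 header for 6in4); all function names are hypothetical, the demo runs against a simulated path, and `ping_probe` assumes Linux iputils `ping` (the thread's `ping -l` is the Windows form).

```python
import subprocess

IPV6_HDR = 40    # fixed IPv6 header
ICMPV6_HDR = 8   # ICMPv6 echo request header
IPV4_HDR = 20    # outer IPv4 header added by 6in4 (no IP options)


def largest_payload(probe, lo=0, hi=1500):
    """Binary-search the largest ping payload for which probe(size) is True.

    Assumes success is monotonic in size: anything that fits keeps fitting
    when it gets smaller.
    """
    if not probe(lo):
        raise RuntimeError("smallest probe failed: not an MTU problem")
    while lo < hi:
        mid = (lo + hi + 1) // 2
        if probe(mid):
            lo = mid
        else:
            hi = mid - 1
    return lo


def mtu_from_payload(payload):
    """IPv6 MTU implied by the largest ICMPv6 echo payload that gets through."""
    return payload + ICMPV6_HDR + IPV6_HDR


def sixin4_mtu(ipv4_link_mtu):
    """Largest IPv6 packet that fits in one IPv4 packet on the outer link."""
    return ipv4_link_mtu - IPV4_HDR


def simulated_probe(path_mtu):
    """Constructed stand-in for a real ping: passes iff the packet fits."""
    return lambda size: size + ICMPV6_HDR + IPV6_HDR <= path_mtu


def ping_probe(host):
    """Real probe for a Linux host (assumption: iputils ping is installed)."""
    def probe(size):
        cmd = ["ping", "-6", "-c", "1", "-W", "2", "-M", "do", "-s", str(size), host]
        return subprocess.run(cmd, capture_output=True).returncode == 0
    return probe


if __name__ == "__main__":
    # Constructed scenario: 6in4 tunnel carried over a PPPoE link with MTU 1492.
    payload = largest_payload(simulated_probe(sixin4_mtu(1492)))
    print(payload, mtu_from_payload(payload))
```

To measure a live path, pass `ping_probe("ipv6.google.com")` to `largest_payload` instead of the simulated probe.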