Why cannot ping between endpoints.
Shadow Hawkins on Friday, 26 April 2013 15:41:44
I have two nlams05 tunnels, each with its own subnet. I cannot ping one endpoint from the other endpoint/subnet. Endpoints are pingable from the Internet. Both endpoints can ping6 to www.kame.net. When my nlams04 tunnel was working (PoP is now down), both endpoints/subnets could ping the other endpoint. Any clue? Subnets are firewalled and don't respond to ping, endpoints are firewalled, but they allow IPv6 ping echo reply.
Why cannot ping between endpoints.
Shadow Hawkins on Friday, 26 April 2013 22:50:14
More details: Linux ping says "no route" and Windows ping says target network is not reachable.
Why cannot ping between endpoints.
Jeroen Massar on Saturday, 27 April 2013 09:39:22
Please show your interface tables, routing tables, traceroutes, etc.
For your textual description the only answer is "something is likely misconfigured".
Why cannot ping between endpoints.
Shadow Hawkins on Saturday, 27 April 2013 09:58:28
Traceren van de route naar cl-***.ams-05.nl.sixxs.net [2001:610:600:***::*]
via maximaal 30 hops:
1 Het doelnetwerk is niet bereikbaar.
De trace is voltooid.
But tracert to www.kame.net works without any problem.
With the same configuration (except for IP and subnets addresses and having one Surfnet and one Scarlet tunnel instead of two Surfnet tunnels) ping worked ok.
It seems that Surfnet does not like ping/traceroute from Surfnet endpoints.
Why cannot ping between endpoints.
Shadow Hawkins on Saturday, 27 April 2013 10:06:31
The configuration of one Surfnet subnet did not change at all, so it should be at least able to ping the other Surfnet endpoint. At least, it was able to ping the Scarlet endpoint when the Scarlet PoP was working.
Why cannot ping between endpoints.
Shadow Hawkins on Saturday, 27 April 2013 10:08:24
My IPv6 firewall is shown at http://www.dd-wrt.com/phpBB2/viewtopic.php?p=664358 (under slobodan post).
Why cannot ping between endpoints.
Jeroen Massar on Sunday, 28 April 2013 09:27:50
I'll repeat:
Please show your interface tables, routing tables, traceroutes, etc.
The first part is very important. Please show them on both hosts involved.
Why cannot ping between endpoints.
Shadow Hawkins on Sunday, 28 April 2013 14:05:18
At one side:
1: lo: <LOOPBACK,MULTICAST,UP,10000> mtu 16436
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,10000> mtu 1500 qlen 1000
inet6 fe80::225:9cff:????:????/64 scope link
valid_lft forever preferred_lft forever
3: eth1: <BROADCAST,MULTICAST,UP,10000> mtu 1500 qlen 1000
inet6 fe80::225:9cff:????:????/64 scope link
valid_lft forever preferred_lft forever
4: eth2: <BROADCAST,MULTICAST,UP,10000> mtu 1500 qlen 1000
inet6 fe80::225:9cff:????:????/64 scope link
valid_lft forever preferred_lft forever
8: vlan1@eth0: <BROADCAST,MULTICAST,UP,10000> mtu 1500
inet6 fe80::225:9cff:????:????/64 scope link
valid_lft forever preferred_lft forever
9: vlan2@eth0: <BROADCAST,MULTICAST,UP,10000> mtu 1500
inet6 fe80::225:9cff:????:????/64 scope link
valid_lft forever preferred_lft forever
11: br0: <BROADCAST,MULTICAST,UP,10000> mtu 1500
inet6 2001:610:???::/64 scope global
valid_lft forever preferred_lft forever
inet6 fe80::225:9cff:????:????/64 scope link
valid_lft forever preferred_lft forever
18: sixxs: <POINTOPOINT,MULTICAST,NOARP,UP,10000> mtu 1280 qlen 500
inet6 2001:610:600:???::2/64 scope global
valid_lft forever preferred_lft forever
inet6 fe80::410:600:???:2/64 scope link
valid_lft forever preferred_lft forever
1: lo: <LOOPBACK,MULTICAST,UP,10000> mtu 16436 qdisc noqueue
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
2: eth0: <BROADCAST,MULTICAST,UP,10000> mtu 1500 qdisc pfifo_fast qlen 1000
link/ether 00:25:9c:??:??:?? brd ff:ff:ff:ff:ff:ff
3: eth1: <BROADCAST,MULTICAST,UP,10000> mtu 1500 qdisc pfifo_fast qlen 1000
link/ether 00:25:9c:??:??:?? brd ff:ff:ff:ff:ff:ff
4: eth2: <BROADCAST,MULTICAST,UP,10000> mtu 1500 qdisc pfifo_fast qlen 1000
link/ether 00:25:9c:??:??:?? brd ff:ff:ff:ff:ff:ff
5: teql0: <NOARP> mtu 1500 qdisc noop qlen 100
link/void
6: tunl0: <NOARP> mtu 1480 qdisc noop
link/ipip 0.0.0.0 brd 0.0.0.0
7: gre0: <NOARP> mtu 1476 qdisc noop
link/gre 0.0.0.0 brd 0.0.0.0
8: vlan1@eth0: <BROADCAST,MULTICAST,UP,10000> mtu 1500 qdisc noqueue
link/ether 00:25:9c:??:??:?? brd ff:ff:ff:ff:ff:ff
9: vlan2@eth0: <BROADCAST,MULTICAST,UP,10000> mtu 1500 qdisc htb
link/ether 00:25:9c:??:??:?? brd ff:ff:ff:ff:ff:ff
10: sit0: <NOARP> mtu 1480 qdisc noop
link/sit 0.0.0.0 brd 0.0.0.0
11: br0: <BROADCAST,MULTICAST,UP,10000> mtu 1500 qdisc noqueue
link/ether 00:25:9c:??:??:?? brd ff:ff:ff:ff:ff:ff
16: imq0: <NOARP,UP,10000> mtu 1500 qdisc htb qlen 30
link/void
17: imq1: <NOARP> mtu 1500 qdisc noop qlen 30
link/void
18: sixxs: <POINTOPOINT,MULTICAST,NOARP,UP,10000> mtu 1280 qdisc pfifo_fast qlen 500
link/[65534]
At the other side:
1: lo: <LOOPBACK,MULTICAST,UP,10000> mtu 16436
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,10000> mtu 1500 qlen 1000
inet6 fe80::e2cb:4eff:????:????/64 scope link
valid_lft forever preferred_lft forever
3: eth1: <BROADCAST,MULTICAST,UP,10000> mtu 1500 qlen 1000
inet6 fe80::e2cb:4eff:????:????/64 scope link
valid_lft forever preferred_lft forever
8: vlan1@eth0: <BROADCAST,MULTICAST,UP,10000> mtu 1500
inet6 fe80::e2cb:4eff:????:????/64 scope link
valid_lft forever preferred_lft forever
9: vlan2@eth0: <BROADCAST,MULTICAST,UP,10000> mtu 1500
inet6 fe80::e2cb:4eff:????:????/64 scope link
valid_lft forever preferred_lft forever
11: br0: <BROADCAST,MULTICAST,UP,10000> mtu 1500
inet6 2001:610:600:???::/64 scope global
valid_lft forever preferred_lft forever
inet6 fe80::e2cb:4eff:????:????/64 scope link
valid_lft forever preferred_lft forever
12: sixxs: <POINTOPOINT,MULTICAST,NOARP,UP,10000> mtu 1280 qlen 500
inet6 2001:610:600:???::2/64 scope global
valid_lft forever preferred_lft forever
inet6 fe80::410:600:???:2/64 scope link
valid_lft forever preferred_lft forever
1: lo: <LOOPBACK,MULTICAST,UP,10000> mtu 16436 qdisc noqueue
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
2: eth0: <BROADCAST,MULTICAST,UP,10000> mtu 1500 qdisc pfifo_fast qlen 1000
link/ether e0:cb:4e:??:??:?? brd ff:ff:ff:ff:ff:ff
3: eth1: <BROADCAST,MULTICAST,UP,10000> mtu 1500 qdisc pfifo_fast qlen 1000
link/ether e0:cb:4e:??:??:?? brd ff:ff:ff:ff:ff:ff
4: teql0: <NOARP> mtu 1500 qdisc noop qlen 100
link/void
5: tunl0: <NOARP> mtu 1480 qdisc noop
link/ipip 0.0.0.0 brd 0.0.0.0
6: gre0: <NOARP> mtu 1476 qdisc noop
link/gre 0.0.0.0 brd 0.0.0.0
7: vlan0@eth0: <BROADCAST,MULTICAST> mtu 1500 qdisc noop
link/ether e0:cb:4e:??:??:?? brd ff:ff:ff:ff:ff:ff
8: vlan1@eth0: <BROADCAST,MULTICAST,UP,10000> mtu 1500 qdisc noqueue
link/ether e0:cb:4e:??:??:?? brd ff:ff:ff:ff:ff:ff
9: vlan2@eth0: <BROADCAST,MULTICAST,UP,10000> mtu 1500 qdisc noqueue
link/ether e0:cb:4e:??:??:?? brd ff:ff:ff:ff:ff:ff
10: sit0: <NOARP> mtu 1480 qdisc noop
link/sit 0.0.0.0 brd 0.0.0.0
11: br0: <BROADCAST,MULTICAST,UP,10000> mtu 1500 qdisc noqueue
link/ether e0:cb:4e:??:??:?? brd ff:ff:ff:ff:ff:ff
12: sixxs: <POINTOPOINT,MULTICAST,NOARP,UP,10000> mtu 1280 qdisc pfifo_fast qlen 500
link/[65534]
To be precise, my firewall is in the last slobodan post at the indicated URL.
Why cannot ping between endpoints.
Jeroen Massar on Sunday, 28 April 2013 14:20:43
> 11: br0: <BROADCAST,MULTICAST,UP,10000> mtu 1500
> inet6 2001:610:???::/64 scope global
> valid_lft forever preferred_lft forever
> 12: sixxs: <POINTOPOINT,MULTICAST,NOARP,UP,10000> mtu 1280 qlen 500
> inet6 2001:610:600:???::2/64 scope global
> valid_lft forever preferred_lft forever
> 11: br0: <BROADCAST,MULTICAST,UP,10000> mtu 1500
> inet6 2001:610:600:???::/64 scope global
> valid_lft forever preferred_lft forever
> 12: sixxs: <POINTOPOINT,MULTICAST,NOARP,UP,10000> mtu 1280 qlen 500
> inet6 2001:610:600:???::2/64 scope global
As you masked out the important bits, they are all the same, as such, nothing much can be said about this.
These are the interfaces, the routing tables are in this case actually more important.
If you want to mask out things, for whatever mysterious reason that might be, then replace the prefixes completely with AAAA::/64 and BBBB::/64 etc, don't just remove things.
Why cannot ping between endpoints.
Shadow Hawkins on Sunday, 28 April 2013 16:37:53
The addresses are:
11: br0: <BROADCAST,MULTICAST,UP,10000> mtu 1500
inet6 2001:610:AAA::/64 scope global
valid_lft forever preferred_lft forever
12: sixxs: <POINTOPOINT,MULTICAST,NOARP,UP,10000> mtu 1280 qlen 500
inet6 2001:610:600:BBB:CCC::2/64 scope global
valid_lft forever preferred_lft forever
11: br0: <BROADCAST,MULTICAST,UP,10000> mtu 1500
inet6 2001:610:600:DDD:EEEE::/64 scope global
valid_lft forever preferred_lft forever
12: sixxs: <POINTOPOINT,MULTICAST,NOARP,UP,10000> mtu 1280 qlen 500
inet6 2001:610:600:DDD:EEEE::2/64 scope global
ip -6 route at one point is:
2001:610:BBB:CCC::/64 dev sixxs metric 256 expires 42680299sec
2001:610:AAA::/64 dev br0 metric 256
2001:610:AAA::/64 dev br0 metric 1024 expires 42680299sec
unreachable 2001:610:AAA::/48 dev lo metric 1024 expires 42680300sec error -128
fe80::/64 dev eth0 metric 256 expires 42680260sec
fe80::/64 dev eth2 metric 256 expires 42680263sec
fe80::/64 dev vlan1 metric 256 expires 42680263sec
fe80::/64 dev eth1 metric 256 expires 42680263sec
fe80::/64 dev br0 metric 256 expires 42680263sec
fe80::/64 dev vlan2 metric 256 expires 42680266sec
fe80::/64 dev sixxs metric 256 expires 42680300sec
ff00::/8 dev eth0 metric 256 expires 42680260sec
ff00::/8 dev eth2 metric 256 expires 42680263sec
ff00::/8 dev vlan1 metric 256 expires 42680263sec
ff00::/8 dev eth1 metric 256 expires 42680263sec
ff00::/8 dev br0 metric 256 expires 42680263sec
ff00::/8 dev vlan2 metric 256 expires 42680266sec
ff00::/8 dev sixxs metric 256 expires 42680300sec
default via 2001:610:BBB:CCC::1 dev sixxs metric 1024 expires 42680300sec
unreachable default dev lo metric -1 error -128
At the other end I don't have access right now, but I assume it is pretty much the same, with DDD:EEEE instead of both AAA and BBB:CCC.
Why cannot ping between endpoints.
Jeroen Massar on Sunday, 28 April 2013 17:43:13
> The addresses are:
> 11: br0: <BROADCAST,MULTICAST,UP,10000> mtu 1500
> inet6 2001:610:AAA::/64 scope global
> valid_lft forever preferred_lft forever
One should never configure the lowest address (2001:610:AAA:: in this case) on an interface as that is the subnet anycast address. Using <prefix>::1 is common practice.
> 11: br0: <BROADCAST,MULTICAST,UP,10000> mtu 1500
> inet6 2001:610:600:DDD:EEEE::/64 scope global
> valid_lft forever preferred_lft forever
> 12: sixxs: <POINTOPOINT,MULTICAST,NOARP,UP,10000> mtu 1280 qlen 500
> inet6 2001:610:600:DDD:EEEE::2/64 scope global
I assume these '11 and 12' are on another host, given that they have the same interface IDs.
Again, do not use the subnet anycast address.
Why did you configure the tunnel prefix (2001:610:600:DDD:EEEE::/64) on the br0 interface? Please use the Subnet Prefix here.
> ip -6 route at one point is:
> 2001:610:BBB:CCC::/64 dev sixxs metric 256 expires 42680299sec
> 2001:610:AAA::/64 dev br0 metric 256
> 2001:610:AAA::/64 dev br0 metric 1024 expires 42680299sec
> ...
> default via 2001:610:BBB:CCC::1 dev sixxs metric 1024 expires 42680300sec
Where did the routes for 2001:610:600:DDD:EEEE::/64 go?
> At the other end I don't have access right now, but I assume it is pretty much the same, with DDD:EEEE instead of both AAA and BBB:CCC.
Assumptions are not enough, please actually check if it is also wrong.
Why cannot ping between endpoints.
Shadow Hawkins on Sunday, 28 April 2013 19:33:42
Jeroen Massar wrote:
> > The addresses are:
> > 11: br0: <BROADCAST,MULTICAST,UP,10000> mtu 1500
> > inet6 2001:610:AAA::/64 scope global
> > valid_lft forever preferred_lft forever
> One should never configure the lowest address (2001:610:AAA:: in this case) on an interface as that is the subnet anycast address. Using <prefix>::1 is common practice.
Point taken, but it always worked like this.
> > 11: br0: <BROADCAST,MULTICAST,UP,10000> mtu 1500
> > inet6 2001:610:600:DDD:EEEE::/64 scope global
> > valid_lft forever preferred_lft forever
> > 12: sixxs: <POINTOPOINT,MULTICAST,NOARP,UP,10000> mtu 1280 qlen 500
> > inet6 2001:610:600:DDD:EEEE::2/64 scope global
> I assume these '11 and 12' are on another host, given that they have the same interface IDs.
> Again, do not use the subnet anycast address.
> Why did you configure the tunnel prefix (2001:610:600:DDD:EEEE::/64) on the br0 interface? Please use the Subnet Prefix here.
You're right, it's not the same address, but in fact it was:
11: br0: <BROADCAST,MULTICAST,UP,10000> mtu 1500
inet6 2001:610:600:FDDD:EEEE::/64 scope global
valid_lft forever preferred_lft forever
12: sixxs: <POINTOPOINT,MULTICAST,NOARP,UP,10000> mtu 1280 qlen 500
inet6 2001:610:600:DDD:EEEE::2/64 scope global
> > ip -6 route at one point is:
> > 2001:610:BBB:CCC::/64 dev sixxs metric 256 expires 42680299sec
> > 2001:610:AAA::/64 dev br0 metric 256
> > 2001:610:AAA::/64 dev br0 metric 1024 expires 42680299sec
> > ...
> > default via 2001:610:BBB:CCC::1 dev sixxs metric 1024 expires 42680300sec
> Where did the routes for 2001:610:600:DDD:EEEE::/64 go?
I don't understand. Should I have routes from 2001:610:BBB:CCC to 2001:610:600:DDD:EEEE? Why? I just want to ping it once in a while, not to establish a permanent connection.
> > At the other end I don't have access right now, but I assume it is pretty much the same, with DDD:EEEE instead of both AAA and BBB:CCC.
> Assumptions are not enough, please actually check if it is also wrong.
True, as noted above, one has a DDD:EEEE address while the other has an FDDD:EEEE address.
I will reconfigure connections with ::1 behind.
Why cannot ping between endpoints.
Shadow Hawkins on Sunday, 28 April 2013 19:36:59
By the way, I got rid of redirecting /48 to lo, it didn't seem to work.
Why cannot ping between endpoints.
Shadow Hawkins on Sunday, 28 April 2013 19:51:09
After reconfiguring with ::1/64 ping works. Problem solved.
Why cannot ping between endpoints.
Jeroen Massar on Sunday, 28 April 2013 20:44:05
Tudor Georgescu wrote:
> By the way, I got rid of redirecting /48 to lo, it didn't seem to work.
What did not work?
Routing the whole /48 to lo (loopback) is done so that packets destined for that /48 that are not routed anywhere specifically are not sent back up the tunnel. As such, this always performs its task. (unless wrongly set up of course).
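The effect of the /48 route to lo described above can be seen with a small longest-prefix-match model of the router's table. This is an added example, not code from the thread: `lookup` and `table` are hypothetical names, and the routes are constructed with 2001:db8::/32 documentation prefixes in place of the masked ones.

```python
import ipaddress


def lookup(routes, dst):
    """Longest-prefix match: return the action of the most specific route."""
    dst = ipaddress.IPv6Address(dst)
    best = max((r for r in routes if dst in r[0]),
               key=lambda r: r[0].prefixlen, default=None)
    return best[1] if best else "no route"


def table(with_null_route):
    """Constructed routing table modelled on the `ip -6 route` output above."""
    routes = [
        (ipaddress.IPv6Network("2001:db8:600:bbb::/64"), "dev sixxs"),
        (ipaddress.IPv6Network("2001:db8:aaa::/64"), "dev br0"),
        (ipaddress.IPv6Network("::/0"), "via PoP (dev sixxs)"),
    ]
    if with_null_route:
        # Equivalent of: unreachable 2001:db8:aaa::/48 dev lo
        routes.append((ipaddress.IPv6Network("2001:db8:aaa::/48"), "unreachable"))
    return routes


# A destination inside the routed /48 that no local /64 covers.
UNASSIGNED = "2001:db8:aaa:5::1"

# Without the null route the packet matches the default route and goes back up
# the tunnel; the PoP routes the /48 down again, so it loops until the hop
# limit runs out.
without = lookup(table(False), UNASSIGNED)   # "via PoP (dev sixxs)"
# With the null route the more specific /48 wins and the packet is rejected
# locally, while the configured /64 on br0 stays reachable.
with_null = lookup(table(True), UNASSIGNED)  # "unreachable"
```

The null route only catches destinations that have no more specific route, so every /64 actually in use behind the router needs its own route for it to stay reachable.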
Why cannot ping between endpoints.
Shadow Hawkins on Monday, 29 April 2013 11:32:33
Jeroen Massar wrote:
> What did not work?
> Routing the whole /48 to lo (loopback) is done so that packets destined for that /48 that are not routed anywhere specifically are not sent back up the tunnel. As such, this always performs its task. (unless wrongly set up of course).
Ok, I have reinstated the /48 redirection at one router, at the other one it is /64 being redirected, since the subnet is /64, not /48. It seems that the /48 redirection was blacklisting the IP of the first router.