Trouble getting my heartbeat tunnel running
Shadow Hawkins on Friday, 10 July 2009 00:55:15
I've been trying all night to get my tunnel to run, but haven't succeeded yet. Maybe someone else sees the mistake I'm making?
The tunnel endpoint is a Gentoo Linux machine (10.0.0.10), behind NAT on a Netgear router (outside: 82.215.31.76, inside: 10.0.0.1); IP 10.0.0.10 is configured as a DMZ on the router.
When running 'aiccu test', test [6/8] (Ping PoP inner endpoint) fails with message "ping: sendmsg: Operation not permitted". As per FAQ entry "Tunnel endpoint didn't ping", I've disabled the firewall on the machine, and checked the logs for blocked packets when the firewall was enabled. This didn't help, unfortunately.
I also ran tcpdump during 'aiccu test', output below. When localhost and local endpoint are pinged, traffic is seen, but the failing test does not generate any output.
Any ideas?
Output from aiccu test:
sock_getline() : "200 SixXS TIC Service on noc.sixxs.net ready (http://www.sixxs.net)"
sock_printf() : "client TIC/draft-00 AICCU/2007.01.15-console-linux Linux/2.6.27-openvz-briullov.1-r1"
sock_getline() : "200 Client Identity accepted"
sock_printf() : "get unixtime"
sock_getline() : "200 1247178656"
sock_printf() : "starttls"
sock_getline() : "400 This service is not SSL enabled (yet)"
TIC Server does not support TLS but TLS is not required, continuing
sock_printf() : "username THY3-SIXXS"
sock_getline() : "200 Choose your authentication challenge please"
sock_printf() : "challenge md5"
sock_getline() : "200 <snipped>"
sock_printf() : "authenticate md5 <snipped>"
sock_getline() : "200 Succesfully logged in using md5 as THY3-SIXXS (Tom Hendrikx) from 2001:960:800::2"
sock_printf() : "tunnel show T22260"
sock_getline() : "201 Showing tunnel information for T22260"
sock_getline() : "TunnelId: T22260"
sock_getline() : "Type: 6in4-heartbeat"
sock_getline() : "IPv6 Endpoint: 2001:7b8:2ff:2f2::2"
sock_getline() : "IPv6 POP: 2001:7b8:2ff:2f2::1"
sock_getline() : "IPv6 PrefixLength: 64"
sock_getline() : "Tunnel MTU: 1280"
sock_getline() : "Tunnel Name: eebo homenet"
sock_getline() : "POP Id: nlede01"
sock_getline() : "IPv4 Endpoint: heartbeat"
sock_getline() : "IPv4 POP: 193.109.122.244"
sock_getline() : "UserState: enabled"
sock_getline() : "AdminState: enabled"
sock_getline() : "Password: <snipped>"
sock_getline() : "Heartbeat_Interval: 60"
sock_getline() : "202 Done"
Succesfully retrieved tunnel information for T22260
sock_printf() : "QUIT Down where we belong"
ioctl: No buffer space available
RTNETLINK answers: File exists
RTNETLINK answers: File exists
heartbeat_socket() - IPv4 : 10.0.0.10
[HB] HEARTBEAT TUNNEL 2001:7b8:2ff:2f2::2 sender 1247178656 982f68ee7677ba03435c820d811d4483
Tunnel Information for T22260:
POP Id : nlede01
IPv6 Local : 2001:7b8:2ff:2f2::2/64
IPv6 Remote : 2001:7b8:2ff:2f2::1/64
Tunnel Type : 6in4-heartbeat
Adminstate : enabled
Userstate : enabled
#######
####### AICCU Quick Connectivity Test
#######
####### [1/8] Ping the IPv4 Local/Your Outer Endpoint (10.0.0.10)
### This should return so called 'echo replies'
### If it doesn't then check your firewall settings
### Your local endpoint should always be pingable
### It could also indicate problems with your IPv4 stack
PING 10.0.0.10 (10.0.0.10) 56(84) bytes of data.
64 bytes from 10.0.0.10: icmp_seq=1 ttl=64 time=0.000 ms
64 bytes from 10.0.0.10: icmp_seq=2 ttl=64 time=0.000 ms
64 bytes from 10.0.0.10: icmp_seq=3 ttl=64 time=0.000 ms
--- 10.0.0.10 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2000ms
rtt min/avg/max/mdev = 0.000/0.000/0.000/0.000 ms
######
####### [2/8] Ping the IPv4 Remote/PoP Outer Endpoint (193.109.122.244)
### These pings should reach the PoP and come back to you
### In case there are problems along the route between your
### host and the PoP this could not return replies
### Check your firewall settings if problems occur
PING 193.109.122.244 (193.109.122.244) 56(84) bytes of data.
64 bytes from 193.109.122.244: icmp_seq=1 ttl=59 time=10.0 ms
64 bytes from 193.109.122.244: icmp_seq=2 ttl=59 time=10.0 ms
64 bytes from 193.109.122.244: icmp_seq=3 ttl=59 time=10.0 ms
--- 193.109.122.244 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2020ms
rtt min/avg/max/mdev = 10.000/10.000/10.001/0.081 ms
######
####### [3/8] Traceroute to the PoP (193.109.122.244) over IPv4
### This traceroute should reach the PoP
### In case this traceroute fails then you have no connectivity
### to the PoP and this is most probably the problem
traceroute to 193.109.122.244 (193.109.122.244), 30 hops max, 40 byte packets
1 gateway.homenet.whyscream.net (10.0.0.1) 0.000 ms 0.000 ms 10.000 ms
2 1-28.bbned.dsl.internl.net (82.215.28.1) 20.000 ms 20.000 ms 20.000 ms
3 ge2-7.newxr1.nik-asd.internl.net (217.149.196.33) 20.000 ms 20.000 ms 20.000 ms
4 amsix-501.xe-0-0-0.jun1.galilei.network.bit.nl (195.69.144.35) 20.000 ms 30.000 ms 30.000 ms
5 nlede01.sixxs.net (193.109.122.244) 30.000 ms 30.000 ms 30.000 ms
######
###### [4/8] Checking if we can ping IPv6 localhost (::1)
### This confirms if your IPv6 is working
### If ::1 doesn't reply then something is wrong with your IPv6 stack
PING ::1(::1) 56 data bytes
64 bytes from ::1: icmp_seq=1 ttl=64 time=0.000 ms
64 bytes from ::1: icmp_seq=2 ttl=64 time=0.000 ms
64 bytes from ::1: icmp_seq=3 ttl=64 time=0.000 ms
--- ::1 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2000ms
rtt min/avg/max/mdev = 0.000/0.000/0.000/0.000 ms
######
###### [5/8] Ping the IPv6 Local/Your Inner Tunnel Endpoint (2001:7b8:2ff:2f2::2)
### This confirms that your tunnel is configured
### If it doesn't reply then check your interface and routing tables
PING 2001:7b8:2ff:2f2::2(2001:7b8:2ff:2f2::2) 56 data bytes
64 bytes from 2001:7b8:2ff:2f2::2: icmp_seq=1 ttl=64 time=0.000 ms
64 bytes from 2001:7b8:2ff:2f2::2: icmp_seq=2 ttl=64 time=0.000 ms
64 bytes from 2001:7b8:2ff:2f2::2: icmp_seq=3 ttl=64 time=0.000 ms
--- 2001:7b8:2ff:2f2::2 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2000ms
rtt min/avg/max/mdev = 0.000/0.000/0.000/0.000 ms
######
###### [6/8] Ping the IPv6 Remote/PoP Inner Tunnel Endpoint (2001:7b8:2ff:2f2::1)
### This confirms the reachability of the other side of the tunnel
### If it doesn't reply then check your interface and routing tables
### Don't forget to check your firewall of course
### If the previous test was succesful then this could be both
### a firewalling and a routing/interface problem
ping: sendmsg: Operation not permitted
ping: sendmsg: Operation not permitted
ping: sendmsg: Operation not permitted
PING 2001:7b8:2ff:2f2::1(2001:7b8:2ff:2f2::1) 56 data bytes
--- 2001:7b8:2ff:2f2::1 ping statistics ---
3 packets transmitted, 0 received, 100% packet loss, time 2000ms
Output from: tcpdump -v -n -s 1500 -i any ip6 (during aiccu test):
tcpdump: WARNING: Promiscuous mode not supported on the "any" device
tcpdump: listening on any, link-type LINUX_SLL (Linux cooked), capture size 1500 bytes
00:47:33.611344 IP6 (hlim 64, next-header ICMPv6 (58) payload length: 64) ::1 > ::1: [icmp6 sum ok] ICMP6, echo request, length 64, seq 1
00:47:33.611344 IP6 (hlim 64, next-header ICMPv6 (58) payload length: 64) ::1 > ::1: [icmp6 sum ok] ICMP6, echo reply, length 64, seq 1
00:47:34.611355 IP6 (hlim 64, next-header ICMPv6 (58) payload length: 64) ::1 > ::1: [icmp6 sum ok] ICMP6, echo request, length 64, seq 2
00:47:34.611355 IP6 (hlim 64, next-header ICMPv6 (58) payload length: 64) ::1 > ::1: [icmp6 sum ok] ICMP6, echo reply, length 64, seq 2
00:47:35.611365 IP6 (hlim 64, next-header ICMPv6 (58) payload length: 64) ::1 > ::1: [icmp6 sum ok] ICMP6, echo request, length 64, seq 3
00:47:35.611365 IP6 (hlim 64, next-header ICMPv6 (58) payload length: 64) ::1 > ::1: [icmp6 sum ok] ICMP6, echo reply, length 64, seq 3
00:47:35.621365 IP6 (hlim 64, next-header ICMPv6 (58) payload length: 64) 2001:7b8:2ff:2f2::2 > 2001:7b8:2ff:2f2::2: [icmp6 sum ok] ICMP6, echo request, length 64, seq 1
00:47:35.621365 IP6 (hlim 64, next-header ICMPv6 (58) payload length: 64) 2001:7b8:2ff:2f2::2 > 2001:7b8:2ff:2f2::2: [icmp6 sum ok] ICMP6, echo reply, length 64, seq 1
00:47:36.621376 IP6 (hlim 64, next-header ICMPv6 (58) payload length: 64) 2001:7b8:2ff:2f2::2 > 2001:7b8:2ff:2f2::2: [icmp6 sum ok] ICMP6, echo request, length 64, seq 2
00:47:36.621376 IP6 (hlim 64, next-header ICMPv6 (58) payload length: 64) 2001:7b8:2ff:2f2::2 > 2001:7b8:2ff:2f2::2: [icmp6 sum ok] ICMP6, echo reply, length 64, seq 2
00:47:37.621386 IP6 (hlim 64, next-header ICMPv6 (58) payload length: 64) 2001:7b8:2ff:2f2::2 > 2001:7b8:2ff:2f2::2: [icmp6 sum ok] ICMP6, echo request, length 64, seq 3
00:47:37.621386 IP6 (hlim 64, next-header ICMPv6 (58) payload length: 64) 2001:7b8:2ff:2f2::2 > 2001:7b8:2ff:2f2::2: [icmp6 sum ok] ICMP6, echo reply, length 64, seq 3
^C
12 packets captured
24 packets received by filter
0 packets dropped by kernel
Trouble getting my heartbeat tunnel running
Shadow Hawkins on Friday, 10 July 2009 08:24:51
It seems your failed ping didn't make it to the interface. Try "ip6tables -L" (note the "6") and see if you have any IPv6 firewall rules defined, especially on the OUTPUT chain. For some reason netfilter has split IPv4 and IPv6 rulesets, so perhaps you may have neglected to check the IPv6 firewall?
Trouble getting my heartbeat tunnel running
Jeroen Massar on Friday, 10 July 2009 11:35:30
ping: sendmsg: Operation not permitted
ping: sendmsg: Operation not permitted
ping: sendmsg: Operation not permitted
PING 2001:7b8:2ff:2f2::1(2001:7b8:2ff:2f2::1) 56 data bytes
I would think you have a firewall issue there. Check both IPv4 and IPv6 firewalls.
Output from: tcpdump -v -n -s 1500 -i any ip6 (during aiccu test):
You need to look at ALL traffic, and you need to do it on the interface where the IPv4 traffic of the tunnel flows over.
See the contact page "reporting problems checklist" for a good checklist of things to look at.
00:47:33.611344 IP6 (hlim 64, next-header ICMPv6 (58) payload length: 64) ::1 > ::1: [icmp6 sum ok] ICMP6, echo request, length 64, seq 1
Why are you seeing pings to localhost aka loopback traffic?
00:47:35.621365 IP6 (hlim 64, next-header ICMPv6 (58) payload length: 64) 2001:7b8:2ff:2f2::2 > 2001:7b8:2ff:2f2::2: [icmp6 sum ok] ICMP6, echo request, length 64, seq 1
That is also loopback traffic.
Are you tcpdumping on lo0?
Trouble getting my heartbeat tunnel running
Shadow Hawkins on Saturday, 11 July 2009 19:53:30
I would think you have a firewall issue there. Check both IPv4 and IPv6 firewalls.
After some more googling, this was my next guess also. I investigated this further. I use shorewall for ipv4 firewalling, and apparently, it sets all default ipv6 chains to a DROP policy. This was not reset to ACCEPT when shutting down shorewall (it does that for ipv4 iptables). After fixing this, the tunnel works as expected. Thanks for the hint :)
PS: The loopback traffic in tcpdump is generated by test 4 and 5 in 'aiccu test', and shows up because I was dumping the 'any' interface.
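Added example, not part of the thread: a check for the state that caused this failure, where the built-in ip6tables chains are left with a DROP policy and no rules, so locally generated IPv6 packets are rejected in OUTPUT and ping reports "sendmsg: Operation not permitted". The function name `blackhole_chains` and the sample rulesets are constructed for illustration; the input format is that of `ip6tables -S`.

```shell
# Added example: flag built-in ip6tables chains whose policy is DROP and
# that hold no rules at all, so every packet through them is discarded.
# Input: text in `ip6tables -S` format on stdin.
blackhole_chains() {
    awk '
        $1 == "-P" { policy[$2] = $3 }   # -P <chain> <policy>
        $1 == "-A" { rules[$2]++ }       # -A <chain> <rule...>
        END {
            n = split("INPUT FORWARD OUTPUT", chain, " ")
            for (i = 1; i <= n; i++)
                if (policy[chain[i]] == "DROP" && !rules[chain[i]])
                    out = out (out == "" ? "" : " ") chain[i]
            print out
        }'
}

# Constructed sample: the state described in the thread, with IPv6
# policies still DROP and no IPv6 rules loaded.
SAMPLE_BROKEN='-P INPUT DROP
-P FORWARD DROP
-P OUTPUT DROP'

# Constructed sample: policies reset to ACCEPT, as after the fix.
SAMPLE_FIXED='-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT'

# Constructed sample: INPUT is DROP but has rules, so only the empty
# FORWARD chain is reported.
SAMPLE_FILTERED='-P INPUT DROP
-P FORWARD DROP
-P OUTPUT ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p ipv6-icmp -j ACCEPT'

report() {
    found=$(printf '%s\n' "$1" | blackhole_chains)
    if [ -n "$found" ]; then
        echo "drops everything: $found"
    else
        echo "no empty DROP chains"
    fi
}

report "$SAMPLE_BROKEN"
report "$SAMPLE_FIXED"
report "$SAMPLE_FILTERED"
```

On a live host, run `ip6tables -S | blackhole_chains` as root; OUTPUT appearing in the result matches the symptom seen in test [6/8].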