OpenSuSE 11.3 failing the SixXS ping test
Shadow Hawkins on Monday, 20 September 2010 08:28:42
I've run OpenSuSE with SixXS for years. After upgrading to 11.3 the SixXS ping stopped working properly. There are no problems with outgoing or incoming traffic. I can access the outside world and have verified that incoming ping works from native IPv6 and other SixXS hosts.
The problem is that my tunnel stats show a very poor quality connection. To avoid losing points once a week for a two-day downtime I've run:
# ping6 -i 15 noc.sixxs.net
That restores tunnel statistics to the normal level.
Any ideas?
OpenSuSE 11.3 failing the SixXS ping test
Jeroen Massar on Monday, 20 September 2010 08:30:28
See "FAQ: Connection Tracker..."
OpenSuSE 11.3 failing the SixXS ping test
Shadow Hawkins on Monday, 27 September 2010 09:12:39
Do you mean "My tunnel goes down after some idle time. My tunnel endpoint also is a NAT/Connection Tracker"?
I'm not NATing, the server has a /29 block of public IP addresses.
OpenSuSE 11.3 failing the SixXS ping test
Jeroen Massar on Monday, 27 September 2010 12:43:39
You don't have to NAT to have a connection tracker, note the slash in the title of that FAQ entry.
If you do some kind of firewalling most likely connection tracking is enabled; differently put: if you didn't manually disable it it is active.
OpenSuSE 11.3 failing the SixXS ping test
Shadow Hawkins on Monday, 27 September 2010 12:09:46
Further information about the problem.
This forum thread describes my problem: proto-41 tunnel "drops" connection
I also did some TCPdumping with
# tcpdump -n -i eth0 "ip proto 41"
For a while everything was ok, but then:
12:54:37.763125 IP 62.Tun.Nel.Prov > 89.My.IP.Addr: IP6 2001:xxxx::1 > 2001:xxxx::2: ICMP6, echo request, seq 5717, length 64
12:54:46.810731 IP 62.Tun.Nel.Prov > 89.My.IP.Addr: IP6 2001:xxxx::1 > 2001:xxxx::2: ICMP6, echo request, seq 6139, length 64
12:54:56.030655 IP 62.Tun.Nel.Prov > 89.My.IP.Addr: IP6 2001:xxxx::1 > 2001:xxxx::2: ICMP6, echo request, seq 6561, length 64
My end rather surprisingly stops replying! I was monitoring the situation and did this on another window:
# ping6 noc.sixxs.net
64 bytes from noc.sixxs.net: icmp_seq=1 ttl=53 time=9347 ms
...
64 bytes from noc.sixxs.net: icmp_seq=15 ttl=54 time=1142 ms
64 bytes from noc.sixxs.net: icmp_seq=16 ttl=54 time=137 ms
...
64 bytes from noc.sixxs.net: icmp_seq=23 ttl=53 time=59.3 ms
Which resulted in success from SixXS PoP ping:
# tcpdump -n -i eth0 "ip proto 41"
12:55:33.385584 IP 62.Tun.Nel.Prov > 89.My.IP.Addr: IP6 2001:xxxx::1 > 2001:xxxx::2: ICMP6, echo request, seq 7405, length 64
12:55:33.385689 IP 89.My.IP.Addr > 62.Tun.Nel.Prov: IP6 2001:xxxx::2 > 2001:xxxx::1: ICMP6, echo reply, seq 7405, length 64
When the lock-down occurs, no IPv6 traffic will pass. Any outgoing IPv6 traffic will enable normal functionality. The problem can be reproduced with any OpenSuSE 11.3 machine. I tested this on x86 and x64 boxes.
OpenSuSE 11.3 failing the SixXS ping test
Jeroen Massar on Monday, 27 September 2010 12:45:17
Yes, that is because your host is doing connection tracking and the entry for the tunnel expires at one point and your host does not pass the packets anymore from then on.
OpenSuSE 11.3 failing the SixXS ping test
Shadow Hawkins on Monday, 27 September 2010 13:06:54
You probably have some rule like "iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT" in your firewall configuration. This does connection tracking (stateful firewall). You should add something like "iptables -A INPUT -s <your PoP IPv4 address> -p 41 -j ACCEPT" to let all proto-41 traffic pass unconditionally.
OpenSuSE 11.3 failing the SixXS ping test
Shadow Hawkins on Monday, 27 September 2010 14:02:51
Since everybody seems to insist that I do connection tracking:
# iptables -t nat -L
Chain PREROUTING (policy ACCEPT)
target prot opt source destination
Chain POSTROUTING (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Anything else?
OpenSuSE 11.3 failing the SixXS ping test
Jeroen Massar on Monday, 27 September 2010 14:13:47
Try "lsmod | grep conntrack" instead ;)
It doesn't matter which rules you have, it matters that the module is loaded.
Also do a "cat /proc/net/nf_conntrack" as root (uid==0) to see which entries exist.
OpenSuSE 11.3 failing the SixXS ping test (Solved)
Shadow Hawkins on Monday, 27 September 2010 14:42:35
Solved!
Thank you for being so persistent. My excuse here is that this is something that used to work, but got broken without me doing anything.
Adding this to /etc/sysconfig/SuSEfirewall2 and restarting SuSEfirewall2_setup seems to do the trick.
FW_SERVICES_EXT_IP="ipv6"
It adds an iptables rule
-A input_ext -p ipv6 -j ACCEPT
... which seems to make things work. Exactly like you said.
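The thread boils down to two checks: does the INPUT chain accept proto-41 (6in4) packets from the PoP without depending on a conntrack entry, and what does the conntrack table hold for the tunnel while it still works? The script below is an added example, not code from the thread or from SixXS. It runs entirely on constructed sample data: a hypothetical PoP address from the documentation prefix (192.0.2.0/24), two hand-written iptables-save dumps (the conntrack-dependent chain beside the fixed one, using the rule suggested in the thread), and three constructed /proc/net/nf_conntrack lines. Protocols without a dedicated tracker, proto 41 included, show up in nf_conntrack as "unknown" and expire on the generic timeout (nf_conntrack_generic_timeout, 600 seconds by default), which is exactly the moment the PoP's echo requests stop matching ESTABLISHED.

```shell
#!/bin/sh
# Added example (not from the thread): check an iptables ruleset for an
# unconditional proto-41 ACCEPT from the PoP, and list the conntrack entries a
# proto-41 tunnel leaves behind. All addresses and dumps below are constructed
# sample data (hypothetical), not taken from the original posts.

POP_V4="192.0.2.1"    # hypothetical PoP IPv4 endpoint

# Constructed iptables-save output of a stateful INPUT chain that relies on
# conntrack: proto-41 is only accepted while a conntrack entry exists.
RULES_BEFORE='*filter
:INPUT DROP [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp --dport 22 -j ACCEPT
COMMIT'

# Same chain with the fix from the thread: accept proto-41 from the PoP
# unconditionally, placed before any state-dependent rule.
RULES_AFTER='*filter
:INPUT DROP [0:0]
-A INPUT -s 192.0.2.1/32 -p 41 -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp --dport 22 -j ACCEPT
COMMIT'

# Constructed /proc/net/nf_conntrack snapshot: one TCP flow, the proto-41
# tunnel (tracked by the generic tracker, hence "unknown"), one DNS query.
CONNTRACK_SAMPLE='ipv4     2 tcp      6 431999 ESTABLISHED src=203.0.113.10 dst=198.51.100.7 sport=45122 dport=443 src=198.51.100.7 dst=203.0.113.10 sport=443 dport=45122 [ASSURED] mark=0 use=1
ipv4     2 unknown  41 42 src=203.0.113.10 dst=192.0.2.1 src=192.0.2.1 dst=203.0.113.10 mark=0 use=1
ipv4     2 udp      17 29 src=203.0.113.10 dst=203.0.113.1 sport=53012 dport=53 src=203.0.113.1 dst=203.0.113.10 sport=53 dport=53012 mark=0 use=1'

# proto41_unconditional RULESET POP_IP
# Prints "ok" when INPUT has an ACCEPT for protocol 41 (iptables-save writes
# it as "41" or as its /etc/protocols name "ipv6") from POP_IP, or from any
# source, that carries no -m state / -m conntrack match; otherwise "missing".
proto41_unconditional() {
    printf '%s\n' "$1" | awk -v pop="$2" '
        /^-A INPUT / && / -j ACCEPT/ && !/-m (state|conntrack)/ {
            proto = ""; src = ""
            for (i = 1; i <= NF; i++) {
                if ($i == "-p") proto = $(i + 1)
                if ($i == "-s") { src = $(i + 1); sub(/\/32$/, "", src) }
            }
            if ((proto == "41" || proto == "ipv6") && (src == pop || src == ""))
                found = 1
        }
        END { print (found ? "ok" : "missing") }'
}

# proto41_entries CONNTRACK_TEXT
# Prints "src dst remaining_seconds" for every proto-41 entry. When the
# remaining time hits 0 the entry is evicted and a chain that only accepts
# RELATED,ESTABLISHED silently drops the PoP's next echo request.
proto41_entries() {
    printf '%s\n' "$1" | awk '$3 == "unknown" && $4 == "41" {
        src = ""; dst = ""
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^src=/ && src == "") { sub(/^src=/, "", $i); src = $i }
            else if ($i ~ /^dst=/ && dst == "") { sub(/^dst=/, "", $i); dst = $i }
        }
        print src, dst, $5 }'
}

echo "before fix: $(proto41_unconditional "$RULES_BEFORE" "$POP_V4")"
echo "after fix:  $(proto41_unconditional "$RULES_AFTER" "$POP_V4")"
echo "proto-41 conntrack entries (src dst seconds-left):"
proto41_entries "$CONNTRACK_SAMPLE"
```

On a real box, feed the functions live data instead of the samples: `proto41_unconditional "$(iptables-save)" <PoP IPv4>` and `proto41_entries "$(cat /proc/net/nf_conntrack)"` as root. Watching the seconds-left column count down while no IPv6 traffic leaves the host reproduces the failure described in the thread without waiting for the PoP statistics to degrade.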