SixXS::Sunset 2017-06-06

OpenSuSE 11.3 failing the SixXS ping test
[fi] Shadow Hawkins on Monday, 20 September 2010 08:28:42
I've run OpenSuSE /w SixXS for years. After upgrading to 11.3, SixXS ping stopped working properly. There are no problems with outgoing or incoming traffic. I can access the outside world and have verified incoming ping working from native IPv6 and other SixXS hosts. The problem is that my tunnel stats show a very poor quality connection. To prevent losing points once a week for two-day downtime, I've run:
# ping6 -i 15 noc.sixxs.net
That restores tunnel statistics to the normal level. Any ideas?
OpenSuSE 11.3 failing the SixXS ping test
[ch] Jeroen Massar SixXS Staff on Monday, 20 September 2010 08:30:28
See "FAQ: Connection Tracker..."
OpenSuSE 11.3 failing the SixXS ping test
[fi] Shadow Hawkins on Monday, 27 September 2010 09:12:39
Do you mean "My tunnel goes down after some idletime. My tunnelendpoint also is a NAT/Connection Tracker"? I'm not NATing, the server has /29 block of public IP addresses.
OpenSuSE 11.3 failing the SixXS ping test
[ch] Jeroen Massar SixXS Staff on Monday, 27 September 2010 12:43:39
You don't have to NAT to have a connection tracker, note the slash in the title of that FAQ entry. If you do some kind of firewalling, most likely connection tracking is enabled; differently put: if you didn't manually disable it, it is active.
OpenSuSE 11.3 failing the SixXS ping test
[fi] Shadow Hawkins on Monday, 27 September 2010 12:09:46
Further information about the problem. This forum thread describes my problem: proto-41 tunnel "drops" connection
I also did some TCPdumping with
# tcpdump -n -i eth0 "ip proto 41"
For a while everything was ok, but then:
12:54:37.763125 IP 62.Tun.Nel.Prov > 89.My.IP.Addr: IP6 2001:xxxx::1 > 2001:xxxx::2: ICMP6, echo request, seq 5717, length 64
12:54:46.810731 IP 62.Tun.Nel.Prov > 89.My.IP.Addr: IP6 2001:xxxx::1 > 2001:xxxx::2: ICMP6, echo request, seq 6139, length 64
12:54:56.030655 IP 62.Tun.Nel.Prov > 89.My.IP.Addr: IP6 2001:xxxx::1 > 2001:xxxx::2: ICMP6, echo request, seq 6561, length 64
My end rather surprisingly stops replying! I was monitoring the situation and did this in another window:
# ping6 noc.sixxs.net
64 bytes from noc.sixxs.net: icmp_seq=1 ttl=53 time=9347 ms
...
64 bytes from noc.sixxs.net: icmp_seq=15 ttl=54 time=1142 ms
64 bytes from noc.sixxs.net: icmp_seq=16 ttl=54 time=137 ms
...
64 bytes from noc.sixxs.net: icmp_seq=23 ttl=53 time=59.3 ms
Which resulted in success from SixXS PoP ping:
# tcpdump -n -i eth0 "ip proto 41"
12:55:33.385584 IP 62.Tun.Nel.Prov > 89.My.IP.Addr: IP6 2001:xxxx::1 > 2001:xxxx::2: ICMP6, echo request, seq 7405, length 64
12:55:33.385689 IP 89.My.IP.Addr > 62.Tun.Nel.Prov: IP6 2001:xxxx::2 > 2001:xxxx::1: ICMP6, echo reply, seq 7405, length 64
When the lock-down occurs, no IPv6-traffic will pass. Any outgoing IPv6-traffic will enable normal functionality. The problem can be reproduced with any OpenSuSE 11.3 machine. I tested this on x86 and x64 boxes.
OpenSuSE 11.3 failing the SixXS ping test
[ch] Jeroen Massar SixXS Staff on Monday, 27 September 2010 12:45:17
Yes, that is because your host is doing connection tracking and the entry for the tunnel expires at one point and your host does not pass the packets anymore from then on.
OpenSuSE 11.3 failing the SixXS ping test
[de] Shadow Hawkins on Monday, 27 September 2010 13:06:54
You probably have some rule like
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
in your firewall configuration. This does connection tracking (stateful firewall). You should add something like
iptables -A INPUT -s <your PoP IPv4 address> -p 41 -j ACCEPT
to let pass all proto-41 traffic unconditionally.
OpenSuSE 11.3 failing the SixXS ping test
[fi] Shadow Hawkins on Monday, 27 September 2010 14:02:51
Since everybody seems to insist that I do connection tracking:
# iptables -t nat -L
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination
Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination
Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
Anything else?
OpenSuSE 11.3 failing the SixXS ping test
[ch] Jeroen Massar SixXS Staff on Monday, 27 September 2010 14:13:47
Try "lsmod | grep conntrack" instead ;) It doesn't matter which rules you have, it matters that the module is loaded. Also do a "cat /proc/net/nf_conntrack" as root (uid==0) to see which entries exist.
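
Added example, not part of the original thread: a shell function that filters nf_conntrack-format input (what the cat command above prints) down to protocol-41 entries and flags those close to expiry. The function names, the 60-second threshold and the sample lines (documentation addresses) are constructed for illustration.

```shell
#!/bin/sh
# List protocol-41 (IPv6-in-IPv4) entries from nf_conntrack-format input.
# On a live host, as root:  proto41_conntrack 60 < /proc/net/nf_conntrack

proto41_conntrack() {
    warn_below="${1:-60}"    # seconds left before an entry is flagged (assumed threshold)
    awk -v warn="$warn_below" '
        # Line layout: l3name l3num l4name l4num timeout [state] tuple...
        $4 == 41 {
            src = ""; dst = ""
            # The first src=/dst= pair is the original direction of the flow.
            for (i = 6; i <= NF; i++) {
                if (src == "" && $i ~ /^src=/) src = substr($i, 5)
                if (dst == "" && $i ~ /^dst=/) dst = substr($i, 5)
            }
            state = ($5 + 0 < warn + 0) ? "EXPIRING" : "ok"
            if ($0 ~ /\[UNREPLIED\]/) state = state ",unreplied"
            printf "%s -> %s timeout=%ss %s\n", src, dst, $5, state
            found++
        }
        END {
            # No entry means the tracker no longer knows the tunnel flow, so
            # inbound proto-41 packets are not matched by an ESTABLISHED rule.
            if (!found) print "no proto-41 entry tracked"
        }
    '
}

# Constructed sample input: one unrelated TCP flow and one tunnel entry
# with 12 seconds left. 192.0.2.1 stands in for the PoP, 198.51.100.2
# for the tunnel endpoint.
sample_conntrack() {
    cat <<'EOF'
ipv4     2 tcp      6 431999 ESTABLISHED src=198.51.100.2 dst=203.0.113.9 sport=51512 dport=22 src=203.0.113.9 dst=198.51.100.2 sport=22 dport=51512 [ASSURED] mark=0 use=2
ipv4     2 unknown  41 12 src=198.51.100.2 dst=192.0.2.1 src=192.0.2.1 dst=198.51.100.2 mark=0 use=2
EOF
}

sample_conntrack | proto41_conntrack 60
```

Running it repeatedly while the tunnel is idle shows the timeout counting down; once the entry disappears, the symptom described earlier in the thread (PoP echo requests arriving with no replies) is the expected result on a host that only accepts RELATED,ESTABLISHED traffic.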
OpenSuSE 11.3 failing the SixXS ping test (Solved)
[fi] Shadow Hawkins on Monday, 27 September 2010 14:42:35
Solved! Thank you for being so persistent. My excuse here is that this is something that used to work, but got broken without me doing anything. Adding this to /etc/sysconfig/SuSEfirewall2 and restarting SuSEfirewall2_setup seems to do the trick.
FW_SERVICES_EXT_IP="ipv6"
It adds an IPtables rule -A input_ext -p ipv6 -j ACCEPT ... which seems to make things work. Exactly like you said.


Static Sunset Edition of SixXS
©2001-2017 SixXS - IPv6 Deployment & Tunnel Broker