Forcing the heartbeat (Zentyal / EBox)
Shadow Hawkins on Saturday, 12 November 2011 15:52:39
I recently moved my tunnel from the original location where I'd been trying to get it to work (and instead now have native IPv6!) to my other location. This site runs a Zentyal server (Ubuntu LTS with EBox, basically) as its router and though I installed AICCU fine and could test the tunnel via the command line when SSL'd into that box, I found on the second day that the tunnel had dropped during the night.
Initially I wondered whether this was simply due to the fact that I can't actually make use of the tunnel from my internal machines yet (because we can't route through the tunnel without a subnet, despite the apparent /64 'ness of the link) but that turned out to not be the case. It just seemed that the box wouldn't respond to the test pings (or rather ping6s) being used, despite the box being on and answering on IPv4 without problems 24/7.
I've ended up creating a small CRON job to keep the 'IPv6'ness alive. Starting every ten minutes it does a ping6 on the other end of the tunnel every 15 seconds and that, it seems from the graphs, is enough to ensure that the inbound check pings are correctly responded to.
#!/bin/bash
ping6 -c 40 -i 15 pop6 > /dev/null
where pop6 is set in the local hosts file as the far tunnel end.
@AlisonW
Jeroen Massar on Sunday, 13 November 2011 14:46:50
See: FAQ: My tunnel goes down after some idletime. My tunnelendpoint also is a NAT/Connection Tracker
I would have hoped that that FAQ title would have been obvious enough ;)
Shadow Hawkins on Sunday, 13 November 2011 17:37:25
For anyone else running Zentyal / EBox, though, they would not find any entries here using a search (as indeed I did not), thus this post enables other people to find such information / solution.
Additionally that FAQ title doesn't directly apply as (a) the machine is never idle - it runs SSL, HTTP and other permanent services with outbound (albeit IPv4) in operation continuously for monitoring purposes by a second site, and (b) the issue has nothing to do with NAT.
Other than that, I'm sure it is a useful FAQ entry ;-P
@AlisonW
Jeroen Massar on Sunday, 13 November 2011 23:53:03
Those connections need to go over IPv6 and thus the tunnel for them to affect the connection tracker that tracks the "connection" for the packets concerning the tunnel. Your ping is doing exactly that btw.
The issue has to do with NAT insofar as that function requires (for it to work with a variety of protocols) the use of a connection tracker.
Also, Zentyal/EBox is just another Linux distro, thus of course those FAQs also apply.
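The connection-tracker behaviour discussed in the replies above, as an added example (not part of any post in this thread): a toy tracker in Python showing that continuous IPv4 traffic does not refresh the tunnel's entry, while a periodic ping over the tunnel does. The 60-second idle timeout, the 300-second inbound check interval and the flow names are constructed sample values, not SixXS or Zentyal settings.

```python
# Toy stateful firewall: one idle timer per tracked flow (all values constructed).
from dataclasses import dataclass, field

TUNNEL = ("tunnel", "host", "pop")        # flow key for the encapsulated IPv6 tunnel
IPV4_HTTP = ("tcp", "host", "monitor")    # unrelated IPv4 service traffic


@dataclass
class ConnTracker:
    timeout: float                         # idle seconds before an entry expires
    last_seen: dict = field(default_factory=dict)

    def _live(self, flow, now):
        seen = self.last_seen.get(flow)
        return seen is not None and now - seen <= self.timeout

    def outbound(self, flow, now):
        """Outbound packets always pass and create or refresh the entry."""
        self.last_seen[flow] = now

    def inbound(self, flow, now):
        """Inbound packets pass only if a live entry exists for that flow."""
        if self._live(flow, now):
            self.last_seen[flow] = now
            return True
        self.last_seen.pop(flow, None)     # expired: forget the flow, drop packet
        return False


def simulate(keepalive_every, timeout=60, check_every=300, duration=3600):
    """Return (passed, total) for the far end's inbound check pings.

    keepalive_every: seconds between outbound pings over the tunnel, or None.
    """
    fw = ConnTracker(timeout)
    fw.outbound(TUNNEL, 0)                 # tunnel brought up at t=0
    passed = total = 0
    for t in range(1, duration + 1):
        fw.outbound(IPV4_HTTP, t)          # box is "never idle" on IPv4
        if keepalive_every and t % keepalive_every == 0:
            fw.outbound(TUNNEL, t)         # the cron job's ping6 over the tunnel
        if t % check_every == 0:
            total += 1
            passed += fw.inbound(TUNNEL, t)
    return passed, total
```
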