|
Packet loss when moving from AYIYA to static
![[gb]](/s/countries/gb.gif) Shadow Hawkins on Monday, 09 January 2012 13:21:14
I'm running a tunnel on FreeBSD 7.3-RELEASE-p2 and AICCU (v.20070115).
I had been running the tunnel through AYIYA, but I then set the host up in a DMZ to I could get a static 6in4 tunnel working.
However, since I've moved made this change, the Tunnel Statistics show that there's 100% packet loss about 50% of the time, I never had any problems with packet loss while using AYIYA.
What's strange is that I haven't noticed any issues with IPv6 traffic, and when I ping6 one of the hosts inside the static tunnel (from my home network which is IPv6 native) I get very little packet loss.
How do sixxs work out the tunnel statistics? It's unlikely that it's working it out incorrectly as a 2nd static tunnel (via pfSense) is showing only 0.3% packet loss. I've run tcpdump on the interface to see how sixxs is determining the latency & loss, but could see any icmp6 echo requests being sent. Is it done via neighbour solicitations?
Thanks,
John
Packet loss when moving from AYIYA to static
the Tunnel Statistics show that there's 100% packet loss about 50% of the time,
That sounds a lot like connection tracking behavior, see the FAQ point for that.
I never had any problems with packet loss while using AYIYA.
AYIYA sends heartbeats and thus keeps the connection automatically active.
That and/or your NAT device has shorter timeouts for UDP as for unknown protocols like protocol 41.
How do sixxs work out the tunnel statistics?
See the FAQ on "My endpoint does not ping"
but could see any icmp6 echo requests being sent.
Likely your "DMZ" mode is not fully forwarding every single packet.
Packet loss when moving from AYIYA to static
Shadow Hawkins on Monday, 09 January 2012 16:00:14
I've had a look at those two FAQs. I'd thought that it was done using ICMP6 requests, but not seeing any threw me.
I decided to do the following:
1). Start a rate-limited download over IPv6 so that traffic would be going through the tunnel continuously during the test
2). Execute tcpdump -ni em0 proto 41 to capture the 6in4 traffic.
3). Execute tcpdump -ni gif0 icmp6 to capture the icmp6 traffic.
4). SSH to my home network (over IPv4) and ping the IPv6 address of gif0 (90s interval).
What I saw:
1). Every 40s, an ICMP6 neighbor solicitation was sent to the POP, every single one was replied to.
2). Every 90s, I saw the ICMP6 echo request from my home network, every single echo request was replied to.
3). This is where it gets a bit strange. After a period, I started to see ICMP6 echo requests from the POP, for every request, a reply was sent. The successful pinging goes on for about 5 minutes, then it stops. I see no incoming ping requests from the POP for about 25 minutes. Then the pinging starts again, for 5 minutes. This cycle continues.
I can discount pfctl being the issue:
1). It's configured to allow inbound ICMP6 traffic.
2). Inbound ICMP6 traffic from my home network has no loss.
3). Configuring pfctl to allow all in on gif0 makes no difference.
The obvious cause of the issue would be the DMZ mode not working. However I'm not convinced it can be the cause. What I find incredibly strange is how the POP echo requests stop and start periodically, but the other echo requests have no issues whatsoever.
Packet loss when moving from AYIYA to static
I'd thought that it was done using ICMP6 requests, but not seeing any threw me.
The reachability measurements are done only once in a while.
3). This is where it gets a bit strange [..]
Nothing strange there as that is how the system works, ever once in a while it sends a couple of pings, then keeps silent and then nothing again. Sending pings all the time would be a futile source of packets, IPv6 can be a lot more than just ICMPv6.
(Side-note: it changes slightly when the PoP gets upgraded to v4, but but for a while longer that PoP will be on v3a)
I can discount pfctl being the issue: 1). It's configured to allow inbound ICMP6 traffic.
But what about the connection tracking in pf on the IPv4 level?
2). Inbound ICMP6 traffic from my home network has no loss.
What is the source/dest for 'inbound ICMP6 traffic from my home network'?
Inbound IMHO would be for you ICMPv6 that comes from the Internet to your network.
As such would that sentence not be "Inbound ICMPv6 traffic to my home network has no loss' ?
3). Configuring pfctl to allow all in on gif0 makes no difference.
No difference to what? Your above 'I saw' notes that you see pings once in a while, which is the correct behaviour.
The obvious cause of the issue would be the DMZ mode not working.
The obvious case is that some connection state gets lost in either pf or the DMZ and that does not allow packets to come through when the connection becomes idle.
Packet loss when moving from AYIYA to static
Shadow Hawkins on Monday, 09 January 2012 18:03:29The reachability measurements are done only once in a while.
... ever once in a while it sends a couple of pings, then keeps silent and then nothing again...
Understood, this would then explain the 5 minutes of pings (with a 15s interval), and then no activity for 25 minutes. I read "20 ping's which are sent every 30 minutes" from the FAQ as the POP pinging regularly with an interval of 90s. This then completely tallies up with my tcpdump captures.
Because of that incorrect assumption, I'd been thinking that the lack of pings were what the POP was counting as packet loss, hence my confusion when seeing no packet loss in any other traffic - Mea maxima culpa.
The reason that I didn't see the same behaviour on pfSense is that it pings gateways regularly to test if they are up.
I've added the proto 41 keep state entries to pf.conf.
Thanks for your patience!
|
![[ch]](/s/countries/ch.gif)
on Monday, 09 January 2012 13:25:49
Posting is only allowed when you are