Aiccu test 6/8 fails; no return traffic
Shadow Hawkins on Wednesday, 23 July 2008 19:45:44
Hey all, signed up a few days ago for a dynamic (heartbeat) tunnel and have been going crazy trying to get it to work on my Linux firewall/gateway system.
I've built the aiccu Linux client from source and am using the following configuration generated by the Windows GUI version.
# AICCU Configuration (Saved by AICCU 2006.07.23)
username CKR1-SIXXS
password ********
protocol tic
server tic.sixxs.net
ipv6_interface sixxs
tunnel_id T16254
automatic true
#setupscript <path>
noconfigure false
requiretls false
verbose true
daemonize false
behindnat false
makebeats true
The tunnel seems to connect but packets seem to go out and not come back. Aiccu autotest fails at step 6/8.
The following shows the output of "tcpdump -i eth1 -nnv host 209.197.5.66":
tcpdump: listening on eth1, link-type EN10MB (Ethernet), capture size 96 bytes
12:23:31.605832 IP (tos 0x0, ttl 64, id 4132, offset 0, flags [DF], proto 17, length: 113) 68.98.40.174.42769 > 209.197.5.66.3740: UDP, length 85
12:23:41.587637 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto 41, length: 124) 68.98.40.174 > 209.197.5.66: 2001:1938:81:1::2 > 2001:4860:0:2001::68: icmp6: echo request seq 0 (len 64, hlim 64)
12:23:41.619198 IP (tos 0x0, ttl 58, id 56388, offset 0, flags [none], proto 1, length: 152) 209.197.5.66 > 68.98.40.174: icmp 132: 209.197.5.66 protocol 41 port 0 unreachable
12:23:42.588361 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto 41, length: 124) 68.98.40.174 > 209.197.5.66: 2001:1938:81:1::2 > 2001:4860:0:2001::68: icmp6: echo request seq 1 (len 64, hlim 64)
12:23:42.617006 IP (tos 0x0, ttl 58, id 56389, offset 0, flags [none], proto 1, length: 152) 209.197.5.66 > 68.98.40.174: icmp 132: 209.197.5.66 protocol 41 port 0 unreachable
12:23:43.588794 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto 41, length: 124) 68.98.40.174 > 209.197.5.66: 2001:1938:81:1::2 > 2001:4860:0:2001::68: icmp6: echo request seq 2 (len 64, hlim 64)
12:23:43.616832 IP (tos 0x0, ttl 58, id 56390, offset 0, flags [none], proto 1, length: 152) 209.197.5.66 > 68.98.40.174: icmp 132: 209.197.5.66 protocol 41 port 0 unreachable
12:24:31.608662 IP (tos 0x0, ttl 64, id 64144, offset 0, flags [DF], proto 17, length: 113) 68.98.40.174.42769 > 209.197.5.66.3740: UDP, length 85
This shows one heartbeat packet leaving, three pings to ipv6.google.com, and another heartbeat packet. Whenever packets are expected back I instead get "protocol 41 port 0 unreachable" from the PoP.
Searching hasn't uncovered anything too useful, but it may be similar to the issue in Ticket 736349.
I've tried using the sixxs.net web traceroute tool, but traces to 2001:1938:81:1::1 or 2001:1938:81:1::2 fail from the NOC. When I use the usphx01 PoP (the PoP for my tunnel) it just returns nothing, not even a single hop.
Anyway, I would really appreciate any insight anyone might have into this. I just can't seem to figure out what's going on. Perhaps I've just made some stupid mistakes. (Happens too often) I've also included some extra information below in case it's useful. Please let me know if anything else is required.
Thanks in advance for any help,
Chris Krusemark
My external ipv4: 68.98.40.174
Tunnel Information:
PoP Name : usphx01 (nl.eweka [AS12989])
Your Location : Tempe, us
SixXS IPv6 : 2001:1938:81:1::1/64
Your IPv6 : 2001:1938:81:1::2/64
SixXS IPv4 : 209.197.5.66
Tunnel Type : Dynamic (heartbeat)
[root@terminal ~]# ifconfig sixxs
sixxs     Link encap:IPv6-in-IPv4
          inet6 addr: 2001:1938:81:1::2/64 Scope:Global
          inet6 addr: fe80::a08:1/64 Scope:Link
          inet6 addr: fe80::c0a8:4d01/64 Scope:Link
          inet6 addr: fe80::c0a8:701/64 Scope:Link
          inet6 addr: fe80::4462:28ae/64 Scope:Link
          UP POINTOPOINT RUNNING NOARP  MTU:1280  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:8 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:0 (0.0 b)  TX bytes:912 (912.0 b)
[root@terminal ~]# route -n --inet6
Kernel IPv6 routing table
Destination                    Next Hop           Flags  Metric  Ref  Use  Iface
::1/128                        ::                 U      0       498  2    lo
2001:1938:81:1::2/128          ::                 U      0       1    2    lo
2001:1938:81:1::/64            ::                 U      256     1    0    sixxs
fe80::a08:1/128                ::                 U      0       0    2    lo
fe80::4462:28ae/128            ::                 U      0       0    2    lo
fe80::c0a8:701/128             ::                 U      0       0    2    lo
fe80::c0a8:4d01/128            ::                 U      0       0    2    lo
fe80::210:5aff:fe08:d0ab/128   ::                 U      0       0    2    lo
fe80::250:baff:feb9:8ed0/128   ::                 U      0       0    2    lo
fe80::250:baff:fecc:2060/128   ::                 U      0       0    2    lo
fe80::/64                      ::                 U      256     0    0    eth0
fe80::/64                      ::                 U      256     0    0    eth2
fe80::/64                      ::                 U      256     0    0    eth1
fe80::/64                      ::                 U      256     0    0    sixxs
ff00::/8                       ::                 U      256     0    0    eth0
ff00::/8                       ::                 U      256     0    0    eth2
ff00::/8                       ::                 U      256     0    0    eth1
ff00::/8                       ::                 U      256     0    0    sixxs
::/0                           2001:1938:81:1::1  UG     1024    11   0    sixxs
::/0                           2001:1938:81:1::1  UG     1024    11   0    sixxs
Jeroen Massar on Wednesday, 23 July 2008 19:57:28
** Update: Or of course, the clock on the PoP which was mis-synchronized, grmbl... fixed. Do check the rest though.
Why does the version number there state 2006.07.23? That is quite old IMHO.
Looking at your routing table you have a double default route over the same interface, that can't be good.
Also, which kernel version? Some Linux kernels require 2000::/3 as a default route, especially when forwarding is enabled.
You also seem to have RFC1918 addresses on your interface, thus check that your 'local' part of the tunnel is set correctly (ip tunnel show <device>).
The proto-41 packets being rejected indicates that the PoP didn't configure your tunnel.
The first thing you should check is the clock on your computer though.
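Two of the checks from this reply, run over the data in the first post, as an added example that is not part of the thread or of AICCU. The function names are made up for illustration, and the decoding assumes the link-local addresses on the sit interface carry an IPv4 address in their low 32 bits, which fe80::4462:28ae (68.98.40.174) in the ifconfig output bears out.

```python
import ipaddress
import re
from collections import Counter

POP = "209.197.5.66"  # SixXS IPv4 endpoint listed in the post

# Three lines copied from the tcpdump capture in the first post.
CAPTURE = """\
12:23:31.605832 IP (tos 0x0, ttl 64, id 4132, offset 0, flags [DF], proto 17, length: 113) 68.98.40.174.42769 > 209.197.5.66.3740: UDP, length 85
12:23:41.587637 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto 41, length: 124) 68.98.40.174 > 209.197.5.66: 2001:1938:81:1::2 > 2001:4860:0:2001::68: icmp6: echo request seq 0 (len 64, hlim 64)
12:23:41.619198 IP (tos 0x0, ttl 58, id 56388, offset 0, flags [none], proto 1, length: 152) 209.197.5.66 > 68.98.40.174: icmp 132: 209.197.5.66 protocol 41 port 0 unreachable
"""

# Outer IPv4 protocol number, source and destination of a "tcpdump -nnv" line.
LINE = re.compile(r"proto (\d+), length: \d+\) (\S+) > (\S+?):")

def classify(capture, pop=POP):
    """Count heartbeats, tunnelled packets and PoP rejections in the capture."""
    seen = Counter()
    for line in capture.splitlines():
        m = LINE.search(line)
        if not m:
            continue
        proto, src, dst = m.groups()
        if proto == "17" and dst == f"{pop}.3740":
            seen["heartbeat"] += 1            # UDP heartbeat to the PoP
        elif proto == "41" and dst == pop:
            seen["proto41_out"] += 1          # IPv6-in-IPv4 leaving
        elif proto == "41" and src == pop:
            seen["proto41_in"] += 1           # IPv6-in-IPv4 returning
        elif proto == "1" and src == pop and "protocol 41" in line and "unreachable" in line:
            seen["pop_rejects_proto41"] += 1  # ICMP protocol unreachable
        # anything else is ignored
    return seen

def diagnose(seen):
    """Map the counters to the reading given in the reply above."""
    if seen["proto41_out"] and seen["pop_rejects_proto41"] and not seen["proto41_in"]:
        return "PoP rejects proto 41: tunnel not configured on the PoP side"
    return "no PoP rejection seen in this capture"

def embedded_ipv4(link_local):
    """IPv4 address in the low 32 bits of a sit link-local address."""
    return ipaddress.IPv4Address(int(ipaddress.IPv6Address(link_local)) & 0xFFFFFFFF)

def private_link_locals(addrs):
    """Embedded IPv4 addresses that fall in private ranges such as RFC1918."""
    return [str(embedded_ipv4(a)) for a in addrs if embedded_ipv4(a).is_private]
```
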
Shadow Hawkins on Wednesday, 23 July 2008 20:49:56
Thanks for the incredibly fast reply!
I didn't see what you had written before you updated the post, but I checked it as soon as I read your post and I could ping ipv6.google.com.
However, when I tried to check the sixxs.net traceroute I noticed that it now says the usphx01 PoP is down. After a few minutes though it was back and all is working well!
To answer the other questions (maybe it'll help someone else someday):
1. The aiccu version comment is from the older windows gui which was only used originally to generate the aiccu.conf. The actual client I'm using was built from current sources. (Make sure gnutls-devel is installed)
2. I had noticed the double default route. While it did seem odd I didn't think it would hurt anything. I would imagine the second entry would simply never be used, although routing is not my strong point. :)
3. The kernel is 2.6.11.2. Not exactly new, I know, but it certainly should work. As for the 2000::/3, I had read about this when researching the problem and tried it. It didn't seem to help at the time. I'll keep it in mind though, especially in regards to the forwarding when setting up a subnet in the future.
4. In regards to the RFC1918 addresses, I believe you are referring to a similar issue as in this Forum Post. I should have included the output before, but it had seemed to be correct. Same as below:
[root@terminal ~]# ip tunnel show sixxs
sixxs: ipv6/ip remote 209.197.5.66 local 68.98.40.174 ttl 64
5. As for clock-sync, the aiccu client wouldn't even try to start the tunnel until I had corrected the time and I didn't have it running long enough for that much clock drift.
Again, thanks so much for the prompt fix and for not replying with "RTFM" like in so many other forums.