Tunnel keeps dropping (Ubuntu, subnet)
Shadow Hawkins on Tuesday, 06 January 2009 04:16:55
See http://www.sixxs.net/forum/?msg=setup-884867
I've tried the de-NAT instructions and it seemed to work for a bit. However, several times in the last day my tunnel has gone down. Restarting AICCU doesn't fix it, but 'aiccu test' seems to fix it right away.
Any guesses?
Shadow Hawkins on Monday, 25 January 2010 19:44:25
Hey, it's been a year since I posted this. In case anyone happens upon this, the problem was that my physical interface (eth0) was not assigned an IP address.
Jeroen Massar on Tuesday, 06 January 2009 11:46:26
Yes, I guess it is broken!
That is the only thing to say about this. You will have to provide a lot more details if you actually want a proper answer.
Restarting aiccu should not be something that you would have to do.
'aiccu test' does nothing different (except exiting at the end) from the normal aiccu.
Unfortunately you are not providing any details at all thus there is nothing to be said about this 'problem'. I guess though if you claim 'it works' and 'it goes down' (what do you mean with "down" actually? Does the interface disappear, is the ifconfig 'up' flag gone? etc etc?) that you most likely want to start wiresharking things and doing packet logs and checking there what goes wrong.
Shadow Hawkins on Tuesday, 06 January 2009 21:55:43
Fair enough.
I changed to heartbeat (not behind NAT, this is my NAT box) and it didn't change anything. Firewall is set to ignore IPv6 (proto-41) traffic with NOTRACK.
It works for a bit, I don't really know what I do that fixes it. After a certain amount of time (possibly related to idle time; I haven't ever 'seen' it go down) it drops. By that I mean the interface exists, has an address, IPv4 works, but ping6 <anything> works on neither the server/router nor the client(s).
aiccu test shows the problem is in me pinging the tunnel 'other side' (for lack of another word); I can ping my own IPv6 addr fine.
Interface stays up through the whole thing. Packets and bytes received stay at 0, sent increases normally.
I'll start learning how to use tcpdump and try and find out more, but does it sound like a PoP problem? *crosses fingers*
I will say that when the tunnel is up (ping6 works) everything else (routing, etc) works perfectly. And I'm unable to consistently fix it, contrary to my 'test' comment before.
Shadow Hawkins on Wednesday, 07 January 2009 04:59:31
It appears to be a routing issue.
root@erver:~# route -6
Kernel IPv6 routing table
Destination Next Hop Flag Met Ref Use If
2001:4978:1da::/64 :: U 256 0 0 eth0
fe80::/64 :: U 256 0 0 eth0
fe80::/64 :: U 256 0 0 eth1
::/0 :: !n -1 1130423 lo
::1/128 :: Un 0 1 12020 lo
2001:4978:1da::/128 :: Un 0 1 0 lo
2001:4978:1da::1/128 :: Un 0 1 10 lo
fe80::/128 :: Un 0 1 0 lo
fe80::/128 :: Un 0 1 0 lo
fe80::202:b3ff:fe46:6032/128 :: Un 0 1 0 lo
fe80::209:5bff:fe1a:629d/128 :: Un 0 1 9917 lo
ff00::/8 :: U 256 0 0 eth0
ff00::/8 :: U 256 0 0 eth1
::/0 :: !n -1 1130423 lo
I'd expect some of these to point to sixxs.
... OK I restarted aiccu again and got some sixxs entries. It still doesn't work.
root@meadserver:~# route -6
Kernel IPv6 routing table
Destination Next Hop Flag Met Ref Use If
2001:4978:f:20a::/64 :: Un 256 0 1 sixxs
2001:4978:1da::/64 :: U 256 0 0 eth0
fe80::/64 :: U 256 0 0 eth0
fe80::/64 :: U 256 0 0 eth1
fe80::/64 :: Un 256 0 0 sixxs
::/0 2001:4978:f:20a::1 UG 1024 0 1 sixxs
::/0 :: !n -1 1130460 lo
::1/128 :: Un 0 1 12020 lo
2001:4978:f:20a::/128 :: Un 0 1 0 lo
2001:4978:f:20a::2/128 :: Un 0 1 0 lo
2001:4978:1da::/128 :: Un 0 1 0 lo
2001:4978:1da::1/128 :: Un 0 1 10 lo
fe80::/128 :: Un 0 1 0 lo
fe80::/128 :: Un 0 1 0 lo
fe80::/128 :: Un 0 1 0 lo
fe80::4365:1ad5/128 :: Un 0 1 0 lo
fe80::c0a8:101/128 :: Un 0 1 0 lo
fe80::202:b3ff:fe46:6032/128 :: Un 0 1 0 lo
fe80::209:5bff:fe1a:629d/128 :: Un 0 1 9921 lo
ff00::/8 :: U 256 0 0 eth0
ff00::/8 :: U 256 0 0 eth1
ff00::/8 :: U 256 0 0 sixxs
::/0 :: !n -1 1130460 lo
I'm completely at a loss. Routing really isn't my thing, and although I have a vague idea that this routing table is better than the last one, it's still broken.
Aiccu test fails on step 6 - ping IPv6 remote tunnel endpoint.
I'm out of ideas...
Jeroen Massar on Wednesday, 07 January 2009 08:40:44
Please use "ip -6 ro sho". Also provide firewalling tables ("ip6tables -v --list -n --line-numbers" and "iptables -v --list -n --line-numbers"), interface tables ("ip -6 addr sho", "ip link sho", "ip tunnel sho") and of course the output of a verbose=true daemonize=false AICCU.
Also, which kernel do you have? In some cases one needs to add a 2000::/3 route for forwarding to work. Though as you are indicating that you can't even reach the remote tunnel endpoint that probably is a step that is not needed yet.
You also mention being behind a NAT (but exactly where that NAT is or what device performs that NAT is unclear as you don't provide those details).
As you are using a heartbeat tunnel, are you sure that your NAT device understands forwarding proto-41 (otherwise using AYIYA is the way to circumvent that issue)? Next to that, is your computer's clock properly NTP synced and set to the proper timezone? (although AICCU checks that at start, it doesn't do that during the running of the tool, thus if your clock drifts off, your connectivity dies off too; install a proper NTP daemon to resolve that, AICCU is not a time-keeping tool).
I'm out of ideas...
From the big yellow box "include a sufficient description as mentioned in the Reporting Problems section of the contact page"; without that nobody can help as nobody but you can look at your computer.
Shadow Hawkins on Wednesday, 07 January 2009 22:49:02
root@server:~# ip -6 ro sho
2001:4978:f:20a::/64 via :: dev sixxs proto kernel metric 256 mtu 1280 advmss 1220 hoplimit 4294967295
2001:4978:1da::/64 dev eth0 proto kernel metric 256 mtu 1500 advmss 1440 hoplimit 4294967295
fe80::/64 dev eth0 proto kernel metric 256 mtu 1500 advmss 1440 hoplimit 4294967295
fe80::/64 dev eth1 proto kernel metric 256 mtu 1500 advmss 1440 hoplimit 4294967295
fe80::/64 via :: dev sixxs proto kernel metric 256 mtu 1280 advmss 1220 hoplimit 4294967295
default via 2001:4978:f:20a::1 dev sixxs metric 1024 mtu 1280 advmss 1220 hoplimit 4294967295
root@server:~# ip6tables -v --list -n --line-numbers
Chain INPUT (policy ACCEPT 894 packets, 64800 bytes)
num pkts bytes target prot opt in out source destination
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
num pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 1809 packets, 385K bytes)
num pkts bytes target prot opt in out source destination
root@server:~# iptables -v --list -n --line-numbers
Chain INPUT (policy ACCEPT 13M packets, 7090M bytes)
num pkts bytes target prot opt in out source destination
Chain FORWARD (policy ACCEPT 64M packets, 26G bytes)
num pkts bytes target prot opt in out source destination
1 194K 128M ACCEPT udp -- * * 0.0.0.0/0 192.168.1.100 udp dpt:47242
2 0 0 ACCEPT udp -- * * 0.0.0.0/0 192.168.1.100 udp dpt:22983
Chain OUTPUT (policy ACCEPT 14M packets, 9042M bytes)
num pkts bytes target prot opt in out source destination
root@server:~# ip -6 addr sho
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 16436
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qlen 1000
inet6 2001:4978:1da::1/64 scope global
valid_lft forever preferred_lft forever
inet6 fe80::209:5bff:fe1a:629d/64 scope link
valid_lft forever preferred_lft forever
3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qlen 1000
inet6 fe80::202:b3ff:fe46:6032/64 scope link
valid_lft forever preferred_lft forever
89: sixxs@NONE: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1280
inet6 2001:4978:f:20a::2/64 scope global
valid_lft forever preferred_lft forever
inet6 fe80::4365:9836/64 scope link
valid_lft forever preferred_lft forever
inet6 fe80::c0a8:101/64 scope link
valid_lft forever preferred_lft forever
root@server:~# ip link sho
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 16436 qdisc noqueue state UNKNOWN
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
link/ether 00:09:5b:1a:62:9d brd ff:ff:ff:ff:ff:ff
3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
link/ether 00:02:b3:46:60:32 brd ff:ff:ff:ff:ff:ff
5: sit0: <NOARP> mtu 1480 qdisc noop state DOWN
link/sit 0.0.0.0 brd 0.0.0.0
88: ppp0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1492 qdisc pfifo_fast state UNKNOWN qlen 3
link/ppp
89: sixxs@NONE: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1280 qdisc noqueue state UNKNOWN
link/sit 67.101.152.54 peer 216.14.98.22
root@server:~# ip tunnel sho
sit0: ipv6/ip remote any local any ttl 64 nopmtudisc
sixxs: ipv6/ip remote 216.14.98.22 local 67.101.152.54 ttl 64
root@server:~# aiccu start aiccu.conf
sock_getline() : "200 SixXS TIC Service on noc.sixxs.net ready (http://www.sixxs.net)"
sock_printf() : "client TIC/draft-00 AICCU/2007.01.15-console-linux Linux/2.6.27-9-server"
sock_getline() : "200 Client Identity accepted"
sock_printf() : "get unixtime"
sock_getline() : "200 1231364593"
sock_printf() : "starttls"
sock_getline() : "400 This service is not SSL enabled (yet)"
TIC Server does not support TLS but TLS is not required, continuing
sock_printf() : "username <username>"
sock_getline() : "200 Choose your authentication challenge please"
sock_printf() : "challenge md5"
sock_getline() : "200 <redacted>"
sock_printf() : "authenticate md5 <redacted>"
sock_getline() : "200 Succesfully logged in using md5 as RMT2-SIXXS (Robert Mead) from 2001:960:800::2"
sock_printf() : "tunnel show T18337"
sock_getline() : "201 Showing tunnel information for T18337"
sock_getline() : "TunnelId: T18337"
sock_getline() : "Type: 6in4-heartbeat"
sock_getline() : "IPv6 Endpoint: 2001:4978:f:20a::2"
sock_getline() : "IPv6 POP: 2001:4978:f:20a::1"
sock_getline() : "IPv6 PrefixLength: 64"
sock_getline() : "Tunnel MTU: 1280"
sock_getline() : "Tunnel Name: My First Tunnel"
sock_getline() : "POP Id: uschi02"
sock_getline() : "IPv4 Endpoint: heartbeat"
sock_getline() : "IPv4 POP: 216.14.98.22"
sock_getline() : "UserState: enabled"
sock_getline() : "AdminState: enabled"
sock_getline() : "Password: <redacted md5>"
sock_getline() : "Heartbeat_Interval: 60"
sock_getline() : "202 Done"
Succesfully retrieved tunnel information for T18337
sock_printf() : "QUIT Every Time We Live Together"
Tunnel Information for T18337:
POP Id : uschi02
IPv6 Local : 2001:4978:f:20a::2/64
IPv6 Remote : 2001:4978:f:20a::1/64
Tunnel Type : 6in4-heartbeat
Adminstate : enabled
Userstate : enabled
heartbeat_socket() - IPv4 : 67.101.152.54
[HB] HEARTBEAT TUNNEL 2001:4978:f:20a::2 sender 1231364605 68597e0eba49d14d53fc887de79d5e8a
[HB] HEARTBEAT TUNNEL 2001:4978:f:20a::2 sender 1231364605 68597e0eba49d14d53fc887de79d5e8a
There have been several more [HB] lines between then and now
The 'server' box runs NAT, and has the appropriate NOTRACK rules from the FAQ. The same box is also an NTP server/client and on time. The kernel is maybe a month old, probably less (2.6.27-9).
Sorry for causing any undue annoyance, and I appreciate your efforts.
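The clock-drift point raised earlier in the thread can be checked against verbose AICCU output like the log in the last post. The following is an added example, not part of the thread or of AICCU: it compares the TIC server's "get unixtime" reply with the first heartbeat timestamp and flags gaps between heartbeats that exceed Heartbeat_Interval. The function name, the max_skew and slack tolerances, and the sample log are assumptions made for illustration.

```python
import re

# Constructed sample in the format of the verbose AICCU output posted above
# (timestamps after the first heartbeat and the digests are made up).
SAMPLE_LOG = """\
sock_printf() : "get unixtime"
sock_getline() : "200 1231364593"
sock_getline() : "Heartbeat_Interval: 60"
[HB] HEARTBEAT TUNNEL 2001:4978:f:20a::2 sender 1231364605 00000000000000000000000000000000
[HB] HEARTBEAT TUNNEL 2001:4978:f:20a::2 sender 1231364665 00000000000000000000000000000000
[HB] HEARTBEAT TUNNEL 2001:4978:f:20a::2 sender 1231364905 00000000000000000000000000000000
"""

REPLY = re.compile(r'sock_getline\(\) : "200 (\d+)"')
INTERVAL = re.compile(r'"Heartbeat_Interval: (\d+)"')
HEARTBEAT = re.compile(r'^\[HB\] HEARTBEAT TUNNEL (\S+) sender (\d+) \S+$')

def analyse(log, max_skew=120, slack=5):
    """Return the startup clock offset and any late heartbeats found in the log.

    max_skew and slack are assumed tolerances, not values taken from the thread.
    """
    server_time = interval = None
    beats = []
    awaiting_time = False
    for line in log.splitlines():
        line = line.strip()
        if 'sock_printf() : "get unixtime"' in line:
            awaiting_time = True      # the next numeric 200 reply is the TIC clock
        elif awaiting_time and (m := REPLY.search(line)):
            server_time, awaiting_time = int(m.group(1)), False
        elif m := INTERVAL.search(line):
            interval = int(m.group(1))
        elif m := HEARTBEAT.match(line):
            beats.append(int(m.group(2)))
    if server_time is None or interval is None or not beats:
        raise ValueError("log lacks TIC time, heartbeat interval or heartbeats")
    # Local clock minus TIC clock; includes the seconds spent on the TIC exchange.
    offset = beats[0] - server_time
    gaps = [b - a for a, b in zip(beats, beats[1:])]
    late = [(a, g) for a, g in zip(beats, gaps) if g > interval + slack]
    return {"offset": offset, "clock_ok": abs(offset) <= max_skew,
            "interval": interval, "late": late}

if __name__ == "__main__":
    print(analyse(SAMPLE_LOG))
```

The heartbeat timestamps come from the local clock, so drift that develops after startup only shows up when the offset is measured again against an external reference such as NTP.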