Aiccu tunnel stops working when under traffic
Carmen Sandiego on Sunday, 12 May 2013 18:31:16
Hi there,
I think I have a little problem with my configuration. When I start the tunnel everything works fine (pinging, website loading, ...), but when I continue browsing or start downloading a file, the tunnel stops working, i.e. I have no IPv6 connection to PoP or other IPv6 sites and also the tunnel stats here on the user panel show a 100% packet loss.
Does anyone have a hint what the problem could be?
Thanks in advance,
Christian
Here is information on my setup:
-------------------------------------------------------------------
my network setup:
cable modem <---> router <---> eth0 (DMZ)
^ raspberry ipv6 router
| eth1
| ^
| |
-> switch <-
^
|
[Other computers in home network]
root@berryrouter:~# ifconfig
eth0 Link encap:Ethernet Hardware Adresse b8:27:eb:0f:4e:37
inet Adresse:10.0.1.103 Bcast:10.0.1.255 Maske:255.255.255.0
inet6-Adresse: fe80::ba27:ebff:fe0f:4e37/64 Gültigkeitsbereich:Verbindung
UP BROADCAST RUNNING MULTICAST MTU:1500 Metrik:1
RX packets:1245164 errors:0 dropped:0 overruns:0 frame:0
TX packets:1031368 errors:0 dropped:0 overruns:0 carrier:0
Kollisionen:0 Sendewarteschlangenlänge:1000
RX bytes:686941322 (655.1 MiB) TX bytes:339720454 (323.9 MiB)
eth1 Link encap:Ethernet Hardware Adresse 00:24:9b:04:5c:76
inet6-Adresse: 2001:4dd0:ff00:90c7::1/64 Gültigkeitsbereich:Global
inet6-Adresse: fe80::224:9bff:fe04:5c76/64 Gültigkeitsbereich:Verbindung
UP BROADCAST RUNNING MULTICAST MTU:1280 Metrik:1
RX packets:305324 errors:0 dropped:267 overruns:0 frame:0
TX packets:322711 errors:0 dropped:0 overruns:0 carrier:0
Kollisionen:0 Sendewarteschlangenlänge:1000
RX bytes:28446270 (27.1 MiB) TX bytes:365595282 (348.6 MiB)
lo Link encap:Lokale Schleife
inet Adresse:127.0.0.1 Maske:255.0.0.0
inet6-Adresse: ::1/128 Gültigkeitsbereich:Maschine
UP LOOPBACK RUNNING MTU:16436 Metrik:1
RX packets:52 errors:0 dropped:0 overruns:0 frame:0
TX packets:52 errors:0 dropped:0 overruns:0 carrier:0
Kollisionen:0 Sendewarteschlangenlänge:0
RX bytes:7428 (7.2 KiB) TX bytes:7428 (7.2 KiB)
sit0 Link encap:IPv6-nach-IPv4
inet6-Adresse: ::127.0.0.1/96 Gültigkeitsbereich:Unbekannt
inet6-Adresse: ::10.0.1.103/96 Gültigkeitsbereich:Kompatibilität
UP RUNNING NOARP MTU:1480 Metrik:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
Kollisionen:0 Sendewarteschlangenlänge:0
RX bytes:0 (0.0 B) TX bytes:0 (0.0 B)
sixxs Link encap:UNSPEC Hardware Adresse 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
inet6-Adresse: 2001:4dd0:ff00:10c7::2/64 Gültigkeitsbereich:Global
inet6-Adresse: fe80::4cd0:ff00:10c7:2/64 Gültigkeitsbereich:Verbindung
UP PUNKTZUPUNKT RUNNING NOARP MULTICAST MTU:1280 Metrik:1
RX packets:9 errors:0 dropped:0 overruns:0 frame:0
TX packets:9 errors:0 dropped:0 overruns:0 carrier:0
Kollisionen:0 Sendewarteschlangenlänge:500
RX bytes:3660 (3.5 KiB) TX bytes:3600 (3.5 KiB)
-------------------------------------------------------------------
root@berryrouter:~# ip -6 route list
::/96 via :: dev sit0 metric 256
2001:4dd0:ff00:10c7::/64 dev sixxs proto kernel metric 256
2001:4dd0:ff00:90c7::/64 dev eth1 proto kernel metric 256
fe80::/64 dev eth0 proto kernel metric 256
fe80::/64 dev eth1 proto kernel metric 256
fe80::/64 dev sixxs proto kernel metric 256
default via 2001:4dd0:ff00:10c7::1 dev sixxs metric 1024
-------------------------------------------------------------------
root@berryrouter:~# ip6tables -L
Chain INPUT (policy DROP)
target prot opt source destination
ACCEPT ipv6-icmp anywhere anywhere
ACCEPT all anywhere anywhere
ACCEPT all anywhere anywhere
DROP all anywhere anywhere rt type:0 segsleft:0
ACCEPT all fe80::/10 anywhere
ACCEPT all ip6-mcastprefix/8 anywhere
Chain FORWARD (policy DROP)
target prot opt source destination
ACCEPT ipv6-icmp anywhere anywhere
DROP all anywhere anywhere rt type:0 segsleft:0
ACCEPT all 2001:4dd0:ff00:90c7::/64 anywhere state NEW
ACCEPT all anywhere anywhere state RELATED,ESTABLISHED
ACCEPT tcp anywhere 2001:4dd0:ff00:90c7::1/128 tcp dpt:ssh
ACCEPT tcp anywhere 2001:4dd0:ff00:90c7:21f:d0ff:fe9f:1342/128 tcp dpt:http
Chain OUTPUT (policy DROP)
target prot opt source destination
ACCEPT ipv6-icmp anywhere anywhere
ACCEPT all anywhere anywhere
ACCEPT all anywhere anywhere
ACCEPT all anywhere anywhere
DROP all anywhere anywhere rt type:0 segsleft:0
ACCEPT all fe80::/10 anywhere
ACCEPT all ip6-mcastprefix/8 anywhere
-------------------------------------------------------------------
root@berryrouter:~# aiccu test
Tunnel Information for T111026:
POP Id : decgn01
IPv6 Local : 2001:4dd0:ff00:10c7::2/64
IPv6 Remote : 2001:4dd0:ff00:10c7::1/64
Tunnel Type : ayiya
Adminstate : enabled
Userstate : enabled
#######
####### AICCU Quick Connectivity Test
#######
####### [1/8] Ping the IPv4 Local/Your Outer Endpoint (10.0.1.103)
### This should return so called 'echo replies'
### If it doesn't then check your firewall settings
### Your local endpoint should always be pingable
### It could also indicate problems with your IPv4 stack
PING 10.0.1.103 (10.0.1.103) 56(84) bytes of data.
64 bytes from 10.0.1.103: icmp_req=1 ttl=64 time=0.214 ms
64 bytes from 10.0.1.103: icmp_req=2 ttl=64 time=0.153 ms
64 bytes from 10.0.1.103: icmp_req=3 ttl=64 time=0.170 ms
--- 10.0.1.103 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2000ms
rtt min/avg/max/mdev = 0.153/0.179/0.214/0.025 ms
######
Did this work? [Y/n] y
####### [2/8] Ping the IPv4 Remote/PoP Outer Endpoint (78.35.24.124)
### These pings should reach the PoP and come back to you
### In case there are problems along the route between your
### host and the PoP this could not return replies
### Check your firewall settings if problems occur
PING 78.35.24.124 (78.35.24.124) 56(84) bytes of data.
64 bytes from 78.35.24.124: icmp_req=1 ttl=53 time=25.2 ms
64 bytes from 78.35.24.124: icmp_req=2 ttl=53 time=25.7 ms
64 bytes from 78.35.24.124: icmp_req=3 ttl=53 time=25.0 ms
--- 78.35.24.124 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2002ms
rtt min/avg/max/mdev = 25.095/25.368/25.776/0.321 ms
######
Did this work? [Y/n] y
####### [3/8] Traceroute to the PoP (78.35.24.124) over IPv4
### This traceroute should reach the PoP
### In case this traceroute fails then you have no connectivity
### to the PoP and this is most probably the problem
traceroute to 78.35.24.124 (78.35.24.124), 30 hops max, 60 byte packets
1 10.0.1.1 (10.0.1.1) 1.061 ms 0.541 ms 0.478 ms
2 * * *
3 88-134-220-166-dynip.superkabel.de (88.134.220.166) 11.783 ms 11.550 ms 11.409 ms
4 88-134-193-223-dynip.superkabel.de (88.134.193.223) 11.151 ms 11.190 ms 11.289 ms
5 88-134-193-220-dynip.superkabel.de (88.134.193.220) 15.631 ms 15.414 ms 15.781 ms
6 88-134-196-190-dynip.superkabel.de (88.134.196.190) 15.521 ms 13.286 ms 13.073 ms
7 88-134-238-221-dynip.superkabel.de (88.134.238.221) 25.812 ms 83-169-128-250.static.superkabel.de (83.169.128.250 ) 26.147 ms 88-134-238-221-dynip.superkabel.de (88.134.238.221) 24.795 ms
8 88-134-203-138-dynip.superkabel.de (88.134.203.138) 25.598 ms 25.404 ms 25.271 ms
9 rtdecix2-g00.netcologne.de (80.81.193.212) 99.111 ms 98.981 ms 98.730 ms
10 core-pg1-t41.netcologne.de (89.1.16.9) 27.962 ms 27.712 ms 25.027 ms
11 core-eup2-t41.netcologne.de (87.79.16.205) 33.211 ms 24.689 ms 26.025 ms
12 sixxs-pop1.netcologne.net (78.35.24.124) 25.968 ms 25.768 ms 27.251 ms
######
Did this work? [Y/n] y
###### [4/8] Checking if we can ping IPv6 localhost (::1)
### This confirms if your IPv6 is working
### If ::1 doesn't reply then something is wrong with your IPv6 stack
PING ::1(::1) 56 data bytes
64 bytes from ::1: icmp_seq=1 ttl=64 time=0.258 ms
64 bytes from ::1: icmp_seq=2 ttl=64 time=0.238 ms
64 bytes from ::1: icmp_seq=3 ttl=64 time=0.239 ms
--- ::1 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2003ms
rtt min/avg/max/mdev = 0.238/0.245/0.258/0.009 ms
######
Did this work? [Y/n] y
###### [5/8] Ping the IPv6 Local/Your Inner Tunnel Endpoint (2001:4dd0:ff00:10c7::2)
### This confirms that your tunnel is configured
### If it doesn't reply then check your interface and routing tables
PING 2001:4dd0:ff00:10c7::2(2001:4dd0:ff00:10c7::2) 56 data bytes
64 bytes from 2001:4dd0:ff00:10c7::2: icmp_seq=1 ttl=64 time=0.273 ms
64 bytes from 2001:4dd0:ff00:10c7::2: icmp_seq=2 ttl=64 time=0.262 ms
64 bytes from 2001:4dd0:ff00:10c7::2: icmp_seq=3 ttl=64 time=0.313 ms
--- 2001:4dd0:ff00:10c7::2 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2003ms
rtt min/avg/max/mdev = 0.262/0.282/0.313/0.029 ms
######
Did this work? [Y/n] y
###### [6/8] Ping the IPv6 Remote/PoP Inner Tunnel Endpoint (2001:4dd0:ff00:10c7::1)
### This confirms the reachability of the other side of the tunnel
### If it doesn't reply then check your interface and routing tables
### Don't forget to check your firewall of course
### If the previous test was successful then this could be both
### a firewalling and a routing/interface problem
PING 2001:4dd0:ff00:10c7::1(2001:4dd0:ff00:10c7::1) 56 data bytes
64 bytes from 2001:4dd0:ff00:10c7::1: icmp_seq=1 ttl=64 time=28.2 ms
64 bytes from 2001:4dd0:ff00:10c7::1: icmp_seq=2 ttl=64 time=26.9 ms
64 bytes from 2001:4dd0:ff00:10c7::1: icmp_seq=3 ttl=64 time=28.0 ms
--- 2001:4dd0:ff00:10c7::1 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2002ms
rtt min/avg/max/mdev = 26.935/27.745/28.252/0.578 ms
######
Did this work? [Y/n] y
###### [7/8] Traceroute6 to the central SixXS machine (noc.sixxs.net)
### This confirms that you can reach the central machine of SixXS
### If that one is reachable you should be able to reach most IPv6 destinations
### Also check http://www.sixxs.net/ipv6calc/ which should show an IPv6 connection
### If your browser supports IPv6 and uses it of course.
traceroute to noc.sixxs.net (2001:838:1:1:210:dcff:fe20:7c7c), 30 hops max, 80 byte packets
1 gw-4296.cgn-01.de.sixxs.net (2001:4dd0:ff00:10c7::1) 27.840 ms 27.161 ms 27.986 ms
2 2001:4dd0:1234:3::42 (2001:4dd0:1234:3::42) 27.778 ms 28.146 ms 29.481 ms
3 core-eup2-ge1-22.netcologne.de (2001:4dd0:1234:3:dc40::a) 29.637 ms 29.174 ms 28.683 ms
4 rtamsix-te4-2.netcologne.de (2001:4dd0:a2b:6d:30::b) 31.329 ms 31.756 ms 31.319 ms
5 ams-ix.ipv6.concepts.nl (2001:7f8:1::a501:2871:1) 31.111 ms 33.065 ms 32.593 ms
6 2001:838:5:a::2 (2001:838:5:a::2) 33.361 ms 33.063 ms 33.093 ms
7 noc.sixxs.net (2001:838:1:1:210:dcff:fe20:7c7c) 32.471 ms 33.833 ms 32.823 ms
######
Did this work? [Y/n] y
###### [8/8] Traceroute6 to (www.kame.net)
### This confirms that you can reach a Japanese IPv6 destination
### If that one is reachable you should be able to reach most IPv6 destinations
### You should also check http://www.kame.net which should display
### a animated kame (turtle), of course only when your browser supports and uses IPv6
traceroute to www.kame.net (2001:200:dff:fff1:216:3eff:feb1:44d7), 30 hops max, 80 byte packets
1 gw-4296.cgn-01.de.sixxs.net (2001:4dd0:ff00:10c7::1) 27.055 ms 28.745 ms 28.282 ms
2 2001:4dd0:1234:3::42 (2001:4dd0:1234:3::42) 27.785 ms 29.922 ms 29.478 ms
3 core-eup2-ge1-22.netcologne.de (2001:4dd0:1234:3:dc40::a) 28.994 ms 28.711 ms 28.222 ms
4 rtint5-te2-1.netcologne.de (2001:4dd0:a2b:2f:dc40::b) 27.738 ms 27.246 ms 29.702 ms
5 kol-b2-link.telia.net (2001:2000:3080:d2::1) 29.130 ms * *
6 ffm-b12-v6.telia.net (2001:2000:3018:4a::1) 41.235 ms 32.982 ms 31.386 ms
7 ntt-ic-155239-ffm-b12.c.telia.net (2001:2000:3080:58e::2) 32.552 ms 32.130 ms 33.458 ms
8 ae-2.r20.frnkge04.de.bb.gin.ntt.net (2001:728:0:2000::65) 33.555 ms 33.111 ms 32.636 ms
9 ae-1.r23.amstnl02.nl.bb.gin.ntt.net (2001:728:0:2000::6e) 40.884 ms 46.447 ms 45.068 ms
10 ae-0.r22.amstnl02.nl.bb.gin.ntt.net (2001:418:0:2000::1c5) 40.332 ms 39.859 ms 41.149 ms
11 as-0.r25.tokyjp01.jp.bb.gin.ntt.net (2001:418:0:2000::16) 306.906 ms 293.141 ms 293.321 ms
12 po-2.a15.tokyjp01.jp.ra.gin.ntt.net (2001:218:0:6000::116) 309.455 ms 299.998 ms 294.964 ms
13 ge-8-2.a15.tokyjp01.jp.ce.gin.ntt.net (2001:218:2000:5000::82) 297.104 ms 305.525 ms 290.242 ms
14 ve44.foundry6.otemachi.wide.ad.jp (2001:200:0:10::141) 296.769 ms 302.367 ms 310.172 ms
15 2001:200:0:180a:a6ba:dbff:fe1d:19f4 (2001:200:0:180a:a6ba:dbff:fe1d:19f4) 298.196 ms 301.448 ms 294.630 ms
16 2001:200:dff:fff1:216:3eff:feb1:44d7 (2001:200:dff:fff1:216:3eff:feb1:44d7) 305.684 ms 309.465 ms 305.243 ms
######
Did this work? [Y/n] y
###### ACCU Quick Connectivity Test (done)
### Either the above all works and gives no problems
### or it shows you where what goes wrong
### Check the SixXS FAQ (http://www.sixxs.net/faq/
### for more information and possible solutions or hints
### Don't forget to check the Forums (http://www.sixxs.net/forum/)
### for a helping hand.
### Passing the output of 'aiccu autotest >aiccu.log' is a good idea.
*** press a key to continue ***
Aiccu tunnel stops working when under traffic
Jeroen Massar on Monday, 13 May 2013 13:29:50
root@berryrouter:~# ip6tables -L
Try ip6tables -v --list -n --line-numbers; that will show you a lot more detail and also, importantly, the counters for each rule, which might enlighten you that some packets are being dropped or not.
Do note that you also need to look at the IPv4 firewall and also the configuration as you are tunneling over IPv4.
DROP all anywhere anywhere rt type:0 segsleft:0
Why do you have that rule for instance?
ACCEPT all 2001:4dd0:ff00:90c7::/64 anywhere state NEW
ACCEPT all anywhere anywhere state RELATED,ESTABLISHED
Seems you are attempting connection tracking; what kernel and distribution and versions of utilities are you using?
Also note that you did not specify an interface, thus you are lucky that the PoP does source address spoofing filtering for you, otherwise anybody could just create a NEW state from the above address range...
You might want to check at the IPv4 level if packets are being sent and if that fails or not.
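An added example, not part of either post: an awk filter for the verbose listing suggested in the reply, reporting non-zero DROP counters and ACCEPT rules that match state NEW on any inbound interface. The sample listing and its counters are constructed, and rule 5 (bound to eth1 and sixxs, the interface names from the first post) is a hypothetical hardened variant of rule 3.

```shell
#!/bin/sh
# Constructed sample in the layout printed by
# `ip6tables -v --list -n --line-numbers`; counters are invented.
# Rules 1-4 mirror the posted FORWARD chain, rule 5 is a hypothetical
# interface-bound variant of rule 3 (eth1 = LAN, sixxs = tunnel).
sample_listing() {
cat <<'EOF'
Chain FORWARD (policy DROP 42 packets, 3360 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1      310 29760 ACCEPT     icmpv6    *      *       ::/0                 ::/0
2        0     0 DROP       all      *      *       ::/0                 ::/0                 rt type:0 segsleft:0
3      125 10000 ACCEPT     all      *      *       2001:4dd0:ff00:90c7::/64  ::/0                 state NEW
4     9001 7200800 ACCEPT     all      *      *       ::/0                 ::/0                 state RELATED,ESTABLISHED
5        0     0 ACCEPT     all      eth1   sixxs   2001:4dd0:ff00:90c7::/64  ::/0                 state NEW
EOF
}

# Reads a verbose listing on stdin and prints one finding per line:
#   POLICY-DROP  chain policy has dropped packets
#   RULE-DROP    an explicit DROP rule has a non-zero packet counter
#   NEW-ANY-IF   ACCEPT rule matches state NEW on any inbound interface
audit_ip6tables() {
  awk '
    $1 == "Chain" {
      chain = $2
      if ($3 == "(policy" && $4 == "DROP" && $5 + 0 > 0)
        printf "POLICY-DROP %s pkts=%s\n", chain, $5
      next
    }
    $1 !~ /^[0-9]+$/ { next }   # column header and blank lines
    {
      # Assumption: ip6tables may leave "opt" blank, iptables prints "--"
      i = ($6 ~ /^-/) ? 7 : 6
      if ($4 == "DROP" && $2 + 0 > 0)
        printf "RULE-DROP %s #%s pkts=%s\n", chain, $1, $2
      if ($4 == "ACCEPT" && $i == "*" && $0 ~ /state NEW/)
        printf "NEW-ANY-IF %s #%s src=%s\n", chain, $1, $(i + 2)
    }'
}

# On the router: ip6tables -v --list -n --line-numbers | audit_ip6tables
sample_listing | audit_ip6tables
```

Rule 3 is flagged while rule 5 is not, which is the difference the reply points at: only the interface-bound rule ties the LAN source prefix to the LAN-side interface.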