Ticket ID: SIXXS #1242794 Ticket Status: User PoP: deham01 - Easynet (Hamburg)
tunnel not working after switching type from AYIYA to static
Shadow Hawkins on Thursday, 29 October 2009 18:12:46
Hi,
[ I did send an mail about this problem to info@sixxs.net on Oct 11, but did not get a reply. Therefore I assume the mail got lost somewhere. ]
On October 11 I switched the tunnel type for
T10614 from AYIYA to static. I can now only send outgoing IPv6
packages, incoming packages seem to stop at the PoP.
Additionally I do not lose credits although the tunnel is shown as enabled with 100% packet loss on the tunnel information page.
I use Debian Lenny using the 2.6.26-2-xen-amd64 kernel provided by
Debian. There is no NAT involved, only an iptables firewall (see
below).
First here is the output from running `aiccu test':
----------------------------------------------------------------------
# aiccu test
Tunnel Information for T10614:
POP Id : deham01
IPv6 Local : 2001:6f8:900:7e9::2/64
IPv6 Remote : 2001:6f8:900:7e9::1/64
Tunnel Type : 6in4-static
Adminstate : enabled
Userstate : enabled
RTNETLINK answers: File exists
RTNETLINK answers: File exists
#######
####### AICCU Quick Connectivity Test
#######
####### [1/8] Ping the IPv4 Local/Your Outer Endpoint (188.40.34.72)
### This should return so called 'echo replies'
### If it doesn't then check your firewall settings
### Your local endpoint should always be pingable
### It could also indicate problems with your IPv4 stack
PING 188.40.34.72 (188.40.34.72) 56(84) bytes of data.
64 bytes from 188.40.34.72: icmp_seq=1 ttl=64 time=0.021 ms
64 bytes from 188.40.34.72: icmp_seq=2 ttl=64 time=0.016 ms
64 bytes from 188.40.34.72: icmp_seq=3 ttl=64 time=0.016 ms
--- 188.40.34.72 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 1998ms
rtt min/avg/max/mdev = 0.016/0.017/0.021/0.005 ms
######
Did this work? [Y/n]
####### [2/8] Ping the IPv4 Remote/PoP Outer Endpoint (212.224.0.188)
### These pings should reach the PoP and come back to you
### In case there are problems along the route between your
### host and the PoP this could not return replies
### Check your firewall settings if problems occur
PING 212.224.0.188 (212.224.0.188) 56(84) bytes of data.
64 bytes from 212.224.0.188: icmp_seq=1 ttl=56 time=20.9 ms
64 bytes from 212.224.0.188: icmp_seq=2 ttl=56 time=20.7 ms
64 bytes from 212.224.0.188: icmp_seq=3 ttl=56 time=20.5 ms
--- 212.224.0.188 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2007ms
rtt min/avg/max/mdev = 20.530/20.728/20.907/0.194 ms
######
Did this work? [Y/n]
####### [3/8] Traceroute to the PoP (212.224.0.188) over IPv4
### This traceroute should reach the PoP
### In case this traceroute fails then you have no connectivity
### to the PoP and this is most probably the problem
traceroute to 212.224.0.188 (212.224.0.188), 30 hops max, 40 byte packets
1 static.65.34.40.188.clients.your-server.de (188.40.34.65) 0.692 ms 0.741 ms 0.764 ms
2 hos-tr3.juniper2.rz10.hetzner.de (213.239.227.193) 0.125 ms hos-tr4.juniper2.rz10.hetzner.de (213.239.227.225) 0.164 ms hos-tr2.juniper1.rz10.hetzner.de (213.239.227.161) 0.135 ms
3 hos-bb1.juniper1.ffm.hetzner.de (213.239.240.224) 4.766 ms 4.783 ms 4.841 ms
4 hetzner-gw.noris.net (213.239.242.254) 5.202 ms 5.533 ms 5.536 ms
5 te0-0-0-5.er10.ixfra.de.easynet.net (80.81.192.14) 5.798 ms 5.793 ms 5.782 ms
6 te0-0-0.gr10.isham.de.easynet.net (87.86.77.65) 20.539 ms 20.502 ms 20.491 ms
7 ge1-11.br2.isham.de.easynet.net (87.86.69.161) 20.482 ms 20.460 ms 20.650 ms
8 ge7-1.cr20.isham.de.easynet.net (212.224.4.89) 20.790 ms 20.922 ms 21.007 ms
9 deham01.sixxs.net (212.224.0.188) 21.819 ms 21.925 ms 20.574 ms
######
Did this work? [Y/n]
###### [4/8] Checking if we can ping IPv6 localhost (::1)
### This confirms if your IPv6 is working
### If ::1 doesn't reply then something is wrong with your IPv6 stack
PING ::1(::1) 56 data bytes
64 bytes from ::1: icmp_seq=1 ttl=64 time=0.024 ms
64 bytes from ::1: icmp_seq=2 ttl=64 time=0.030 ms
64 bytes from ::1: icmp_seq=3 ttl=64 time=0.040 ms
--- ::1 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 1998ms
rtt min/avg/max/mdev = 0.024/0.031/0.040/0.008 ms
######
Did this work? [Y/n]
###### [5/8] Ping the IPv6 Local/Your Inner Tunnel Endpoint (2001:6f8:900:7e9::2)
### This confirms that your tunnel is configured
### If it doesn't reply then check your interface and routing tables
PING 2001:6f8:900:7e9::2(2001:6f8:900:7e9::2) 56 data bytes
64 bytes from 2001:6f8:900:7e9::2: icmp_seq=1 ttl=64 time=0.030 ms
64 bytes from 2001:6f8:900:7e9::2: icmp_seq=2 ttl=64 time=0.058 ms
64 bytes from 2001:6f8:900:7e9::2: icmp_seq=3 ttl=64 time=0.039 ms
--- 2001:6f8:900:7e9::2 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 1999ms
rtt min/avg/max/mdev = 0.030/0.042/0.058/0.012 ms
######
Did this work? [Y/n]
###### [6/8] Ping the IPv6 Remote/PoP Inner Tunnel Endpoint (2001:6f8:900:7e9::1)
### This confirms the reachability of the other side of the tunnel
### If it doesn't reply then check your interface and routing tables
### Don't forget to check your firewall of course
### If the previous test was succesful then this could be both
### a firewalling and a routing/interface problem
PING 2001:6f8:900:7e9::1(2001:6f8:900:7e9::1) 56 data bytes
--- 2001:6f8:900:7e9::1 ping statistics ---
3 packets transmitted, 0 received, 100% packet loss, time 2000ms
######
Did this work? [Y/n] n
----------------------------------------------------------------------
Here is the interface information for eth0 and sixxs, and the IPv6
routing table:
----------------------------------------------------------------------
$ ip a s eth0
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN qlen 1000
link/ether 00:24:21:29:eb:18 brd ff:ff:ff:ff:ff:ff
inet 188.40.34.72/26 brd 188.40.34.127 scope global eth0
inet6 fe80::224:21ff:fe29:eb18/64 scope link
valid_lft forever preferred_lft forever
$ ip a s sixxs
35: sixxs@NONE: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1480 qdisc noqueue state UNKNOWN
link/sit 188.40.34.72 peer 212.224.0.188
inet6 2001:6f8:900:7e9::2/64 scope global
valid_lft forever preferred_lft forever
inet6 fe80::bc28:2248/128 scope link
valid_lft forever preferred_lft forever
$ ip -6 r s
2001:6f8:900:7e9::1 dev sixxs metric 1024 mtu 1480 advmss 1420 hoplimit 4294967295
2001:6f8:900:7e9::/64 via :: dev sixxs metric 256 mtu 1480 advmss 1420 hoplimit 4294967295
unreachable 2001:6f8:1025::/48 dev lo metric 1024 error -101 mtu 16436 advmss 16376 hoplimit 4294967295
[ several fe80::/64 routes for local interfaces omitted ]
default via 2001:6f8:900:7e9::1 dev sixxs metric 1024 mtu 1480 advmss 1420 hoplimit 4294967295
----------------------------------------------------------------------
As I have another tunnel, I tested connectivity from/to there as well:
Pinging the problematic tunnel endpoint from the outside:
----------------------------------------------------------------------
# ping6 2001:6f8:900:7e9::2
PING 2001:6f8:900:7e9::2(2001:6f8:900:7e9::2) 56 data bytes
From 2001:6f8:900:830::1 icmp_seq=1 Destination unreachable: Address unreachable From 2001:6f8:900:830::1 icmp_seq=2 Destination unreachable: No route
----------------------------------------------------------------------
I can see outgoing packages from the partially working tunnel as well.
Here is the output from `tcpdump -i sixxs ip6' on *another* host while
pinging from the problematic tunnel side:
----------------------------------------------------------------------
15:33:22.592756 IP6 2001:6f8:900:7e9::2 > 2001:6f8:900:830::2: ICMP6, echo request, seq 1, length 64
15:33:22.592793 IP6 2001:6f8:900:830::2 > 2001:6f8:900:7e9::2: ICMP6, echo reply, seq 1, length 64
15:33:22.885319 IP6 2001:6f8:900:830::1 > 2001:6f8:900:830::2: ICMP6, destination unreachable[|icmp6]
----------------------------------------------------------------------
2001:6f8:900:7e9::2 is the endpoint of the non-working tunnel,
2001:6f8:900:830::2 is another working (AYIYA) tunnel on another host.
I cannot see incoming protocol 41 packages on my end using tcpdump.
Only some TCP packages are dropped by the iptables rules (I added a
logging statement for testing), so this should not be an issue.
Incoming protocol 41 traffic is allowed.
As outgoing packages work fine, I believe the problem might be on side
of the PoP. It seems the packages from there are not forwarded via the
static tunnel. I also found the ticket [1] which stated that there are
sometimes problems when switching from AYIYA to protocol 41 tunnels.
[1] http://www.sixxs.net/tickets/?msg=tickets-847225
Thanks in advance for looking into this!
Regards,
Ansgar Burchardt
State change: user
Jeroen Massar on Thursday, 29 October 2009 19:41:11
The state of this ticket has been changed to user
tunnel not working after switching type from AYIYA to static
Jeroen Massar on Thursday, 29 October 2009 19:48:22 [ I did send an mail about this problem to info@sixxs.net on Oct 11, but did not get a reply. Therefore I assume the mail got lost somewhere. ]
I suggest verifying your mail logs and other such things, as we did reply.
Additionally I do not lose credits although the tunnel is shown as enabled with 100% packet loss on the tunnel information page.
New/changed tunnels always are given some time to get setup, otherwise people would not manage to set their tunnel up and then start whining about not having enough credits....
There is no NAT involved, only an iptables firewall (see below).
Which does mean you have connection tracking. See the FAQ on this.
# aiccu test
Why bother with AICCU? It does not give you any advantage and is not required for static tunnels. You can easily configure static tunnels in /etc/network/interface on Debian. See the FAQ. (the test function does give some minor useful details of course though)
$ ip a s sixxs 35: sixxs@NONE: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1480 qdisc noqueue state UNKNOWN link/sit 188.40.34.72 peer 212.224.0.188 inet6 2001:6f8:900:7e9::2/64 scope global
There it is noted that you use an MTU of 1480. The tunnel on the SixXS side though is configured to use an MTU of 1280...
Posting is only allowed when you are logged in. |