SixXS::Sunset 2017-06-06

Ticket ID: SIXXS #866880
Ticket Status: User

PoP: nlams05 - SURFnet (Amsterdam)

Can't get endpoint pingable (pop reports downtime)
[nl] Shadow Hawkins on Sunday, 30 November 2008 15:58:51
Hi, I've been struggling to get my IPv6 tunnel fully working. I can't get my tunnel endpoint to _always_ respond to ping requests.

My endpoint is an Ubuntu 8.04 server, running the tunnel using aiccu (newest version). This server also provides NAT for my IPv4 connection (PPPoE).

The problem is exactly what is described on https://www.sixxs.net/faq/connectivity/?faq=conntracking, but the given solutions do not help me out. The first solution does not solve the problem and the second (NOTRACK) breaks my entire IPv6 connectivity, on my server as well as on my subnet.

I've also tried the solution given by Brian OConnor in https://www.sixxs.net/forum/?msg=setup-841752, but it does not help either. I did change the IP addresses to the (external) IPv4 address of my server, but as the tunnel should not be NAT'ted, I guess it shouldn't solve anything anyway.

Maybe someone can give me a push in the right direction? Below is some output that might help in finding the issue. If you want to know more, please ask. Thanks!
Some listings that might help anyone find the problem:
============================

aiccu test passes all 8 tests successfully

uname -a
Linux syzzer-server 2.6.24-19-server #1 SMP Wed Aug 20 18:43:06 UTC 2008 x86_64 GNU/Linux

traceroute 192.87.102.107
traceroute to 192.87.102.107 (192.87.102.107), 30 hops max, 40 byte packets
 1  145.94.1.0 (145.94.1.0)  0.210 ms  0.144 ms  0.174 ms
 2  130.161.2.121 (130.161.2.121)  0.357 ms  0.362 ms  0.328 ms
 3  dunet1.tudelft.nl (130.161.1.49)  0.561 ms  0.539 ms  0.628 ms
 4  GE2-0-0.2032.JNR01.Asd002A.surf.net (145.145.26.97)  2.010 ms  2.116 ms  2.116 ms
 5  AE0.500.JNR01.Asd001A.surf.net (145.145.80.82)  2.267 ms  2.230 ms  2.211 ms
 6  V1105.sw14.amsterdam1.surf.net (145.145.18.94)  2.190 ms  2.230 ms  2.272 ms
 7  sixxs.surfnet.nl (192.87.102.107)  2.146 ms  2.188 ms  2.180 ms

traceroute 2001:610:600:525::1
traceroute to 2001:610:600:525::1 (2001:610:600:525::1), 30 hops max, 40 byte packets
 1  gw-1318.ams-05.nl.sixxs.net (2001:610:600:525::1)  2.230 ms  2.206 ms  2.203 ms

tcpdump -n -s 1500 -i sixxs
tcpdump: WARNING: sixxs: no IPv4 address assigned
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on sixxs, link-type RAW (Raw IP), capture size 1500 bytes
15:52:15.881813 IP6 2001:610:697:0:2420:8f46:d6a1:50d6 > 2001:4860:0:1001::68: ICMP6, echo request, seq 9, length 40
15:52:15.887123 IP6 2001:4860:0:1001::68 > 2001:610:697:0:2420:8f46:d6a1:50d6: ICMP6, echo reply, seq 9, length 40
15:52:16.881482 IP6 2001:610:697:0:2420:8f46:d6a1:50d6 > 2001:4860:0:1001::68: ICMP6, echo request, seq 10, length 40
15:52:16.886874 IP6 2001:4860:0:1001::68 > 2001:610:697:0:2420:8f46:d6a1:50d6: ICMP6, echo reply, seq 10, length 40
15:52:17.881504 IP6 2001:610:697:0:2420:8f46:d6a1:50d6 > 2001:4860:0:1001::68: ICMP6, echo request, seq 11, length 40
15:52:17.886763 IP6 2001:4860:0:1001::68 > 2001:610:697:0:2420:8f46:d6a1:50d6: ICMP6, echo reply, seq 11, length 40
15:52:18.881519 IP6 2001:610:697:0:2420:8f46:d6a1:50d6 > 2001:4860:0:1001::68: ICMP6, echo request, seq 12, length 40
15:52:18.886864 IP6 2001:4860:0:1001::68 > 2001:610:697:0:2420:8f46:d6a1:50d6: ICMP6, echo reply, seq 12, length 40
8 packets captured
8 packets received by filter
0 packets dropped by kernel

iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:ssh
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:smtp
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:www
ACCEPT     tcp  --  172.20.24.0/22       anywhere            tcp dpt:1500
DROP       tcp  --  anywhere             anywhere            tcp dpt:1500
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:49001
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:6991
ACCEPT     udp  --  anywhere             anywhere            udp dpt:6991
ACCEPT     ipv6 --  anywhere             anywhere
ACCEPT     icmp --  anywhere             anywhere
ACCEPT     ipv6-icmp--  anywhere             anywhere
DROP       all  --  anywhere             anywhere

Chain FORWARD (policy DROP)
target     prot opt source               destination
TCPMSS     tcp  --  anywhere             anywhere            tcp flags:SYN,RST/SYN tcpmss match 1400:1536 TCPMSS clamp to PMTU
ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
ACCEPT     tcp  --  anywhere             192.168.1.10        tcp dpt:6991
ACCEPT     udp  --  anywhere             192.168.1.10        udp dpt:6991

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

iptables -t nat -L
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination
DNAT       udp  --  anywhere             anywhere            udp dpt:6991 to:192.168.1.10:6991
DNAT       tcp  --  anywhere             anywhere            tcp dpt:6991 to:192.168.1.10:6991

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination
MASQUERADE  !ipv6 --  anywhere             anywhere
MASQUERADE  !ipv6 --  anywhere             anywhere

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
State change: user Locked
[ch] Jeroen Massar SixXS Staff on Sunday, 30 November 2008 16:02:27
Message is Locked
The state of this ticket has been changed to user
Can't get endpoint pingable (pop reports downtime)
[ch] Jeroen Massar SixXS Staff on Sunday, 30 November 2008 16:06:25
AICCU only sets up a tunnel, it doesn't fix your kernel. When listing output of ip[6]tables (note that there are two) always use "ip[6]tables -v --list -n", this as verbose mode shows a lot more details, and -n makes sure that things are not resolved, as how things resolve for you might be completely different for the rest of the planet. For the rest, unfortunately, we can't help out, this is a problem on your side of the tunnel, not ours. Use the forums for these kinds of issues, there is nothing we can do to resolve your problem.
