Ticket ID: SIXXS #866880
Ticket Status: User
PoP: nlams05 - SURFnet (Amsterdam)
Can't get endpoint pingable (pop reports downtime)
Shadow Hawkins on Sunday, 30 November 2008 15:58:51
Hi,
I've been struggling to get my IPv6 tunnel fully working. I can't get my tunnel endpoint to _always_ respond to ping requests. My endpoint is an Ubuntu 8.04 server, running the tunnel using aiccu (newest version). This server also provides NAT for my IPv4 connection (PPPoE).
The problem is exactly what is described on https://www.sixxs.net/faq/connectivity/?faq=conntracking, but the given solutions do not help me out. The first solution does not solve the problem and the second (NOTRACK) breaks my entire IPv6 connectivity, on my server as well as on my subnet.
I've also tried the solution given by Brian OConnor in https://www.sixxs.net/forum/?msg=setup-841752, but it does not help either. I did change the IP addresses to the (external) IPv4 address of my server, but as the tunnel should not be NAT'ted, I guess it shouldn't solve anything anyway.
Maybe someone can give me a push in the right direction? Below is some output that might help in finding the issue. If you want to know more, please ask. Thanks!
Some listings that might help anyone find the problem:
============================
aiccu test passes all 8 tests successfully
uname -a
Linux syzzer-server 2.6.24-19-server #1 SMP Wed Aug 20 18:43:06 UTC 2008 x86_64 GNU/Linux
traceroute 192.87.102.107
traceroute to 192.87.102.107 (192.87.102.107), 30 hops max, 40 byte packets
1 145.94.1.0 (145.94.1.0) 0.210 ms 0.144 ms 0.174 ms
2 130.161.2.121 (130.161.2.121) 0.357 ms 0.362 ms 0.328 ms
3 dunet1.tudelft.nl (130.161.1.49) 0.561 ms 0.539 ms 0.628 ms
4 GE2-0-0.2032.JNR01.Asd002A.surf.net (145.145.26.97) 2.010 ms 2.116 ms 2.116 ms
5 AE0.500.JNR01.Asd001A.surf.net (145.145.80.82) 2.267 ms 2.230 ms 2.211 ms
6 V1105.sw14.amsterdam1.surf.net (145.145.18.94) 2.190 ms 2.230 ms 2.272 ms
7 sixxs.surfnet.nl (192.87.102.107) 2.146 ms 2.188 ms 2.180 ms
traceroute 2001:610:600:525::1
traceroute to 2001:610:600:525::1 (2001:610:600:525::1), 30 hops max, 40 byte packets
1 gw-1318.ams-05.nl.sixxs.net (2001:610:600:525::1) 2.230 ms 2.206 ms 2.203 ms
tcpdump -n -s 1500 -i sixxs
tcpdump: WARNING: sixxs: no IPv4 address assigned
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on sixxs, link-type RAW (Raw IP), capture size 1500 bytes
15:52:15.881813 IP6 2001:610:697:0:2420:8f46:d6a1:50d6 > 2001:4860:0:1001::68: ICMP6, echo request, seq 9, length 40
15:52:15.887123 IP6 2001:4860:0:1001::68 > 2001:610:697:0:2420:8f46:d6a1:50d6: ICMP6, echo reply, seq 9, length 40
15:52:16.881482 IP6 2001:610:697:0:2420:8f46:d6a1:50d6 > 2001:4860:0:1001::68: ICMP6, echo request, seq 10, length 40
15:52:16.886874 IP6 2001:4860:0:1001::68 > 2001:610:697:0:2420:8f46:d6a1:50d6: ICMP6, echo reply, seq 10, length 40
15:52:17.881504 IP6 2001:610:697:0:2420:8f46:d6a1:50d6 > 2001:4860:0:1001::68: ICMP6, echo request, seq 11, length 40
15:52:17.886763 IP6 2001:4860:0:1001::68 > 2001:610:697:0:2420:8f46:d6a1:50d6: ICMP6, echo reply, seq 11, length 40
15:52:18.881519 IP6 2001:610:697:0:2420:8f46:d6a1:50d6 > 2001:4860:0:1001::68: ICMP6, echo request, seq 12, length 40
15:52:18.886864 IP6 2001:4860:0:1001::68 > 2001:610:697:0:2420:8f46:d6a1:50d6: ICMP6, echo reply, seq 12, length 40
8 packets captured
8 packets received by filter
0 packets dropped by kernel
iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT tcp -- anywhere anywhere tcp dpt:ssh
ACCEPT tcp -- anywhere anywhere tcp dpt:smtp
ACCEPT tcp -- anywhere anywhere tcp dpt:www
ACCEPT tcp -- 172.20.24.0/22 anywhere tcp dpt:1500
DROP tcp -- anywhere anywhere tcp dpt:1500
ACCEPT tcp -- anywhere anywhere tcp dpt:49001
ACCEPT tcp -- anywhere anywhere tcp dpt:6991
ACCEPT udp -- anywhere anywhere udp dpt:6991
ACCEPT ipv6 -- anywhere anywhere
ACCEPT icmp -- anywhere anywhere
ACCEPT ipv6-icmp-- anywhere anywhere
DROP all -- anywhere anywhere
Chain FORWARD (policy DROP)
target prot opt source destination
TCPMSS tcp -- anywhere anywhere tcp flags:SYN,RST/SYN tcpmss match 1400:1536 TCPMSS clamp to PMTU
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT tcp -- anywhere 192.168.1.10 tcp dpt:6991
ACCEPT udp -- anywhere 192.168.1.10 udp dpt:6991
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
iptables -t nat -L
Chain PREROUTING (policy ACCEPT)
target prot opt source destination
DNAT udp -- anywhere anywhere udp dpt:6991 to:192.168.1.10:6991
DNAT tcp -- anywhere anywhere tcp dpt:6991 to:192.168.1.10:6991
Chain POSTROUTING (policy ACCEPT)
target prot opt source destination
MASQUERADE !ipv6 -- anywhere anywhere
MASQUERADE !ipv6 -- anywhere anywhere
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
State change: user
Jeroen Massar on Sunday, 30 November 2008 16:02:27
The state of this ticket has been changed to user
Jeroen Massar on Sunday, 30 November 2008 16:06:25
AICCU only sets up a tunnel, it doesn't fix your kernel.
When listing output of ip[6]tables (note that there are two) always use "ip[6]tables -v --list -n", as verbose mode shows a lot more details, and -n makes sure that things are not resolved, as how things resolve for you might be completely different for the rest of the planet.
For the rest, unfortunately, we can't help out, this is a problem on your side of the tunnel, not ours. Use the forums for these kinds of issues, there is nothing we can do to resolve your problem.
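Added example (not part of the ticket or of either poster's text) of what the verbose listing adds: the pasted `iptables -L` output contains pairs of rules that print identically, and only the in/out columns of `-v --list -n` can tell such rules apart. The listing below is constructed; its interface names and counters are assumptions, not values from this ticket.

```python
import re
from collections import defaultdict

# Constructed listing in `iptables -v --list -n` layout (filter and nat chains
# pasted together); interface names and counters are invented for illustration.
SAMPLE = """\
Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
  412 31200 ACCEPT     all  --  eth1   *       0.0.0.0/0            0.0.0.0/0
 9051  812K ACCEPT     all  --  ppp0   *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
    0     0 ACCEPT     all  --  eth0   *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED

Chain POSTROUTING (policy ACCEPT 17 packets, 1020 bytes)
 pkts bytes target     prot opt in     out     source               destination
  230 14100 MASQUERADE !41  --  *      ppp0    0.0.0.0/0            0.0.0.0/0
    0     0 MASQUERADE !41  --  *      eth0    0.0.0.0/0            0.0.0.0/0
"""

KEYS = ("pkts", "bytes", "target", "prot", "opt", "in", "out", "src", "dst")

def parse(listing):
    """Yield (chain, rule) per rule line; assumes every rule has a target."""
    chain = None
    for line in listing.splitlines():
        header = re.match(r"Chain (\S+)", line)
        if header:
            chain = header.group(1)
            continue
        fields = line.split(None, 9)
        if chain is None or len(fields) < 9 or not fields[0][0].isdigit():
            continue  # blank line or column heading
        rule = dict(zip(KEYS, fields))
        rule["extra"] = fields[9].strip() if len(fields) > 9 else ""
        yield chain, rule

def collapsed_in_plain_list(listing):
    """Rules that plain `-L` prints identically but that differ in in/out."""
    groups = defaultdict(list)
    for chain, r in parse(listing):
        shown = (chain, r["target"], r["prot"], r["src"], r["dst"], r["extra"])
        groups[shown].append((r["in"], r["out"], r["pkts"]))
    return {k: v for k, v in groups.items()
            if len({(i, o) for i, o, _ in v}) > 1}

if __name__ == "__main__":
    for shown, variants in collapsed_in_plain_list(SAMPLE).items():
        print(" ".join(shown).strip())
        for iface_in, iface_out, pkts in variants:
            print(f"    in={iface_in:<5} out={iface_out:<5} pkts={pkts}")
```

The packet counters printed per variant also show which of the look-alike rules is actually being hit.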