Ticket ID: SIXXS #984946 Ticket Status: User PoP: deham01 - Easynet (Hamburg)
Endpoint not routing my packets
Shadow Hawkins on Wednesday, 25 February 2009 17:24:01
Dear Sixxs team,
I have a problem with (probably) routing. I have set up my tunnel using aiccu. I have just changed the IPv4 address of my endpoint since we moved to a new line. We are now directly connected with our endpoint's provider (easynet) via an MPLS, so we should end up right in their datacenter.
To start: the configuration of my sixxs interface looks like this:
freiheit-gateway ~ # ifconfig sixxs
sixxs Link encap:IPv6-in-IPv4
inet6 addr: 2001:6f8:900:c28::2/64 Scope:Global
inet6 addr: fe80::c3b1:3073/128 Scope:Link
UP POINTOPOINT RUNNING NOARP MTU:1280 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:187 dropped:0 overruns:0 carrier:187
collisions:0 txqueuelen:0
RX bytes:0 (0.0 B) TX bytes:0 (0.0 B)
This seems to look ok. Now for the routing:
freiheit-gateway ~ # ip -6 route show
2001:6f8:900:c28::/64 via :: dev sixxs metric 256 mtu 1280 advmss 1220 hoplimit 4294967295
fe80::/64 dev eth0 metric 256 mtu 1500 advmss 1440 hoplimit 4294967295
fe80::/64 dev eth1 metric 256 mtu 1500 advmss 1440 hoplimit 4294967295
fe80::/64 via :: dev sixxs metric 256 mtu 1280 advmss 1220 hoplimit 4294967295
ff00::/8 dev eth0 metric 256 mtu 1500 advmss 1440 hoplimit 4294967295
ff00::/8 dev eth1 metric 256 mtu 1500 advmss 1440 hoplimit 4294967295
ff00::/8 dev sixxs metric 256 mtu 1280 advmss 1220 hoplimit 4294967295
default via 2001:6f8:900:c28::1 dev sixxs metric 1024 mtu 1280 advmss 1220 hoplimit 4294967295
This also looks good as far as I can see.
Now, if I ping ipv6.google.com or any other IPv6 address (even the one of my tunnel endpoint), I get the following output:
freiheit-gateway ~ # ping6 ipv6.google.com
PING ipv6.google.com(2001:4860:0:1001::68) 56 data bytes
From cl-3113.ham-01.de.sixxs.net icmp_seq=1 Destination unreachable: Address unreachable
From cl-3113.ham-01.de.sixxs.net icmp_seq=2 Destination unreachable: Address unreachable
^C
--- ipv6.google.com ping statistics ---
2 packets transmitted, 0 received, +2 errors, 100% packet loss, time 999ms
If I capture the packets with tcpdump, I can see the packets going into the tunnel, but nothing is returned. A traceroute to ipv6.google.com yields the following result:
freiheit-gateway ~ # traceroute6 ipv6.google.com
traceroute to ipv6.l.google.com (2001:4860:0:1001::68) from 2001:6f8:900:c28::2, 30 hops max, 16 byte packets
1 cl-3113.ham-01.de.sixxs.net (2001:6f8:900:c28::2) 0.061 ms !H 0.031 ms !H 0.027 ms !H
So, I think this is a routing problem of some sort, but I cannot figure out what is happening. I can also not see the heartbeat ping from the other side. Is that a problem?
The setup here is like the following:
easynet -[firewall0]-[MPLS-endpoint]-- MPLS --[MPLS-endpoint/firewall1]--transfer-net--[firewall2]--internal-net
The IPv6 endpoint is now on firewall2. What type of traffic is needed by the AICCU tunnel? Maybe some of the previous firewalls are blocking that type of traffic...
Any help would be appreciated!
Christoph
State change: user
Jeroen Massar on Wednesday, 25 February 2009 21:22:20
The state of this ticket has been changed to user
Endpoint not routing my packets
Jeroen Massar on Wednesday, 25 February 2009 21:28:12 RX bytes:0 (0.0 B) TX bytes:0 (0.0 B)
No packets even traveled there, that is odd.
Use "ip tunnel show <device>" and "ip link show <device>" which shows some important details
freiheit-gateway ~ # traceroute6 ipv6.google.com traceroute to ipv6.l.google.com (2001:4860:0:1001::68) from 2001:6f8:900:c28::2, 30 hops max, 16 byte packets 1 cl-3113.ham-01.de.sixxs.net (2001:6f8:900:c28::2) 0.061 ms !H 0.031 ms !H 0.027 ms !H
That is your local host reporting it can't use the tunnel. Is the local portion of the tunnel correct? (See above tunnel command to check). AICCU does not set that though and it should be 'any'.
The IPv6 endpoint is now on firewall2. What type of traffic is needed by the AICCU tunnel? Maybe some of the previous firewalls are blocking that type of traffic...
See FAQ: I have a firewall, what ports/protocols are used?
Endpoint not routing my packets
Shadow Hawkins on Thursday, 26 February 2009 11:01:55 No packets even traveled there, that is odd. Use "ip tunnel show <device>" and "ip link show <device>" which shows some important details
This is what I get:
freiheit-gateway ~ # ip tunnel show sixxs
sixxs: ipv6/ip remote 212.224.0.188 local 195.177.48.115 ttl 64
freiheit-gateway ~ # ip link show sixxs
6: sixxs@NONE: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1280 qdisc noqueue
link/sit 195.177.48.115 peer 212.224.0.188
This seems to be fine as well... or should the local IP be the one of my local interface and not the one seen from the PoP since I'm behind a NAT firewall?
Endpoint not routing my packets
Jeroen Massar on Thursday, 26 February 2009 15:31:00 or should the local IP be the one of my local interface and not the one seen from the PoP since I'm behind a NAT firewall?
Yes. As that IP is not assigned to your host, how is your host supposed to use it?
Posting is only allowed when you are logged in. |