Investigating frequent tunnel stalls
Shadow Hawkins on Thursday, 17 July 2014 14:22:32
Dear all,
I'm running a tunnel with routed /48 on my FritzBox 7360 (to deham01), mainly to have IPv6 connectivity to my rootserver(s) which have native IPv6.
I'm experiencing quite some stalls on the traffic; best example is tab completion in ssh sessions for stuff that you *know* exists, but the shell returns some 10 seconds later. I've traced the root cause to the sixxs tunnel; when avoiding the tunnel all shell sessions have fast response times. However, the tunnel is not slow per se: when triggering huge bandwidth usage (e.g. copy .iso file per scp/sftp), it also takes a noticeable ~10s until the copy starts, but then runs with the expected up/downlink speeds for my connection.
There is no obscure routing of the traffic, even tcpdumps look perfectly normal - besides the pauses in low-traffic connections.
Any hints from you guys how to debug this further?
regards
Jens
Investigating frequent tunnel stalls
Jeroen Massar on Thursday, 17 July 2014 14:28:44
> I'm experiencing quite some stalls on the traffic;
"stalls". That sounds a lot like PathMTU issues.
Make sure that nothing on the path is filtering out ICMP and that your MTU settings are correct.
If you run a pcap through Wireshark you should get a big hint about this btw.
A tracepath6 can be very useful in determining that this is the problem.
Investigating frequent tunnel stalls
Shadow Hawkins on Thursday, 17 July 2014 16:07:51
Jeroen Massar wrote:
> > I'm experiencing quite some stalls on the traffic;
> "stalls". That sounds a lot like PathMTU issues.
> Make sure that nothing on the path is filtering out ICMP and that your MTU settings are correct.
> If you run a pcap through Wireshark you should get a big hint about this btw.
Thanks for your hints, I see this frequently upon connection establishment (2001:6f8:xx::2 is my FritzBox 7360):
180115.388240000 2001:6f8:xx::2 2a00:1828:xx::62 ICMPv6 1294 Destination Unreachable (Administratively prohibited)
so it seems I have a culprit. Will try to switch to aiccu and re-test.
regards
Jens
Investigating frequent tunnel stalls
Jeroen Massar on Thursday, 17 July 2014 18:30:34
> 180115.388240000 2001:6f8:xx::2 2a00:1828:xx::62 ICMPv6 1294 Destination Unreachable (Administratively prohibited)
What kind of firewall rules do you have in place?
The content of that packet will explain to you what packet it is being triggered on.
Investigating frequent tunnel stalls
Shadow Hawkins on Friday, 18 July 2014 07:58:51
Jeroen Massar wrote:
> > 180115.388240000 2001:6f8:xx::2 2a00:1828:xx::62 ICMPv6 1294 Destination Unreachable (Administratively prohibited)
> What kind of firewall rules do you have in place?
I'm not sure what to think of this yet, the ipv6 client behind the FritzBox is completely open (exposed host). Both tracepath and tracepath6 give reasonable pmtu for the connection (1448 v4 and 1280 v6), nevertheless I see Administratively prohibited packages.
Even more strange, it's not reproducible behaviour for multiple tracepath runs...
Obviously there is no possibility to inspect/change the rules for the FritzBox itself.
Thanks for your suggestions so far, will investigate further.
regards
Jens
Investigating frequent tunnel stalls
Jeroen Massar on Friday, 18 July 2014 08:10:42
> nevertheless I see Administratively prohibited packages.
(note: packets, not "packages")
Admin Denied == The packet is firewalled.
The source of the ICMP message is the host sending it. You stated above that it is the address of your Fritz!Box, hence there must be a rule in there that denies the packet.
If you get 'admin denied' it is not weird that your connection "stalls", though it should just break/disconnect at that point.
If this happens after "a while", say, more than 90 minutes, then it might be that you have timeouts in the connection tracking / firewalling happening in your firewall (the fritz!box).
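
The two points made in the replies above (the error's payload shows which packet triggered it, and code 1 means a firewall rejected it) can be checked by decoding the ICMPv6 message body. This is an added example, not code from the thread: the function names are hypothetical, the sample packet is constructed, and the addresses come from the 2001:db8::/32 documentation prefix.

```python
import ipaddress
import struct

# ICMPv6 type 1 (Destination Unreachable) codes, RFC 4443 section 3.1
UNREACH_CODES = {0: "no route to destination", 1: "administratively prohibited",
                 2: "beyond scope of source address", 3: "address unreachable",
                 4: "port unreachable", 5: "source address failed ingress/egress policy",
                 6: "reject route to destination"}
PROTO = {6: "tcp", 17: "udp", 58: "icmpv6"}


def parse_unreachable(icmp: bytes) -> dict:
    """Decode an ICMPv6 Destination Unreachable and the packet that triggered it."""
    if len(icmp) < 8 + 40:
        raise ValueError("too short to carry an embedded IPv6 header")
    icmp_type, code = icmp[0], icmp[1]
    if icmp_type != 1:
        raise ValueError("not a Destination Unreachable (type 1)")
    inner = icmp[8:]  # skip type, code, checksum and the 4 unused bytes
    if inner[0] >> 4 != 6:
        raise ValueError("embedded packet is not IPv6")
    next_hdr = inner[6]
    info = {
        "reason": UNREACH_CODES.get(code, f"code {code}"),
        "src": str(ipaddress.IPv6Address(inner[8:24])),
        "dst": str(ipaddress.IPv6Address(inner[24:40])),
        "proto": PROTO.get(next_hdr, str(next_hdr)),
        "sport": None, "dport": None,
    }
    # TCP and UDP both begin with source and destination port.
    # Extension headers between IPv6 and the transport header are not walked here.
    if next_hdr in (6, 17) and len(inner) >= 44:
        info["sport"], info["dport"] = struct.unpack("!HH", inner[40:44])
    return info


def build_sample() -> bytes:
    """Constructed sample: admin-prohibited error quoting a TCP SYN to port 22."""
    src = ipaddress.IPv6Address("2001:db8:1::10").packed
    dst = ipaddress.IPv6Address("2001:db8:2::62").packed
    tcp = struct.pack("!HHIIBBHHH", 51514, 22, 1, 0, 5 << 4, 0x02, 64800, 0, 0)
    ipv6 = struct.pack("!IHBB", 6 << 28, len(tcp), 6, 64) + src + dst
    return struct.pack("!BBHI", 1, 1, 0, 0) + ipv6 + tcp  # checksum left at 0


if __name__ == "__main__":
    print(parse_unreachable(build_sample()))
```

The input is the ICMPv6 message starting at its type byte, i.e. the capture with the link-layer and outer IPv6 headers already stripped.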