Ticket ID: SIXXS #1250285
Ticket Status: Resolved
PoP: dedus01 - SpeedPartner GmbH (Duesseldorf)
Tunnel not working
Shadow Hawkins on Saturday, 07 November 2009 14:00:02
My heartbeat tunnel T20985 is not working. The heartbeat packets are apparently accepted (the IPv4 on the tunnelinfo page is updated), but I get no traffic through the tunnel at all. Even pinging the other tunnel endpoint does not work. "tcpdump -ni ppp0 host $(dig +short dedus01.sixxs.net)" only shows outgoing packets.
Traceroute from outside suggests the tunnel is not set up (can't ping either tunnel endpoint). Routes are fine, and netfilter is not dropping anything. Clock offset to PoP is 0.095876 seconds.
I've tried both AICCU and the sh client. My tunnel endpoint is a Linux machine serving as a NAT router.
---
Linux glacier 2.6.31-ARCH #1 SMP PREEMPT Sat Sep 26 02:39:09 CEST 2009 i686 Intel(R) Atom(TM) CPU N270 @ 1.60GHz GenuineIntel GNU/Linux
---
ppp0 = IPv4 DSL line (PPPoE)
inet6 = heartbeat tunnel
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 16436 qdisc noqueue state UNKNOWN
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: ra0: <BROADCAST,MULTICAST> mtu 1500 qdisc pfifo_fast state DOWN qlen 1000
link/ether 00:22:43:16:47:9b brd ff:ff:ff:ff:ff:ff
3: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
link/ether 00:22:15:d3:99:9c brd ff:ff:ff:ff:ff:ff
inet 10.0.0.1/16 brd 10.0.255.255 scope global eth0
inet6 2a01:198:3f6::1/64 scope global
valid_lft forever preferred_lft forever
inet6 2a01:198:3f6:0:222:15ff:fed3:999c/64 scope global
valid_lft forever preferred_lft forever
inet6 fe80::222:15ff:fed3:999c/64 scope link
valid_lft forever preferred_lft forever
5: sit0: <NOARP> mtu 1480 qdisc noop state DOWN
link/sit 0.0.0.0 brd 0.0.0.0
108: ppp0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1492 qdisc htb state UNKNOWN qlen 3
link/ppp
inet 91.51.221.245 peer 217.0.119.22/32 scope global ppp0
110: inet6: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1420 qdisc noqueue state UNKNOWN
link/sit 91.51.221.245 peer 91.184.37.98
inet6 2a01:198:200:48e::2/64 scope global
valid_lft forever preferred_lft forever
inet6 fe80::5b33:ddf5/128 scope link
valid_lft forever preferred_lft forever
---
217.0.119.22 dev ppp0 proto kernel scope link src 91.51.221.245
10.0.0.0/16 dev eth0 proto kernel scope link src 10.0.0.1
default dev ppp0 scope link
2a01:198:200:48e::/64 via :: dev inet6 proto kernel metric 256 mtu 1420 advmss 1360 hoplimit 0
2a01:198:3f6::/64 dev eth0 proto kernel metric 256 mtu 1500 advmss 1440 hoplimit 0
fe80::/64 dev eth0 proto kernel metric 256 mtu 1500 advmss 1440 hoplimit 0
fe80::/64 via :: dev inet6 proto kernel metric 256 mtu 1420 advmss 1360 hoplimit 0
default via 2a01:198:200:48e::1 dev inet6 metric 1024 mtu 1420 advmss 1360 hoplimit 0
---
# Generated by iptables-save v1.4.5 on Sat Nov 7 13:26:26 2009
*nat
:PREROUTING ACCEPT [13099140:1422369186]
:POSTROUTING ACCEPT [101404:15464756]
:OUTPUT ACCEPT [2382150:259596729]
:forward-services - [0:0]
-A PREROUTING -i ppp0 -j forward-services
-A POSTROUTING -o ppp0 -j MASQUERADE
-A forward-services -p tcp -m tcp --dport 6000 -j DNAT --to-destination 10.0.0.2
-A forward-services -p udp -m udp --dport 6000 -j DNAT --to-destination 10.0.0.2
-A forward-services -p tcp -m tcp --dport 23133 -j DNAT --to-destination 10.0.0.2
-A forward-services -p udp -m udp --dport 23133 -j DNAT --to-destination 10.0.0.2
-A forward-services -p udp -m udp --dport 7777 -j DNAT --to-destination 10.0.0.2
COMMIT
# Completed on Sat Nov 7 13:26:26 2009
# Generated by iptables-save v1.4.5 on Sat Nov 7 13:26:26 2009
*filter
:INPUT DROP [0:0]
:FORWARD ACCEPT [203:17864]
:OUTPUT ACCEPT [436500:36685950]
:services - [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -i eth0 -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -j services
-A INPUT -p ipv6 -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -p tcp -m tcp --dport 135 -j DROP
-A INPUT -p tcp -m tcp --dport 445 -j DROP
-A INPUT -j LOG
-A INPUT -p tcp -m tcp -j REJECT --reject-with tcp-reset
-A INPUT -p udp -m udp -j REJECT --reject-with icmp-port-unreachable
-A INPUT -p sctp -m sctp -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -i eth0 -j ACCEPT
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -p icmp -j ACCEPT
-A services -p tcp -m tcp --dport 6881 -j ACCEPT
-A services -p udp -m udp --dport 6881 -j ACCEPT
-A services -p tcp -m tcp --dport 6112 -j ACCEPT
-A services -p tcp -m tcp --dport 6113 -j ACCEPT
-A services -s 193.158.35.0/24 -d 224.0.0.0/4 -j ACCEPT
-A services -s 217.0.119.0/24 -d 224.0.0.0/4 -j ACCEPT
-A services -p udp -m udp --dport 123 -j ACCEPT
COMMIT
# Completed on Sat Nov 7 13:26:26 2009
# Generated by iptables-save v1.4.5 on Sat Nov 7 13:26:26 2009
*mangle
:PREROUTING ACCEPT [426329322:281859513034]
:INPUT ACCEPT [74597851:22848483244]
:FORWARD ACCEPT [351424170:258972253504]
:OUTPUT ACCEPT [91877541:52487249865]
:POSTROUTING ACCEPT [443820436:311542386959]
-A POSTROUTING -s 10.0.0.0/24 -j MARK --set-xmark 0x2/0xffffffff
-A POSTROUTING -p tcp -m tcp --sport 6112 -j MARK --set-xmark 0x1/0xffffffff
-A POSTROUTING -p tcp -m tcp --dport 6112 -j MARK --set-xmark 0x1/0xffffffff
COMMIT
# Completed on Sat Nov 7 13:26:26 2009
---
# Generated by ip6tables-save v1.4.5 on Sat Nov 7 13:27:10 2009
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [121373:20524459]
:forward-services - [0:0]
:services - [0:0]
-A INPUT -m rt --rt-type 0 -j DROP
-A INPUT -i lo -j ACCEPT
-A INPUT -i eth0 -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -j services
-A INPUT -p ipv6-icmp -j ACCEPT
-A INPUT -j LOG
-A INPUT -p tcp -m tcp -j REJECT --reject-with tcp-reset
-A INPUT -p udp -m udp -j REJECT --reject-with icmp6-port-unreachable
-A INPUT -p sctp -m sctp -j REJECT --reject-with icmp6-port-unreachable
-A FORWARD -m rt --rt-type 0 -j DROP
-A FORWARD -i eth0 -j ACCEPT
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -j forward-services
-A FORWARD -p ipv6-icmp -j ACCEPT
-A FORWARD -j LOG
-A FORWARD -p tcp -m tcp -j REJECT --reject-with icmp6-adm-prohibited
-A FORWARD -p udp -m udp -j REJECT --reject-with icmp6-adm-prohibited
-A FORWARD -p sctp -m sctp -j REJECT --reject-with icmp6-adm-prohibited
-A OUTPUT -m rt --rt-type 0 -j DROP
-A forward-services -p tcp -m tcp --dport 113 -j ACCEPT
-A services -p tcp -m tcp --dport 22 -j ACCEPT
-A services -p tcp -m tcp --dport 6881 -j ACCEPT
-A services -p udp -m udp --dport 6881 -j ACCEPT
-A services -p udp -m udp --dport 123 -j ACCEPT
COMMIT
# Completed on Sat Nov 7 13:27:10 2009
---
traceroute to dedus01.sixxs.net (91.184.37.98), 30 hops max, 40 byte packets
1 217.0.119.22 (217.0.119.22) 19.416 ms 19.174 ms 19.238 ms
2 87.190.163.34 (87.190.163.34) 19.588 ms 19.690 ms 19.234 ms
3 f-ea5-i.F.DE.NET.DTAG.DE (62.154.16.161) 23.618 ms 23.630 ms 23.384 ms
4 62.156.138.94 (62.156.138.94) 23.754 ms 23.376 ms ffm-b6-link.telia.net (213.248.90.129) 23.378 ms
5 ffm-bb2-link.telia.net (80.91.251.158) 23.488 ms ffm-bb1-link.telia.net (80.91.251.154) 133.654 ms ffm-bb2-link.telia.net (80.91.249.85) 23.710 ms
6 ddf-b2-link.telia.net (80.91.249.235) 27.724 ms ddf-b2-link.telia.net (80.91.251.194) 27.974 ms ddf-b2-link.telia.net (80.91.249.235) 27.604 ms
7 speedpartner-106633-ddf-b1.c.telia.net (213.248.68.130) 27.694 ms 27.622 ms 27.693 ms
8 dedus01.sixxs.net (91.184.37.98) 27.902 ms 27.869 ms 29.650 ms
---
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on ppp0, link-type LINUX_SLL (Linux cooked), capture size 200 bytes
13:53:44.684727 IP 91.51.221.245 > 91.184.37.98: IP6 2a01:198:200:48e::2 > 2a01:198:200:48e::1: ICMP6, echo request, seq 1, length 64
13:53:45.693697 IP 91.51.221.245 > 91.184.37.98: IP6 2a01:198:200:48e::2 > 2a01:198:200:48e::1: ICMP6, echo request, seq 2, length 64
13:53:46.693501 IP 91.51.221.245 > 91.184.37.98: IP6 2a01:198:200:48e::2 > 2a01:198:200:48e::1: ICMP6, echo request, seq 3, length 64
13:53:47.693487 IP 91.51.221.245 > 91.184.37.98: IP6 2a01:198:200:48e::2 > 2a01:198:200:48e::1: ICMP6, echo request, seq 4, length 64
13:53:48.693504 IP 91.51.221.245 > 91.184.37.98: IP6 2a01:198:200:48e::2 > 2a01:198:200:48e::1: ICMP6, echo request, seq 5, length 64
13:53:49.693502 IP 91.51.221.245 > 91.184.37.98: IP6 2a01:198:200:48e::2 > 2a01:198:200:48e::1: ICMP6, echo request, seq 6, length 64
13:54:00.122487 IP 91.51.221.245 > 91.184.37.98: IP6 2a01:198:200:48e::2 > 2001:838:1:1:210:dcff:fe20:7c7c: ICMP6, echo request, seq 1, length 64
13:54:01.130374 IP 91.51.221.245 > 91.184.37.98: IP6 2a01:198:200:48e::2 > 2001:838:1:1:210:dcff:fe20:7c7c: ICMP6, echo request, seq 2, length 64
13:54:02.130185 IP 91.51.221.245 > 91.184.37.98: IP6 2a01:198:200:48e::2 > 2001:838:1:1:210:dcff:fe20:7c7c: ICMP6, echo request, seq 3, length 64
13:54:03.130165 IP 91.51.221.245 > 91.184.37.98: IP6 2a01:198:200:48e::2 > 2001:838:1:1:210:dcff:fe20:7c7c: ICMP6, echo request, seq 4, length 64
13:54:08.206356 IP 91.51.221.245.33548 > 91.184.37.98.3740: UDP, length 87
^C
11 packets captured
11 packets received by filter
0 packets dropped by kernel
State change: user
Jeroen Massar on Saturday, 07 November 2009 14:19:10
The state of this ticket has been changed to user
Tunnel not working
Jeroen Massar on Saturday, 07 November 2009 14:24:14
We are not your personal firewall debugging service, thus remove that as the first step, as stated on the contact page.
Then, when you do a tcpdump, as stated on the contact page, look also at ICMP traffic, as that can tell quite a deal.
I've tried both AICCU and the sh client. My tunnel endpoint is a Linux machine serving as a NAT router.
Where is the output of AICCU? What is the "sh client"?
Please read that big yellow box and the text that refers to. Then try the forums.
Tunnel not working
Shadow Hawkins on Saturday, 07 November 2009 15:26:59
We are not your personal firewall debugging service, thus remove that as the first step, as stated on the contact page.
As I said, netfilter is not dropping anything. The firewall is not the problem.
Then, when you do a tcpdump, as stated on the contact page, look also at ICMP traffic, as that can tell quite a deal.
I did capture all traffic between me and the PoP. Doing another tcpdump, the PoP now answers every 6in4 packet with an ICMP "protocol 41 port 0 unreachable" message. It didn't send any ICMP back until now.
15:22:21.892296 IP 91.51.221.245 > 91.184.37.98: IP6 2a01:198:200:48e::2 > 2a01:198:200:48e::1: ICMP6, echo request, seq 1, length 64
15:22:21.920269 IP 91.184.37.98 > 91.51.221.245: ICMP 91.184.37.98 protocol 41 port 0 unreachable, length 132
15:22:22.899867 IP 91.51.221.245 > 91.184.37.98: IP6 2a01:198:200:48e::2 > 2a01:198:200:48e::1: ICMP6, echo request, seq 2, length 64
15:22:22.927416 IP 91.184.37.98 > 91.51.221.245: ICMP 91.184.37.98 protocol 41 port 0 unreachable, length 132
15:22:23.899666 IP 91.51.221.245 > 91.184.37.98: IP6 2a01:198:200:48e::2 > 2a01:198:200:48e::1: ICMP6, echo request, seq 3, length 64
15:22:23.927412 IP 91.184.37.98 > 91.51.221.245: ICMP 91.184.37.98 protocol 41 port 0 unreachable, length 132
15:23:04.555284 IP 91.51.221.245.46084 > 91.184.37.98.3740: UDP, length 87
Where is the output of AICCU? What is the "sh client"?
"aiccu test" is successful until "[6/8] Ping the IPv6 Remote/PoP Inner Tunnel Endpoint (2a01:198:200:48e::1)." That fails.
Output of AICCU (passwords removed):
Tunnel Information for T20985:
POP Id : dedus01
IPv6 Local : 2a01:198:200:48e::2/64
IPv6 Remote : 2a01:198:200:48e::1/64
Tunnel Type : 6in4-heartbeat
Adminstate : enabled
Userstate : enabled
Nov 7 15:07:04 glacier aiccu: sock_getline() : "200 SixXS TIC Service on noc.sixxs.net ready (http://www.sixxs.net)"
Nov 7 15:07:04 glacier aiccu: sock_printf() : "client TIC/draft-00 AICCU/2007.01.15-console-linux Linux/2.6.31-ARCH"
Nov 7 15:07:04 glacier aiccu: sock_getline() : "200 Client Identity accepted"
Nov 7 15:07:04 glacier aiccu: sock_printf() : "get unixtime"
Nov 7 15:07:04 glacier aiccu: sock_getline() : "200 1257602824"
Nov 7 15:07:04 glacier aiccu: sock_printf() : "starttls"
Nov 7 15:07:04 glacier aiccu: sock_getline() : "400 This service is not SSL enabled (yet)"
Nov 7 15:07:04 glacier aiccu: TIC Server does not support TLS but TLS is not required, continuing
Nov 7 15:07:04 glacier aiccu: sock_printf() : "username JAS4-SIXXS"
Nov 7 15:07:04 glacier aiccu: sock_getline() : "200 Choose your authentication challenge please"
Nov 7 15:07:04 glacier aiccu: sock_printf() : "challenge md5"
Nov 7 15:07:04 glacier aiccu: sock_getline() : "200 *redacted*"
Nov 7 15:07:04 glacier aiccu: sock_printf() : "authenticate md5 *redacted*"
Nov 7 15:07:04 glacier aiccu: sock_getline() : "200 Succesfully logged in using md5 as JAS4-SIXXS (Jan Alexander Steffens) from 2001:7b8:3:4f:202:b3ff:fe46:bec"
Nov 7 15:07:04 glacier aiccu: sock_printf() : "tunnel show T20985"
Nov 7 15:07:04 glacier aiccu: sock_getline() : "201 Showing tunnel information for T20985"
Nov 7 15:07:04 glacier aiccu: sock_getline() : "TunnelId: T20985"
Nov 7 15:07:04 glacier aiccu: sock_getline() : "Type: 6in4-heartbeat"
Nov 7 15:07:04 glacier aiccu: sock_getline() : "IPv6 Endpoint: 2a01:198:200:48e::2"
Nov 7 15:07:04 glacier aiccu: sock_getline() : "IPv6 POP: 2a01:198:200:48e::1"
Nov 7 15:07:04 glacier aiccu: sock_getline() : "IPv6 PrefixLength: 64"
Nov 7 15:07:04 glacier aiccu: sock_getline() : "Tunnel MTU: 1420"
Nov 7 15:07:04 glacier aiccu: sock_getline() : "Tunnel Name: Home tunnel"
Nov 7 15:07:04 glacier aiccu: sock_getline() : "POP Id: dedus01"
Nov 7 15:07:04 glacier aiccu: sock_getline() : "IPv4 Endpoint: heartbeat"
Nov 7 15:07:04 glacier aiccu: sock_getline() : "IPv4 POP: 91.184.37.98"
Nov 7 15:07:04 glacier aiccu: sock_getline() : "UserState: enabled"
Nov 7 15:07:04 glacier aiccu: sock_getline() : "AdminState: enabled"
Nov 7 15:07:04 glacier aiccu: sock_getline() : "Password: *redacted*"
Nov 7 15:07:04 glacier aiccu: sock_getline() : "Heartbeat_Interval: 60"
Nov 7 15:07:04 glacier aiccu: sock_getline() : "202 Done"
Nov 7 15:07:04 glacier aiccu: Succesfully retrieved tunnel information for T20985
Nov 7 15:07:04 glacier aiccu: sock_printf() : "QUIT A bitter thought, but I have to go"
Nov 7 15:07:04 glacier aiccu: AICCU running as PID 16184
Nov 7 15:07:04 glacier aiccu: heartbeat_socket() - IPv4 : 91.51.221.245
Nov 7 15:07:04 glacier aiccu: [HB] HEARTBEAT TUNNEL 2a01:198:200:48e::2 sender 1257602824 *redacted*
Nov 7 15:07:04 glacier aiccu: [HB] HEARTBEAT TUNNEL 2a01:198:200:48e::2 sender 1257602824 *redacted*
The sh client is https://www.sixxs.net/archive/sixxs/heartbeat/heartbeat.sh
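Added example, not part of the ticket or of any SixXS tooling: a small triage script that reads `tcpdump -n` text output like the two captures above and reports whether the PoP is silent, answering, or rejecting protocol 41. The endpoint addresses and UDP port 3740 are taken from the ticket; the verdict names and function names are made up for this sketch, and it assumes numeric (`-n`) output.

```python
import re
from collections import Counter

LOCAL, POP = "91.51.221.245", "91.184.37.98"  # tunnel endpoints from the ticket

# A few lines copied from the 13:53 and 15:22 captures in the ticket.
FIRST = """\
13:53:44.684727 IP 91.51.221.245 > 91.184.37.98: IP6 2a01:198:200:48e::2 > 2a01:198:200:48e::1: ICMP6, echo request, seq 1, length 64
13:54:08.206356 IP 91.51.221.245.33548 > 91.184.37.98.3740: UDP, length 87
"""
SECOND = """\
15:22:21.892296 IP 91.51.221.245 > 91.184.37.98: IP6 2a01:198:200:48e::2 > 2a01:198:200:48e::1: ICMP6, echo request, seq 1, length 64
15:22:21.920269 IP 91.184.37.98 > 91.51.221.245: ICMP 91.184.37.98 protocol 41 port 0 unreachable, length 132
15:23:04.555284 IP 91.51.221.245.46084 > 91.184.37.98.3740: UDP, length 87
"""

LINE = re.compile(r"^\S+ IP (\S+) > (\S+): (.*)$")

def split_host(addr):
    """Split tcpdump's 'a.b.c.d' or 'a.b.c.d.port' into (host, port or None)."""
    parts = addr.split(".")
    return ".".join(parts[:4]), (int(parts[4]) if len(parts) == 5 else None)

def classify(line):
    """Label one capture line by its role in the 6in4-heartbeat exchange."""
    m = LINE.match(line)
    if not m:
        return "other"
    (src, _), (dst, dport), rest = split_host(m[1]), split_host(m[2]), m[3]
    if rest.startswith("IP6 "):  # IPv6 carried inside IPv4 (protocol 41)
        if (src, dst) == (LOCAL, POP):
            return "6in4-out"
        if (src, dst) == (POP, LOCAL):
            return "6in4-in"
    if src == POP and re.search(r"^ICMP .*protocol 41 .*unreachable", rest):
        return "proto41-unreachable"
    if dst == POP and dport == 3740 and rest.startswith("UDP"):
        return "heartbeat"
    return "other"

def verdict(capture):
    """Summarise a whole capture; an explicit ICMP rejection outranks the rest."""
    seen = Counter(classify(line) for line in capture.splitlines())
    for label, result in (("proto41-unreachable", "pop-rejects-proto41"),
                          ("6in4-in", "bidirectional"),
                          ("6in4-out", "outbound-only")):
        if seen[label]:
            return result
    return "no-tunnel-traffic"
```
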
Tunnel not working
Jeroen Massar on Saturday, 07 November 2009 15:59:20
Changing from AYIYA to heartbeat doesn't always work smoothly (something to do with the AYIYA tunnel being up when changed...). Solved.
State change: resolved
Jeroen Massar on Saturday, 07 November 2009 15:58:34
The state of this ticket has been changed to resolved