Debug suggestions related to IPv6 configuration issues that might be encountered when accessing my IPv6 firewall tester.
For general IPv6 debug please see:
- Arin IPv6 debug - many useful links
- Linux IPv6 HOWTO
- Microsoft IPv6 Howto.
- Berkeley University Network analysis tool - very thorough, but requires Java
General IPv6 Connectivity
First check your general IPv6 connectivity. At a command prompt or terminal check that your machine has a global unicast IPv6 address allocated (i.e. 2000::/3, so begins either 2XXX or 3XXX) as shown in these examples:
C:\Users>ipconfig Windows IP Configuration Ethernet adapter Local Area Connection: Connection-specific DNS Suffix . : home.example.com IPv6 Address. . . . . . . . . . . : 2xxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx Temporary IPv6 Address. . . . . . : 2xxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx Link-local IPv6 Address . . . . . : fe80::xxxx:xxxx:xxxx:xxxx%10 IPv4 Address. . . . . . . . . . . : 192.168.33.3 Subnet Mask . . . . . . . . . . . : 255.255.255.0 Default Gateway . . . . . . . . . : fe80::xxxx:xxxx:xxxx:xxxx%10 192.168.33.1
On a Linux machine, or similar, then when queried as root, the response would look similar to:
machine:/home/user1 # ifconfig eth0 Link encap:Ethernet HWaddr XX:XX:XX:XX:XX:XX inet addr:192.168.33.254 Bcast:192.168.33.255 Mask:255.255.255.0 inet6 addr: 2XXX:XXXX:XXXX:XXXX::XXXX/64 Scope:Global inet6 addr: fe80::abc:c0ff:fede:xxxx/64 Scope:Link UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1 RX packets:225635003 errors:0 dropped:0 overruns:0 frame:0 TX packets:268102245 errors:0 dropped:0 overruns:0 carrier:0 collisions:0 txqueuelen:1000 RX bytes:1533376458 (1462.3 Mb) TX bytes:1466607126 (1398.6 Mb) Interrupt:220
Note: The output will differ from the above examples if you are using a tunneled approach, although it would still be useful to check that a valid IPv6 address is being allocated to your machine.
If you do NOT have a global unicast IPv6 address allocated then you need to determine the reason (which address allocation method are you using? DHCPv6, SLAAC or statically assigned addresses? If you're using SLAAC then can you detect router advertisements (ICMPv6) being broadcast? Use Wireshark/tcpdump to determine this.)
If you DO have a global unicast address, then you can check basic IPv6 connectivity using either ping (Windows) or ping6 (Linux). If you are using a tunnel then verify that you can ping/ping6 the distant end of the tunnel.
you should see a response similar to:
ping6 ipv6.google.com PING ipv6.google.com(fx-in-x63.1e100.net) 56 data bytes 64 bytes from fx-in-x63.1e100.net: icmp_seq=1 ttl=56 time=24.7 ms 64 bytes from fx-in-x63.1e100.net: icmp_seq=2 ttl=56 time=25.6 ms ...
If this is NOT successful then either your DNS AAAA lookups or general IPv6 connectivity is broken (determine which based on your error messages).
If you have a name lookup error then it is possible to bypass the DNS lookups and ping google's IPv6 host directly:
ping6 -c 3 2a00:1450:400c:c01::67 PING 2a00:1450:400c:c01::67(2a00:1450:400c:c01::67) 56 data bytes 64 bytes from 2a00:1450:400c:c01::67: icmp_seq=1 ttl=56 time=19.0 ms 64 bytes from 2a00:1450:400c:c01::67: icmp_seq=2 ttl=56 time=18.3 ms 64 bytes from 2a00:1450:400c:c01::67: icmp_seq=3 ttl=56 time=18.3 ms Caution: google's ipv6 address changes frequently - this was correct in Jan 2012, it may not be now!
If this fails to work then your general IPv6 connectivity is broken! A few things to check if this is the case:
- Can successfully ping your router?
- Check your IPv6 routing table:
C:\Users\user1>route print =========================================================================== Interface List 11...XX XX XX XX XX XX ......Intel(R) Centrino(R) Advanced-N 6200 AGN 10...YY YY YY YY YY YY ......Atheros AR8131 PCI-E Gigabit Ethernet Controller 1...........................Software Loopback Interface 1 17...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter 15...00 00 00 00 00 00 00 e0 Teredo Tunneling Pseudo-Interface =========================================================================== IPv4 Route Table =========================================================================== removed for clarity ... =========================================================================== Persistent Routes: None IPv6 Route Table =========================================================================== Active Routes: If Metric Network Destination Gateway 11 281 ::/0 fe80::XXXX:XXXX:XXXX:XXXX 1 306 ::1/128 On-link 15 58 2XXX::/32 On-link 15 306 2XXX:X:XXXX:XXXX:XXXX:XXXX:XXXX:XXXX/128 On-link 11 33 2XXX:XXXX:XXXX:XXXX::/64 On-link 11 281 2XXX:XXXX:XXXX:XXXX:XXXX:XXXX:XXXX:XXXX/128 On-link 11 281 2XXX:XXXX:XXXX:XXXX:XXXX:XXXX:XXXX:XXXX/128 On-link 11 281 fe80::/64 On-link 15 306 fe80::/64 On-link 15 306 fe80::XXXX:XXXX:XXXX:XXXX/128 On-link 11 281 fe80::XXXX:XXXX:XXXX:XXXX/128 On-link 1 306 ff00::/8 On-link 15 306 ff00::/8 On-link 11 281 ff00::/8 On-link =========================================================================== Persistent Routes: None
Or for a linux host:
machine:/home/user1 # ip -6 route show 2XXX:XXXX:XXXX:XXXX::/64 via :: dev tun-ipv6 proto kernel metric 256 mtu 1280 advmss 1220 hoplimit 4294967295 2XXX:XXXX:XXXX:XX::/64 dev eth0 proto kernel metric 256 mtu 1500 advmss 1440 hoplimit 4294967295 fe80::/64 dev eth0 proto kernel metric 256 mtu 1500 advmss 1440 hoplimit 4294967295 fe80::/64 via :: dev tun-ipv6 proto kernel metric 256 mtu 1280 advmss 1220 hoplimit 4294967295 default via 2XXX:XXXX:XXXX:XXXX::X dev tun-ipv6 metric 1024 mtu 1280 advmss 1220 hoplimit 4294967295
DNS Related Issues
If the direct ping6 does work then your DNS AAAA-record lookups may be broken. To check whether you can perform IPv6 AAAA lookups, at a command prompt try:
nslookup -type=aaaa ipv6.chappell-family.com
you should see a response similar to:
Server: ::1 Address: ::1#53 Non-authoritative answer: ipv6.chappell-family.com has AAAA address 2001:470:1f08:185c::2 Authoritative answers can be found from: ipv6.chappell-family.com nameserver = ns4.he.net. ipv6.chappell-family.com nameserver = ns2.he.net. ipv6.chappell-family.com nameserver = ns1.he.net. ipv6.chappell-family.com nameserver = ns3.he.net. ns1.he.net internet address = 220.127.116.11 ns2.he.net internet address = 18.104.22.168 ns2.he.net has AAAA address 2001:470:200::2 ns3.he.net internet address = 22.214.171.124 ns3.he.net has AAAA address 2001:470:300::2 ns4.he.net internet address = 126.96.36.199 ns4.he.net has AAAA address 2001:470:400::2
Based on the fact that must have already accessed my server using IPv4, in order to be reading this, then the following IPv4 A-record lookup should work:
nslookup ipv6.chappell-family.com Server: ::1 Address: ::1#53 Non-authoritative answer: Name: ipv6.chappell-family.com Address: 188.8.131.52
If you don't get a similar response then you need to investigate your DNS setup, or perhaps your ISP's.
DNS Resolver Issues
Some DNS services don't seem to reliably resolve AAAA lookups. In particular, some appear to resolve A and AAAA records with different delays, and/or reliability, which sometimes causes web browsers to determine that only an IPv4 address exists since the IPv6 lookup resolves too slowly/unreliably. You can try one of the publicly accessible DNS resolvers as an alternative to your current providers' if you believe that this might be the case. For those using a tunneled IPv6 connection then it is likely that your tunnel provider also offers a DNS resolver:
- SixXS DNS Servers
- Hurricane Electric - see Available DNS resolvers section of your tunnel setup (may be 2001:470:20::2 and 184.108.40.206)
Other public IPv6 DNS resolvers:
The order in which you list the resolvers in your DNS search list is important - so when trying a new resolver ensure that you place it at the front of your resolver list. Note that it is worth checking that you can communicate with the resolver before modifying your resolver list - if the resolver fails to respond then you may encounter significant delays when attempting to lookup a host. In a linux environment this can be checked using a command similar to:
machine:/home/user1 # host ipv6.chappell-family.com 2001:4860:4860::8888 Using domain server: Name: 2001:4860:4860::8888 Address: 2001:4860:4860::8888#53 Aliases: ipv6.chappell-family.com has address 220.127.116.11 ipv6.chappell-family.com has IPv6 address 2001:470:1f08:185c::2 ipv6.chappell-family.com mail is handled by 10 mail.ipv6.chappell-family.com.
Note that it isn't necessary to access your DNS resolver using IPv6 if you don't want to - as long as the DNS server supports AAAA queries then this is sufficient. The same query, but on a windows machine, using Google's IPv4 resolver:
C:\Users\user1>nslookup ipv6.chappell-family.com 18.104.22.168 Server: google-public-dns-b.google.com Address: 22.214.171.124 Non-authoritative answer: Name: ipv6.chappell-family.com Addresses: 2001:470:1f08:185c::2 126.96.36.199
WINDOWS 7 RESPONSES
A correctly configured Windows 7 machine shows the following responses:
ipv6.chappell-family.com has two DNS entries (AAAA and A records) and consequently returns two addresses:
nslookup ipv6.chappell-family.com Server: server.example.com Address: 192.168.33.1 Non-authoritative answer: Name: ipv6.chappell-family.com Addresses: 2001:470:1f08:185c::2 188.8.131.52
www6.ipv6.chappell-family.co.uk has a single AAAA DNS record:
nslookup www6.ipv6.chappell-family.co.uk Server: server.example.com Address: 192.168.33.1 Name: www6.ipv6.chappell-family.co.uk Address: 2001:470:1f08:185c::2
Assuming these work correctly then a ping should also resolve:
ping www6.ipv6.chappell-family.co.uk Pinging www6.ipv6.chappell-family.co.uk [2001:470:1f08:185c::2] with 32 bytes of data: Reply from 2001:470:1f08:185c::2: time<1ms Reply from 2001:470:1f08:185c::2: time<1ms Reply from 2001:470:1f08:185c::2: time<1ms Reply from 2001:470:1f08:185c::2: time<1ms Ping statistics for 2001:470:1f08:185c::2: Packets: Sent = 4, Received = 4, Lost = 0 (0% loss), Approximate round trip times in milli-seconds: Minimum = 0ms, Maximum = 0ms, Average = 0ms
Browser IPv6 Prioritisation
If all of the above was successful then your browser may not be prioritising IPv6 DNS requests. The following browsers are known to support IPv6 prioritisation:
- Microsoft's Internet Explorer,
- Google's Chrome
- Apple's Safari
- Mozilla's Firefox (but see the section below)
If you believe your browser is not prioritising IPv6 then check whether you can access the following URLs:
Both of the above links are for IPv6-only websites - i.e. they have no IPv4 DNS entry - so if you get an error accessing these websites despite being able to perform the DNS lookups correctly then your browser is not prioritising IPv6.
At this point it would be worthwhile checking whether another browser (from the list above) gives the same result.
Firefox IPv6 DNS Prioritisation Specific
Firefox has a specific configuration option with which to disable IPv6 DNS queries (I recently came across Firefox on Linux Mint v12 being configured this way). The option can be displayed by entering the following url into firefox:
Accept the warning about dragons, and then in the filter bar enter:
The resulting list should now show an entry:
If this entry is set to true then double click on the entry to change its sense to FALSE. Then try again!
IPv6-only URL Test
and finally pointing your web browser towards my IPv6-only Raspberry Pi Powered port scanner should also work.