IPv6 DEBUG

From timswiki
Jump to: navigation, search

IPv6 DEBUG

Debug suggestions related to IPv6 configuration issues that might be encountered when accessing my IPv6 firewall tester.

For general IPv6 debug please see:


General IPv6 Connectivity

First check your general IPv6 connectivity. At a command prompt or terminal check that your machine has a global unicast IPv6 address allocated (i.e. 2000::/3, so begins either 2XXX or 3XXX) as shown in these examples:


 C:\Users>ipconfig
 
 Windows IP Configuration
 
 
 Ethernet adapter Local Area Connection:
 
    Connection-specific DNS Suffix  . : home.example.com
    IPv6 Address. . . . . . . . . . . : 2xxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx
    Temporary IPv6 Address. . . . . . : 2xxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx
    Link-local IPv6 Address . . . . . : fe80::xxxx:xxxx:xxxx:xxxx%10
    IPv4 Address. . . . . . . . . . . : 192.168.33.3
    Subnet Mask . . . . . . . . . . . : 255.255.255.0
    Default Gateway . . . . . . . . . : fe80::xxxx:xxxx:xxxx:xxxx%10
                                        192.168.33.1
 

On a Linux machine, or similar, then when queried as root, the response would look similar to:

 machine:/home/user1 # ifconfig
 
 eth0      Link encap:Ethernet  HWaddr XX:XX:XX:XX:XX:XX
           inet addr:192.168.33.254  Bcast:192.168.33.255  Mask:255.255.255.0
           inet6 addr: 2XXX:XXXX:XXXX:XXXX::XXXX/64 Scope:Global
           inet6 addr: fe80::abc:c0ff:fede:xxxx/64 Scope:Link
           UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
           RX packets:225635003 errors:0 dropped:0 overruns:0 frame:0
           TX packets:268102245 errors:0 dropped:0 overruns:0 carrier:0
           collisions:0 txqueuelen:1000
           RX bytes:1533376458 (1462.3 Mb)  TX bytes:1466607126 (1398.6 Mb)
           Interrupt:220


Note: The output will differ from the above examples if you are using a tunneled approach, although it would still be useful to check that a valid IPv6 address is being allocated to your machine.

If you do NOT have a global unicast IPv6 address allocated then you need to determine the reason (which address allocation method are you using? DHCPv6, SLAAC or statically assigned addresses? If you're using SLAAC then can you detect router advertisements (ICMPv6) being broadcast? Use Wireshark/tcpdump to determine this.)

If you DO have a global unicast address, then you can check basic IPv6 connectivity using either ping (Windows) or ping6 (Linux). If you are using a tunnel then verify that you can ping/ping6 the distant end of the tunnel.


 ping6 ipv6.google.com
 


you should see a response similar to:


 ping6 ipv6.google.com
  
 PING ipv6.google.com(fx-in-x63.1e100.net) 56 data bytes
 64 bytes from fx-in-x63.1e100.net: icmp_seq=1 ttl=56 time=24.7 ms
 64 bytes from fx-in-x63.1e100.net: icmp_seq=2 ttl=56 time=25.6 ms
 ...


If this is NOT successful then either your DNS AAAA lookups or general IPv6 connectivity is broken (determine which based on your error messages).


If you have a name lookup error then it is possible to bypass the DNS lookups and ping google's IPv6 host directly:


 ping6 -c 3 2a00:1450:400c:c01::67
 
 PING 2a00:1450:400c:c01::67(2a00:1450:400c:c01::67) 56 data bytes
 64 bytes from 2a00:1450:400c:c01::67: icmp_seq=1 ttl=56 time=19.0 ms
 64 bytes from 2a00:1450:400c:c01::67: icmp_seq=2 ttl=56 time=18.3 ms
 64 bytes from 2a00:1450:400c:c01::67: icmp_seq=3 ttl=56 time=18.3 ms
 
 Caution: google's ipv6 address changes frequently - this was correct in Jan 2012, it may not be now!

If this fails to work then your general IPv6 connectivity is broken! A few things to check if this is the case:

  • Can successfully ping your router?
  • Check your IPv6 routing table:


 C:\Users\user1>route print
 ===========================================================================
 Interface List
  11...XX XX XX XX XX XX ......Intel(R) Centrino(R) Advanced-N 6200 AGN
  10...YY YY YY YY YY YY ......Atheros AR8131 PCI-E Gigabit Ethernet Controller
   1...........................Software Loopback Interface 1
  17...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter
  15...00 00 00 00 00 00 00 e0 Teredo Tunneling Pseudo-Interface
 ===========================================================================   
 IPv4 Route Table
 ===========================================================================
 removed for clarity
 ...
 ===========================================================================
 Persistent Routes:
   None 
 
 IPv6 Route Table
 ===========================================================================
 Active Routes:
  If Metric Network Destination      Gateway
  11    281 ::/0                     fe80::XXXX:XXXX:XXXX:XXXX
   1    306 ::1/128                  On-link
  15     58 2XXX::/32                On-link
  15    306 2XXX:X:XXXX:XXXX:XXXX:XXXX:XXXX:XXXX/128
                                     On-link
  11     33 2XXX:XXXX:XXXX:XXXX::/64 On-link
  11    281 2XXX:XXXX:XXXX:XXXX:XXXX:XXXX:XXXX:XXXX/128
                                     On-link
  11    281 2XXX:XXXX:XXXX:XXXX:XXXX:XXXX:XXXX:XXXX/128
                                     On-link
  11    281 fe80::/64                On-link
  15    306 fe80::/64                On-link
  15    306 fe80::XXXX:XXXX:XXXX:XXXX/128
                                     On-link
  11    281 fe80::XXXX:XXXX:XXXX:XXXX/128
                                     On-link
   1    306 ff00::/8                 On-link
  15    306 ff00::/8                 On-link
  11    281 ff00::/8                 On-link
 ===========================================================================
 Persistent Routes:
   None


Or for a linux host:


 machine:/home/user1 # ip -6 route show
 2XXX:XXXX:XXXX:XXXX::/64 via :: dev tun-ipv6  proto kernel  metric 256  mtu 1280 advmss 1220 hoplimit 4294967295
 2XXX:XXXX:XXXX:XX::/64 dev eth0 proto kernel  metric 256  mtu 1500 advmss 1440 hoplimit 4294967295
 fe80::/64 dev eth0  proto kernel  metric 256  mtu 1500 advmss 1440 hoplimit 4294967295
 fe80::/64 via :: dev tun-ipv6  proto kernel  metric 256  mtu 1280 advmss 1220 hoplimit 4294967295
 default via 2XXX:XXXX:XXXX:XXXX::X dev tun-ipv6  metric 1024  mtu 1280 advmss 1220 hoplimit 4294967295
 


DNS Related Issues

If the direct ping6 does work then your DNS AAAA-record lookups may be broken. To check whether you can perform IPv6 AAAA lookups, at a command prompt try:


 nslookup -type=aaaa ipv6.chappell-family.com


you should see a response similar to:


 Server:         ::1
 Address:        ::1#53
 
 Non-authoritative answer:
 ipv6.chappell-family.com        has AAAA address 2001:470:1f08:185c::2
 
 Authoritative answers can be found from:
 ipv6.chappell-family.com        nameserver = ns4.he.net.
 ipv6.chappell-family.com        nameserver = ns2.he.net.
 ipv6.chappell-family.com        nameserver = ns1.he.net.
 ipv6.chappell-family.com        nameserver = ns3.he.net.
 ns1.he.net      internet address = 216.218.130.2
 ns2.he.net      internet address = 216.218.131.2
 ns2.he.net      has AAAA address 2001:470:200::2
 ns3.he.net      internet address = 216.218.132.2
 ns3.he.net      has AAAA address 2001:470:300::2
 ns4.he.net      internet address = 216.66.1.2
 ns4.he.net      has AAAA address 2001:470:400::2
 

Based on the fact that must have already accessed my server using IPv4, in order to be reading this, then the following IPv4 A-record lookup should work:


 nslookup ipv6.chappell-family.com
   
 
 Server:         ::1
 Address:        ::1#53
 
 Non-authoritative answer:
 Name:   ipv6.chappell-family.com
 Address: 212.159.122.74


If you don't get a similar response then you need to investigate your DNS setup, or perhaps your ISP's.


DNS Resolver Issues

Some DNS services don't seem to reliably resolve AAAA lookups. In particular, some appear to resolve A and AAAA records with different delays, and/or reliability, which sometimes causes web browsers to determine that only an IPv4 address exists since the IPv6 lookup resolves too slowly/unreliably. You can try one of the publicly accessible DNS resolvers as an alternative to your current providers' if you believe that this might be the case. For those using a tunneled IPv6 connection then it is likely that your tunnel provider also offers a DNS resolver:


  • SixXS DNS Servers
  • Hurricane Electric - see Available DNS resolvers section of your tunnel setup (may be 2001:470:20::2 and 74.82.42.42)


Other public IPv6 DNS resolvers:


The order in which you list the resolvers in your DNS search list is important - so when trying a new resolver ensure that you place it at the front of your resolver list. Note that it is worth checking that you can communicate with the resolver before modifying your resolver list - if the resolver fails to respond then you may encounter significant delays when attempting to lookup a host. In a linux environment this can be checked using a command similar to:

 machine:/home/user1 # host ipv6.chappell-family.com 2001:4860:4860::8888
 
 Using domain server:
 Name: 2001:4860:4860::8888
 Address: 2001:4860:4860::8888#53
 Aliases:
 
 ipv6.chappell-family.com has address 212.159.122.74
 ipv6.chappell-family.com has IPv6 address 2001:470:1f08:185c::2
 ipv6.chappell-family.com mail is handled by 10 mail.ipv6.chappell-family.com.

Note that it isn't necessary to access your DNS resolver using IPv6 if you don't want to - as long as the DNS server supports AAAA queries then this is sufficient. The same query, but on a windows machine, using Google's IPv4 resolver:


 C:\Users\user1>nslookup ipv6.chappell-family.com 8.8.4.4
 Server:  google-public-dns-b.google.com
 Address:  8.8.4.4
 
 Non-authoritative answer:
 Name:    ipv6.chappell-family.com
 Addresses:  2001:470:1f08:185c::2
           212.159.122.74


WINDOWS 7 RESPONSES

A correctly configured Windows 7 machine shows the following responses:


ipv6.chappell-family.com has two DNS entries (AAAA and A records) and consequently returns two addresses:


 nslookup ipv6.chappell-family.com
 
 Server:  server.example.com
 Address:  192.168.33.1
 
 Non-authoritative answer:
 Name:    ipv6.chappell-family.com
 Addresses:  2001:470:1f08:185c::2
             212.159.122.74


www6.ipv6.chappell-family.co.uk has a single AAAA DNS record:


 nslookup www6.ipv6.chappell-family.co.uk
   
 Server:  server.example.com
 Address:  192.168.33.1
 
 Name:    www6.ipv6.chappell-family.co.uk
 Address:  2001:470:1f08:185c::2


Assuming these work correctly then a ping should also resolve:

 ping www6.ipv6.chappell-family.co.uk
 
 Pinging www6.ipv6.chappell-family.co.uk [2001:470:1f08:185c::2] with 32 bytes of data:
 Reply from 2001:470:1f08:185c::2: time<1ms
 Reply from 2001:470:1f08:185c::2: time<1ms
 Reply from 2001:470:1f08:185c::2: time<1ms
 Reply from 2001:470:1f08:185c::2: time<1ms
 
 Ping statistics for 2001:470:1f08:185c::2:
     Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
 Approximate round trip times in milli-seconds:
     Minimum = 0ms, Maximum = 0ms, Average = 0ms


Browser IPv6 Prioritisation

If all of the above was successful then your browser may not be prioritising IPv6 DNS requests. The following browsers are known to support IPv6 prioritisation:


  • Microsoft's Internet Explorer,
  • Google's Chrome
  • Apple's Safari
  • Mozilla's Firefox (but see the section below)
  • w3m
  • lynx


If you believe your browser is not prioritising IPv6 then check whether you can access the following URLs:



Both of the above links are for IPv6-only websites - i.e. they have no IPv4 DNS entry - so if you get an error accessing these websites despite being able to perform the DNS lookups correctly then your browser is not prioritising IPv6.

At this point it would be worthwhile checking whether another browser (from the list above) gives the same result.

Firefox IPv6 DNS Prioritisation Specific

Firefox has a specific configuration option with which to disable IPv6 DNS queries (I recently came across Firefox on Linux Mint v12 being configured this way). The option can be displayed by entering the following url into firefox:


 about:config


Accept the warning about dragons, and then in the filter bar enter:


 ipv6


The resulting list should now show an entry:


 network.dns.disableIPv6


If this entry is set to true then double click on the entry to change its sense to FALSE. Then try again!


IPv6-only URL Test

and finally pointing your web browser towards my IPv6-only Raspberry Pi Powered port scanner should also work.


This website publishes a Privacy Policy. Continued use of this website implies your consent to the use of data outlined in the policy.