
On Wed, Oct 01, 2014 at 10:09:49AM -0500, Mark Felder via Outages wrote:
On Wed, Oct 1, 2014, at 09:37, Chuck Anderson via Outages wrote:
On Wed, Oct 01, 2014 at 02:17:01PM +0000, Gary Gapinski via Outages wrote:
On 10/01/2014 01:50 PM, Chuck Anderson via Outages wrote:
While on my Hurricane Electric IPv6 tunnel, I cannot access juniper.net unless I change my local interface MTU. 1500 fails, but 1280 works. I noticed this a few days ago. Before that I had no problems with a 1500 MTU. Is anyone else seeing this issue?
No, but if you are using a 6in4 tunnel, the MTU should be 1480 (not 1500).
(I just successfully went to www.juniper.net via IPv6 with that MTU 1480.)
My tunnel router has a 1280 MTU on the henet interface:
6in4-henet Link encap:IPv6-in-IPv4
          inet6 addr: 2001:470:xxxx:xxxx::2/64 Scope:Global
          inet6 addr: fe80::xxxx:xxxx/128 Scope:Link
          UP POINTOPOINT RUNNING NOARP  MTU:1280  Metric:1
          RX packets:17148418 errors:0 dropped:0 overruns:0 frame:0
          TX packets:12347808 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:2660258163 (2.4 GiB)  TX bytes:2833651623 (2.6 GiB)
But the LAN interface of that router has an MTU of 1500, as does my desktop system. I believe the issue is that the juniper.net web server has an MTU of 1500 and their network or somewhere along the path is blocking ICMP Packet Too Big messages that would be sent by the HE.net tunnel router.
Like I said, I changed nothing on my end, and it was working before. I don't know if juniper.net just added IPv6 to their website, or if something else changed in the path.
It's nearly a requirement to lower your MTU / enable mss-clamping when doing ipv6 tunnels. It's possible some connectivity of yours was broken and you just didn't notice it until now. I had to do this on my J series and I also have to do it on my OpenBSD firewall --
    # mss clamping down to 1280. 1220 + 60 for ipv6 header
    match on egress all scrub (random-id no-df max-mss 1220)
The whole fragmentation situation with IPv6 is kind of a joke
I know. But I'm reporting this here on outages in the hopes that a responsible party would see it and can fix the root cause of this particular issue. E.g. stop dropping ICMP Packet Too Big.
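
The failure mode discussed in this thread, as an added example that is not part of the original messages: a small Python model of a server sending full-size TCP segments over IPv6 toward a client behind a 1280-byte tunnel, with and without ICMPv6 Packet Too Big filtering and MSS clamping. The function names, the three-hop path and the 40-byte IPv6 plus 20-byte TCP header split are assumptions of the example.

```python
# Constructed model (not from the thread): a server sends full-size TCP
# segments over IPv6 toward a client behind a 1280-byte tunnel.
IPV6_HDR = 40   # fixed IPv6 header, bytes
TCP_HDR = 20    # TCP header without options, bytes
OVERHEAD = IPV6_HDR + TCP_HDR

def mss_for(mtu):
    """MSS a host advertises for a given interface MTU."""
    return mtu - OVERHEAD

def transfer(client_mtu, server_mtu, path_mtus, ptb_filtered,
             mss_clamp=None, max_rounds=4):
    """Model a large server-to-client transfer.

    path_mtus    -- link MTUs from server to client, in order (assumed path)
    ptb_filtered -- True if ICMPv6 Packet Too Big never reaches the server
    mss_clamp    -- MSS ceiling a router writes into the client's SYN, or None
    Returns (outcome, tcp_payload_bytes_per_packet, packets_dropped).
    """
    # The server's segment size is bounded by the MSS it saw in the SYN.
    mss = min(mss_for(client_mtu), mss_for(server_mtu))
    if mss_clamp is not None:
        mss = min(mss, mss_clamp)
    server_pmtu = server_mtu          # server's current path-MTU estimate
    dropped = 0
    for _ in range(max_rounds):
        packet = min(mss + OVERHEAD, server_pmtu)
        # IPv6 routers never fragment: the first link too small for the
        # packet drops it and answers with Packet Too Big carrying its MTU.
        narrow = next((m for m in path_mtus if m < packet), None)
        if narrow is None:
            return ("delivered", packet - OVERHEAD, dropped)
        dropped += 1
        if ptb_filtered:
            # The server never learns the smaller MTU and keeps resending
            # the same oversized packet: a PMTUD black hole.
            return ("black hole", packet - OVERHEAD, dropped)
        server_pmtu = narrow
    return ("black hole", packet - OVERHEAD, dropped)

PATH = [1500, 1280, 1500]   # constructed: server LAN, 6in4 tunnel, client LAN

if __name__ == "__main__":
    print(transfer(1500, 1500, PATH, ptb_filtered=True))
    print(transfer(1280, 1500, PATH, ptb_filtered=True))
    print(transfer(1500, 1500, PATH, ptb_filtered=True, mss_clamp=1220))
    print(transfer(1500, 1500, PATH, ptb_filtered=False))
```

Lowering the client MTU and clamping the MSS both avoid the oversized packet without any ICMP; only the unfiltered case lets the server discover the 1280-byte link on its own, at the cost of one dropped packet.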