579
edits
Changes
Jump to navigation
Jump to search
Created page with "== IPv6 DEBUG == These suggestions are '''''only''''' related to issues that might be encountered when accessing my [http://ipv6.chappell-family.com/ipv6tcptest/ IPv6 firewal..."
== IPv6 DEBUG ==
These suggestions are '''''only''''' related to issues that might be encountered when accessing my [http://ipv6.chappell-family.com/ipv6tcptest/ IPv6 firewall tester.] For general IPv6 debug please see:
* [http://www.getipv6.info/index.php/Troubleshoot_IPv6_Issues Arin IPv6 debug - many useful links]
* [http://www.tldp.org/HOWTO/Linux+IPv6-HOWTO/index.html Linux IPv6 HOWTO]
* [http://technet.microsoft.com/en-us/library/cc737698%28WS.10%29.aspx Microsoft IPv6 Howto.]
* [http://n1.netalyzr.icsi.berkeley.edu/analysis/ Berkeley University Network analysis tool - very thorough, but requires Java]
First check your general IPv6 connectivity. At a command prompt or terminal check that your machine has a global unicast IPv6 address allocated (i.e. 2000::/3, so begins either 2XXX or 3XXX) as shown in these examples:
C:\Users>ipconfig
Windows IP Configuration
Ethernet adapter Local Area Connection:
Connection-specific DNS Suffix . : home.example.com
'''IPv6 Address. . . . . . . . . . . : 2xxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx'''
Temporary IPv6 Address. . . . . . : 2xxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx
Link-local IPv6 Address . . . . . : fe80::xxxx:xxxx:xxxx:xxxx%10
IPv4 Address. . . . . . . . . . . : 192.168.33.3
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : fe80::xxxx:xxxx:xxxx:xxxx%10
192.168.33.1
On a Linux machine, or similar, then when queried as root, the response would look similar to:
machine:/home/user1 # ifconfig
eth0 Link encap:Ethernet HWaddr XX:XX:XX:XX:XX:XX
inet addr:192.168.33.254 Bcast:192.168.33.255 Mask:255.255.255.0
'''inet6 addr: 2XXX:XXXX:XXXX:XXXX::XXXX/64 Scope:Global'''
inet6 addr: fe80::abc:c0ff:fede:xxxx/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:225635003 errors:0 dropped:0 overruns:0 frame:0
TX packets:268102245 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:1533376458 (1462.3 Mb) TX bytes:1466607126 (1398.6 Mb)
Interrupt:220
Note: The output will differ from the above examples if you are using a tunneled approach, although it would still be useful to check that a valid IPv6 address is being allocated to your machine.
If you do NOT have a global unicast IPv6 address allocated then you need to determine the reason (which address allocation method are you using? DHCPv6, SLAAC or statically assigned addresses? If you're using SLAAC then can you detect router advertisements (ICMPv6) being broadcast? Use Wireshark/tcpdump to determine this.)
If you DO have a global unicast address, then you can check basic IPv6 connectivity using either ping (Windows) or ping6 (Linux). If you are using a tunnel then verify that you can ping/ping6 the distant end of the tunnel.
ping6 ipv6.google.com
you should see a response similar to:
ping6 ipv6.google.com
PING ipv6.google.com(fx-in-x63.1e100.net) 56 data bytes
64 bytes from fx-in-x63.1e100.net: icmp_seq=1 ttl=56 time=24.7 ms
64 bytes from fx-in-x63.1e100.net: icmp_seq=2 ttl=56 time=25.6 ms
...
If this is NOT successful then either your DNS AAAA lookups or general IPv6 connectivity is broken (determine which based on your error messages).
If you have a name lookup error then it is possible to bypass the DNS lookups and ping google's IPv6 host directly:
ping6 -c 3 2a00:1450:400c:c01::67
PING 2a00:1450:400c:c01::67(2a00:1450:400c:c01::67) 56 data bytes
64 bytes from 2a00:1450:400c:c01::67: icmp_seq=1 ttl=56 time=19.0 ms
64 bytes from 2a00:1450:400c:c01::67: icmp_seq=2 ttl=56 time=18.3 ms
64 bytes from 2a00:1450:400c:c01::67: icmp_seq=3 ttl=56 time=18.3 ms
'''Caution: google's ipv6 address changes frequently - this was correct in Jan 2012, it may not be now!
'''
If this fails to work then your general IPv6 connectivity is broken! A few things to check if this is the case:
* Can successfully ping your router?
* Check your IPv6 routing table:
C:\Users\user1>route print
===========================================================================
Interface List
11...XX XX XX XX XX XX ......Intel(R) Centrino(R) Advanced-N 6200 AGN
10...YY YY YY YY YY YY ......Atheros AR8131 PCI-E Gigabit Ethernet Controller
1...........................Software Loopback Interface 1
17...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter
15...00 00 00 00 00 00 00 e0 Teredo Tunneling Pseudo-Interface
===========================================================================
IPv4 Route Table
===========================================================================
removed for clarity
...
===========================================================================
Persistent Routes:
None
IPv6 Route Table
===========================================================================
Active Routes:
If Metric Network Destination Gateway
'''11 281 ::/0 fe80::XXXX:XXXX:XXXX:XXXX'''
1 306 ::1/128 On-link
15 58 2XXX::/32 On-link
15 306 2XXX:X:XXXX:XXXX:XXXX:XXXX:XXXX:XXXX/128
On-link
11 33 2XXX:XXXX:XXXX:XXXX::/64 On-link
11 281 2XXX:XXXX:XXXX:XXXX:XXXX:XXXX:XXXX:XXXX/128
On-link
11 281 2XXX:XXXX:XXXX:XXXX:XXXX:XXXX:XXXX:XXXX/128
On-link
11 281 fe80::/64 On-link
15 306 fe80::/64 On-link
15 306 fe80::XXXX:XXXX:XXXX:XXXX/128
On-link
11 281 fe80::XXXX:XXXX:XXXX:XXXX/128
On-link
1 306 ff00::/8 On-link
15 306 ff00::/8 On-link
11 281 ff00::/8 On-link
===========================================================================
Persistent Routes:
None
Or for a linux host:
machine:/home/user1 # '''ip -6 route show'''
2XXX:XXXX:XXXX:XXXX::/64 via :: dev tun-ipv6 proto kernel metric 256 mtu 1280 advmss 1220 hoplimit 4294967295
2XXX:XXXX:XXXX:XX::/64 dev eth0 proto kernel metric 256 mtu 1500 advmss 1440 hoplimit 4294967295
fe80::/64 dev eth0 proto kernel metric 256 mtu 1500 advmss 1440 hoplimit 4294967295
fe80::/64 via :: dev tun-ipv6 proto kernel metric 256 mtu 1280 advmss 1220 hoplimit 4294967295
'''default via 2XXX:XXXX:XXXX:XXXX::X dev tun-ipv6 metric 1024 mtu 1280 advmss 1220 hoplimit 4294967295'''
If the direct ping6 does work then your DNS AAAA-record lookups may be broken. To check whether you can perform IPv6 AAAA lookups, at a command prompt try:
nslookup -type=aaaa ipv6.chappell-family.com
you should see a response similar to:
Server: ::1
Address: ::1#53
Non-authoritative answer:
ipv6.chappell-family.com has AAAA address 2001:470:1f08:185c::2
Authoritative answers can be found from:
ipv6.chappell-family.com nameserver = ns4.he.net.
ipv6.chappell-family.com nameserver = ns2.he.net.
ipv6.chappell-family.com nameserver = ns1.he.net.
ipv6.chappell-family.com nameserver = ns3.he.net.
ns1.he.net internet address = 216.218.130.2
ns2.he.net internet address = 216.218.131.2
ns2.he.net has AAAA address 2001:470:200::2
ns3.he.net internet address = 216.218.132.2
ns3.he.net has AAAA address 2001:470:300::2
ns4.he.net internet address = 216.66.1.2
ns4.he.net has AAAA address 2001:470:400::2
If you don't get a similar response then you need to investigate your DNS setup, or perhaps your ISP's.
Based on the fact that you've probably already accessed my server using IPv4 then the following IPv4 A-record lookup should work:
nslookup ipv6.chappell-family.com
Server: ::1
Address: ::1#53
Non-authoritative answer:
Name: ipv6.chappell-family.com
Address: 212.159.122.74
If all of the above was successful then your browser may not be prioritising IPv6 DNS requests. The following browsers are known to support IPv6 prioritisation:
* Microsoft's Internet Explorer,
* Google's Chrome
* Apple's Safari
* Mozilla's Firefox (but see the section below)
* w3m
* lynx
If you believe your browser is not prioritising IPv6 then check whether you can access the following URLs:
* [http://ipv6.google.com Google's IPv6-only-URL]
* [http://www6.ipv6.chappell-family.com My IPv6-only-URL]
Both of the above links are for IPv6-only websites - i.e. they have no IPv4 DNS entry - so if you get an error accessing these websites despite being able to perform the DNS lookups correctly then your browser is not prioritising IPv6.
At this point it would be worthwhile checking whether another browser (from the list above) gives the same result.
== Firefox IPv6 DNS Prioritisation Specific ==
Firefox has a specific configuration option with which to disable IPv6 DNS queries (I recently came across Firefox on Linux Mint v12 being configured this way). The option can be displayed by entering the following url into firefox:
about:config
Accept the warning about dragons, and then in the filter bar enter:
ipv6
The resulting list should now show an entry:
network.dns.disableIPv6
If this entry is set to '''true''' then double click on the entry to change its sense to '''FALSE'''. Then try again!
== WINDOWS 7 RESPONSES ==
A correctly configured Windows 7 machine shows the following responses:
ipv6.chappell-family.com has two DNS entries (AAAA and A records) and consequently returns two addresses:
nslookup ipv6.chappell-family.com
Server: server.example.com
Address: 192.168.33.1
Non-authoritative answer:
Name: ipv6.chappell-family.com
Addresses: 2001:470:1f08:185c::2
212.159.122.74
www6.ipv6.chappell-family.com has a single AAAA DNS record:
nslookup www6.ipv6.chappell-family.com
Server: server.example.com
Address: 192.168.33.1
Name: www6.ipv6.chappell-family.com
Address: 2001:470:1f08:185c::2
Assuming these work correctly then a ping should also resolve:
ping www6.ipv6.chappell-family.com
Pinging www6.ipv6.chappell-family.com [2001:470:1f08:185c::2] with 32 bytes of data:
Reply from 2001:470:1f08:185c::2: time<1ms
Reply from 2001:470:1f08:185c::2: time<1ms
Reply from 2001:470:1f08:185c::2: time<1ms
Reply from 2001:470:1f08:185c::2: time<1ms
Ping statistics for 2001:470:1f08:185c::2:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 0ms, Maximum = 0ms, Average = 0ms
and finally pointing your web browser towards my [http://www6.ipv6.chappell-family.com/ipv6tcptest/ IPv6-only port scanner] should also work.
----
<adsense>1</adsense>
These suggestions are '''''only''''' related to issues that might be encountered when accessing my [http://ipv6.chappell-family.com/ipv6tcptest/ IPv6 firewall tester.] For general IPv6 debug please see:
* [http://www.getipv6.info/index.php/Troubleshoot_IPv6_Issues Arin IPv6 debug - many useful links]
* [http://www.tldp.org/HOWTO/Linux+IPv6-HOWTO/index.html Linux IPv6 HOWTO]
* [http://technet.microsoft.com/en-us/library/cc737698%28WS.10%29.aspx Microsoft IPv6 Howto.]
* [http://n1.netalyzr.icsi.berkeley.edu/analysis/ Berkeley University Network analysis tool - very thorough, but requires Java]
First check your general IPv6 connectivity. At a command prompt or terminal check that your machine has a global unicast IPv6 address allocated (i.e. 2000::/3, so begins either 2XXX or 3XXX) as shown in these examples:
C:\Users>ipconfig
Windows IP Configuration
Ethernet adapter Local Area Connection:
Connection-specific DNS Suffix . : home.example.com
'''IPv6 Address. . . . . . . . . . . : 2xxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx'''
Temporary IPv6 Address. . . . . . : 2xxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx
Link-local IPv6 Address . . . . . : fe80::xxxx:xxxx:xxxx:xxxx%10
IPv4 Address. . . . . . . . . . . : 192.168.33.3
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : fe80::xxxx:xxxx:xxxx:xxxx%10
192.168.33.1
On a Linux machine, or similar, then when queried as root, the response would look similar to:
machine:/home/user1 # ifconfig
eth0 Link encap:Ethernet HWaddr XX:XX:XX:XX:XX:XX
inet addr:192.168.33.254 Bcast:192.168.33.255 Mask:255.255.255.0
'''inet6 addr: 2XXX:XXXX:XXXX:XXXX::XXXX/64 Scope:Global'''
inet6 addr: fe80::abc:c0ff:fede:xxxx/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:225635003 errors:0 dropped:0 overruns:0 frame:0
TX packets:268102245 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:1533376458 (1462.3 Mb) TX bytes:1466607126 (1398.6 Mb)
Interrupt:220
Note: The output will differ from the above examples if you are using a tunneled approach, although it would still be useful to check that a valid IPv6 address is being allocated to your machine.
If you do NOT have a global unicast IPv6 address allocated then you need to determine the reason (which address allocation method are you using? DHCPv6, SLAAC or statically assigned addresses? If you're using SLAAC then can you detect router advertisements (ICMPv6) being broadcast? Use Wireshark/tcpdump to determine this.)
If you DO have a global unicast address, then you can check basic IPv6 connectivity using either ping (Windows) or ping6 (Linux). If you are using a tunnel then verify that you can ping/ping6 the distant end of the tunnel.
ping6 ipv6.google.com
you should see a response similar to:
ping6 ipv6.google.com
PING ipv6.google.com(fx-in-x63.1e100.net) 56 data bytes
64 bytes from fx-in-x63.1e100.net: icmp_seq=1 ttl=56 time=24.7 ms
64 bytes from fx-in-x63.1e100.net: icmp_seq=2 ttl=56 time=25.6 ms
...
If this is NOT successful then either your DNS AAAA lookups or general IPv6 connectivity is broken (determine which based on your error messages).
If you have a name lookup error then it is possible to bypass the DNS lookups and ping google's IPv6 host directly:
ping6 -c 3 2a00:1450:400c:c01::67
PING 2a00:1450:400c:c01::67(2a00:1450:400c:c01::67) 56 data bytes
64 bytes from 2a00:1450:400c:c01::67: icmp_seq=1 ttl=56 time=19.0 ms
64 bytes from 2a00:1450:400c:c01::67: icmp_seq=2 ttl=56 time=18.3 ms
64 bytes from 2a00:1450:400c:c01::67: icmp_seq=3 ttl=56 time=18.3 ms
'''Caution: google's ipv6 address changes frequently - this was correct in Jan 2012, it may not be now!
'''
If this fails to work then your general IPv6 connectivity is broken! A few things to check if this is the case:
* Can successfully ping your router?
* Check your IPv6 routing table:
C:\Users\user1>route print
===========================================================================
Interface List
11...XX XX XX XX XX XX ......Intel(R) Centrino(R) Advanced-N 6200 AGN
10...YY YY YY YY YY YY ......Atheros AR8131 PCI-E Gigabit Ethernet Controller
1...........................Software Loopback Interface 1
17...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter
15...00 00 00 00 00 00 00 e0 Teredo Tunneling Pseudo-Interface
===========================================================================
IPv4 Route Table
===========================================================================
removed for clarity
...
===========================================================================
Persistent Routes:
None
IPv6 Route Table
===========================================================================
Active Routes:
If Metric Network Destination Gateway
'''11 281 ::/0 fe80::XXXX:XXXX:XXXX:XXXX'''
1 306 ::1/128 On-link
15 58 2XXX::/32 On-link
15 306 2XXX:X:XXXX:XXXX:XXXX:XXXX:XXXX:XXXX/128
On-link
11 33 2XXX:XXXX:XXXX:XXXX::/64 On-link
11 281 2XXX:XXXX:XXXX:XXXX:XXXX:XXXX:XXXX:XXXX/128
On-link
11 281 2XXX:XXXX:XXXX:XXXX:XXXX:XXXX:XXXX:XXXX/128
On-link
11 281 fe80::/64 On-link
15 306 fe80::/64 On-link
15 306 fe80::XXXX:XXXX:XXXX:XXXX/128
On-link
11 281 fe80::XXXX:XXXX:XXXX:XXXX/128
On-link
1 306 ff00::/8 On-link
15 306 ff00::/8 On-link
11 281 ff00::/8 On-link
===========================================================================
Persistent Routes:
None
Or for a linux host:
machine:/home/user1 # '''ip -6 route show'''
2XXX:XXXX:XXXX:XXXX::/64 via :: dev tun-ipv6 proto kernel metric 256 mtu 1280 advmss 1220 hoplimit 4294967295
2XXX:XXXX:XXXX:XX::/64 dev eth0 proto kernel metric 256 mtu 1500 advmss 1440 hoplimit 4294967295
fe80::/64 dev eth0 proto kernel metric 256 mtu 1500 advmss 1440 hoplimit 4294967295
fe80::/64 via :: dev tun-ipv6 proto kernel metric 256 mtu 1280 advmss 1220 hoplimit 4294967295
'''default via 2XXX:XXXX:XXXX:XXXX::X dev tun-ipv6 metric 1024 mtu 1280 advmss 1220 hoplimit 4294967295'''
If the direct ping6 does work then your DNS AAAA-record lookups may be broken. To check whether you can perform IPv6 AAAA lookups, at a command prompt try:
nslookup -type=aaaa ipv6.chappell-family.com
you should see a response similar to:
Server: ::1
Address: ::1#53
Non-authoritative answer:
ipv6.chappell-family.com has AAAA address 2001:470:1f08:185c::2
Authoritative answers can be found from:
ipv6.chappell-family.com nameserver = ns4.he.net.
ipv6.chappell-family.com nameserver = ns2.he.net.
ipv6.chappell-family.com nameserver = ns1.he.net.
ipv6.chappell-family.com nameserver = ns3.he.net.
ns1.he.net internet address = 216.218.130.2
ns2.he.net internet address = 216.218.131.2
ns2.he.net has AAAA address 2001:470:200::2
ns3.he.net internet address = 216.218.132.2
ns3.he.net has AAAA address 2001:470:300::2
ns4.he.net internet address = 216.66.1.2
ns4.he.net has AAAA address 2001:470:400::2
If you don't get a similar response then you need to investigate your DNS setup, or perhaps your ISP's.
Based on the fact that you've probably already accessed my server using IPv4 then the following IPv4 A-record lookup should work:
nslookup ipv6.chappell-family.com
Server: ::1
Address: ::1#53
Non-authoritative answer:
Name: ipv6.chappell-family.com
Address: 212.159.122.74
If all of the above was successful then your browser may not be prioritising IPv6 DNS requests. The following browsers are known to support IPv6 prioritisation:
* Microsoft's Internet Explorer,
* Google's Chrome
* Apple's Safari
* Mozilla's Firefox (but see the section below)
* w3m
* lynx
If you believe your browser is not prioritising IPv6 then check whether you can access the following URLs:
* [http://ipv6.google.com Google's IPv6-only-URL]
* [http://www6.ipv6.chappell-family.com My IPv6-only-URL]
Both of the above links are for IPv6-only websites - i.e. they have no IPv4 DNS entry - so if you get an error accessing these websites despite being able to perform the DNS lookups correctly then your browser is not prioritising IPv6.
At this point it would be worthwhile checking whether another browser (from the list above) gives the same result.
== Firefox IPv6 DNS Prioritisation Specific ==
Firefox has a specific configuration option with which to disable IPv6 DNS queries (I recently came across Firefox on Linux Mint v12 being configured this way). The option can be displayed by entering the following url into firefox:
about:config
Accept the warning about dragons, and then in the filter bar enter:
ipv6
The resulting list should now show an entry:
network.dns.disableIPv6
If this entry is set to '''true''' then double click on the entry to change its sense to '''FALSE'''. Then try again!
== WINDOWS 7 RESPONSES ==
A correctly configured Windows 7 machine shows the following responses:
ipv6.chappell-family.com has two DNS entries (AAAA and A records) and consequently returns two addresses:
nslookup ipv6.chappell-family.com
Server: server.example.com
Address: 192.168.33.1
Non-authoritative answer:
Name: ipv6.chappell-family.com
Addresses: 2001:470:1f08:185c::2
212.159.122.74
www6.ipv6.chappell-family.com has a single AAAA DNS record:
nslookup www6.ipv6.chappell-family.com
Server: server.example.com
Address: 192.168.33.1
Name: www6.ipv6.chappell-family.com
Address: 2001:470:1f08:185c::2
Assuming these work correctly then a ping should also resolve:
ping www6.ipv6.chappell-family.com
Pinging www6.ipv6.chappell-family.com [2001:470:1f08:185c::2] with 32 bytes of data:
Reply from 2001:470:1f08:185c::2: time<1ms
Reply from 2001:470:1f08:185c::2: time<1ms
Reply from 2001:470:1f08:185c::2: time<1ms
Reply from 2001:470:1f08:185c::2: time<1ms
Ping statistics for 2001:470:1f08:185c::2:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 0ms, Maximum = 0ms, Average = 0ms
and finally pointing your web browser towards my [http://www6.ipv6.chappell-family.com/ipv6tcptest/ IPv6-only port scanner] should also work.
----
<adsense>1</adsense>