IPv6 DEBUG

From timswiki
Revision as of 17:40, 21 April 2012 by Wikiadmin (talk | contribs) (Created page with "== IPv6 DEBUG == These suggestions are '''''only''''' related to issues that might be encountered when accessing my [http://ipv6.chappell-family.com/ipv6tcptest/ IPv6 firewal...")
(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
Jump to: navigation, search

IPv6 DEBUG

These suggestions are only related to issues that might be encountered when accessing my IPv6 firewall tester. For general IPv6 debug please see:


First check your general IPv6 connectivity. At a command prompt or terminal check that your machine has a global unicast IPv6 address allocated (i.e. 2000::/3, so begins either 2XXX or 3XXX) as shown in these examples:


 C:\Users>ipconfig
 
 Windows IP Configuration
 
 
 Ethernet adapter Local Area Connection:
 
    Connection-specific DNS Suffix  . : home.example.com
    IPv6 Address. . . . . . . . . . . : 2xxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx
    Temporary IPv6 Address. . . . . . : 2xxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx
    Link-local IPv6 Address . . . . . : fe80::xxxx:xxxx:xxxx:xxxx%10
    IPv4 Address. . . . . . . . . . . : 192.168.33.3
    Subnet Mask . . . . . . . . . . . : 255.255.255.0
    Default Gateway . . . . . . . . . : fe80::xxxx:xxxx:xxxx:xxxx%10
                                        192.168.33.1
 

On a Linux machine, or similar, then when queried as root, the response would look similar to:

 machine:/home/user1 # ifconfig
 
 eth0      Link encap:Ethernet  HWaddr XX:XX:XX:XX:XX:XX
           inet addr:192.168.33.254  Bcast:192.168.33.255  Mask:255.255.255.0
           inet6 addr: 2XXX:XXXX:XXXX:XXXX::XXXX/64 Scope:Global
           inet6 addr: fe80::abc:c0ff:fede:xxxx/64 Scope:Link
           UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
           RX packets:225635003 errors:0 dropped:0 overruns:0 frame:0
           TX packets:268102245 errors:0 dropped:0 overruns:0 carrier:0
           collisions:0 txqueuelen:1000
           RX bytes:1533376458 (1462.3 Mb)  TX bytes:1466607126 (1398.6 Mb)
           Interrupt:220


Note: The output will differ from the above examples if you are using a tunneled approach, although it would still be useful to check that a valid IPv6 address is being allocated to your machine.

If you do NOT have a global unicast IPv6 address allocated then you need to determine the reason (which address allocation method are you using? DHCPv6, SLAAC or statically assigned addresses? If you're using SLAAC then can you detect router advertisements (ICMPv6) being broadcast? Use Wireshark/tcpdump to determine this.)

If you DO have a global unicast address, then you can check basic IPv6 connectivity using either ping (Windows) or ping6 (Linux). If you are using a tunnel then verify that you can ping/ping6 the distant end of the tunnel.


 ping6 ipv6.google.com
 


you should see a response similar to:


 ping6 ipv6.google.com
  
 PING ipv6.google.com(fx-in-x63.1e100.net) 56 data bytes
 64 bytes from fx-in-x63.1e100.net: icmp_seq=1 ttl=56 time=24.7 ms
 64 bytes from fx-in-x63.1e100.net: icmp_seq=2 ttl=56 time=25.6 ms
 ...


If this is NOT successful then either your DNS AAAA lookups or general IPv6 connectivity is broken (determine which based on your error messages).


If you have a name lookup error then it is possible to bypass the DNS lookups and ping google's IPv6 host directly:


 ping6 -c 3 2a00:1450:400c:c01::67
 
 PING 2a00:1450:400c:c01::67(2a00:1450:400c:c01::67) 56 data bytes
 64 bytes from 2a00:1450:400c:c01::67: icmp_seq=1 ttl=56 time=19.0 ms
 64 bytes from 2a00:1450:400c:c01::67: icmp_seq=2 ttl=56 time=18.3 ms
 64 bytes from 2a00:1450:400c:c01::67: icmp_seq=3 ttl=56 time=18.3 ms
 
 Caution: google's ipv6 address changes frequently - this was correct in Jan 2012, it may not be now!

If this fails to work then your general IPv6 connectivity is broken! A few things to check if this is the case:

  • Can successfully ping your router?
  • Check your IPv6 routing table:


 C:\Users\user1>route print
 ===========================================================================
 Interface List
  11...XX XX XX XX XX XX ......Intel(R) Centrino(R) Advanced-N 6200 AGN
  10...YY YY YY YY YY YY ......Atheros AR8131 PCI-E Gigabit Ethernet Controller
   1...........................Software Loopback Interface 1
  17...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter
  15...00 00 00 00 00 00 00 e0 Teredo Tunneling Pseudo-Interface
 ===========================================================================   
 IPv4 Route Table
 ===========================================================================
 removed for clarity
 ...
 ===========================================================================
 Persistent Routes:
   None 
 
 IPv6 Route Table
 ===========================================================================
 Active Routes:
  If Metric Network Destination      Gateway
  11    281 ::/0                     fe80::XXXX:XXXX:XXXX:XXXX
   1    306 ::1/128                  On-link
  15     58 2XXX::/32                On-link
  15    306 2XXX:X:XXXX:XXXX:XXXX:XXXX:XXXX:XXXX/128
                                     On-link
  11     33 2XXX:XXXX:XXXX:XXXX::/64 On-link
  11    281 2XXX:XXXX:XXXX:XXXX:XXXX:XXXX:XXXX:XXXX/128
                                     On-link
  11    281 2XXX:XXXX:XXXX:XXXX:XXXX:XXXX:XXXX:XXXX/128
                                     On-link
  11    281 fe80::/64                On-link
  15    306 fe80::/64                On-link
  15    306 fe80::XXXX:XXXX:XXXX:XXXX/128
                                     On-link
  11    281 fe80::XXXX:XXXX:XXXX:XXXX/128
                                     On-link
   1    306 ff00::/8                 On-link
  15    306 ff00::/8                 On-link
  11    281 ff00::/8                 On-link
 ===========================================================================
 Persistent Routes:
   None


Or for a linux host:


 machine:/home/user1 # ip -6 route show
 2XXX:XXXX:XXXX:XXXX::/64 via :: dev tun-ipv6  proto kernel  metric 256  mtu 1280 advmss 1220 hoplimit 4294967295
 2XXX:XXXX:XXXX:XX::/64 dev eth0 proto kernel  metric 256  mtu 1500 advmss 1440 hoplimit 4294967295
 fe80::/64 dev eth0  proto kernel  metric 256  mtu 1500 advmss 1440 hoplimit 4294967295
 fe80::/64 via :: dev tun-ipv6  proto kernel  metric 256  mtu 1280 advmss 1220 hoplimit 4294967295
 default via 2XXX:XXXX:XXXX:XXXX::X dev tun-ipv6  metric 1024  mtu 1280 advmss 1220 hoplimit 4294967295
 


If the direct ping6 does work then your DNS AAAA-record lookups may be broken. To check whether you can perform IPv6 AAAA lookups, at a command prompt try:


 nslookup -type=aaaa ipv6.chappell-family.com


you should see a response similar to:


 Server:         ::1
 Address:        ::1#53
 
 Non-authoritative answer:
 ipv6.chappell-family.com        has AAAA address 2001:470:1f08:185c::2
 
 Authoritative answers can be found from:
 ipv6.chappell-family.com        nameserver = ns4.he.net.
 ipv6.chappell-family.com        nameserver = ns2.he.net.
 ipv6.chappell-family.com        nameserver = ns1.he.net.
 ipv6.chappell-family.com        nameserver = ns3.he.net.
 ns1.he.net      internet address = 216.218.130.2
 ns2.he.net      internet address = 216.218.131.2
 ns2.he.net      has AAAA address 2001:470:200::2
 ns3.he.net      internet address = 216.218.132.2
 ns3.he.net      has AAAA address 2001:470:300::2
 ns4.he.net      internet address = 216.66.1.2
 ns4.he.net      has AAAA address 2001:470:400::2
 


If you don't get a similar response then you need to investigate your DNS setup, or perhaps your ISP's.


Based on the fact that you've probably already accessed my server using IPv4 then the following IPv4 A-record lookup should work:


 nslookup ipv6.chappell-family.com
   
 
 Server:         ::1
 Address:        ::1#53
 
 Non-authoritative answer:
 Name:   ipv6.chappell-family.com
 Address: 212.159.122.74


If all of the above was successful then your browser may not be prioritising IPv6 DNS requests. The following browsers are known to support IPv6 prioritisation:


  • Microsoft's Internet Explorer,
  • Google's Chrome
  • Apple's Safari
  • Mozilla's Firefox (but see the section below)
  • w3m
  • lynx


If you believe your browser is not prioritising IPv6 then check whether you can access the following URLs:



Both of the above links are for IPv6-only websites - i.e. they have no IPv4 DNS entry - so if you get an error accessing these websites despite being able to perform the DNS lookups correctly then your browser is not prioritising IPv6.

At this point it would be worthwhile checking whether another browser (from the list above) gives the same result.

Firefox IPv6 DNS Prioritisation Specific

Firefox has a specific configuration option with which to disable IPv6 DNS queries (I recently came across Firefox on Linux Mint v12 being configured this way). The option can be displayed by entering the following url into firefox:


 about:config


Accept the warning about dragons, and then in the filter bar enter:


 ipv6


The resulting list should now show an entry:


 network.dns.disableIPv6


If this entry is set to true then double click on the entry to change its sense to FALSE. Then try again!


WINDOWS 7 RESPONSES

A correctly configured Windows 7 machine shows the following responses:


ipv6.chappell-family.com has two DNS entries (AAAA and A records) and consequently returns two addresses:


 nslookup ipv6.chappell-family.com
 
 Server:  server.example.com
 Address:  192.168.33.1
 
 Non-authoritative answer:
 Name:    ipv6.chappell-family.com
 Addresses:  2001:470:1f08:185c::2
             212.159.122.74


www6.ipv6.chappell-family.com has a single AAAA DNS record:


 nslookup www6.ipv6.chappell-family.com
   
 Server:  server.example.com
 Address:  192.168.33.1
 
 Name:    www6.ipv6.chappell-family.com
 Address:  2001:470:1f08:185c::2


Assuming these work correctly then a ping should also resolve:

 ping www6.ipv6.chappell-family.com
 
 Pinging www6.ipv6.chappell-family.com [2001:470:1f08:185c::2] with 32 bytes of data:
 Reply from 2001:470:1f08:185c::2: time<1ms
 Reply from 2001:470:1f08:185c::2: time<1ms
 Reply from 2001:470:1f08:185c::2: time<1ms
 Reply from 2001:470:1f08:185c::2: time<1ms
 
 Ping statistics for 2001:470:1f08:185c::2:
     Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
 Approximate round trip times in milli-seconds:
     Minimum = 0ms, Maximum = 0ms, Average = 0ms


and finally pointing your web browser towards my IPv6-only port scanner should also work.




<adsense>1</adsense>