06-21-2011 02:40 AM - edited 03-01-2019 05:28 PM
Hi!
I am trying to set up my 1812 with 15.1(4)M to do 6to4 tunneling through the anycast address 192.88.99.1 but can't get it working.
Config extract:
ipv6 general-prefix my-prefix 6to4 FastEthernet0
ipv6 unicast-routing
ipv6 cef
!
interface Tunnel0
 no ip address
 no ip redirects
 ipv6 address my-prefix ::1/64
 ipv6 enable
 ipv6 mtu 1280
 tunnel source FastEthernet0
 tunnel mode ipv6ip 6to4
 tunnel path-mtu-discovery
!
interface FastEthernet0
 ip address dhcp
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip flow ingress
 ip nat outside
 ip virtual-reassembly in
 duplex auto
 speed auto
 no cdp enable
!
interface Vlan10
 no ip address
 bridge-group 10
 bridge-group 10 spanning-disabled
!
interface BVI10
 ip address 192.168.22.1 255.255.255.0
 no ip redirects
 no ip proxy-arp
 ip nat inside
 ip virtual-reassembly in
 ipv6 address my-prefix ::1:0:0:0:1/64
 ipv6 enable
!
ipv6 route 2002::/16 Tunnel0
ipv6 route ::/0 2002:C058:6301::
The prefix my-prefix gets correctly derived from the IPv4 address of FastEthernet0. Tunnel0 and BVI10 both set the correct 6to4 IPv6 address. So I think everything is set up as it is supposed to be. However, I can't get anything out: any ping or traceroute from the router to an IPv6 address like ipv6.google.com times out. From all computers inside the LAN it doesn't work either.
The 6to4 relay seems to work. I can ping 192.88.99.1 from the router. I can also connect a computer directly to the internet line and get 6to4 from the computer through 192.88.99.1. So it seems to me as if the router isn't tunneling traffic as it should but I don't find how to troubleshoot this. There don't seem to be any debug commands for 6to4 or similar tunnels so I am short of doing packet captures...
Any idea how to find what goes wrong?
Thanks, Gerald
06-22-2011 03:09 AM
The tunnel must have a 6to4 address:
interface Tunnel0
 no ip address
 no ip redirects
 ipv6 address 2002:C0A8:102::/128
 tunnel source FastEthernet0/1
 tunnel mode ipv6ip 6to4
Otherwise, your config looks ok.
regards,
Leo
06-22-2011 08:34 AM
The tunnel has a 6to4 address. my-prefix is the 6to4 prefix.
06-22-2011 09:42 AM
But then you are also using it on your internal network? (BVI0)
The v6 address block to be tunneled should be a global unicast range, not a 6to4 range.
This block must be assigned by (or known to) the 6to4 provider because he must set the route back to you.
Perhaps this can be done automatically after you have registered an address block with the provider but it cannot be a 6to4 range. (2002::/16)
regards,
Leo
06-22-2011 10:02 AM
I don't understand. I use the 6to4 prefix in the LAN and in the tunnel.
Let's say 17.18.19.20 is the IP address on FastEthernet 0 assigned by DHCP from the ISP.
my-prefix is thus 2002:1112:1314::/48
The ipv6 address on tunnel 0 is 2002:1112:1314:0::1/64.
The ipv6 address on BVI10 is 2002:1112:1314:1::1/64.
The LAN subnet is 2002:1112:1314:1::/64. This is announced by the router. LAN devices correctly configure an ipv6 address in this LAN subnet.
Why would I need a global unicast range to get this working?
See here
Gerald
06-22-2011 10:27 AM
Yes, you are right. According to RFC 3056 2002:
Sorry to confuse you.
Perhaps the problem is related to the creation of dns entries in order to route back.
See RFC3056.
regards,
Leo
06-22-2011 09:43 AM
Hi,
Could you try with a /128 mask instead of a /64 for the tunnel ipv6 address?
Thanks,
Laurent.
06-22-2011 10:04 AM
/128 instead of /64 doesn't make a difference.
06-22-2011 04:20 PM
Could you try pinging an IPv6 address from the router and see if the output counter of the tunnel interface increases?
I tried a config very close to yours but on a different platform with a different release and it's working. Only differences are I'm using a VLAN interface instead of BVI, my public IPv4 address is static and I control the 6to4 relay config. Everything else is similar.
Otherwise, open a Service-Request with the TAC as there is nothing wrong with your config.
Thanks,
Laurent.
06-22-2011 11:37 PM
Now I know why they generally recommend NOT to use IPv6 tunnel through 6to4 due to lack of quality or stability.
I found the problem: it's the 6to4 relay.
I have checked the interface counters on the tunnel 0 and fastethernet 0. They increased in sync while sending.
I have checked incoming from the internet: works. The router received pings through the tunnel interface.
Then I started doing a packet capture on the 1812 (monitor capture) of the 6to4 encapsulated IPv4 traffic. Looks perfectly correct.
Thus, assuming the router would actually send out the packets I have captured on the fastethernet 0 interface it would be the 6to4 relay of my ISP.
It works when I use my computer directly on the internet connection. It did not with the router. Main difference: they get a different IP address in a different subnet from the ISP.
Thus, I have released the DHCP lease on the router for a couple of minutes and then renewed to get a new, different IP address: surprise! It works with the exact same configuration on the router.
So it seems the 6to4 relay can't be used from some IP addresses of my ISP or traffic goes into a different relay which doesn't operate correctly (I didn't keep the traceroutes to the relay...). With 6to4 there is no way to tell whether the relay is working correctly or not unless you know that it worked before and you didn't change anything.
Anyway, thanks for all your answers.
Now it's time to set up the zone firewall for IPv6...
Thanks,
Gerald
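As an added example (not code from the thread or from Cisco), the following Python sketch performs the check behind the packet-capture step described above: it derives the 6to4 prefix from an IPv4 address the way Gerald's earlier post does, then verifies that a captured protocol-41 packet has consistent inner and outer addresses. The function names are hypothetical and the sample packet is constructed.

```python
import ipaddress
import struct

RELAY_ANYCAST = ipaddress.IPv4Address("192.88.99.1")  # relay address from the thread

def sixtofour_prefix(v4: str) -> ipaddress.IPv6Network:
    """Return 2002:V4ADDR::/48 for a public IPv4 address (RFC 3056)."""
    v4int = int(ipaddress.IPv4Address(v4))
    return ipaddress.IPv6Network(((0x2002 << 112) | (v4int << 80), 48))

def build_sample(v4_src, v4_dst, v6_src, v6_dst) -> bytes:
    """Construct a minimal IPv6-in-IPv4 packet (sample data, checksum left 0)."""
    inner = (struct.pack("!IHBB", 0x60000000, 0, 59, 64)
             + ipaddress.IPv6Address(v6_src).packed
             + ipaddress.IPv6Address(v6_dst).packed)
    outer = (struct.pack("!BBHHHBBH", 0x45, 0, 20 + len(inner), 0, 0, 64, 41, 0)
             + ipaddress.IPv4Address(v4_src).packed
             + ipaddress.IPv4Address(v4_dst).packed)
    return outer + inner

def check_proto41(packet: bytes) -> dict:
    """Parse one captured IPv4 packet and sanity-check its 6to4 addressing."""
    ihl = (packet[0] & 0x0F) * 4
    if packet[0] >> 4 != 4 or len(packet) < ihl + 40:
        raise ValueError("not an IPv4 packet carrying a full IPv6 header")
    inner = packet[ihl:ihl + 40]
    if packet[9] != 41 or inner[0] >> 4 != 6:
        raise ValueError("not IPv6-in-IPv4 (protocol 41)")
    outer_src = ipaddress.IPv4Address(packet[12:16])
    outer_dst = ipaddress.IPv4Address(packet[16:20])
    inner_src = ipaddress.IPv6Address(inner[8:24])
    inner_dst = ipaddress.IPv6Address(inner[24:40])
    return {
        "outer_src": outer_src, "outer_dst": outer_dst,
        "inner_src": inner_src, "inner_dst": inner_dst,
        # The inner source must lie in the prefix derived from the outer source.
        "src_consistent": inner_src in sixtofour_prefix(str(outer_src)),
        # 2002::/16 destinations go straight to the embedded IPv4 address;
        # native IPv6 destinations go to the relay.
        "dst_expected": (inner_dst.sixtofour or RELAY_ANYCAST) == outer_dst,
    }

if __name__ == "__main__":
    pkt = build_sample("17.18.19.20", "192.88.99.1",
                       "2002:1112:1314:1::1", "2001:db8::1")
    print(sixtofour_prefix("17.18.19.20"), check_proto41(pkt))
```

If both checks pass on the router's egress capture, as they did in the post above, the encapsulation is correct and the loss is downstream, which the router has no way to observe.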
06-23-2011 04:20 PM
"I found the problem: it's the 6to4 relay."
Gerald, this is precisely at least one of the main reasons why 6to4 anycast use is being deprecated by the IETF. I'd suggest grabbing a tunnel at he.net. After asking your ISP about their IPv6 plans, of course.
06-23-2011 10:58 PM
I fully agree with you. It was not meant to be a permanent thing. But who would think that if you connect the computer first, everything works perfectly fine, and later you connect another device and it doesn't work simply because it's a different source IP address while still the same ISP. The 6to4 anycast seemed like the fastest and easiest way for a quick starter. At least it looked so easy when I enabled 6to4 on my Mac. ;-)
I guess any IPv6 tunneling is difficult to troubleshoot if it's a problem with the relay as you don't get any feedback in case the relay isn't forwarding the traffic.
My ISP plans IPv6 rollout this year. I hope it's not another half a year until they really do...
Either way this helped me to learn about packet capturing in IOS which can be extremely useful sometimes.