[outages] HE IPv6 tunnel PMTU issues with juniper.net

Mark Felder feld at feld.me
Wed Oct 1 11:09:49 EDT 2014



On Wed, Oct 1, 2014, at 09:37, Chuck Anderson via Outages wrote:
> On Wed, Oct 01, 2014 at 02:17:01PM +0000, Gary Gapinski via Outages
> wrote:
> > On 10/01/2014 01:50 PM, Chuck Anderson via Outages wrote:
> > >While on my Hurricane Electric IPv6 tunnel, I cannot access
> > >juniper.net unless I change my local interface MTU.  1500 fails, but
> > >1280 works.  I noticed this a few days ago.  Before that I had no
> > >problems with a 1500 MTU.  Is anyone else seeing this issue?
> > 
> > No, but if you are using a 6in4 tunnel, the MTU should be 1480 (not 1500).
> > 
> > (I just successfully went to www.juniper.net via IPv6 with that MTU 1480.)
> 
> My tunnel router has a 1280 MTU on the henet interface:
> 
> 6in4-henet Link encap:IPv6-in-IPv4  
>           inet6 addr: 2001:470:xxxx:xxxx::2/64 Scope:Global
>           inet6 addr: fe80::xxxx:xxxx/128 Scope:Link
>           UP POINTOPOINT RUNNING NOARP  MTU:1280  Metric:1
>           RX packets:17148418 errors:0 dropped:0 overruns:0 frame:0
>           TX packets:12347808 errors:0 dropped:0 overruns:0 carrier:0
>           collisions:0 txqueuelen:0 
>           RX bytes:2660258163 (2.4 GiB)  TX bytes:2833651623 (2.6 GiB)
> 
> But the LAN interface of that router has an MTU of 1500, as does my
> desktop system.  I believe the issue is that the juniper.net web
> server has an MTU of 1500 and their network or somewhere along the
> path is blocking ICMP Packet Too Big messages that would be sent by
> the HE.net tunnel router.
> 
> Like I said, I changed nothing on my end, and it was working before.
> I don't know if juniper.net just added IPv6 to their website, or if
> something else changed in the path.
>

It's nearly a requirement to lower your MTU / enable mss-clamping when
doing IPv6 tunnels. It's possible some connectivity of yours was broken
and you just didn't notice it until now. I had to do this on my J series
and I also have to do it on my OpenBSD firewall -- 

# mss clamping down to 1280. 1220 + 60 for ipv6 header
match on egress all scrub (random-id no-df max-mss 1220)

The whole fragmentation situation with IPv6 is kind of a joke.

http://en.wikipedia.org/wiki/IPv6_packet#Fragmentation
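
[Added example, not part of the original post or of any poster's code.] A small model of the failure discussed in this thread: a sender with a 1500-byte MTU behind a 1280-byte tunnel hop, with ICMPv6 Packet Too Big either delivered or filtered, and with the max-mss 1220 clamp applied. The function names are hypothetical, the MTU values are the ones quoted in the thread, and TCP options are assumed absent.

```python
IPV6_HDR = 40   # fixed IPv6 header, bytes
TCP_HDR = 20    # TCP header without options, bytes (assumption)

def mss_for_mtu(mtu):
    """Largest TCP payload that fits in one IPv6 packet of `mtu` bytes."""
    return mtu - IPV6_HDR - TCP_HDR

def negotiate_mss(sender_mtu, receiver_mtu, clamp=None):
    """MSS the sender will use: the lower of both ends' values, after an
    optional on-path rewrite of the SYN's MSS option (pf's max-mss)."""
    mss = min(mss_for_mtu(sender_mtu), mss_for_mtu(receiver_mtu))
    return mss if clamp is None else min(mss, clamp)

def send_segment(path_mtus, mss, ptb_reaches_sender, max_tries=4):
    """Push one full-size segment along `path_mtus` (link MTUs in order).

    IPv6 routers do not fragment in transit: a hop whose MTU is too small
    drops the packet and answers with ICMPv6 Packet Too Big (PTB). If that
    PTB is filtered, the sender keeps retransmitting the same size."""
    pmtu = None  # path MTU learned from a PTB message, if any
    for tries in range(1, max_tries + 1):
        payload = mss if pmtu is None else min(mss, mss_for_mtu(pmtu))
        size = payload + IPV6_HDR + TCP_HDR
        too_small = [m for m in path_mtus if m < size]
        if not too_small:
            return {"delivered": True, "packet_size": size, "tries": tries}
        if ptb_reaches_sender:
            pmtu = too_small[0]  # PTB reports the MTU of the hop that dropped
    return {"delivered": False, "packet_size": size, "tries": max_tries}

# Constructed path, web server toward the desktop: server link, tunnel, LAN.
PATH = [1500, 1280, 1500]

def scenarios():
    unclamped = negotiate_mss(1500, 1500)              # 1440
    clamped = negotiate_mss(1500, 1500, clamp=1220)    # 1220, as in the pf rule
    return {
        "pmtud_works": send_segment(PATH, unclamped, ptb_reaches_sender=True),
        "ptb_filtered": send_segment(PATH, unclamped, ptb_reaches_sender=False),
        "mss_clamped": send_segment(PATH, clamped, ptb_reaches_sender=False),
    }

if __name__ == "__main__":
    for name, result in scenarios().items():
        print(name, result)
```

The clamped case succeeds without depending on any ICMPv6 message, which is why the clamp hides a filter that drops Packet Too Big somewhere on the path.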


