I'm starting to troubleshoot loss of tunnelbroker-provided IPv6 on an edge, 
shorewall6-lite box; need a hand.

On the shorewall machine, @eth0, the external interface,

        ifconfig eth0 | grep "inet6 addr" | grep "Scope:Global"
                inet6 addr: 2001:XXX:XXX4:XXX::2/64 Scope:Global

and

        shorewall6-lite show routing | egrep "^2001|^default"
                2001:XXX:XXX5:XXX::/64 dev eth1 proto kernel metric 256
                2001:XXX:XXX4:XXX::/64 dev sit1 proto kernel metric 256
                2001:XXX:XXX4:XXX::/64 dev eth0 proto kernel metric 256
                default via 2001:XXX:XXX4:XXX::1 dev sit1 metric 1024

In my shorewall6-lite rules, I have added

        Ping(ACCEPT)   net:[2001:XXX:XXX4:XXX::2]/64,[2001:XXX:XXX5:XXX::]/64   all
        Ping(ACCEPT)   net                                                      all   -   -   -   -   5/sec:100

On the shorewall machine, ping6 to self

        ping6 -c1 2001:XXX:XXX4:XXX::2
                PING 2001:XXX:XXX4:XXX::2(2001:XXX:XXX4:XXX::2) 56 data bytes
                64 bytes from 2001:XXX:XXX4:XXX::2: icmp_seq=1 ttl=64 time=0.157 ms

                --- 2001:XXX:XXX4:XXX::2 ping statistics ---
                1 packets transmitted, 1 received, 0% packet loss, time 0ms
                rtt min/avg/max/mdev = 0.157/0.157/0.157/0.000 ms

but, to the other end of the tunnel

        ping6 -c1 2001:XXX:XXX4:XXX::1
                PING 2001:XXX:XXX4:XXX::1(2001:XXX:XXX4:XXX::1) 56 data bytes
                From 2001:XXX:XXX4:XXX::2 icmp_seq=1 Destination unreachable: Address unreachable

                --- 2001:XXX:XXX4:XXX::1 ping statistics ---
                0 packets transmitted, 0 received, +1 errors

and in shorewall log

        ...
        Nov 12 15:47:38 test kernel: [  976.493756] SW:[P6]OUTPUT:REJECT IN= OUT=eth0 SRC=2001:0XXX:XXX4:XXX0:0000:0000:0000:0002 DST=2001:0XXX:XXX4:XXX0:0000:0000:0000:0001 LEN=104 TC=0 HOPLIMIT=64 FLOWLBL=0 PROTO=ICMPv6 TYPE=128 CODE=0 ID=3994 SEQ=1
        ...

To my read, the "Ping(ACCEPT)" above should be allowing that traffic, not 
REJECTing it.  I can't manage to see the problem.

What's wrong here?  What additional diagnostic can/should I look at?
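
An added diagnostic example, not part of the original post: it reads a log line and a routing listing in the formats shown above and reports which chain logged the packet, which interface it was leaving by, and which connected routes cover the destination. The sample data is constructed, with 2001:db8::/32 standing in for the redacted addresses, and the function names are hypothetical.

```python
import ipaddress
import re

# Constructed sample data in the post's layout (2001:db8::/32 is the
# documentation prefix, replacing the redacted XXX groups).
ROUTES = """\
2001:db8:5:1::/64 dev eth1 proto kernel metric 256
2001:db8:4:1::/64 dev sit1 proto kernel metric 256
2001:db8:4:1::/64 dev eth0 proto kernel metric 256
default via 2001:db8:4:1::1 dev sit1 metric 1024
"""
LOG = ("Nov 12 15:47:38 test kernel: [  976.493756] SW:[P6]OUTPUT:REJECT IN= "
       "OUT=eth0 SRC=2001:0db8:0004:0001:0000:0000:0000:0002 "
       "DST=2001:0db8:0004:0001:0000:0000:0000:0001 LEN=104 TC=0 HOPLIMIT=64 "
       "FLOWLBL=0 PROTO=ICMPv6 TYPE=128 CODE=0 ID=3994 SEQ=1")

def parse_log(line):
    """Return the KEY=VALUE fields plus chain and disposition from the prefix."""
    m = re.search(r"(\w+):(\w+) IN=", line)
    if not m:
        raise ValueError("no CHAIN:DISPOSITION prefix found")
    fields = dict(re.findall(r"(\w+)=(\S*)", line))
    fields["chain"], fields["disposition"] = m.group(1), m.group(2)
    return fields

def covering_routes(routes_text, dst):
    """Return (prefix, dev) for each non-default route whose prefix holds dst."""
    addr = ipaddress.ip_address(dst)
    hits = []
    for line in routes_text.splitlines():
        m = re.match(r"(\S+) dev (\S+)", line)  # "default via ..." does not match
        if m and addr in ipaddress.ip_network(m.group(1)):
            hits.append((m.group(1), m.group(2)))
    return hits

def diagnose(routes_text, log_line):
    f = parse_log(log_line)
    devs = [dev for _, dev in covering_routes(routes_text, f["DST"])]
    return {
        "chain": f["chain"],              # OUTPUT = locally generated packet
        "disposition": f["disposition"],
        "out_dev": f["OUT"],              # interface the packet was leaving by
        "icmpv6_type": int(f["TYPE"]),    # 128 = echo request
        "candidate_devs": devs,
        "prefix_on_multiple_devs": len(set(devs)) > 1,
    }

if __name__ == "__main__":
    for key, value in diagnose(ROUTES, LOG).items():
        print(f"{key}: {value}")
```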
