Scheduled Maintenance: We are aware of an issue with Google, AOL, and Yahoo services as email providers which are blocking new registrations. We are trying to fix the issue and we have several internal and external support tickets in process to resolve the issue. Please see: viewtopic.php?t=158230

 

 

 

IPv6 REACHABLE -> STALE after a while, then host looks down

Linux Kernel, Network, and Services configuration.
Post Reply
Message
Author
dusatvoj
Posts: 3
Joined: 2020-09-04 18:00

IPv6 REACHABLE -> STALE after a while, then host looks down

#1 Post by dusatvoj »

Hello,
I'm using debian 10 in dual stack network but I have a problem with routes/neighbours falling into STALE state.
I thought it was caused by nftables because by nftables tracing a found this:

Code: Select all

trace id b86c9f55 inet firewall input packet: iif "ens192" ether saddr 01:23:45:67:89:ab ether daddr 33:33:00:00:00:01 ip6 saddr fe80::0123:ABC:DEF:GHI ip6 daddr ff02::1 ip6 dscp cs7 ip6 ecn not-ect ip6 hoplimit 255 ip6 flowlabel 0 ip6 nexthdr ipv6-icmp ip6 length 64 icmpv6 type nd-router-advert icmpv6 code no-route icmpv6 parameter-problem 1073743624 @th,64,96 16893106
... when nftables has rule

Code: Select all

ip6 nexthdr icmpv6 accept
After switching to legacy ip{,6}tables I've found the same behavior (After reboot everything works fine and after a while I've found STALE states)

Code: Select all

root@im:~# ip -6 neigh show 
2001:ABC:DEF:::1 dev ens192 lladdr 01:23:45:67:89:ab router STALE
fe80::0123:ABC:DEF:GHI dev ens192 lladdr 01:23:45:67:89:ab router STALE
(IPv6 addresses and MAC addresses were scrambled)

Can somebody help me?
Thank you
Last edited by dusatvoj on 2020-09-06 14:38, edited 1 time in total.

reinob
Posts: 1189
Joined: 2014-06-30 11:42
Has thanked: 97 times
Been thanked: 47 times

Re: IPv6 REACHABLE -> STALE after a while

#2 Post by reinob »

and your problem is ...?

a route becomes "stale" after a while, but is there.
Try pinging a "stale" host and you will see that it works (if the host is still up, that is..)

dusatvoj
Posts: 3
Joined: 2020-09-04 18:00

Re: IPv6 REACHABLE -> STALE after a while

#3 Post by dusatvoj »

The problem is when I'm using nftables. Connection is not restored (for example from http://www.ipv6now.com.au/ ipv6 not working anymore).
For being sure: I don't know if it's the nftables issue only or if it's some kernel issue but it seems broken now and I don't know what's wrong.

p.H
Global Moderator
Global Moderator
Posts: 3049
Joined: 2017-09-17 07:12
Has thanked: 5 times
Been thanked: 132 times

Re: IPv6 REACHABLE -> STALE after a while, then host looks d

#4 Post by p.H »

dusatvoj wrote:The problem is when I'm using nftables.
But you wrote previously that switching to legacy ip6tables did not fix the issue. Also,
dusatvoj wrote:I don't know if it's the nftables issue
So what should we believe ?
If you suspect nftables or ip6tables, disable them completely and check whether the issue still happens.
dusatvoj wrote:for example from http://www.ipv6now.com.au/ ipv6 not working anymore
What do you mean exactly ? Is www.ipv6now.com.au a host in your LAN ? If not, what does it have to do with IPv6 neighbour reachability ? You do not check IPv6 neighbour reachability with a remote web site but with basic commands such as ping6 as indicated by reinob.

cuckooflew
Posts: 677
Joined: 2018-05-10 19:34
Location: Some where out west
Been thanked: 1 time

Re: IPv6 REACHABLE -> STALE after a while, then host looks d

#5 Post by cuckooflew »

I don't understand what the purpose of the link you posted is either, there is nothing there that is of any use, ?
How ever, the key words: ipv6 not working anymore Do yield a lot of results that could be of use. EG:
This problem can occur for a number reasons, depending on various circumstances. To address the issue, you might need to update network drivers, disable the IP helper service, reset IPv6 settings, release and renew your IP configuration, etc. In the guide below, we describe various methods to fix the ipv6 not working anymore problem
OMG FINALLY.

Called Starhub last evening and greeted with support staff who insisted Starhub does not have IPv6. I've been running IPv6 on Starhub reliably untill the outage a few days back. Right now, under my router settings, IPv6 address is blank. Wasted my time last night downgrading my firmware and upgrading it when I realised the fault was with Starhub.
dusatvoj> I don't know if it's the nftables issue only or if it's some kernel issue but it seems broken now and I don't know what's wrong.
I don't know either, but I do not think it is a kernel issue, but considering you do not tell us what kernel, nor Debian version you are using, or anything, Nor what router is involved, eg: the above was "Starhub", and the problem specific to that, .. so any way, maybe some better details would help.
There is a command you can use as well: https://manpages.debian.org/buster/ipro ... .8.en.html
DESCRIPTION
The ip utility can monitor the state of devices, addresses and routes continuously. This option has a slightly different format. Namely, the monitor command is the first in the command line and then the object list follows:
Per:
https://serverfault.com/questions/97060 ... able-linux
Thanks @A.B. I did some reading on ARP flux, and as it turns out, according to the sources I read, we had already set up our sysctl parameters to prevent this issue(arp_announce = 2 and arp_ignore = 1). So I don't think that's what's getting us. Going back to "ip -ts monitor", from the output I see that routes on our system become "STALE", and then are "PROBE"d and set to "REACHABLE", which I'm assuming means they responded to the probe. Would a route be removed if the router didn't respond? What happens if there's heavy traffic and the response packet happens to get dropped?
run instead: ip -ts monitor link , ip -ts monitor address , ip -ts monitor route. stale reachable etc is about ARP (with ip neighbour) and thus not about routes. –
==== for more details, below=====
https://www.startpage.com/do/dsearch?qu ... sion=1.3.0
There are so many things that could be causing this, you will need to just start the process of elimination, check the router, if it is ok, check the firmware , and so on,.....Keep notes on what you check and try, so we don't suggest something you all ready tried.
Please Read What we expect you have already Done
Search Engines know a lot, and
"If God had wanted computers to work all the time, He wouldn't have invented RESET buttons"
and
Just say NO to help vampires!

dusatvoj
Posts: 3
Joined: 2020-09-04 18:00

Re: IPv6 REACHABLE -> STALE after a while, then host looks d

#6 Post by dusatvoj »

Many thank's forreply @cuckooflew.
Now I'm using debian 10 on AMD64 with 4.19.0-12 kernel. Routers are Cisco 9000 series (multiple locations, same issue).

I think that switching to ip6tables worked. Routes falling to stale state but recovering (when using nftables it's not recovering when I do ping from other machine but recovering when I do a ping from the selected machine).

I've tried both rule type:

Code: Select all

meta l4proto ipv6-icmp icmpv6 type { destination-unreachable, packet-too-big, time-exceeded, parameter-problem, mld-listener-query, mld-listener-report, mld-listener-reduction, nd-router-solicit, nd-router-advert, nd-neighbor-solicit, nd-neighbor-advert, ind-neighbor-solicit, ind-neighbor-advert, mld2-listener-report } accept 
and

Code: Select all

ip6 nexthdr ipv6-icmp icmpv6 type { destination-unreachable, packet-too-big, time-exceeded, parameter-problem, mld-listener-query, mld-listener-report, mld-listener-reduction, nd-router-solicit, nd-router-advert, nd-neighbor-solicit, nd-neighbor-advert, ind-neighbor-solicit, ind-neighbor-advert, mld2-listener-report } accept
Every behavior gives me error in `nft monitor trace`:

Code: Select all

trace id d6d869ab inet filter input packet: iif "ens18" ether saddr c4:b2:39:14:28:3f ether daddr 33:33:00:00:00:01 ip6 saddr fe80::c6b2:39ff:fe14:283f ip6 daddr ff02::1 ip6 dscp cs7 ip6 ecn not-ect ip6 hoplimit 255 ip6 flowlabel 0 ip6 nexthdr ipv6-icmp ip6 length 64 icmpv6 type nd-router-advert icmpv6 code no-route icmpv6 parameter-problem 1086850824 @th,64,96 16893106

Post Reply