HTTP timeout on ipv6

kostropak · February 16, 2021, 12:00pm

My problem is when I try to open on my notebook webpage from my server in local network, my 99% requests fail with timeout but 1% works correctly. To better understand I will describe my LAN network:

All devices have ipv4 and ipv6 (scope global)

ISP - provides single NAT ipv4 and full ipv6 scope global.
Router0 - ISP router which is connected by wire to Router1 and Internet
Router1 - is my main router in my local network. To this router are connected my all devices like smartphones, PCs, notebooks etc. by wire or wireless.
Server - host with Fedora Server which is connected by wire to Router1, by Apache it serve two virtualservers as aaaa.mydomain.org and bbbbb.mydomain.org. For connections (IPv4) from outside of LAN it got VPN, for connections by IPv6 it got opened ports in Router0 and Router1. DNS records are properly configured IP for v4 and v6.
PC - normal host with Windows, everything works good. I can open aaaa and bbbb webpage by local IPv4 and global IPv6.
Notebook - with Fedora 33 KDE, with this device I have problem to open webpage bbbb domain on IPv6, by IPv4 it is possible. aaaa domain works normal without problems.
smartphones - Android devices without problems open aaaa and bbbb domain webpage.

My first conclusion was that problem is in Router1 or Server, firewall is blocking or port is closed or Apache configuration is wrong. But everything looks good, any other devices do not have any problems like notebook. So I started to test notebook.

connection by wire or wireless to Router1 didn’t change anything. Still aaaa domain works and bbbb do not.
when I connect notebook to Router0 by wire or wireless both domains works.
changing web browser do not help
connected to Router1, when I run curl -vk4 https://bbbb.domain.org it works but when I run curl -vk6 https://bbbb.mydomain.org curl hangs on Client hello:

curl -kv6 https://bbbb.mydomain.org
*   Trying ipv6here:443...
* Connected to aaaa.mydomain.org (*****) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*   CAfile: /etc/pki/tls/certs/ca-bundle.crt
  CApath: none
* TLSv1.3 (OUT), TLS handshake, Client hello (1):

Certificate is wildcard to mydomain.org by certbot.

I run livecd Fedora on notebook and above curl request work so problem is with installed Fedora. I do not know why.

vgaetera · February 16, 2021, 12:27pm

Decrease MTU on the client or add a TCP MSS to PMTU clamping firewall rule for IPv6 traffic.

kostropak · February 16, 2021, 1:37pm

I tried on notebook

nmcli connection modify id wifiname 802-11-wireless.mtu 1000

and

firewall-cmd --direct --add-passthrough ipv6 -I FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu

It didn’t help

vgaetera · February 16, 2021, 2:02pm

Verify the settings.

ip link show

The MSS clamping rule should be applied on the router.
Or, on the host system if you are using virtualization with NAT/routed networking.

ip6tables-save -t mangle

In addition, IPv6 heavily relies on ICMPv6, so make sure to allow it:

ICMPv6 input and output on both client and server.
ICMPv6 forward on routers in both directions.

kostropak · February 17, 2021, 9:06am

I don’t think that’s problem is in router. I see slight improvement but still is horrible.
I got ICMPv6 allowed but to be sure I disabled firewall on both sides, with no effect. I sniffed with Wireshark but I do not really know how to read packets.
When there is problem with getting data I see after TLSv1 Client Hello pocket many tcp retransmission and TCP Dup ACK. No idea what is going on.