Bug #22316
closedhttps://docs.ceph.com not well reachable via IPv6
0%
Description
When connecting to e.g. https://docs.ceph.com, I see symptoms of the network path not being able to do path mtu discovery: the connection simply stalls. This is typically caused by blocking too much, e.g. the ICMP PTB packets. See https://altmode.org/2015/01/14/adventures-with-ipv6-path-mtu-discovery/.
Can you check if docs.ceph.com filters the ICMP ptb packets?
Updated by Michel Roelofs over 6 years ago
Hereby a tcpdump. The traffic stops after 7 packets, #6 is a large chunk of data sent by docs.ceph.com, #7 my ack and the remainder are just tcp keepalive packets.
16:26:01.045940 IP6 2a01:670::xx:yy:zz.43774 > 2607:5300:201:2000::3:58b1.80: Flags [S], seq 1637477638, win 28800, options [mss 1440,sackOK,TS val 1811014700 ecr 0,nop,wscale 10], length 0
16:26:01.138708 IP6 2607:5300:201:2000::3:58b1.80 > 2a01:670::xx:yy:zz.43774: Flags [S.], seq 3547754825, ack 1637477639, win 28560, options [mss 1440,sackOK,TS val 3734021574 ecr 1811014700,nop,wscale 7], length 0
16:26:01.138744 IP6 2a01:670::xx:yy:zz.43774 > 2607:5300:201:2000::3:58b1.80: Flags [.], ack 1, win 29, options [nop,nop,TS val 1811014793 ecr 3734021574], length 0
16:26:01.138901 IP6 2a01:670::xx:yy:zz.43774 > 2607:5300:201:2000::3:58b1.80: Flags [P.], seq 1:467, ack 1, win 29, options [nop,nop,TS val 1811014793 ecr 3734021574], length 466: HTTP: GET /docs/giant/rbd/rbd-snapshot/ HTTP/1.1
16:26:01.230578 IP6 2607:5300:201:2000::3:58b1.80 > 2a01:670::xx:yy:zz.43774: Flags [.], ack 467, win 232, options [nop,nop,TS val 3734021597 ecr 1811014793], length 0
16:26:01.421983 IP6 2607:5300:201:2000::3:58b1.80 > 2a01:670::xx:yy:zz.43774: Flags [P.], seq 5713:7016, ack 467, win 232, options [nop,nop,TS val 3734021645 ecr 1811014793], length 1303: HTTP
16:26:01.422009 IP6 2a01:670::xx:yy:zz.43774 > 2607:5300:201:2000::3:58b1.80: Flags [.], ack 1, win 31, options [nop,nop,TS val 1811015076 ecr 3734021597,nop,nop,sack 1 {5713:7016}], length 0
16:26:11.425988 IP6 2a01:670::xx:yy:zz.43774 > 2607:5300:201:2000::3:58b1.80: Flags [.], ack 1, win 31, options [nop,nop,TS val 1811015076 ecr 3734021597,nop,nop,sack 1 {5713:7016}], length 0
16:26:11.517752 IP6 2607:5300:201:2000::3:58b1.80 > 2a01:670::xx:yy:zz.43774: Flags [.], ack 467, win 232, options [nop,nop,TS val 3734024169 ecr 1811015076], length 0
16:26:21.569981 IP6 2a01:670::xx:yy:zz.43774 > 2607:5300:201:2000::3:58b1.80: Flags [.], ack 1, win 31, options [nop,nop,TS val 1811025172 ecr 3734021597,nop,nop,sack 1 {5713:7016}], length 0
16:26:21.662257 IP6 2607:5300:201:2000::3:58b1.80 > 2a01:670::xx:yy:zz.43774: Flags [.], ack 467, win 232, options [nop,nop,TS val 3734026705 ecr 1811015076], length 0
16:26:31.809987 IP6 2a01:670::xx:yy:zz.43774 > 2607:5300:201:2000::3:58b1.80: Flags [.], ack 1, win 31, options [nop,nop,TS val 1811035317 ecr 3734021597,nop,nop,sack 1 {5713:7016}], length 0
16:26:31.902400 IP6 2607:5300:201:2000::3:58b1.80 > 2a01:670::xx:yy:zz.43774: Flags [.], ack 467, win 232, options [nop,nop,TS val 3734029265 ecr 1811015076], length 0
16:26:42.049972 IP6 2a01:670::xx:yy:zz.43774 > 2607:5300:201:2000::3:58b1.80: Flags [.], ack 1, win 31, options [nop,nop,TS val 1811045557 ecr 3734021597,nop,nop,sack 1 {5713:7016}], length 0
16:26:42.141653 IP6 2607:5300:201:2000::3:58b1.80 > 2a01:670::xx:yy:zz.43774: Flags [.], ack 467, win 232, options [nop,nop,TS val 3734031825 ecr 1811015076], length 0
Updated by David Galloway about 6 years ago
- Status changed from New to In Progress
- Assignee set to David Galloway
docs.ceph.com is an Openstack VM and its firewall rules allow ICMP traffic. Anything beyond that, I don't have visibility into.
Is this still an issue?
Updated by Michel Roelofs about 6 years ago
I'm not sure. In the meantime I got another Internet provider, with a larger IPv6 MTU, and now it works well. I will try to create a test setup where I can vary the MTU, this could then show the issue.
Updated by Sage Weil over 4 years ago
- Project changed from www.ceph.com to website
Updated by Kefu Chai about 4 years ago
Suggested by Nico Schottelius (telmich on #ceph-devel):
it actually works on HTTP. it's just HTTPS broken.
The only thing necessary is a "listen [::]:443;" in the nginx configuration on that hostusing curl -I http://docs.ceph.com works in IPv6 only networks, however curl -I https://docs.ceph.com/ returns Failed to connect to docs.ceph.com port 443: Connection refused
As the server signature is nginx, it really only needs a listen directive for IPv6
Updated by David Galloway about 4 years ago
- Status changed from In Progress to Resolved