| Summary: | https://git.freebsd.org SSL connection timeout out over ipv6 | | |
|---|---|---|---|
| Product: | Services | Reporter: | void |
| Component: | FTP/WWW Sites & Mirrors | Assignee: | Cluster Admin <clusteradm> |
| Status: | Closed FIXED | | |
| Severity: | Affects Only Me | CC: | bofh, philip |
| Priority: | --- | | |
| Version: | unspecified | | |
| Hardware: | Any | | |
| OS: | Any | | |
Description
void
2024-03-09 23:25:19 UTC
A speedtest from my location to Secaucus, NY on ipv6:

```
✓ Test Server: [Custom] [2604:a00:50:14::2]:8080
✓ Latency: 39.7657ms Jitter: 10.913363ms Min: 36.060171ms Max: 72.505346ms
✓ Download: 50.04Mbps (used: 59.65MB) (latency: 37ms jitter: 1ms min: 36ms max: 39ms)
✓ Upload: 13.07Mbps (used: 15.58MB) (latency: 40ms jitter: 10ms min: 36ms max: 72ms)
```

A workaround at this time for things like freebsd-update that don't have -4 or -6 switches is to set ip6addrctl_policy="ipv4" and reboot. Otherwise freebsd-update won't work in a dual stack environment.

This works fine from here and from a couple of other places on the internet. I suspect a PMTU issue on your end, or somewhere along your path. Could you please capture tcpdump output from this:

```
curl -vk -H 'Host git.freebsd.org' https://gitmir.fra.freebsd.org/
```

Pay close attention to the MSS values. This mirror has been running with MTU=9000 for a couple of months -- since bringing up the newer site in Sweden. I should bring it back to MTU=1500.

Aside: there is no freebsd-update mirror in Frankfurt. If you're seeing timeouts on freebsd-update too, that indicates a wider IPv6 issue.

Created attachment 249088: tcpdump output as plain txt

(In reply to Philip Paeps from comment #2)

Hi, I had to use curl -6 because of the modification to rc.conf explained previously. I have attached the tcpdump output (as plain txt rather than a pcap).

In the curl terminal, this was the result:

```
curl -6 -vk -H 'Host git.freebsd.org' https://gitmir.fra.freebsd.org/
* Host gitmir.fra.freebsd.org:443 was resolved.
* IPv6: 2604:1380:4091:a001::24ca:1
* IPv4: (none)
* Trying [2604:1380:4091:a001::24ca:1]:443...
* Connected to gitmir.fra.freebsd.org (2604:1380:4091:a001::24ca:1) port 443
* ALPN: curl offers h2,http/1.1
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* Recv failure: Connection reset by peer
* OpenSSL SSL_connect: Connection reset by peer in connection to gitmir.fra.freebsd.org:443
* Closing connection
curl: (35) Recv failure: Connection reset by peer
```

It seems I send with a MSS value of 1440 and the site replies with a MSS of 8940.

Yeah. As I expected: Path MTU Discovery fail. Something along the path is dropping ICMPv6 "Packet Too Big" messages. If you can control that machine, you can fix the problem before I get around to lowering the MTU on our end. ;-)

Thanks for letting us know!

(In reply to Philip Paeps from comment #7)

it's working now :D TYVM

I'll need to reboot my machine to test freebsd-update, not sure if ipaddrctl can apply changes on the fly

mss is now 1440 on update2 so freebsd-update now works TYVM

I didn't actually change anything, but glad to hear that whatever middlebox was broken was fixed. ;-)

I'll keep this bug open until I get around to lowering the MTU on our Frankfurt mirror though. Jumbograms on the internet are not a recipe for success.

spooky! I changed nothing here lol

Now the tcpdump says the packets gitmir is sending are mss 1440, which works great

(In reply to Philip Paeps from comment #7)

Hi,

```
$ host git.freebsd.org | grep IPv6
gitmir.geo.freebsd.org has IPv6 address 2a02:80:0:3ffd::24ca:1
gitmir.geo.freebsd.org has IPv6 address 2604:1380:4091:a001::24ca:1
$
```

Both have mss of 8940.

2604:1380:4091:a001::24ca:1 works
2a02:80:0:3ffd::24ca:1 doesn't

it appears that it's only gitmir.sjb.freebsd.org which has the problem

Well, now the middlebox is interfering with your traffic to our mirror in Sweden. ;-)

I finally got around to starting a mirror refresh this morning, and taking the opportunity to lower the MTUs of the two EU mirrors. Both mirrors are back to MTU=1500.

confirmed it works, TYVM :D
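
The MSS comparison discussed in this thread, as an added example that is not part of the original bug report: a Python sketch that reads tcpdump text output, takes the MSS from the SYN and SYN-ACK, and derives each side's implied MTU (MSS plus 40 bytes of IPv6 header and 20 bytes of TCP header). The capture lines and the 2001:db8::10 client address are constructed, and the `pmtud_suspect` flag is a heuristic assumed here, not a diagnosis.

```python
import re

IPV6_HDR, TCP_HDR = 40, 20   # fixed headers, no extension headers or TCP options
ETHERNET_MTU = 1500

# Constructed capture in tcpdump text format (client address is a documentation prefix).
SAMPLE = """\
12:00:00.000001 IP6 2001:db8::10.51234 > 2604:1380:4091:a001::24ca:1.443: Flags [S], seq 100, win 65535, options [mss 1440,nop,wscale 6,sackOK,TS val 1 ecr 0], length 0
12:00:00.040001 IP6 2604:1380:4091:a001::24ca:1.443 > 2001:db8::10.51234: Flags [S.], seq 900, ack 101, win 65535, options [mss 8940,nop,wscale 6,sackOK,TS val 2 ecr 1], length 0
12:00:00.040101 IP6 2001:db8::10.51234 > 2604:1380:4091:a001::24ca:1.443: Flags [.], ack 1, win 1027, length 0
12:00:00.041001 IP6 2001:db8::10.51234 > 2604:1380:4091:a001::24ca:1.443: Flags [P.], seq 1:518, ack 1, win 1027, length 517
12:00:00.090001 IP6 2604:1380:4091:a001::24ca:1.443 > 2001:db8::10.51234: Flags [R], seq 901, win 0, length 0
""".splitlines()

# "<ts> IP6 <src>.<port> > <dst>.<port>: Flags [<flags>], ..."
LINE = re.compile(
    r"IP6 (?P<src>\S+)\.(?P<sport>\d+) > (?P<dst>\S+)\.(?P<dport>\d+): "
    r"Flags \[(?P<flags>[^\]]+)\]")
MSS = re.compile(r"\bmss (\d+)")

def handshake_mss(lines):
    """Return {'client': mss, 'server': mss} from the SYN and SYN-ACK lines."""
    out = {}
    for line in lines:
        m, mss = LINE.search(line), MSS.search(line)
        if not (m and mss):
            continue
        if m["flags"] == "S":        # bare SYN: connection initiator
            out["client"] = int(mss.group(1))
        elif m["flags"] == "S.":     # SYN-ACK: responder
            out["server"] = int(mss.group(1))
    return out

def assess(lines):
    """Derive implied MTUs and flag a jumbo-MTU peer combined with a reset."""
    mss = handshake_mss(lines)
    mtu = {side: v + IPV6_HDR + TCP_HDR for side, v in mss.items()}
    jumbo = sorted(side for side, v in mtu.items() if v > ETHERNET_MTU)
    reset = any((m := LINE.search(l)) and "R" in m["flags"] for l in lines)
    return {"mss": mss, "implied_mtu": mtu, "jumbo_sides": jumbo,
            "reset_seen": reset,
            "pmtud_suspect": bool(jumbo) and reset}  # heuristic only

if __name__ == "__main__":
    print(assess(SAMPLE))
```

A side whose implied MTU exceeds 1500 depends on ICMPv6 "Packet Too Big" messages getting back to it, so on a filtered path the first thing to check is whether the firewall or middlebox passes that ICMPv6 type.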