[8.920][BUG] IPv6 connection issues (was: Proxy does not handle dual stack servers!)

Since swapping my ASG v8 with v9 beta I'm having problems accessing dual-stack enabled servers.

Servers like my own (blackdot.be) or even astaro.org time out when using the HTTP Proxy. If I disable the IPv6 DNS entry it works fine. So I know it is IPv6 related.

2012:04:10-23:12:16 inertia httpproxy[10369]: id="0002" severity="info" sys="SecureWeb" sub="http" name="web request blocked" action="block" method="GET" srcip="2001:6f8:1480:15:11a8:c2f0:eb92:d869" dstip="2a02:788:12:38::5" user="" statuscode="502" cached="0" profile="REF_DefaultHTTPProfile (Default Proxy)" filteraction="REF_DefaultHTTPCFFAction (Default content filter action)" size="2850" request="0x841e5c8" url="http://www.astaro.com/sites/all/themes/yaml/layouts/yaml_astaro/images/en-int/myastaro.png" exceptions="" error="Connection to server timed out"
2012:04:10-23:12:16 inertia httpproxy[10369]: id="0002" severity="info" sys="SecureWeb" sub="http" name="web request blocked" action="block" method="GET" srcip="2001:6f8:1480:15:11a8:c2f0:eb92:d869" dstip="2a02:788:12:38::5" user="" statuscode="502" cached="0" profile="REF_DefaultHTTPProfile (Default Proxy)" filteraction="REF_DefaultHTTPCFFAction (Default content filter action)" size="2746" request="0x836ccf0" url="http://www.astaro.com/elqNow/elqCfg.js" exceptions="" error="Connection to server timed out"
2012:04:10-23:12:16 inertia httpproxy[10369]: id="0002" severity="info" sys="SecureWeb" sub="http" name="web request blocked" action="block" method="GET" srcip="2001:6f8:1480:15:11a8:c2f0:eb92:d869" dstip="2a02:788:12:38::5" user="" statuscode="502" cached="0" profile="REF_DefaultHTTPProfile (Default Proxy)" filteraction="REF_DefaultHTTPCFFAction (Default content filter action)" size="2746" request="0x836cb88" url="http://www.astaro.com/elqNow/elqImg.js" exceptions="" error="Connection to server timed out"
2012:04:10-23:12:33 inertia httpproxy[10369]: id="0002" severity="info" sys="SecureWeb" sub="http" name="web request blocked" action="block" method="GET" srcip="2001:6f8:1480:15:11a8:c2f0:eb92:d869" dstip="2a02:788:12:38::5" user="" statuscode="502" cached="0" profile="REF_DefaultHTTPProfile (Default Proxy)" filteraction="REF_DefaultHTTPCFFAction (Default content filter action)" size="2836" request="0xbcd35198" url="http://www.astaro.com/sites/all/themes/yaml/layouts/yaml_astaro/css/navigations.css" exceptions="" error="Connection to server timed out"
2012:04:10-23:12:33 inertia httpproxy[10369]: id="0002" severity="info" sys="SecureWeb" sub="http" name="web request blocked" action="block" method="GET" srcip="2001:6f8:1480:15:11a8:c2f0:eb92:d869" dstip="2a02:788:12:38::5" user="" statuscode="502" cached="0" profile="REF_DefaultHTTPProfile (Default Proxy)" filteraction="REF_DefaultHTTPCFFAction (Default content filter action)" size="2742" request="0xbcd06768" url="http://www.astaro.com/misc/jquery.js" exceptions="" error="Connection to server timed out"
2012:04:10-23:12:33 inertia httpproxy[10369]: id="0002" severity="info" sys="SecureWeb" sub="http" name="web request blocked" action="block" method="GET" srcip="2001:6f8:1480:15:11a8:c2f0:eb92:d869" dstip="2a02:788:12:38::5" user="" statuscode="502" cached="0" profile="REF_DefaultHTTPProfile (Default Proxy)" filteraction="REF_DefaultHTTPCFFAction (Default content filter action)" size="2850" request="0x830fb68" url="http://www.astaro.com/sites/all/themes/yaml/layouts/yaml_astaro/images/en-int/myastaro.png" exceptions="" error="Connection to server timed out"
2012:04:10-23:12:34 inertia httpproxy[10369]: id="0002" severity="info" sys="SecureWeb" sub="http" name="web request blocked" action="block" method="GET" srcip="2001:6f8:1480:15:11a8:c2f0:eb92:d869" dstip="2a02:788:12:38::5" user="" statuscode="502" cached="0" profile="REF_DefaultHTTPProfile (Default Proxy)" filteraction="REF_DefaultHTTPCFFAction (Default content filter action)" size="2746" request="0x834f060" url="http://www.astaro.com/elqNow/elqCfg.js" exceptions="" error="Connection to server timed out"
2012:04:10-23:12:34 inertia httpproxy[10369]: id="0002" severity="info" sys="SecureWeb" sub="http" name="web request blocked" action="block" method="GET" srcip="2001:6f8:1480:15:11a8:c2f0:eb92:d869" dstip="2a02:788:12:38::5" user="" statuscode="502" cached="0" profile="REF_DefaultHTTPProfile (Default Proxy)" filteraction="REF_DefaultHTTPCFFAction (Default content filter action)" size="2746" request="0x830fe38" url="http://www.astaro.com/elqNow/elqImg.js" exceptions="" error="Connection to server timed out"
2012:04:10-23:13:34 inertia httpproxy[10369]: id="0002" severity="info" sys="SecureWeb" sub="http" name="web request blocked" action="block" method="GET" srcip="2001:6f8:1480:15:11a8:c2f0:eb92:d869" dstip="2a02:788:12:38::5" user="" statuscode="502" cached="0" profile="REF_DefaultHTTPProfile (Default Proxy)" filteraction="REF_DefaultHTTPCFFAction (Default content filter action)" size="2742" request="0x830fb68" url="http://www.astaro.com/misc/jquery.js" exceptions="" error="Connection to server timed out"
2012:04:10-23:14:14 inertia httpproxy[10369]: id="0002" severity="info" sys="SecureWeb" sub="http" name="web request blocked" action="block" method="GET" srcip="2001:6f8:1480:15:11a8:c2f0:eb92:d869" dstip="2001:1938:81:164::2" user="" statuscode="502" cached="0" profile="REF_DefaultHTTPProfile (Default Proxy)" filteraction="REF_DefaultHTTPCFFAction (Default content filter action)" size="2708" request="0x834f768" url="http://blackdot.be/" exceptions="" error="Connection to server timed out"
2012:04:10-23:14:35 inertia httpproxy[10369]: id="0002" severity="info" sys="SecureWeb" sub="http" name="web request blocked" action="block" method="GET" srcip="2001:6f8:1480:15:11a8:c2f0:eb92:d869" dstip="2a02:788:12:38::5" user="" statuscode="502" cached="0" profile="REF_DefaultHTTPProfile (Default Proxy)" filteraction="REF_DefaultHTTPCFFAction (Default content filter action)" size="2746" request="0x834f060" url="http://www.astaro.com/elqNow/elqCfg.js" exceptions="" error="Connection to server timed out"
2012:04:10-23:14:35 inertia httpproxy[10369]: id="0002" severity="info" sys="SecureWeb" sub="http" name="web request blocked" action="block" method="GET" srcip="2001:6f8:1480:15:11a8:c2f0:eb92:d869" dstip="2a02:788:12:38::5" user="" statuscode="502" cached="0" profile="REF_DefaultHTTPProfile (Default Proxy)" filteraction="REF_DefaultHTTPCFFAction (Default content filter action)" size="2850" request="0x830fb68" url="http://www.astaro.com/sites/all/themes/yaml/layouts/yaml_astaro/images/en-int/myastaro.png" exceptions="" error="Connection to server timed out"
2012:04:10-23:14:43 inertia httpproxy[10369]: id="0002" severity="info" sys="SecureWeb" sub="http" name="web request blocked" action="block" method="GET" srcip="172.16.15.111" dstip="2001:1938:81:164::2" user="" statuscode="502" cached="0" profile="REF_DefaultHTTPProfile (Default Proxy)" filteraction="REF_DefaultHTTPCFFAction (Default content filter action)" size="2708" request="0x83a3300" url="http://www.blackdot.be/" exceptions="" error="Connection to server timed out" 
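
A way to confirm from the proxy log that the timeouts follow the server's address family rather than the client's, as an added example that is not part of the original post. The sample lines are constructed with documentation addresses, and the function names are this example's own.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample in the key="value" layout of the httpproxy lines above.
# Addresses are documentation ranges; the third srcip is deliberately damaged.
SAMPLE_LOG = """\
2012:04:10-23:12:16 gw httpproxy[100]: id="0002" name="web request blocked" action="block" srcip="2001:db8:15::869" dstip="2001:db8:38::5" statuscode="502" url="http://dual.example/a.js" error="Connection to server timed out"
2012:04:10-23:14:43 gw httpproxy[100]: id="0002" name="web request blocked" action="block" srcip="192.0.2.111" dstip="2001:db8:164::2" statuscode="502" url="http://dual.example/" error="Connection to server timed out"
2012:04:10-23:14:50 gw httpproxy[100]: id="0002" name="web request blocked" action="block" srcip="2001:db8:15::zz" dstip="2001:db8:38::5" statuscode="502" url="http://dual.example/b.css" error="Connection to server timed out"
2012:04:10-23:15:02 gw httpproxy[100]: id="0001" name="http access" action="pass" srcip="192.0.2.111" dstip="198.51.100.7" statuscode="200" url="http://v4only.example/" error=""
"""

FIELD = re.compile(r'(\w+)="([^"]*)"')


def parse_line(line):
    """Turn one log line into a dict of its key="value" fields."""
    return dict(FIELD.findall(line))


def family(addr):
    """Return 'v4' or 'v6', or 'unparsed' when the value is not a valid address."""
    try:
        return "v%d" % ipaddress.ip_address(addr).version
    except ValueError:
        return "unparsed"


def timeout_matrix(log_text):
    """Count 502 upstream timeouts per (client family, server family)."""
    matrix = Counter()
    for line in log_text.splitlines():
        f = parse_line(line)
        if f.get("statuscode") == "502" and "timed out" in f.get("error", ""):
            matrix[family(f.get("srcip", "")), family(f.get("dstip", ""))] += 1
    return matrix


def timeouts_are_ipv6_only(log_text):
    """True when every timeout, from any client family, targets an IPv6 server."""
    matrix = timeout_matrix(log_text)
    return bool(matrix) and all(dst == "v6" for _, dst in matrix)


if __name__ == "__main__":
    for (src, dst), n in sorted(timeout_matrix(SAMPLE_LOG).items()):
        print(f"client {src:8} -> server {dst}: {n} timeout(s)")
    print("IPv6-only failure pattern:", timeouts_are_ipv6_only(SAMPLE_LOG))
```

An IPv4 client timing out against an IPv6 `dstip` points at the proxy's own upstream IPv6 leg, not at the client's connectivity.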

  • So could you enable IPS again and try again?
    1 Anything in ips.log while you try to establish an IPv6 connection
    2 See if IPv6 in IPv4 traffic is leaving the ASG: tcpdump -n -i any proto 41


    1. I did the following:
    ssh to my server -> all OK
    enable IPS... wait for it to start... (until I saw the decoding raw... line) ssh to my server... nothing.
    ips.log: 2012:04:12-17:40:38 inertia snort[7965]: Enabling inline operation 2012:04:12-1 - Pastebin.com (Pastebin so I can give you the complete one... nothing.)

    2. Here is the output. There is some traffic, it seems, but all of it is from an established connection to an IRC server; nothing of ssh shows up.

    inertia:/root # tcpdump -n -i any proto 41
    tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
    listening on any, link-type LINUX_SLL (Linux cooked), capture size 96 bytes
    17:47:45.609767 IP 212.100.184.146 > 91.176.210.18: IP6 2001:4860:4860::8844.53 > 2001:6f8:1480:30::2.1755: [|domain]
    17:47:45.611160 IP 91.176.210.18 > 212.100.184.146: IP6 2001:6f8:1480:30::2 > 2001:4860:4860::8844: ICMP6, destination unreachable[|icmp6]
    17:47:45.622502 IP 212.100.184.146 > 91.176.210.18: IP6 2001:4860:4860::8888.53 > 2001:6f8:1480:30::2.1755: [|domain]
    17:47:45.623711 IP 91.176.210.18 > 212.100.184.146: IP6 2001:6f8:1480:30::2 > 2001:4860:4860::8888: ICMP6, destination unreachable[|icmp6]
    17:47:46.036316 IP 212.100.184.146 > 91.176.210.18: IP6 2001:6f8:334:0:5054:ff:fe8c:fdf8.6667 > 2001:6f8:1480:30::25.41405: [|tcp]
    17:47:46.037698 IP 91.176.210.18 > 212.100.184.146: IP6 2001:6f8:1480:30::25.41405 > 2001:6f8:334:0:5054:ff:fe8c:fdf8.6667: [|tcp]
    17:47:46.087712 IP 212.100.184.146 > 91.176.210.18: IP6 2001:6f8:334:0:5054:ff:fe8c:fdf8.6667 > 2001:6f8:1480:30::25.41405: [|tcp]
    17:47:55.443332 IP 212.100.184.146 > 91.176.210.18: IP6 2001:6b0:e:2018::172.7000 > 2001:6f8:1480:30::25.61687: [|tcp]
    17:47:55.555440 IP 91.176.210.18 > 212.100.184.146: IP6 2001:6f8:1480:30::25.61687 > 2001:6b0:e:2018::172.7000: [|tcp]
    17:48:02.492251 IP 212.100.184.146 > 91.176.210.18: IP6 2001:6b0:e:2018::172.7000 > 2001:6f8:1480:30::25.61687: [|tcp]
    17:48:02.605651 IP 91.176.210.18 > 212.100.184.146: IP6 2001:6f8:1480:30::25.61687 > 2001:6b0:e:2018::172.7000: [|tcp]
    17:48:03.678556 IP 212.100.184.146 > 91.176.210.18: IP6 2001:6b0:e:2018::172.7000 > 2001:6f8:1480:30::25.61687: [|tcp]
    17:48:03.795737 IP 91.176.210.18 > 212.100.184.146: IP6 2001:6f8:1480:30::25.61687 > 2001:6b0:e:2018::172.7000: [|tcp]
    17:48:09.162827 IP 212.100.184.146 > 91.176.210.18: IP6 2001:6b0:e:2018::172.7000 > 2001:6f8:1480:30::25.61687: [|tcp]
    17:48:09.556607 IP 212.100.184.146 > 91.176.210.18: IP6 2001:6b0:e:2018::172.7000 > 2001:6f8:1480:30::25.61687: [|tcp]
    17:48:10.355859 IP 212.100.184.146 > 91.176.210.18: IP6 2001:6b0:e:2018::172.7000 > 2001:6f8:1480:30::25.61687: [|tcp]
    17:48:11.956846 IP 212.100.184.146 > 91.176.210.18: IP6 2001:6b0:e:2018::172.7000 > 2001:6f8:1480:30::25.61687: [|tcp]
    17:48:14.136773 IP 212.100.184.146 > 91.176.210.18: IP6 2001:6f8:202:3e1::1 > 2001:6f8:202:3e1::2: ICMP6, echo request, seq 14353, length 988
    17:48:15.157453 IP 212.100.184.146 > 91.176.210.18: IP6 2001:6b0:e:2018::172.7000 > 2001:6f8:1480:30::25.61687: [|tcp]
    17:48:21.556568 IP 212.100.184.146 > 91.176.210.18: IP6 2001:6b0:e:2018::172.7000 > 2001:6f8:1480:30::25.61687: [|tcp]
    17:48:26.349527 IP 91.176.210.18 > 212.100.184.146: IP6 2001:6f8:1480:30::2.43105 > 2001:4860:4860::8888.53: [|domain]
    17:48:26.349628 IP 91.176.210.18 > 212.100.184.146: IP6 2001:6f8:1480:30::2.43105 > 2001:4860:4860::8844.53: [|domain]
    17:48:26.396077 IP 212.100.184.146 > 91.176.210.18: IP6 2001:4860:4860::8888.53 > 2001:6f8:1480:30::2.43105: [|domain]
    17:48:26.403559 IP 91.176.210.18 > 212.100.184.146: IP6 2001:6f8:1480:30::2 > 2001:4860:4860::8888: ICMP6, destination unreachable[|icmp6]
    17:48:26.408049 IP 212.100.184.146 > 91.176.210.18: IP6 2001:4860:4860::8844.53 > 2001:6f8:1480:30::2.43105: [|domain]
    17:48:26.415167 IP 91.176.210.18 > 212.100.184.146: IP6 2001:6f8:1480:30::2 > 2001:4860:4860::8844: ICMP6, destination unreachable[|icmp6]
    17:48:34.356773 IP 212.100.184.146 > 91.176.210.18: IP6 2001:6b0:e:2018::172.7000 > 2001:6f8:1480:30::25.61687: [|tcp]
    17:48:34.477417 IP 91.176.210.18 > 212.100.184.146: IP6 2001:6f8:1480:30::25.61687 > 2001:6b0:e:2018::172.7000: [|tcp]
    17:48:34.540065 IP 212.100.184.146 > 91.176.210.18: IP6 2001:6b0:e:2018::172.7000 > 2001:6f8:1480:30::25.61687: [|tcp]
    17:48:34.666422 IP 91.176.210.18 > 212.100.184.146: IP6 2001:6f8:1480:30::25.61687 > 2001:6b0:e:2018::172.7000: [|tcp]
    17:48:36.815858 IP 212.100.184.146 > 91.176.210.18: IP6 2001:6b0:e:2018::172.7000 > 2001:6f8:1480:30::25.61687: [|tcp]
    17:48:36.966437 IP 91.176.210.18 > 212.100.184.146: IP6 2001:6f8:1480:30::25.61687 > 2001:6b0:e:2018::172.7000: [|tcp]
    17:49:14.141012 IP 212.100.184.146 > 91.176.210.18: IP6 2001:6f8:202:3e1::1 > 2001:6f8:202:3e1::2: ICMP6, echo request, seq 14354, length 988
    17:49:14.147003 IP 91.176.210.18 > 212.100.184.146: IP6 2001:6f8:202:3e1::2 > 2001:6f8:202:3e1::1: ICMP6, echo reply, seq 14354, length 988
    17:49:20.453878 IP 91.176.210.18 > 212.100.184.146: IP6 2001:6f8:1480:30::2.61346 > 2001:4860:4860::8844.53: [|domain]
    17:49:20.453974 IP 91.176.210.18 > 212.100.184.146: IP6 2001:6f8:1480:30::2.61346 > 2001:4860:4860::8888.53: [|domain]
    17:49:20.500414 IP 212.100.184.146 > 91.176.210.18: IP6 2001:4860:4860::8844.53 > 2001:6f8:1480:30::2.61346: [|domain]
    17:49:20.502504 IP 212.100.184.146 > 91.176.210.18: IP6 2001:4860:4860::8888.53 > 2001:6f8:1480:30::2.61346: [|domain]
    17:49:20.508686 IP 91.176.210.18 > 212.100.184.146: IP6 2001:6f8:1480:30::2 > 2001:4860:4860::8844: ICMP6, destination unreachable[|icmp6]
    17:49:20.512911 IP 91.176.210.18 > 212.100.184.146: IP6 2001:6f8:1480:30::2 > 2001:4860:4860::8888: ICMP6, destination unreachable[|icmp6]
    17:49:29.243487 IP 212.100.184.146 > 91.176.210.18: IP6 2001:6b0:e:2018::172.7000 > 2001:6f8:1480:30::25.61687: [|tcp]
    17:49:29.365924 IP 91.176.210.18 > 212.100.184.146: IP6 2001:6f8:1480:30::25.61687 > 2001:6b0:e:2018::172.7000: [|tcp]
    17:49:39.064161 IP 212.100.184.146 > 91.176.210.18: IP6 2001:6b0:e:2018::172.7000 > 2001:6f8:1480:30::25.61687: [|tcp]
    17:49:39.072253 IP 91.176.210.18 > 212.100.184.146: IP6 2001:6f8:1480:30::25.61687 > 2001:6b0:e:2018::172.7000: [|tcp]
    17:49:39.135725 IP 212.100.184.146 > 91.176.210.18: IP6 2001:6b0:e:2018::172.7000 > 2001:6f8:1480:30::25.61687: [|tcp]
    17:49:47.168884 IP 212.100.184.146 > 91.176.210.18: IP6 2001:6f8:334:0:5054:ff:fe8c:fdf8.6667 > 2001:6f8:1480:30::25.41405: [|tcp]
    17:49:47.176019 IP 91.176.210.18 > 212.100.184.146: IP6 2001:6f8:1480:30::25.41405 > 2001:6f8:334:0:5054:ff:fe8c:fdf8.6667: [|tcp]
    17:49:47.226698 IP 212.100.184.146 > 91.176.210.18: IP6 2001:6f8:334:0:5054:ff:fe8c:fdf8.6667 > 2001:6f8:1480:30::25.41405: [|tcp


    Since this is just my home network... I could provide you with access to the gateway and a RDP (HTML VPN) to a test box if you like?
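
A way to check a `tcpdump -n -i any proto 41` capture like the one above for a given inner port and for conversations seen in one direction only, as an added example that is not part of the original post. The capture is constructed with documentation addresses; `192.0.2.1` as the gateway's outer address and the function names are assumptions of this example, and ports must be numeric (`-n`).

```python
import ipaddress
import re
from collections import defaultdict

# Constructed capture in the layout printed by `tcpdump -n -i any proto 41`.
# Documentation addresses; 192.0.2.1 is assumed to be the gateway's outer IPv4.
SAMPLE = """\
17:47:46.036316 IP 198.51.100.9 > 192.0.2.1: IP6 2001:db8:a::1.6667 > 2001:db8:b::25.41405: [|tcp]
17:47:46.037698 IP 192.0.2.1 > 198.51.100.9: IP6 2001:db8:b::25.41405 > 2001:db8:a::1.6667: [|tcp]
17:48:01.000000 IP 192.0.2.1 > 198.51.100.9: IP6 2001:db8:b::25.50022 > 2001:db8:c::7.22: [|tcp]
17:48:04.000000 IP 192.0.2.1 > 198.51.100.9: IP6 2001:db8:b::25.50022 > 2001:db8:c::7.22: [|tcp]
17:48:14.136773 IP 198.51.100.9 > 192.0.2.1: IP6 2001:db8:d::1 > 2001:db8:d::2: ICMP6, echo request, seq 1, length 988
"""

# Outer IPv4 source, then the inner IPv6 source and destination tokens.
LINE = re.compile(r" IP (\S+) > \S+: IP6 (\S+) > (\S+): ")


def split_endpoint(token):
    """Split tcpdump's 'addr.port' into (addr, port); port is None for ICMP6."""
    try:
        return str(ipaddress.IPv6Address(token)), None
    except ValueError:
        addr, _, port = token.rpartition(".")
        return str(ipaddress.IPv6Address(addr)), int(port)


def tunnel_flows(capture, local_outer):
    """Map each inner (local, remote) conversation to [sent, received] counts."""
    flows = defaultdict(lambda: [0, 0])
    for line in capture.splitlines():
        m = LINE.search(line)
        if not m:
            continue
        outer_src, src, dst = m.groups()
        try:
            a, b = split_endpoint(src), split_endpoint(dst)
        except ValueError:
            continue  # damaged line or non-numeric port
        outbound = outer_src == local_outer
        local, remote = (a, b) if outbound else (b, a)
        flows[(local, remote)][0 if outbound else 1] += 1
    return dict(flows)


def one_way(flows):
    """Conversations with packets in only one direction (e.g. unanswered SYNs)."""
    return [k for k, (sent, rcvd) in flows.items() if sent == 0 or rcvd == 0]


def port_seen(flows, port):
    """True if any inner conversation uses the port on either side."""
    return any(port in (local[1], remote[1]) for local, remote in flows)
```
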
  • Don't know. I had IPv6 going (6to4 via Comcast) and sometimes disabling the proxy worked, but I always had to restart the IPS to regain full connectivity.

    Owner:  Emmanuel Technology Consulting

    http://etc-md.com

    Former Sophos SG(Astaro) advocate/researcher/Silver Partner

    PfSense w/Suricata, ntopng, 

    Other addons to follow

  • I'm seeing the same thing with 8.930.  No IPv6 with IPS and Web Proxy on.  Exception rule doesn't alleviate the issue and nothing in the IPS log.  If I disable IPS, IPv6 works again.  I'm using Hurricane Electric as my tunnel broker.
    __________________
    ACE v8/SCA v9.3

    ...still have a v5 install disk in a box somewhere.

    http://xkcd.com
    http://www.tedgoff.com/mb
    http://www.projectcartoon.com/cartoon/1
  • Thanks for reporting. We are now tracking this as Mantis ID #21067
  • Ok can reproduce this issue with either activated 6to4 or SixXS in IPv6inIPv4 mode (enter "ip link show dev aiccu" via console, you should see "link/sit").
  • Not fixed in 8.940013?
    If it should have been fixed, still having problems. If not, ignore this.
  • This should be released via pattern up2date.
    What's the output of the following console command:
    rpm -q -a|grep u2d-ipsbundle
  • This should be released via pattern up2date.
    What's the output of the following console command:
    rpm -q -a|grep u2d-ipsbundle


    Sorry for the slow replies, I'm messing with my old nas because it is dying so I was/am distracted.

    Simple test, connection's been online for a few hours... doing a simple wget on ipv6.google.com
    sjorge@mass /tmp $ wget Google
    --2008-01-01 03:01:30--  Google
    Resolving ipv6.google.com... 2a00:1450:4007:804::1012
    Connecting to ipv6.google.com|2a00:1450:4007:804::1012|:80... failed: Connection timed out.
    Retrying.

    --2008-01-01 03:02:34--  (try: 2)  Google
    Connecting to ipv6.google.com|2a00:1450:4007:804::1012|:80...


    loginuser@inertia:/home/login > rpm -q -a|grep u2d-ipsbundle
    u2d-ipsbundle-9-37



    Just hangs, this is the case for every ipv6 server or dualstack server.

    Again, ping still works fine:
    sjorge@mass /tmp $ date; ping6 ipv6.google.com
    Tue Jan  1 03:12:01 CET 2008
    PING ipv6.google.com(par08s09-in-x11.1e100.net) 56 data bytes
    64 bytes from par08s09-in-x11.1e100.net: icmp_seq=1 ttl=52 time=46.7 ms
    64 bytes from par08s09-in-x11.1e100.net: icmp_seq=2 ttl=52 time=47.3 ms
    64 bytes from par08s09-in-x11.1e100.net: icmp_seq=3 ttl=52 time=47.0 ms
    64 bytes from par08s09-in-x11.1e100.net: icmp_seq=4 ttl=52 time=48.0 ms
    ^C
    --- ipv6.google.com ping statistics ---
    4 packets transmitted, 4 received, 0% packet loss, time 3004ms
    rtt min/avg/max/mdev = 46.711/47.311/48.094/0.510 ms


    So nothing seems to have changed with, as far as I can tell, all updates installed.