# IPv6 SYN_RECV hang (after BIOS update?)

## toralf

Suddenly (tm) the IPv6 at my server won't work anymore. The only change so far is the replacement of the RAM and a BIOS upgrade.

The picture after booting the server is now :

```
ms-magpie ~ # netstat -6 -p -W -n
Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp6       0      0 2a01:4f8:190:514a::2:5222 2a01:4f8:0:a101::6:3:43837 SYN_RECV    -
tcp6       0      0 5.9.158.75:5222         94.242.246.23:24237     ESTABLISHED 1633/beam
tcp6       0      0 2a01:4f8:190:514a::2:443 2001:638:a000:4140::ffff:189:55898 SYN_RECV    -
tcp6       0      0 5.9.158.75:5222         94.242.246.23:44793     ESTABLISHED 1633/beam
tcp6       0      0 5.9.158.75:5269         146.255.57.226:37717    ESTABLISHED 1633/beam
tcp6       0      0 2a01:4f8:190:514a::2:443 2001:858:2:2:aabb:0:563b:1526:54739 SYN_RECV    -
tcp6       0      0 5.9.158.75:5269         208.68.163.218:46377    ESTABLISHED 1633/beam
tcp6       0      0 2a01:4f8:190:514a::2:5269 2001:6f8:126f:11::26:37387 ESTABLISHED 1633/beam
tcp6       0      0 2a01:4f8:190:514a::2:443 2a01:4f8:0:a101::6:3:52584 SYN_RECV    -
```

No ping6 from outside is possible (I do have a monitor from my ISP which pings me via ping6 every 3 min), and no ping6 goes out.

If I comment out the line "$IPT -P INPUT   DROP" of my firewall script 

```
#!/bin/sh

IPT="/sbin/ip6tables"

startFirewall() {
  $IPT -P INPUT   DROP
  $IPT -P FORWARD DROP
  $IPT -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
  $IPT -A INPUT -i lo -j ACCEPT
  $IPT -A INPUT --source ::1 -j ACCEPT
  $IPT -A INPUT -m conntrack --ctstate INVALID -j DROP
  $IPT -A INPUT -s fe80::/10  -p ipv6-icmp                            -j ACCEPT
  $IPT -A INPUT               -p ipv6-icmp --icmpv6-type echo-request -j ACCEPT
...
```

and restart the firewall then it works.

What's wrong ?

Update: This change solved/circumvented it, but why is it now needed?

```
  #$IPT -A INPUT               -p ipv6-icmp --icmpv6-type echo-request -j ACCEPT
  $IPT -A INPUT               -p ipv6-icmp                            -j ACCEPT
```

Last edited by toralf on Sat Mar 19, 2016 6:35 pm; edited 1 time in total

----------

## Ant P.

How does your server get its IPv6 routes configured?

----------

## toralf

 *Ant P. wrote:*   

> How does your server get its IPv6 routes configured?

 

```
tfoerste@ms-magpie ~ $ sudo su -
ms-magpie ~ # route -n -6
Kernel IPv6 routing table
Destination                    Next Hop                   Flag Met Ref Use If
::1/128                        ::                         Un   0   8    20 lo
2a01:4f8:190:514a::2/128       ::                         Un   0   9924591 lo
2a01:4f8:190:514a::/64         ::                         U    256 0     0 enp3s0
fe80::3285:a9ff:feed:1cb/128   ::                         Un   0   1     0 lo
fe80::/64                      ::                         U    256 0     0 enp3s0
ff00::/8                       ::                         U    256 0     0 enp3s0
::/0                           fe80::1                    UG   2   8917516 enp3s0
::/0                           ::                         !n   -1  1    25 lo
ms-magpie ~ # route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         5.9.158.65      0.0.0.0         UG    2      0        0 enp3s0
5.9.158.64      0.0.0.0         255.255.255.224 U     0      0        0 enp3s0
127.0.0.0       0.0.0.0         255.0.0.0       U     0      0        0 lo
127.0.0.0       127.0.0.1       255.0.0.0       UG    0      0        0 lo
ms-magpie ~ # cat /etc/conf.d/net
config_enp3s0="5.9.158.75/27
2a01:4f8:190:514a::2/64
"
routes_enp3s0="default via 5.9.158.65
default via fe80::1
"
# prefer IPv6
#
dns_servers_enp3s0="127.0.0.1 2a01:4f8:0:a0a1::add:1010 2a01:4f8:0:a102::add:9999 2a01:4f8:0:a111::add:9898 213.133.98.98 213.133.99.99 213.133.100.100"
dns_domain_enp3s0="zwiebeltoralf.de"
```

----------

## Ant P.

Everything looks consistent there. IPv6 uses ICMP for a lot more compared to IPv4 than ping requests though, it's generally a bad idea to block it.

----------

## toralf

 *Ant P. wrote:*   

> Everything looks consistent there. IPv6 uses ICMP for a lot more compared to IPv4 than ping requests though, it's generally a bad idea to block it.

 Thx Ant - but the question remains, why this doesn't work now - worked here since 3/4 year. I tested older kernels too - the BIOS upgrade seems to be the trigger ...

Update

FWIW, looking into https://www.cert.org/downloads/IPv6/ip6table_rules.txt and allowing 2 more ICMPv6 types makes it work, instead of opening it for all:

```
  $IPT -A INPUT -s fe80::/10  -p ipv6-icmp -j ACCEPT
  # Allow some other types in the INPUT chain, but rate limit.
  #
  $IPT -A INPUT -p icmpv6 --icmpv6-type echo-request  -m limit --limit 900/min -j ACCEPT
  $IPT -A INPUT -p icmpv6 --icmpv6-type echo-reply    -m limit --limit 900/min -j ACCEPT

  # Allow others ICMPv6 types but only if the hop limit field is 255.
  #
  $IPT -A INPUT -p icmpv6 --icmpv6-type neighbor-advertisement -m hl --hl-eq 255 -j ACCEPT
```

And what's worth mentioning: with the old config a ping6 from the server out to another works fine till a ping6 arrived from outside (usually from the monitoring solution of my AS). From that point in time the ping6 from the server to the remote lost 100% of its packages.
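
Added example, not part of toralf's post or of the CERT rule file: a small sh/awk check that reads ip6tables rule lines written like the ones in this thread and lists the Neighbor Discovery ICMPv6 types (RFC 4861) that no INPUT rule accepts unless the sender matches a source restriction such as `fe80::/10`. The function names, the `ND_TYPES` list and the sample input are assumptions made for the illustration.

```shell
#!/bin/sh
# Added example. ND_TYPES: Neighbor Discovery messages a host receives
# (RFC 4861), by their ip6tables names. The list is an assumption of this example.
ND_TYPES="router-advertisement neighbor-solicitation neighbor-advertisement"

# missing_nd_types: read rule lines written like the thread's script on stdin
# and print the ND types that no INPUT rule accepts from an arbitrary source.
# Rules limited with -s/--source (e.g. fe80::/10) are not counted.
missing_nd_types() {
  awk -v required="$ND_TYPES" '
    /^[ \t]*#/ { next }                      # commented-out rule
    {
      chain = ""; proto = ""; itype = ""; target = ""; limited = 0
      for (i = 1; i <= NF; i++) {
        if ($i == "-A") chain = $(i + 1)
        if ($i == "-p") proto = $(i + 1)
        if ($i == "-j") target = $(i + 1)
        if ($i == "--icmpv6-type") itype = $(i + 1)
        if ($i == "-s" || $i == "--source") limited = 1
      }
      if (chain != "INPUT" || target != "ACCEPT" || limited) next
      if (proto != "ipv6-icmp" && proto != "icmpv6") next
      sub(/^neighbour-/, "neighbor-", itype)  # ip6tables accepts both spellings
      if (itype == "") any = 1; else ok[itype] = 1
    }
    END {
      n = split(required, r, " ")
      for (i = 1; i <= n; i++)
        if (!any && !(r[i] in ok)) { printf "%s%s", sep, r[i]; sep = " " }
      print ""
    }'
}

# Constructed input: the policy and ICMPv6 rules from the first post.
first_post_rules() { cat <<'EOF'
  $IPT -P INPUT   DROP
  $IPT -A INPUT -s fe80::/10  -p ipv6-icmp                            -j ACCEPT
  $IPT -A INPUT               -p ipv6-icmp --icmpv6-type echo-request -j ACCEPT
EOF
}

first_post_rules | missing_nd_types
```

An empty result means an unrestricted ICMPv6 ACCEPT rule covers every listed type; a non-empty result names the types that only pass when the sender's address matches a source restriction.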

----------

## Duncan Mac Leod

Today I had IPv6 trouble, too!

I did not change anything for weeks.

I noticed that I could not ping anything, even the default gateway. A reboot solved the problem, for now...

Never had this before! Using gentoo-sources -> 4.1.15-gentoo-r1

Anyone else with IPv6 problems recently?

----------

