Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Unable to do a IPv6 connection to piwik.org #3597

Closed
anonymous-matomo-user opened this issue Dec 6, 2012 · 26 comments
Closed

Unable to do a IPv6 connection to piwik.org #3597

anonymous-matomo-user opened this issue Dec 6, 2012 · 26 comments
Labels
Bug For errors / faults / flaws / inconsistencies etc. c: Website matomo.org For issues related to our matomo.org website. Critical Indicates the severity of an issue is very critical and the issue has a very high priority. worksforme The issue cannot be reproduced and things work as intended.

Comments

@anonymous-matomo-user
Copy link

Since some time it is not possible to connect to the website piwik.org from any computer inside our Campus Network at the University of Bern, Switzerland.

As the Network-Administrator told me, the piwik.org webserver doesn't handle IPv6 Traffic correctly.
Any computer in our network connects to http over a proxy. Each request to your site ends with a time-out interupt by the proxy giving the following information (in german):

The requested URL could not be retrieved

The following error was encountered while trying to retrieve the URL: http://www.piwik.org/

Connection to 2001:41d0:8:307b::1 failed.

The system returned: (110) Connection timed out

The remote host or network may be down. Please try the request again.

Your cache administrator is ...

Generated Tue, 04 Dec 2012 13:44:17 GMT by proxy.unibe.ch (squid)
@cbay
Copy link
Contributor

cbay commented Dec 6, 2012

What's your IPv6 address? Could you provide a traceroute/mtr to piwik.org (IPv6 and IPv4)?

@anonymous-matomo-user
Copy link
Author

I can't provide the IPv6 address of our proxy, as I'm not an administrator there. As well I can't do an IPv6 traceroute.
The FQDN of the server, trying to contact piwik.org in vain is: proxy.unibe.ch.
It's administrator can be contacted with the following email: proxy@unibe.ch.
Myself I can do only an IPv4 traceroute:

Tracing route to piwik.org [176.31.58.94]
over a maximum of 30 hops:

1 3 ms <1 ms <1 ms 130.92.62.1
2 <1 ms <1 ms <1 ms toscanini.unibe.ch [130.92.253.1]
3 <1 ms <1 ms <1 ms cerberus.unibe.ch [130.92.244.1]
4 <1 ms <1 ms <1 ms swibe2-10ge-1-2.switch.ch [195.176.0.137]
5 1 ms 1 ms 1 ms swiba2-10ge-1-2.switch.ch [130.59.37.110]
6 2 ms 2 ms 2 ms swiez2-10ge-5-4.switch.ch [130.59.37.105]
7 55 ms 162 ms 172 ms swiix2-10ge-3-1.switch.ch [130.59.36.250]
8 3 ms 2 ms 2 ms swiix1-10ge-1-4.switch.ch [130.59.36.41]
9 3 ms * 2 ms eqx.zur.ovh.net [194.42.48.30]
10 * * 10 ms fra-5-6k.fr.eu [94.23.122.145]
11 18 ms 17 ms 17 ms rbx-g2-a9.fr.eu [178.33.100.254]
12 * 17 ms 17 ms vss-8a-6k.fr.eu [91.121.215.187]
13 17 ms 17 ms 17 ms 176.31.58.94

Trace complete.

@cbay
Copy link
Contributor

cbay commented Dec 6, 2012

proxy.unibe.ch doesn't resolve to an IPv6 address:
http://www.dnswatch.info/dns/dnslookup?la=en&host=proxy.unibe.ch&type=AAAA&submit=Resolve

Can you go to http://test-ipv6.com/ using your proxy and get its IPv6 address from here?

@anonymous-matomo-user
Copy link
Author

test-ipv6.com says:

  • Ihre IPv4 Internet-Adresse ist hchstwahrscheinlich 130.92.9.57
    Proxied, Via: 1.1 bifor.unibe.ch (squid)
  • Ihre IPv6 Internet-Adresse ist hchstwahrscheinlich 2001:620:400:9::57
    Proxied, Via: 1.1 bifor.unibe.ch (squid)

So the address seems to be 2001:620:400:9::57
..and yes, I rembember: proxy.unibe.ch is only a loadbalancer address, the 'real' proxies have other names, like bifor.unibe.ch . But also this one is not found on www.dnswatch.info....

@cbay
Copy link
Contributor

cbay commented Dec 6, 2012

Well 2001:620:400:9::57 cannot be reached. I've tested it on:

http://www.subnetonline.com/pages/ipv6-network-tools/online-ipv6-ping.php
http://mebsd.com/ipv6-ping-and-traceroute

@anonymous-matomo-user
Copy link
Author

I forwarded the question to the proxy administrator and included the link to this ticket. I have to wait what he says. I have to say, I'm not very familiar with IPv6...

@mattab
Copy link
Member

mattab commented Dec 13, 2012

I forwarded the question to the proxy administrator and included the link to this ticket. I have to wait what he says. I have to say, I'm not very familiar with IPv6...

Any update?

@anonymous-matomo-user
Copy link
Author

My ticket was closed (although I was first ;-) ), so I'm answering here.
I'm not behind a proxy and I have a properly configured IPv4 + IPv6 system (I'm sure, because I have a lot of visitors on that server coming through IPv6).

From that server I still can't connect to piwik.org. Address is resolved to 2001:41d0:8:307b::1, but not a single ping returns.
Then I tried pinging other IPv6-enabled servers ("ping6 google.com", "ping6 k12maths.com" and "ping6 heise.de") and all succeeded.
When using this test: http://ipv6-test.com/validate.php to validate "piwik.org", the validation is successful. Also this site: http://www.ipv6now.com.au/pingme.php, allows pinging my server and piwik.org.
On the other hand: tracing the IPv6 route to piwik.org leads just to "???":
http://www.ipv6now.com.au/traceme.php

Maybe this is the problem, no correct routing to the end point (ipv6 web server)?

@cbay
Copy link
Contributor

cbay commented Dec 13, 2012

soerennb: what's your IPv6 address? Can you give us a traceroute to piwik.org? As you said, both tests report that piwik.org is successfully available over IPv6.

@anonymous-matomo-user
Copy link
Author

My inet6-Address: 2a01:4f8:161:1343::8.

Here's the trace route:

xxx@webserver02:~$ traceroute6 piwik.org
traceroute to piwik.org (2001:41d0:8:307b::1), 30 hops max, 80 byte packets
 1  2a01:4f8:161:1343::2 (2a01:4f8:161:1343::2)  1006.464 ms  1006.430 ms  1006.398 ms
 2  2a01:4f8:161:1340::1 (2a01:4f8:161:1340::1)  5.626 ms  5.600 ms  5.562 ms
 3  2a01:4f8:0:16:1:0:16:1 (2a01:4f8:0:16:1:0:16:1)  1.595 ms 2a01:4f8:0:16:2:0:16:1 (2a01:4f8:0:16:2:0:16:1)  1.562 ms 2a01:4f8:0:16:4:0:16:2 (2a01:4f8:0:16:4:0:16:2)  1.529 ms
 4  2a01:4f8:0:2::b:4 (2a01:4f8:0:2::b:4)  3.968 ms  3.954 ms  3.915 ms
 5  r1nue1.core.init7.net (2001:1620:1000::1a9)  7.616 ms  7.593 ms  7.554 ms
 6  r1nue2.core.init7.net (2001:1620:2::f2)  7.500 ms  12.292 ms  7.015 ms
 7  r1fra2.core.init7.net (2001:1620:2::fd)  7.328 ms  7.027 ms  7.105 ms
 8  decix.routers.ovh.net (2001:7f8::3f94:0:1)  7.132 ms * *
 9  rbx-g2-a9.fr.eu (2001:41d0::9b2)  17.626 ms  17.963 ms  17.909 ms
10  rbx-g2-a9.fr.eu (2001:41d0::173)  17.455 ms * *
11  * * *
12  * * *
13  * * *
14  * * *
15  * * *
16  * * *
17  * * *
18  * * *
19  * * *
20  * * *
21  * * *
22  * * *
23  * * *
24  * * *
25  * * *
26  * * *
27  * * *
28  * * *
29  * * *
30  * * *

@cbay
Copy link
Contributor

cbay commented Dec 13, 2012

Thanks, I'll investigate.

@halfdan
Copy link
Member

halfdan commented Dec 13, 2012

Works for me:

 1  2a03:2900::2 (2a03:2900::2)  2.764 ms  2.740 ms  2.754 ms
 2  2a03:2900::1 (2a03:2900::1)  0.235 ms  0.252 ms  0.233 ms
 3  2001:4d88:1ff0:501::2 (2001:4d88:1ff0:501::2)  9.250 ms  9.250 ms  9.288 ms
 4  2001:4d88:1ff0:501::1 (2001:4d88:1ff0:501::1)  10.099 ms  10.201 ms  10.148 ms
 5  2001:4d88:ffff:15::155 (2001:4d88:ffff:15::155)  9.678 ms  10.001 ms  10.062 ms
 6  2001:4d88:ffff:100::229 (2001:4d88:ffff:100::229)  9.825 ms  9.910 ms  9.934 ms
 7  2001:4d88:ffff:fffe::2 (2001:4d88:ffff:fffe::2)  9.339 ms  24.047 ms  23.494 ms
 8  xae0-2002.fra10.core-backbone.com (2a01:4a0:0:2002::3)  12.761 ms  12.225 ms  12.243 ms
 9  ae51-3356.edge7.Frankfurt1.Level3.net (2001:1900:5:2:2::75)  15.505 ms  15.465 ms  15.261 ms
10  vl-90.edge4.Frankfurt1.Level3.net (2001:1900:104:8::9)  15.458 ms vl-60.edge4.Frankfurt1.Level3.net (2001:1900:104:5::9)  38.295 ms vl-80.edge4.Frankfurt1.Level3.net (2001:1900:104:7::9)  15.412 ms
11  vl-4060.car1.Dusseldorf1.Level3.net (2001:1900:5:1::212)  19.343 ms  19.210 ms  19.267 ms
12  vl-4080.car1.Dusseldorf1.Level3.net (2001:1900:5:1::111)  19.242 ms  19.201 ms  18.963 ms
13  vl-4040.edge3.Amsterdam1.Level3.net (2001:1900:5:1::20d)  22.312 ms  22.158 ms  22.104 ms
14  vl-4081.edge4.Amsterdam1.Level3.net (2001:1900:5:1::10e)  22.237 ms vl-4081.edge3.Amsterdam1.Level3.net (2001:1900:5:1::10a)  22.224 ms vl-4081.edge4.Amsterdam1.Level3.net (2001:1900:5:1::10e)  22.187 ms
15  vl-4060.edge4.London1.Level3.net (2001:1900:5:1::205)  29.912 ms  29.789 ms  29.901 ms
16  vl-4080.edge4.London1.Level3.net (2001:1900:5:1::105)  29.868 ms  29.833 ms vl-4080.edge3.London1.Level3.net (2001:1900:5:1::101)  30.638 ms
17  * * *
18  * ams-1-6k.nl.eu (2001:41d0::be2)  29.721 ms *
19  * * ams-5-6k.nl.eu (2001:41d0::8d1)  29.633 ms
20  rbx-g2-a9.fr.eu (2001:41d0::ab1)  33.372 ms  33.356 ms  33.333 ms
21  * * rbx-g2-a9.fr.eu (2001:41d0::173)  36.337 ms
22  2001:41d0:8:307b::1 (2001:41d0:8:307b::1)  29.618 ms  29.328 ms  29.342 ms

Server is located in Aachen, Germany.

@cbay
Copy link
Contributor

cbay commented Dec 13, 2012

We're in touch with our network provider to have this issue solved. The server cannot be reached from a few IPv6 networks.

@ptobler
Copy link

ptobler commented Dec 17, 2012

Replying to Cyril:

We're in touch with our network provider to have this issue solved. The server cannot be reached from a few IPv6 networks.

It doesn't seem to be a (routing) problem tied to the client network, but rather to some middlebox like a load balancer which does its routing decisions based on a hash - that's at least what we guess after some testing from different machines and OSes. Below the traceroute results from two machines on the same subnet.

$ traceroute6 -I -l -q1 piwik.org
traceroute6 to piwik.org (2001:41d0:8:307b::1) from 2001:620:400:8::24, 64 hops max, 16 byte packets
 1  2001:620:400:8::2 (2001:620:400:8::2)  0.589 ms
 2  6mithrandir (2001:620:400:254::1)  0.476 ms
 3  2001:620:400:f000::1 (2001:620:400:f000::1)  1.056 ms
 4  swibe2-10ge-1-2.switch.ch (2001:620:0:ffed::1)  1.066 ms
 5  swiba2-10ge-1-2.switch.ch (2001:620:0:c075::1)  2.149 ms
 6  swiba1-10ge-3-1.switch.ch (2001:620:0:c073::1)  2.065 ms
 7  swips2-10ge-3-1.switch.ch (2001:620:0:c01e::2)  2.804 ms
 8  swizh2-10ge-3-3.switch.ch (2001:620:0:c0bf::1)  3.510 ms
 9  swiix1-10ge-3-3.switch.ch (2001:620:0:c015::1)  3.204 ms
10  eqx.zur.ovh.net (2001:7f8:c:8235:194:42:48:30)  3.595 ms
11  fra-5-6k.fr.eu (2001:41d0::671)  10.510 ms
12  rbx-g2-a9.fr.eu (2001:41d0::9b2)  19.037 ms
13  rbx-g2-a9.fr.eu (2001:41d0::173)  25.844 ms
14  2001:41d0:8:307b::1 (2001:41d0:8:307b::1)  18.212 ms

$ traceroute to piwik.org (2001:41d0:8:307b::1) from 2001:620:400:8::35, 30 hops max, 80 byte packets
 1  2001:620:400:8::2 (2001:620:400:8::2)  0.716 ms
 2  6mithrandir.unibe.ch (2001:620:400:254::1)  1.054 ms
 3  2001:620:400:f000::1 (2001:620:400:f000::1)  1.754 ms
 4  swibe2-10ge-1-2.switch.ch (2001:620:0:ffed::1)  2.141 ms
 5  swiba2-10ge-1-2.switch.ch (2001:620:0:c075::1)  2.508 ms
 6  swiez2-10ge-5-4.switch.ch (2001:620:0:c074::1)  3.468 ms
 7  swiix2-10ge-3-1.switch.ch (2001:620:0:c00a::2)  67.651 ms
 8  swiix1-10ge-1-4.switch.ch (2001:620:0:c008::1)  3.351 ms
 9  eqx.zur.ovh.net (2001:7f8:c:8235:194:42:48:30)  4.159 ms
10  *
11  rbx-g2-a9.fr.eu (2001:41d0::7e1)  18.993 ms
12  rbx-g2-a9.fr.eu (2001:41d0::173)  19.088 ms
13  *
14  *
15  *
16  *
17  *
18  *
19  *
20  *
21  *
22  *
23  *
24  *
25  *
26  *
27  *
28  *
29  *
30  *

@cbay
Copy link
Contributor

cbay commented Dec 17, 2012

There's no load balancer or anything like that. It's definitely a routing issue that's been acknowledged by our provider.

@halfdan
Copy link
Member

halfdan commented Jan 26, 2013

Any update on this?

@anonymous-matomo-user
Copy link
Author

Seems as if the last hop in the trace route has changed, but the problem is still there.
The last package is received from "vss-8b-6k.fr.eu" now, not from "rbx-g2-a9.fr.eu".
No ping nor download possible via IPv6.

>traceroute6 piwik.org
traceroute to piwik.org (2001:41d0:8:307b::1), 30 hops max, 80 byte packets
 1  2a01:4f8:161:1343::2 (2a01:4f8:161:1343::2)  1008.606 ms  1008.583 ms  1008.                546 ms
 2  2a01:4f8:161:1340::1 (2a01:4f8:161:1340::1)  3.121 ms  3.107 ms  3.080 ms
 3  hos-tr2.juniper1.rz16.hetzner.de (2a01:4f8:0:16:2:0:16:1)  1.266 ms hos-tr3.                juniper2.rz16.hetzner.de (2a01:4f8:0:16:3:0:16:2)  1.634 ms  1.619 ms
 4  hos-bb2.juniper4.rz2.hetzner.de (2a01:4f8:0:2::b:4)  3.867 ms  3.853 ms  3.8                25 ms
 5  r1nue1.core.init7.net (2001:1620:1000::1a9)  15.713 ms  3.954 ms  16.333 ms
 6  r1nue2.core.init7.net (2001:1620:2::f2)  3.895 ms  3.162 ms  3.133 ms
 7  r1fra2.core.init7.net (2001:1620:2::fd)  13.316 ms  12.021 ms  11.981 ms
 8  decix.routers.ovh.net (2001:7f8::3f94:0:1)  7.749 ms  7.864 ms *
 9  rbx-g2-a9.fr.eu (2001:41d0::7e1)  16.545 ms  16.484 ms  16.440 ms
10  vss-8b-6k.fr.eu (2001:41d0::173)  16.129 ms vss-8a-6k.fr.eu (2001:41d0::169)                  15.336 ms *
11  * * *
12  * * *
13  * * *
14  * * *
15  * * *
16  * * *
17  * * *
18  * * *
19  * * *
20  * * *
21  * * *
22  * * *
23  * * *
24  * * *
25  * * *
26  * * *
27  * * *
28  * * *
29  * * *
30  * * *

@cbay
Copy link
Contributor

cbay commented Jan 31, 2013

It's fixed. The issue is due to a Cisco IOS bug that will be fixed in the next few weeks. In the meantime, a temporary fix has been applied. Please let me know if it happens again.

@mattab
Copy link
Member

mattab commented Mar 11, 2013

This problem should be fixed. pls reopen if you have some issues.

@halfdan
Copy link
Member

halfdan commented Mar 11, 2013

There is an issue with secure connections to piwik.org over IPv6. It's not possible to access https://piwik.org when using IPv6 as default - switching to IPv4 works however. Quick check showed that the webserver of piwik.org doesn't have an open https port on IPv6.

@mattab
Copy link
Member

mattab commented Mar 11, 2013

unfortunately our host doesn't yet handle IPV6 on both normal and ssl port. But it should be available in a few months. Stay tuned ;-)

@ptobler
Copy link

ptobler commented Mar 12, 2013

In that case, I'd recommend to remove the IPv6 AAAA record from the DNS:

$ dig AAAA piwik.org +short
2001:41d0:8:307b::1

@mattab
Copy link
Member

mattab commented Mar 13, 2013

Why? is it not useful to have ipv6 on http alone?

@ptobler
Copy link

ptobler commented Mar 13, 2013

I guess I misunderstood you - I thought that IPv6 didn't work at all...
However, when there is an AAAA record in the DNS, a dualstack client will, according to the standard, always try IPv6 first. So in my opinion, a host should either accept connections over IPv6 on all the same ports as over IPv4 or not have an AAAA record at all.

@mattab
Copy link
Member

mattab commented Jul 26, 2013

Note: SSL should now work on IPv4 and IPv6 at https://piwik.org

@ptobler
Copy link

ptobler commented Jul 29, 2013

Works perfectly...

@anonymous-matomo-user anonymous-matomo-user added this to the Community and Marketing milestone Jul 8, 2014
This issue was closed.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
Bug For errors / faults / flaws / inconsistencies etc. c: Website matomo.org For issues related to our matomo.org website. Critical Indicates the severity of an issue is very critical and the issue has a very high priority. worksforme The issue cannot be reproduced and things work as intended.
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
5 participants
@halfdan @mattab @cbay @ptobler @anonymous-matomo-user