Bug#696808: www.debian.org: http.us.debian.org [2610:148:1f10:3::89] not responding to http queries from 2001:4801:7817:72::
Package: www.debian.org
Severity: important
Tags: ipv6
-- System Information:
Debian Release: 6.0.6
APT prefers stable-updates
APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)
Kernel: Linux 2.6.32-5-xen-amd64 (SMP w/1 CPU core)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
I am unable to download packages / updates from http.us.debian.org or ftp.us.debian.org over ipv6.
Both hostnames resolve to 2610:148:1f10:3::89 on my end.
This seems to be limited to the Chicago data center I am using, with a ipv6 subnet of 2001:4801:7817:72::/64.
When I try to wget http.us.debian.org from the Chicago DC the wget (and as such, apt) will hang indefinitely:
root@aptsandbox:~# wget http://[2610:148:1f10:3::89]
--2012-12-27 12:42:53-- http://[2610:148:1f10:3::89]/
Connecting to 2610:148:1f10:3::89:80... connected.
HTTP request sent, awaiting response...
[Hangs]
If left to its own devices wget will time out after a long delay, restart, and go back to this state.
I have reproduced this from 2001:4801:7817:72:28cc:5670:ff10:5954/64 and 2001:4801:7817:72:28cc:5670:ff10:5960/64
in case there are any errors in my subnet math.
The wget succeeds from the Dallas DC, 2001:4800:780e:510::/64
IPv6 is otherwise functional and I can contact/wget from other hosts.
I contacted my network support, and they believe the problem is on Debian's side:
"was also able to successfully perform IPv6 tests with other servers both in and outside of our networks from my ORD Debian server. The problem only exists with 2610:148:1f10:3::89. It would appear that their firewall is blocking HTTP traffic from our ORD ranges. You will need to contact their network administrator, perhaps they can lift the block for you. I was able to successfully ping 2610:148:1f10:3::89 from ORD, so they're not blocking all traffic, just port 80 apparently."
Given that tcptraceroute on 80 succeeds, I'm inclined to agree:
root@aptsandbox:~# traceroute -6 -T http.us.debian.org 80
traceroute to http.us.debian.org (2610:148:1f10:3::89), 30 hops max, 80 byte packets
1 2001:4801:7817:72::a (2001:4801:7817:72::a) 4.187 ms 4.162 ms 4.142 ms
2 core5-aggr1501a-1.ord1.rackspace.net (2001:4801:800:c5:151a:1::) 4.131 ms 4.118 ms 4.094 ms
3 2001:4801:800:cb:c5:: (2001:4801:800:cb:c5::) 2.764 ms 2001:4801:800:ca:c5:: (2001:4801:800:ca:c5::) 4.000 ms 2001:4801:800:cb:c5:: (2001:4801:800:cb:c5::) 2.412 ms
4 edge2.ord1.rackspace.net (2001:4801:800:ca:e2::1) 2.337 ms edge2-coreb-1.ord1.rackspace.net (2001:4801:800:cb:e2::1) 2.315 ms edge2.ord1.rackspace.net (2001:4801:800:ca:e2::1) 2.273 ms
5 xe-1-0-7.ar1.ord6.us.nlayer.net (2001:590::451f:6ef1) 4.439 ms 4.429 ms 4.403 ms
6 ae5-40g.cr2.ord1.us.nlayer.net (2001:590::451f:6efd) 3.874 ms ae5-30g.cr1.ord1.us.nlayer.net (2001:590::451f:6ef9) 2.984 ms 2.948 ms
7 xe-0.equinix.chcgil09.us.bb.gin.ntt.net (2001:504:0:4::2914:1) 3.199 ms 3.164 ms 2.942 ms
8 ae-0.r21.chcgil09.us.bb.gin.ntt.net (2001:418:0:2000::36) 2.219 ms 2.436 ms 2.053 ms
9 ae-4.r21.dllstx09.us.bb.gin.ntt.net (2001:418:0:2000::81) 33.084 ms 33.034 ms 34.026 ms
10 ae-4.r03.atlnga05.us.bb.gin.ntt.net (2001:418:0:2000::37e) 51.783 ms 50.601 ms 48.276 ms
11 xe-3-1-920-2.r03.atlnga05.us.ce.gin.ntt.net (2001:418:0:5000::123) 55.244 ms 52.992 ms 55.045 ms
12 rich-v6-rtr-to-rich-gw-rtr.gatech.edu (2610:148:fe00:d::2) 36.277 ms 36.212 ms 35.832 ms
13 rich-gw-rtr-to-rich-v6-rtr.gatech.edu (2610:148:fe00:d::1) 33.629 ms 35.043 ms 38.378 ms
14 2610:148:fe00:dd::2 (2610:148:fe00:dd::2) 38.064 ms 35.382 ms 33.229 ms
15 2610:148:1f10:3::89 (2610:148:1f10:3::89) 34.898 ms 35.881 ms 38.929 ms
Please look into this and evaluate if our assertions are correct. Thank you.
Reply to: