[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Bug#696808: www.debian.org: http.us.debian.org [2610:148:1f10:3::89] not responding to http queries from 2001:4801:7817:72::

Package: www.debian.org
Severity: important
Tags: ipv6

-- System Information:
Debian Release: 6.0.6
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.32-5-xen-amd64 (SMP w/1 CPU core)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

I am unable to download packages / updates from http.us.debian.org or ftp.us.debian.org over ipv6.
Both hostnames resolve to 2610:148:1f10:3::89 on my end.
This seems to be limited to the Chicago data center I am using, with a ipv6 subnet of 2001:4801:7817:72::/64.
When I try to wget http.us.debian.org from the Chicago DC the wget (and as such, apt) will hang indefinitely:

root@aptsandbox:~# wget http://[2610:148:1f10:3::89]
--2012-12-27 12:42:53--  http://[2610:148:1f10:3::89]/
Connecting to 2610:148:1f10:3::89:80... connected.
HTTP request sent, awaiting response... 

If left to its own devices wget will time out after a long delay, restart, and go back to this state.
I have reproduced this from 2001:4801:7817:72:28cc:5670:ff10:5954/64 and 2001:4801:7817:72:28cc:5670:ff10:5960/64
in case there are any errors in my subnet math.
The wget succeeds from the Dallas DC, 2001:4800:780e:510::/64

IPv6 is otherwise functional and I can contact/wget from other hosts.
I contacted my network support, and they believe the problem is on Debian's side:

"was also able to successfully perform IPv6 tests with other servers both in and outside of our networks from my ORD Debian server. The problem only exists with 2610:148:1f10:3::89. It would appear that their firewall is blocking HTTP traffic from our ORD ranges. You will need to contact their network administrator, perhaps they can lift the block for you. I was able to successfully ping 2610:148:1f10:3::89 from ORD, so they're not blocking all traffic, just port 80 apparently."

Given that tcptraceroute on 80 succeeds, I'm inclined to agree:

root@aptsandbox:~# traceroute -6 -T http.us.debian.org 80
traceroute to http.us.debian.org (2610:148:1f10:3::89), 30 hops max, 80 byte packets
 1  2001:4801:7817:72::a (2001:4801:7817:72::a)  4.187 ms  4.162 ms  4.142 ms
 2  core5-aggr1501a-1.ord1.rackspace.net (2001:4801:800:c5:151a:1::)  4.131 ms  4.118 ms  4.094 ms
 3  2001:4801:800:cb:c5:: (2001:4801:800:cb:c5::)  2.764 ms 2001:4801:800:ca:c5:: (2001:4801:800:ca:c5::)  4.000 ms 2001:4801:800:cb:c5:: (2001:4801:800:cb:c5::)  2.412 ms
 4  edge2.ord1.rackspace.net (2001:4801:800:ca:e2::1)  2.337 ms edge2-coreb-1.ord1.rackspace.net (2001:4801:800:cb:e2::1)  2.315 ms edge2.ord1.rackspace.net (2001:4801:800:ca:e2::1)  2.273 ms
 5  xe-1-0-7.ar1.ord6.us.nlayer.net (2001:590::451f:6ef1)  4.439 ms  4.429 ms  4.403 ms
 6  ae5-40g.cr2.ord1.us.nlayer.net (2001:590::451f:6efd)  3.874 ms ae5-30g.cr1.ord1.us.nlayer.net (2001:590::451f:6ef9)  2.984 ms  2.948 ms
 7  xe-0.equinix.chcgil09.us.bb.gin.ntt.net (2001:504:0:4::2914:1)  3.199 ms  3.164 ms  2.942 ms
 8  ae-0.r21.chcgil09.us.bb.gin.ntt.net (2001:418:0:2000::36)  2.219 ms  2.436 ms  2.053 ms
 9  ae-4.r21.dllstx09.us.bb.gin.ntt.net (2001:418:0:2000::81)  33.084 ms  33.034 ms  34.026 ms
10  ae-4.r03.atlnga05.us.bb.gin.ntt.net (2001:418:0:2000::37e)  51.783 ms  50.601 ms  48.276 ms
11  xe-3-1-920-2.r03.atlnga05.us.ce.gin.ntt.net (2001:418:0:5000::123)  55.244 ms  52.992 ms  55.045 ms
12  rich-v6-rtr-to-rich-gw-rtr.gatech.edu (2610:148:fe00:d::2)  36.277 ms  36.212 ms  35.832 ms
13  rich-gw-rtr-to-rich-v6-rtr.gatech.edu (2610:148:fe00:d::1)  33.629 ms  35.043 ms  38.378 ms
14  2610:148:fe00:dd::2 (2610:148:fe00:dd::2)  38.064 ms  35.382 ms  33.229 ms
15  2610:148:1f10:3::89 (2610:148:1f10:3::89)  34.898 ms  35.881 ms  38.929 ms

Please look into this and evaluate if our assertions are correct.  Thank you.

Reply to: