Frame errors in IPv6-in-IPv4 tunnel interface (!)

Mario Galindez

New Member
Aug 21, 2019
Folks,

I have a LIX container running in Proxmox 4.4-24. My container is:

Linux mybox 4.4.134-1-pve #1 SMP PVE 4.4.134-112 (Thu, 05 Jul 2018 12:39:16 +0000) i686 athlon i686 GNU/Linux.

This container has multiple IPv6-in-IPv4 tunnels. Some of them work okay. But there is one that doesn't. After debugging the problem, it turns out that packets received on the tunnel interface are marked as having "frame errors", and hence the packets are blackholed:

```
ipv6-tun: flags=209<UP,POINTOPOINT,RUNNING,NOARP>  mtu 1480
        inet6 2001:470:aaaf:201::1111  prefixlen 128  scopeid 0x0<global>
        inet6 fe80::4cef:6524  prefixlen 64  scopeid 0x20<link>
        sit  txqueuelen 1  (IPv6-in-IPv4)
        RX packets 0  bytes 0 (0.0 B)
        RX errors 503  dropped 0  overruns 0  frame 503
        TX packets 921  bytes 99339 (99.3 KB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
```

Curiously enough, if I run tcpdump on the virtual ethernet card (as opposed to the tunnel interface), I can see the IPv6-in-IPv4 packets, with valid checksums, etc.

Any clues regarding what might be going on, and how to solve the problem?

thanks,
- m
 
> Proxmox 4.4-24.

* PVE 4.x has been EOL for more than 1 year - please do consider upgrading to 6.0 (loads of changes and fixes included).

Do iproute2 utils show a more sensible explanation:
* `ip -detail -stat link`
* or `netstat -in` (since you have ifconfig still installed it should be available)

My first guess is that it might be MTU related
 
Hello!

Thanks for your response! -- Inline...

> * PVE 4.x has been EOL for more than 1 year - please do consider upgrading to 6.0 (loads of changes and fixes included).
>
> Do iproute2 utils show a more sensible explanation:
> * `ip -detail -stat link`
> * or `netstat -in` (since you have ifconfig still installed it should be available)
>
> My first guess is that it might be MTU related

It's not really MTU-related. Among other reasons, the tunnel fails even for default ICMPv6 echo packets, which are way smaller than even the minimum MTU. Also, please note that packets do get out of the interface, and the responses do arrive. It is just that received packets are "marked" as having frame errors, and subsequently discarded. If there were MTU problems, packets would be blackholed somewhere -- but that's not the case.

The output of the relevant ip command is:

```
9: ipv6-tun@NONE: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1480 qdisc noqueue state UNKNOWN mode DEFAULT group default qlen 1
    link/sit 90.90.90.90 peer 18.18.18.18 promiscuity 0
    sit ip6ip remote 18.18.18.18 local 90.90.90.90 ttl 255 pmtudisc 6rd-prefix 2002::/16 addrgenmode eui64 numtxqueues 1 numrxqueues 1
    RX: bytes  packets  errors  dropped overrun mcast
    0          0        4657    0       0       0
    TX: bytes  packets  errors  dropped carrier collsns
    7007134    40461    0       0       0       0
```

Any clues?

Thanks!
- m
 
Could you post the complete ip output? (Anonymize the IPs if necessary!)
Since I'm not sure - what is a LIX container? And how do you configure the tunnels?

Else - I would try to do a tcpdump on all possible interfaces:
* inside the container
* on the tap-interface linked to the container on the node veth<VMID>i0 (for the first interface)
* if you have the firewall enabled on that container there are other interfaces as well (just grep for the VMID in the ip link output)
* on the bridge the interface is connected to
* on the physical port the bridge is connected to
* on the switch

If you have the firewall enabled - you could also try without.

Hope this helps!
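
The `ip -detail -stat link` check suggested in the thread can be applied to every tunnel in the container at once. The following is an added example, not part of any post: the function names and the `eth0` block in the sample are constructed for illustration, while the `ipv6-tun` block is the output quoted above.

```shell
#!/bin/sh
# Added example: read `ip -stat link` output on stdin and list interfaces
# whose RX error counter is non-zero, as "name rx_packets rx_errors verdict".
rx_error_ifaces() {
    awk '
        /^[0-9]+: / {                  # interface header: "9: ipv6-tun@NONE: <...>"
            name = $2
            sub(/:$/, "", name)        # drop trailing colon
            sub(/@.*$/, "", name)      # drop "@NONE" / "@if15" suffix
            next
        }
        $1 == "RX:" { want = 1; next } # the counters are on the following line
        want {
            want = 0
            # columns: bytes packets errors dropped overrun mcast
            if ($3 > 0) {
                # zero delivered packets means every received packet was rejected,
                # which is the symptom reported for ipv6-tun in the thread
                verdict = ($2 == 0) ? "all-rx-rejected" : "partial"
                print name, $2, $3, verdict
            }
        }
    '
}

# Constructed sample: eth0 is invented; ipv6-tun is the output quoted in the thread.
sample_ip_output() {
cat <<'EOF'
2: eth0@if15: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP mode DEFAULT group default qlen 1000
    link/ether 02:00:00:00:00:01 brd ff:ff:ff:ff:ff:ff promiscuity 0
    RX: bytes  packets  errors  dropped overrun mcast
    8123456    52110    0       0       0       0
    TX: bytes  packets  errors  dropped carrier collsns
    7654321    48012    0       0       0       0
9: ipv6-tun@NONE: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1480 qdisc noqueue state UNKNOWN mode DEFAULT group default qlen 1
    link/sit 90.90.90.90 peer 18.18.18.18 promiscuity 0
    RX: bytes  packets  errors  dropped overrun mcast
    0          0        4657    0       0       0
    TX: bytes  packets  errors  dropped carrier collsns
    7007134    40461    0       0       0       0
EOF
}

# Live use inside the container: ip -detail -stat link | rx_error_ifaces
```

Running it before and after each change (firewall off, different capture point) shows whether the error counter on the affected tunnel is still climbing while the working tunnels stay at zero.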
 
