lan clients periodically drop ipv6 connectivity

gambit100

@JKnott I see ICMPv6 traffic on both the lan and wan. I'm not a SLACC or RA pro. I've attached a file with a packet capture on the wan (adding it as text gets flagged as spam by akismet for some reason].ICMPv6.txt

JKnott

@gambit100

That file is really not usefull, as it doesn't show the contents.

I ran Wireshark, filtering on ICMP6. Here's a list of the packets received, with the RA in the top row:

Here is the contents of that frame, showing the relevant info. Several items can be expanded further:

This is the sort of thing you need to understand network problems. You can use Packet Capture, in pfSense, but I find Wireshark is much better. Even if you capture with Packet Capture, you're still better off examining the capture with Wireshark.

Now, if you look at the options, you'll see things like assigned addresses and DNS.

gambit100

Sorry about the delay...spectrum was having trouble keeping the network up in this area.

Here is the summary of messages when I connect a client to the LAN

After the client connects, it appears to have the correct network info but can't reach any Ipv6 sites. I then bring the router's WAN interface down and then back up. The client is now able to reach ipv6 sites.

The contents of some of the messages are below.

a6a6ff34-1607-49ee-9cb6-520abf3d2a28-101 RS.png
3b965758-a6e8-4458-9a80-4054a962a6ea-102 NS.png
2eb77f10-f024-4c77-ac8d-2b2e91a16737-104 MLR.png
58133235-b272-4fa6-9c10-11aab94c6e01-105 NA.png
44c97159-5a49-4517-8362-058e6b365bd6-109 MLR.png
1003542a-6e6f-422e-b354-371129c1457d-110 NS.png

JKnott

Please do a capture of ICMP6, with at least one router advertisement. Then post the capture file, not just it's contents.

gambit100

@JKnott attached is a packet capture from pfsense on the WAN which includes a RA at record #231. I've also included a wireshark capture on the LAN for the same time period (approximately).
This capture is over the time frame where I bring an android client back on the LAN (WIFI). Before and after the capture period, the client has lost IPV6 connectivity but has IPV4 connectivity before I took it off the LAN and also once brought back on the LAN. The client had IPV6 connectivity a few hours before this but lost that connectivity sometime between that check and a few hours later when I checked again.
Client IPV6:
fe80::20e0:1065:c8e0:d799
2603:9001:7c00:253d:90d9:29d8:f822:ed20
2603:9001:7c00:253d:9c7a:de1f:50ee:52e8

packetcapture LAN.pcapng packetcapture WAN.pcap

gambit100

@JKnott here is another wireshark capture on the LAN that has RA packets from the pfsense router: packetcapture LAN with RA.pcapng

JKnott

@gambit100 said in lan clients periodically drop ipv6 connectivity:

Packet capture shows the ping going out the wan but no response is received.

This sounds similar to a problem I had almost 7 years ago, but mine didn't correct. There was a problem with my ISP, where they were giving me a bad prefix. My WAN address worked but nothing on my LAN. I tested by using my my notebook computer tethered to my cell phone and set up a data tap to monitor my WAN port. When I pinged from my LAN, I could see it going out, but nothing coming back. When I pinged from my notebook & phone, I didn't see anything coming in. I was able to demonstrate to my ISPs tech support what was happening and he agreed it was a problem at my ISP. Later on, a senior tech came to my home, with his own computer & modem and found the same problem. He then went to the ISPs office and tried with 4 different CMTS and found it worked with 3, but not the one I was connected to. The network guys finally got around to fixing the problem after that, even though I had identified the failing CMTS in my testing earlier.

When the LAN clients lose connectivity, is that totally? Or just to the Internet? Does the LAN prefix change when it fails? If you're getting a bad prefix, as I was, it would certainly cause problems.

It sounds like the problem is with Spectrum, especially since you said they have other problems.

gambit100

@JKnott Currently, my android client has the same /64 prefix as my windows 11 client. My android client cannot connect (ping or http) to ipv6.google.com but can reach other lan clients via ipv6 (ping and http). My windows 11 client can reach other lan clients as will as ipv6.google.com.
When I release and renew the WAN connection via pfsense, I get the same prefix (at least since I've been researching this issue). After the WAN reset, the android client can reach ipv6.google.com by both ping and http.
I'm a bit reluctant to reach out to spectrum as past help attempts haven't been too helpful and involve a lot of steps that aren't usually related to the issue but I guess it's about time I do so.
Initially, I was having ipv6 issues with all lan clients but only the android client is having issues now. Either there was a broader issue that affected all ipv6 clients earlier or it requires more time before the other clients fail and my periodic wan reset restarts the timer on the other clients as well.

Not related to this issue (I assume) but although the spectrum ISP connection is stable now I'm seeing a lot of weird traffic from the WAN now. Malformed packets against my vpn and weird NS packets coming from the spectrum gateway for addresses that don't exist on my network.
13:46:45.736687 IP6 fe80::2bc:60ff:fe92:4419 > ff02::1:ffd7:2: ICMP6, neighbor solicitation, who has 2603:9001:7cf0:d720:0:1062:fd7:2, length 32
13:46:45.758670 IP6 fe80::2bc:60ff:fe92:4419 > ff02::1:ff23:5: ICMP6, neighbor solicitation, who has 2603:9001:7cf0:2350:0:1062:f23:5, length 32
13:46:45.856525 IP6 fe80::2bc:60ff:fe92:4419 > ff02::1:ff48:1: ICMP6, neighbor solicitation, who has 2603:9001:7cf0:4810:0:1062:f48:1, length 32
13:46:45.960992 IP6 fe80::2bc:60ff:fe92:4419 > ff02::1:ff5b:0: ICMP6, neighbor solicitation, who has 2603:9001:7cf0:5b00:0:1062:f5b:0, length 32
13:46:46.028662 IP6 fe80::2bc:60ff:fe92:4419 > ff02::1:ff2a:0: ICMP6, neighbor solicitation, who has 2603:9001:7cf0:2a00:0:1062:f2a:0, length 32
13:46:46.150729 IP6 fe80::2bc:60ff:fe92:4419 > ff02::1:ff7e:1: ICMP6, neighbor solicitation, who has 2603:9001:7cf0:7e10:0:1062:f7e:1, length 32
13:46:46.776291 IP6 fe80::2bc:60ff:fe92:4419 > ff02::1:ffd7:2: ICMP6, neighbor solicitation, who has 2603:9001:7cf0:d720:0:1062:fd7:2, length 32

JKnott

@gambit100 said in lan clients periodically drop ipv6 connectivity:

When I release and renew the WAN connection via pfsense, I get the same prefix (at least since I've been researching this issue). After the WAN reset, the android client can reach ipv6.google.com by both ping and http.

That sounds like when you do that, you remind them you're there. It sounds like a routing issue. Also, the only Android issue I'm aware of is it doesn't support DHCP6, but that wouldn't apply if you're using SLAAC.

There is one thing you can try. That is run without pfSense and use the modem's router. If it fails again, then it's definitely an ISP problem. This was also the case here. When it failed, my next door neighbour also failed and he uses only the modem router. I also know ISPs will not do much to resolve issues if you're using your own router. How often does this issue happen? I hope you're not stuck without pfSense for too long. As I mentioned, the problem still happened when the tech took his modem & computer to the office and it still failed there, when connected to the CMTS I was on.
BTW, do any of your neighbours have this problem?

Here's the error message I was getting when it failed and identified the failing CMTS.

Status code
Option: Status code (13)
Length: 56
Value: 00064e6f2070726566697820617661696c61626c65206f6e...
Status Code: NoPrefixAvail (6)
Status Message: No prefix available on Link 'CMTS89.WLFDLE-BNDL1-GRP3'

I used Wireshark to capture this on the WAN interface, when I captured the DHCP6 sequence, using the data tap I made. Of course, since you can clear your problem, it would be difficult to do this. You'd have to capture all the DHCP6 packets until it failed.

BTW, a few years later, I was doing some work in my ISP's local office and found that CMTS89!

SteveITS

@JKnott

sounds like a routing issue

That was my thought but OP says it works on Windows the entire time.

JKnott

@SteveITS

That doesn't make sense. He said reconnecting the WAN side clears it, but that shouldn't have anything to do with Windows vs Android.

I just noticed something curious, but I don't know if it has anything to do with this. In his router advertisement, in his DNS search list, he has home.com. That used to be an email provider that some ISPs used to use before it went bust. My ISP Rogers was one of them. He shouldn't be using real domain names for that. If he doesn't have an appropriate one, then he should be using one of those dummy top level domain names. I don't recall what they were, as I have my own registered domain name, which I use.

When Rogers was using @home, I created a joke account "the_lights_are_on_but_no_ones@home.com".

SteveITS

@JKnott said in lan clients periodically drop ipv6 connectivity:

That doesn't make sense

That was also one of my thoughts. :)