Instagram Android - Images load initially then time out - IPV6 turned off, conservative mode on

JohnGalt1717

Other apps and event the Instagram website in a browser work fine. Reddit has the news feed do the same thing in the app. Web doesn't hang.

Instagram app on android fails always, I don't have an ios device to test. No windows app really. (just a wrapper of the website)

I've tried it with upnp off, just turned it on because it's mentioned in other people talking about this issue so I tried it.

Thanks

stephenw10

Do you see anything blocked in the firewall log when you try to connect and it fails?

Everything in that other thread looks unlikely to have been anything to do with it. Unless the app is somehow trying to use ancient states that have already closed, which seems unlikely.

Steve

JohnGalt1717

Only thing that looks relevant is these 2 in the firewall log:

Dec 3 19:30:51	LAN	Block all IPv6 (1000000003)	  [fe80::1b5:a2d7:6876:cf4]:5353	  [ff02::fb]:5353	UDP


    Dec 3 19:30:55	WAN	Default deny rule IPv4 (1000000103)	  185.156.73.52:47235	  XX.XXX.XXX.XXX:43121	TCP:S

I don't have a rule for lan block all ipv6. nor the Default deny rule IPv4 so I'm at a loss for where they're coming from.

stephenw10

Those both look normal.

If you don't have Allow IPv6 checked in Sys > Adv > Networking that will block IPv6.

There is a default deny rule that blocks all inbound traffic unless you pass is which is the second block you're seeing.

Probably have to capture the traffic coming from the phones IP and see if you can see what's failing.

Steve

JohnGalt1717

Here's the capture for when it happened:

21:01:03.031548 IP 172.217.11.46.443 > xxx.xxx.xxx.xxx.47674: tcp 56
21:01:03.031682 IP 172.217.11.46.443 > xxx.xxx.xxx.xxx.47674: tcp 0
21:01:03.081701 IP 172.217.11.46.443 > xxx.xxx.xxx.xxx.47674: tcp 0
21:01:03.112191 IP xxx.xxx.xxx.xxx.47674 > 172.217.11.46.443: tcp 0
21:01:03.112286 IP xxx.xxx.xxx.xxx.47674 > 172.217.11.46.443: tcp 0
21:01:03.112317 IP xxx.xxx.xxx.xxx.47674 > 172.217.11.46.443: tcp 0
21:01:04.088940 IP 172.217.6.202.443 > xxx.xxx.xxx.xxx.44310: tcp 0
21:01:04.175100 IP xxx.xxx.xxx.xxx.44310 > 172.217.6.202.443: tcp 0
21:01:04.706597 IP 172.217.9.234.443 > xxx.xxx.xxx.xxx.40114: tcp 0
21:01:04.747583 IP xxx.xxx.xxx.xxx.40114 > 172.217.9.234.443: tcp 0
21:01:08.876537 IP xxx.xxx.xxx.xxx.39842 > 102.132.98.23.443: tcp 44
21:01:08.876598 IP xxx.xxx.xxx.xxx.48590 > 102.132.98.63.443: tcp 24
21:01:08.876622 IP xxx.xxx.xxx.xxx.48590 > 102.132.98.63.443: tcp 0
21:01:08.876640 IP xxx.xxx.xxx.xxx.48586 > 102.132.98.63.443: tcp 465
21:01:08.876672 IP xxx.xxx.xxx.xxx.48586 > 102.132.98.63.443: tcp 76
21:01:08.876698 IP xxx.xxx.xxx.xxx.48586 > 102.132.98.63.443: tcp 75
21:01:08.887698 IP xxx.xxx.xxx.xxx.48586 > 102.132.98.63.443: tcp 75
21:01:08.891328 IP 102.132.98.63.443 > xxx.xxx.xxx.xxx.48586: tcp 0
21:01:08.891843 IP 102.132.98.63.443 > xxx.xxx.xxx.xxx.48586: tcp 61
21:01:08.893572 IP xxx.xxx.xxx.xxx.48586 > 102.132.98.63.443: tcp 0

JohnGalt1717

Here's a different run. Whole pile of these:

21:11:05.081102 IP 102.132.98.63.443 > xxx.xxx.xxx.xxx.48740: tcp 1388

stephenw10

That was on the WAN?

Are those identical, like re-transmits?

If so check if you see that leaving back out toward the phone on the internal interface. If they are there too then either they are not reaching the phone or it's rejecting them. or perhaps it's reply acks never get back.

I note those are large packets but not huge. Maybe something is breaking packet fragmentation or there's some MTU issue....

Steve

JohnGalt1717

That's monitored on the lan interface.

Yes, every one of them is identical.

Appears to be outgoing from the phone with no response getting back onto the lan segment.

If it was MTU wouldn't it break always? This only happens after prolonged usage of the app.

stephenw10

@JohnGalt1717 said in Instagram Android - Images load initially then time out - IPV6 turned off, conservative mode on:

21:11:05.081102 IP 102.132.98.63.443 > xxx.xxx.xxx.xxx.48740: tcp 1388

That is a reply from an https server at 102.132.98.63 back to what I assumed was your public WAN IP no?

So that must be on the WAN interface unless you're not using NAT.

If it only happens after prolonged use it seems like a state timeout but if that was the case I would expect to see traffic blocked in the firewall log on WAN unless default block logging has been disabled.
Just how prolonged is the use before this happens?

Steve

JohnGalt1717

Yes, that's back to my WAN IP.

I'd say about 5-7 minutes before it starts giving me the spinner for pictures. Probably 30 seconds or so before it properly loads them finally.

(none of this happens on cellular data, nor other routers, just pfSense)

I haven't touched the defaults for logging. How do I turn on default block logging?

stephenw10

It logs those by default so if you're not seeing blocked traffic it's probably not being blocked.

Run a pcap on the LAN side then to make sure those packets are leaving going back toward the phone.

Steve