Instagram Android - Images load initially then time out - IPV6 turned off, conservative mode on



  • Hi,

    Instagram and reddit seem to be doing this. After the first load of images, the scroll then stops loading properly and has to timeout (about 30 seconds) and then loads again for a while and then times out.

    I've tried everything listed here: https://forum.netgate.com/topic/85901/instagram-and-snapchat-not-loading-on-my-android-device/9

    1. IPV6 is disabled on both WAN and LAN
    2. Conservative Mode is selected
    3. UPNP is enabled

    WAN is PPPoE, was direct and didn't work then either.
    Default LAN outbound rules are in place to allow any.
    Did this bone stock. I did a complete reset, put in WAN PPPoE settings and same thing happened.
    Worked fine with Asus router with same APs (unifi)

    Any ideas? What can I do to diagnose?

    Thanks!


  • Netgate Administrator

    Other sites load fine on Android?

    And those sites load fine on other devices?

    UPnP has nothing to do with this and you should disable it unless you really need it.

    Steve



  • Other apps and even the Instagram website in a browser work fine. Reddit has the news feed do the same thing in the app. Web doesn't hang.

    Instagram app on Android fails always, I don't have an iOS device to test. No Windows app really. (just a wrapper of the website)

    I've tried it with UPnP off, just turned it on because it's mentioned in other people talking about this issue so I tried it.

    Thanks


  • Netgate Administrator

    Do you see anything blocked in the firewall log when you try to connect and it fails?

    Everything in that other thread looks unlikely to have been anything to do with it. Unless the app is somehow trying to use ancient states that have already closed, which seems unlikely.

    Steve



  • Only thing that looks relevant is these 2 in the firewall log:

    Dec 3 19:30:51	LAN	Block all IPv6 (1000000003)	  [fe80::1b5:a2d7:6876:cf4]:5353	  [ff02::fb]:5353	UDP
    Dec 3 19:30:55	WAN	Default deny rule IPv4 (1000000103)	  185.156.73.52:47235	  XX.XXX.XXX.XXX:43121	TCP:S
    

    I don't have a rule for LAN block all IPv6, nor the Default deny rule IPv4, so I'm at a loss for where they're coming from.


  • Netgate Administrator

    Those both look normal.

    If you don't have Allow IPv6 checked in Sys > Adv > Networking that will block IPv6.

    There is a default deny rule that blocks all inbound traffic unless you pass it, which is the second block you're seeing.

    Probably have to capture the traffic coming from the phone's IP and see if you can see what's failing.

    Steve



  • Here's the capture for when it happened:

    21:01:03.031548 IP 172.217.11.46.443 > xxx.xxx.xxx.xxx.47674: tcp 56
    21:01:03.031682 IP 172.217.11.46.443 > xxx.xxx.xxx.xxx.47674: tcp 0
    21:01:03.081701 IP 172.217.11.46.443 > xxx.xxx.xxx.xxx.47674: tcp 0
    21:01:03.112191 IP xxx.xxx.xxx.xxx.47674 > 172.217.11.46.443: tcp 0
    21:01:03.112286 IP xxx.xxx.xxx.xxx.47674 > 172.217.11.46.443: tcp 0
    21:01:03.112317 IP xxx.xxx.xxx.xxx.47674 > 172.217.11.46.443: tcp 0
    21:01:04.088940 IP 172.217.6.202.443 > xxx.xxx.xxx.xxx.44310: tcp 0
    21:01:04.175100 IP xxx.xxx.xxx.xxx.44310 > 172.217.6.202.443: tcp 0
    21:01:04.706597 IP 172.217.9.234.443 > xxx.xxx.xxx.xxx.40114: tcp 0
    21:01:04.747583 IP xxx.xxx.xxx.xxx.40114 > 172.217.9.234.443: tcp 0
    21:01:08.876537 IP xxx.xxx.xxx.xxx.39842 > 102.132.98.23.443: tcp 44
    21:01:08.876598 IP xxx.xxx.xxx.xxx.48590 > 102.132.98.63.443: tcp 24
    21:01:08.876622 IP xxx.xxx.xxx.xxx.48590 > 102.132.98.63.443: tcp 0
    21:01:08.876640 IP xxx.xxx.xxx.xxx.48586 > 102.132.98.63.443: tcp 465
    21:01:08.876672 IP xxx.xxx.xxx.xxx.48586 > 102.132.98.63.443: tcp 76
    21:01:08.876698 IP xxx.xxx.xxx.xxx.48586 > 102.132.98.63.443: tcp 75
    21:01:08.887698 IP xxx.xxx.xxx.xxx.48586 > 102.132.98.63.443: tcp 75
    21:01:08.891328 IP 102.132.98.63.443 > xxx.xxx.xxx.xxx.48586: tcp 0
    21:01:08.891843 IP 102.132.98.63.443 > xxx.xxx.xxx.xxx.48586: tcp 61
    21:01:08.893572 IP xxx.xxx.xxx.xxx.48586 > 102.132.98.63.443: tcp 0



  • Here's a different run. Whole pile of these:

    21:11:05.081102 IP 102.132.98.63.443 > xxx.xxx.xxx.xxx.48740: tcp 1388
    
    

  • Netgate Administrator

    That was on the WAN?

    Are those identical, like re-transmits?

    If so, check if you see that leaving back out toward the phone on the internal interface. If they are there too then either they are not reaching the phone or it's rejecting them. Or perhaps its reply ACKs never get back.

    I note those are large packets but not huge. Maybe something is breaking packet fragmentation or there's some MTU issue....

    Steve
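
One way to check a capture for the pattern asked about above (same-size segments repeating in one direction with nothing coming back), as an added example that is not part of the original thread. The function names, thresholds and the 203.0.113.10 address are assumptions; this quiet capture format shows no sequence numbers, so equal payload length over time is only a heuristic for a retransmit.

```python
import re

# Quiet tcpdump line format, as in the captures posted in this thread:
#   HH:MM:SS.ffffff IP src.port > dst.port: tcp LEN
LINE = re.compile(
    r"^\s*(\d\d):(\d\d):(\d\d\.\d+) IP (\S+)\.(\d+) > (\S+)\.(\d+): tcp (\d+)\s*$")

def parse(line):
    """Return (seconds, (src, sport), (dst, dport), payload_len) or None."""
    m = LINE.match(line)
    if not m:
        return None
    h, mi, s, src, sport, dst, dport, length = m.groups()
    ts = int(h) * 3600 + int(mi) * 60 + float(s)
    return ts, (src, int(sport)), (dst, int(dport)), int(length)

def find_stalled_flows(lines, min_repeats=3, min_span=1.0):
    """Flag directions where same-size data repeats for min_span seconds
    with no packet at all in the reverse direction (hypothetical thresholds).
    Returns {(src, dst): (payload_len, repeats, first_ts, last_ts)}."""
    runs, flagged = {}, {}
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue                    # skip lines that are not TCP summaries
        ts, src, dst, length = rec
        runs.pop((dst, src), None)      # this side spoke, so the peer's run ends
        if length == 0:
            continue                    # bare ACK or control segment, no data
        run = runs.get((src, dst))
        if run and run[0] == length:
            run[1], run[3] = run[1] + 1, ts
        else:
            run = runs[(src, dst)] = [length, 1, ts, ts]
        if run[1] >= min_repeats and run[3] - run[2] >= min_span:
            flagged[(src, dst)] = tuple(run)
    return flagged

# Constructed sample: the first line follows the thread's capture, with the
# masked address replaced by a documentation address; the rest is made up.
SAMPLE = """\
21:11:05.081102 IP 102.132.98.63.443 > 203.0.113.10.48740: tcp 1388
21:11:05.381240 IP 102.132.98.63.443 > 203.0.113.10.48740: tcp 1388
21:11:05.983310 IP 102.132.98.63.443 > 203.0.113.10.48740: tcp 1388
21:11:07.186907 IP 102.132.98.63.443 > 203.0.113.10.48740: tcp 1388
21:11:07.200000 IP 203.0.113.10.48586 > 102.132.98.63.443: tcp 75
21:11:07.214000 IP 102.132.98.63.443 > 203.0.113.10.48586: tcp 0
""".splitlines()

if __name__ == "__main__":
    for (src, dst), (size, n, first, last) in find_stalled_flows(SAMPLE).items():
        print(f"{src} -> {dst}: {n} x {size} bytes over {last - first:.2f}s, no reply")
```

Running it over a capture from each interface shows which side of the firewall the one-way repeats appear on.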



  • That's monitored on the LAN interface.

    Yes, every one of them is identical.

    Appears to be outgoing from the phone with no response getting back onto the LAN segment.

    If it was MTU wouldn't it break always? This only happens after prolonged usage of the app.


  • Netgate Administrator

    @JohnGalt1717 said in Instagram Android - Images load initially then time out - IPV6 turned off, conservative mode on:

    21:11:05.081102 IP 102.132.98.63.443 > xxx.xxx.xxx.xxx.48740: tcp 1388

    That is a reply from an HTTPS server at 102.132.98.63 back to what I assumed was your public WAN IP, no?

    So that must be on the WAN interface unless you're not using NAT.

    If it only happens after prolonged use it seems like a state timeout but if that was the case I would expect to see traffic blocked in the firewall log on WAN unless default block logging has been disabled.
    Just how prolonged is the use before this happens?

    Steve



  • Yes, that's back to my WAN IP.

    I'd say about 5-7 minutes before it starts giving me the spinner for pictures. Probably 30 seconds or so before it properly loads them finally.

    (none of this happens on cellular data, nor other routers, just pfSense)

    I haven't touched the defaults for logging. How do I turn on default block logging?


  • Netgate Administrator

    It logs those by default so if you're not seeing blocked traffic it's probably not being blocked.

    Run a pcap on the LAN side then to make sure those packets are leaving going back toward the phone.

    Steve

