NGINX SSL does not respond over IPv6

The name of the pictureThe name of the pictureThe name of the pictureClash Royale CLAN TAG#URR8PPP











up vote
2
down vote

favorite












On a Debian server with nginx, I get no response from a web server over HTTPS and IPv6. HTTP works fine.



  • netstat reports port 443 listening on IPv6 address

  • firewall is opened, ipv6scanner.com reports port 443 open

  • locally (over terminal) wget and curl receives a correct response, so nginx configuration is OK

  • no sign of error from nginx error.log

  • no record in access.log, when it fails, so the communication probably does not reach the web server

  • DNS is fine. Translation works, and the connection does not work even when the IP address is accessed directly

Every attempt to connect from "outside" (meaning outside of the network, from the internet) fails (web browser, telnet, ipv6-test.com, curl...). There is no response at all.



Can be tested on www.ekasparova.eu . I am clueless. What else can I check?



edit:



the output of traceroute6 --mtu www.google.com is following:



traceroute to www.google.com (2a00:1450:4014:800::2004), 30 hops max, 65000 byte packets
1 * F=1500 * *
2 * * *
~
30 * * *


So it never reaches the end...










share|improve this question









New contributor




j.kaspar is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.



















  • Outside = Outside the network on a seperate LAN segment, or from a computer sitting on the same LAN segment?
    – IceMage
    16 mins ago






  • 1




    @IceMage Outside means from the internet. Outside of the network. I am going to edit the question to clarify
    – j.kaspar
    14 mins ago










  • Have you configured a firewall on the server? If the server is running Linux, then the output of ip6table-save would be relevant.
    – kasperd
    5 mins ago














up vote
2
down vote

favorite












On a Debian server with nginx, I get no response from a web server over HTTPS and IPv6. HTTP works fine.



  • netstat reports port 443 listening on IPv6 address

  • firewall is opened, ipv6scanner.com reports port 443 open

  • locally (over terminal) wget and curl receives a correct response, so nginx configuration is OK

  • no sign of error from nginx error.log

  • no record in access.log, when it fails, so the communication probably does not reach the web server

  • DNS is fine. Translation works, and the connection does not work even when the IP address is accessed directly

Every attempt to connect from "outside" (meaning outside of the network, from the internet) fails (web browser, telnet, ipv6-test.com, curl...). There is no response at all.



Can be tested on www.ekasparova.eu . I am clueless. What else can I check?



edit:



the output of traceroute6 --mtu www.google.com is following:



traceroute to www.google.com (2a00:1450:4014:800::2004), 30 hops max, 65000 byte packets
1 * F=1500 * *
2 * * *
~
30 * * *


So it never reaches the end...










share|improve this question









New contributor




j.kaspar is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.



















  • Outside = Outside the network on a seperate LAN segment, or from a computer sitting on the same LAN segment?
    – IceMage
    16 mins ago






  • 1




    @IceMage Outside means from the internet. Outside of the network. I am going to edit the question to clarify
    – j.kaspar
    14 mins ago










  • Have you configured a firewall on the server? If the server is running Linux, then the output of ip6table-save would be relevant.
    – kasperd
    5 mins ago












up vote
2
down vote

favorite









up vote
2
down vote

favorite











On a Debian server with nginx, I get no response from a web server over HTTPS and IPv6. HTTP works fine.



  • netstat reports port 443 listening on IPv6 address

  • firewall is opened, ipv6scanner.com reports port 443 open

  • locally (over terminal) wget and curl receives a correct response, so nginx configuration is OK

  • no sign of error from nginx error.log

  • no record in access.log, when it fails, so the communication probably does not reach the web server

  • DNS is fine. Translation works, and the connection does not work even when the IP address is accessed directly

Every attempt to connect from "outside" (meaning outside of the network, from the internet) fails (web browser, telnet, ipv6-test.com, curl...). There is no response at all.



Can be tested on www.ekasparova.eu . I am clueless. What else can I check?



edit:



the output of traceroute6 --mtu www.google.com is following:



traceroute to www.google.com (2a00:1450:4014:800::2004), 30 hops max, 65000 byte packets
1 * F=1500 * *
2 * * *
~
30 * * *


So it never reaches the end...










share|improve this question









New contributor




j.kaspar is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.











On a Debian server with nginx, I get no response from a web server over HTTPS and IPv6. HTTP works fine.



  • netstat reports port 443 listening on IPv6 address

  • firewall is opened, ipv6scanner.com reports port 443 open

  • locally (over terminal) wget and curl receives a correct response, so nginx configuration is OK

  • no sign of error from nginx error.log

  • no record in access.log, when it fails, so the communication probably does not reach the web server

  • DNS is fine. Translation works, and the connection does not work even when the IP address is accessed directly

Every attempt to connect from "outside" (meaning outside of the network, from the internet) fails (web browser, telnet, ipv6-test.com, curl...). There is no response at all.



Can be tested on www.ekasparova.eu . I am clueless. What else can I check?



edit:



the output of traceroute6 --mtu www.google.com is following:



traceroute to www.google.com (2a00:1450:4014:800::2004), 30 hops max, 65000 byte packets
1 * F=1500 * *
2 * * *
~
30 * * *


So it never reaches the end...







nginx ssl ipv6






share|improve this question









New contributor




j.kaspar is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.











share|improve this question









New contributor




j.kaspar is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.









share|improve this question




share|improve this question








edited 13 mins ago





















New contributor




j.kaspar is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.









asked 2 hours ago









j.kaspar

1115




1115




New contributor




j.kaspar is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.





New contributor





j.kaspar is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.






j.kaspar is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.











  • Outside = Outside the network on a seperate LAN segment, or from a computer sitting on the same LAN segment?
    – IceMage
    16 mins ago






  • 1




    @IceMage Outside means from the internet. Outside of the network. I am going to edit the question to clarify
    – j.kaspar
    14 mins ago










  • Have you configured a firewall on the server? If the server is running Linux, then the output of ip6table-save would be relevant.
    – kasperd
    5 mins ago
















  • Outside = Outside the network on a seperate LAN segment, or from a computer sitting on the same LAN segment?
    – IceMage
    16 mins ago






  • 1




    @IceMage Outside means from the internet. Outside of the network. I am going to edit the question to clarify
    – j.kaspar
    14 mins ago










  • Have you configured a firewall on the server? If the server is running Linux, then the output of ip6table-save would be relevant.
    – kasperd
    5 mins ago















Outside = Outside the network on a seperate LAN segment, or from a computer sitting on the same LAN segment?
– IceMage
16 mins ago




Outside = Outside the network on a seperate LAN segment, or from a computer sitting on the same LAN segment?
– IceMage
16 mins ago




1




1




@IceMage Outside means from the internet. Outside of the network. I am going to edit the question to clarify
– j.kaspar
14 mins ago




@IceMage Outside means from the internet. Outside of the network. I am going to edit the question to clarify
– j.kaspar
14 mins ago












Have you configured a firewall on the server? If the server is running Linux, then the output of ip6table-save would be relevant.
– kasperd
5 mins ago




Have you configured a firewall on the server? If the server is running Linux, then the output of ip6table-save would be relevant.
– kasperd
5 mins ago










1 Answer
1






active

oldest

votes

















up vote
3
down vote













You have an MTU problem.



I tested wget -O /dev/null https://www.ekasparova.eu while observing the traffic with tcpdump. This is what I saw:



19:56:57.048361 IP6 2001:db8::1.47386 > 2a04:f310:100:3:f816:3eff:fea3:4553.443: Flags [S], seq 262121609, win 28800, options [mss 1440,sackOK,TS val 298423713 ecr 0,nop,wscale 7], length 0
19:56:57.087457 IP6 2a04:f310:100:3:f816:3eff:fea3:4553.443 > 2001:db8::1.47386: Flags [S.], seq 2396216876, ack 262121610, win 28560, options [mss 1440,sackOK,TS val 82836580 ecr 298423713,nop,wscale 7], length 0
19:56:57.087490 IP6 2001:db8::1.47386 > 2a04:f310:100:3:f816:3eff:fea3:4553.443: Flags [.], ack 1, win 225, options [nop,nop,TS val 298423723 ecr 82836580], length 0
19:56:57.087692 IP6 2001:db8::1.47386 > 2a04:f310:100:3:f816:3eff:fea3:4553.443: Flags [P.], seq 1:322, ack 1, win 225, options [nop,nop,TS val 298423723 ecr 82836580], length 321
19:56:57.126190 IP6 2a04:f310:100:3:f816:3eff:fea3:4553.443 > 2001:db8::1.47386: Flags [.], ack 322, win 232, options [nop,nop,TS val 82836590 ecr 298423723], length 0
19:56:57.141224 IP6 2a04:f310:100:3:f816:3eff:fea3:4553.443 > 2001:db8::1.47386: Flags [P.], seq 2857:3678, ack 322, win 232, options [nop,nop,TS val 82836594 ecr 298423723], length 821
19:56:57.141301 IP6 2001:db8::1.47386 > 2a04:f310:100:3:f816:3eff:fea3:4553.443: Flags [.], ack 1, win 248, options [nop,nop,TS val 298423736 ecr 82836590,nop,nop,sack 1 2857:3678], length 0


The first 3 packets is the handshake. Both ends announce mss 1440 which means they are capable of receiving packets with 1440 bytes of TCP payload, counting headers as well it totals to 1500 bytes of IP traffic, which is what Ethernet commonly supports.



The next 2 packets is client hello and acknowledgement it was received by the server.



The final 2 packets is where things get interesting. By default tcpdump shows relative sequence numbers, which in this case make the capture easier to read. In the packet from the server this is the interesting part seq 2857:3678. We see a jump from 1 to 2857 which means there is a gap of 2856 bytes which the client did not yet receive. 2856 bytes corresponds to two packets of 1428 bytes. The difference between 1440 and 1428 is the size of a timestamp option.



So, the server sent the server hello split across 3 packets. But the first two were too large for the network and were not delivered to the client.



In the final packet from client to server we see this sack 1 2857:3678. This is a selective acknowledgement sent by the client informing the server that there is a gap in the data it has received this far.



Likely the server keeps sending the two lost packets over and over again. But no matter how many times it retransmits the same two packets they remain too large for the network. And probably a router on the path sends an error message back to the server informing it the packets are too large and need to be retransmitted in smaller packets.



If the server received those error messages, it would retransmit the packets smaller as needed. And it would remember the smaller PMTU such that on subsequent requests it does not have to repeat this discovery step.



A possible explanation for all of this is that you have a misconfigured firewall which drops all of the error messages informing your server it needs to retransmit the data in smaller packets.






share|improve this answer


















  • 1




    Interesting. Thank you! Those error messages - I guess it is ICMP protocol... Is there a way to test it? The firewall on the server, and the firewall between the server and the internet, should be open for all ICMP communication.
    – j.kaspar
    54 mins ago










  • @j.kaspar What are the firewalls? How are they configured? How did you test them?
    – Michael Hampton♦
    48 mins ago










  • @MichaelHampton there is iptables firewall installed directly on the server. The second one belongs to the datacenter and I am able to manage it's rules. I don't really know how to test the ICMP. But the rules on both are set to anywhere<->anywhere allowed for ICMP
    – j.kaspar
    43 mins ago











  • @j.kaspar On a Linux server, try traceroute6 --mtu www.google.com and look for F=#### inserted into the output lines, or output lines where no response comes back at all. On second thought, just run it and edit your question with the output.
    – Michael Hampton♦
    33 mins ago










  • @MichaelHampton Done. However I am not sure how to interpret the result. Does that mean, that the communication doesn't pass the second hop at all?
    – j.kaspar
    9 mins ago










Your Answer







StackExchange.ready(function()
var channelOptions =
tags: "".split(" "),
id: "2"
;
initTagRenderer("".split(" "), "".split(" "), channelOptions);

StackExchange.using("externalEditor", function()
// Have to fire editor after snippets, if snippets enabled
if (StackExchange.settings.snippets.snippetsEnabled)
StackExchange.using("snippets", function()
createEditor();
);

else
createEditor();

);

function createEditor()
StackExchange.prepareEditor(
heartbeatType: 'answer',
convertImagesToLinks: true,
noModals: false,
showLowRepImageUploadWarning: true,
reputationToPostImages: 10,
bindNavPrevention: true,
postfix: "",
onDemand: true,
discardSelector: ".discard-answer"
,immediatelyShowMarkdownHelp:true
);



);






j.kaspar is a new contributor. Be nice, and check out our Code of Conduct.









 

draft saved


draft discarded


















StackExchange.ready(
function ()
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fserverfault.com%2fquestions%2f935802%2fnginx-ssl-does-not-respond-over-ipv6%23new-answer', 'question_page');

);

Post as a guest






























1 Answer
1






active

oldest

votes








1 Answer
1






active

oldest

votes









active

oldest

votes






active

oldest

votes








up vote
3
down vote













You have an MTU problem.



I tested wget -O /dev/null https://www.ekasparova.eu while observing the traffic with tcpdump. This is what I saw:



19:56:57.048361 IP6 2001:db8::1.47386 > 2a04:f310:100:3:f816:3eff:fea3:4553.443: Flags [S], seq 262121609, win 28800, options [mss 1440,sackOK,TS val 298423713 ecr 0,nop,wscale 7], length 0
19:56:57.087457 IP6 2a04:f310:100:3:f816:3eff:fea3:4553.443 > 2001:db8::1.47386: Flags [S.], seq 2396216876, ack 262121610, win 28560, options [mss 1440,sackOK,TS val 82836580 ecr 298423713,nop,wscale 7], length 0
19:56:57.087490 IP6 2001:db8::1.47386 > 2a04:f310:100:3:f816:3eff:fea3:4553.443: Flags [.], ack 1, win 225, options [nop,nop,TS val 298423723 ecr 82836580], length 0
19:56:57.087692 IP6 2001:db8::1.47386 > 2a04:f310:100:3:f816:3eff:fea3:4553.443: Flags [P.], seq 1:322, ack 1, win 225, options [nop,nop,TS val 298423723 ecr 82836580], length 321
19:56:57.126190 IP6 2a04:f310:100:3:f816:3eff:fea3:4553.443 > 2001:db8::1.47386: Flags [.], ack 322, win 232, options [nop,nop,TS val 82836590 ecr 298423723], length 0
19:56:57.141224 IP6 2a04:f310:100:3:f816:3eff:fea3:4553.443 > 2001:db8::1.47386: Flags [P.], seq 2857:3678, ack 322, win 232, options [nop,nop,TS val 82836594 ecr 298423723], length 821
19:56:57.141301 IP6 2001:db8::1.47386 > 2a04:f310:100:3:f816:3eff:fea3:4553.443: Flags [.], ack 1, win 248, options [nop,nop,TS val 298423736 ecr 82836590,nop,nop,sack 1 2857:3678], length 0


The first 3 packets is the handshake. Both ends announce mss 1440 which means they are capable of receiving packets with 1440 bytes of TCP payload, counting headers as well it totals to 1500 bytes of IP traffic, which is what Ethernet commonly supports.



The next 2 packets is client hello and acknowledgement it was received by the server.



The final 2 packets is where things get interesting. By default tcpdump shows relative sequence numbers, which in this case make the capture easier to read. In the packet from the server this is the interesting part seq 2857:3678. We see a jump from 1 to 2857 which means there is a gap of 2856 bytes which the client did not yet receive. 2856 bytes corresponds to two packets of 1428 bytes. The difference between 1440 and 1428 is the size of a timestamp option.



So, the server sent the server hello split across 3 packets. But the first two were too large for the network and were not delivered to the client.



In the final packet from client to server we see this sack 1 2857:3678. This is a selective acknowledgement sent by the client informing the server that there is a gap in the data it has received this far.



Likely the server keeps sending the two lost packets over and over again. But no matter how many times it retransmits the same two packets they remain too large for the network. And probably a router on the path sends an error message back to the server informing it the packets are too large and need to be retransmitted in smaller packets.



If the server received those error messages, it would retransmit the packets smaller as needed. And it would remember the smaller PMTU such that on subsequent requests it does not have to repeat this discovery step.



A possible explanation for all of this is that you have a misconfigured firewall which drops all of the error messages informing your server it needs to retransmit the data in smaller packets.






share|improve this answer


















  • 1




    Interesting. Thank you! Those error messages - I guess it is ICMP protocol... Is there a way to test it? The firewall on the server, and the firewall between the server and the internet, should be open for all ICMP communication.
    – j.kaspar
    54 mins ago










  • @j.kaspar What are the firewalls? How are they configured? How did you test them?
    – Michael Hampton♦
    48 mins ago










  • @MichaelHampton there is iptables firewall installed directly on the server. The second one belongs to the datacenter and I am able to manage it's rules. I don't really know how to test the ICMP. But the rules on both are set to anywhere<->anywhere allowed for ICMP
    – j.kaspar
    43 mins ago











  • @j.kaspar On a Linux server, try traceroute6 --mtu www.google.com and look for F=#### inserted into the output lines, or output lines where no response comes back at all. On second thought, just run it and edit your question with the output.
    – Michael Hampton♦
    33 mins ago










  • @MichaelHampton Done. However I am not sure how to interpret the result. Does that mean, that the communication doesn't pass the second hop at all?
    – j.kaspar
    9 mins ago














up vote
3
down vote













You have an MTU problem.



I tested wget -O /dev/null https://www.ekasparova.eu while observing the traffic with tcpdump. This is what I saw:



19:56:57.048361 IP6 2001:db8::1.47386 > 2a04:f310:100:3:f816:3eff:fea3:4553.443: Flags [S], seq 262121609, win 28800, options [mss 1440,sackOK,TS val 298423713 ecr 0,nop,wscale 7], length 0
19:56:57.087457 IP6 2a04:f310:100:3:f816:3eff:fea3:4553.443 > 2001:db8::1.47386: Flags [S.], seq 2396216876, ack 262121610, win 28560, options [mss 1440,sackOK,TS val 82836580 ecr 298423713,nop,wscale 7], length 0
19:56:57.087490 IP6 2001:db8::1.47386 > 2a04:f310:100:3:f816:3eff:fea3:4553.443: Flags [.], ack 1, win 225, options [nop,nop,TS val 298423723 ecr 82836580], length 0
19:56:57.087692 IP6 2001:db8::1.47386 > 2a04:f310:100:3:f816:3eff:fea3:4553.443: Flags [P.], seq 1:322, ack 1, win 225, options [nop,nop,TS val 298423723 ecr 82836580], length 321
19:56:57.126190 IP6 2a04:f310:100:3:f816:3eff:fea3:4553.443 > 2001:db8::1.47386: Flags [.], ack 322, win 232, options [nop,nop,TS val 82836590 ecr 298423723], length 0
19:56:57.141224 IP6 2a04:f310:100:3:f816:3eff:fea3:4553.443 > 2001:db8::1.47386: Flags [P.], seq 2857:3678, ack 322, win 232, options [nop,nop,TS val 82836594 ecr 298423723], length 821
19:56:57.141301 IP6 2001:db8::1.47386 > 2a04:f310:100:3:f816:3eff:fea3:4553.443: Flags [.], ack 1, win 248, options [nop,nop,TS val 298423736 ecr 82836590,nop,nop,sack 1 2857:3678], length 0


The first 3 packets is the handshake. Both ends announce mss 1440 which means they are capable of receiving packets with 1440 bytes of TCP payload, counting headers as well it totals to 1500 bytes of IP traffic, which is what Ethernet commonly supports.



The next 2 packets is client hello and acknowledgement it was received by the server.



The final 2 packets is where things get interesting. By default tcpdump shows relative sequence numbers, which in this case make the capture easier to read. In the packet from the server this is the interesting part seq 2857:3678. We see a jump from 1 to 2857 which means there is a gap of 2856 bytes which the client did not yet receive. 2856 bytes corresponds to two packets of 1428 bytes. The difference between 1440 and 1428 is the size of a timestamp option.



So, the server sent the server hello split across 3 packets. But the first two were too large for the network and were not delivered to the client.



In the final packet from client to server we see this sack 1 2857:3678. This is a selective acknowledgement sent by the client informing the server that there is a gap in the data it has received this far.



Likely the server keeps sending the two lost packets over and over again. But no matter how many times it retransmits the same two packets they remain too large for the network. And probably a router on the path sends an error message back to the server informing it the packets are too large and need to be retransmitted in smaller packets.



If the server received those error messages, it would retransmit the packets smaller as needed. And it would remember the smaller PMTU such that on subsequent requests it does not have to repeat this discovery step.



A possible explanation for all of this is that you have a misconfigured firewall which drops all of the error messages informing your server it needs to retransmit the data in smaller packets.






share|improve this answer


















  • 1




    Interesting. Thank you! Those error messages - I guess it is ICMP protocol... Is there a way to test it? The firewall on the server, and the firewall between the server and the internet, should be open for all ICMP communication.
    – j.kaspar
    54 mins ago










  • @j.kaspar What are the firewalls? How are they configured? How did you test them?
    – Michael Hampton♦
    48 mins ago










  • @MichaelHampton there is iptables firewall installed directly on the server. The second one belongs to the datacenter and I am able to manage it's rules. I don't really know how to test the ICMP. But the rules on both are set to anywhere<->anywhere allowed for ICMP
    – j.kaspar
    43 mins ago











  • @j.kaspar On a Linux server, try traceroute6 --mtu www.google.com and look for F=#### inserted into the output lines, or output lines where no response comes back at all. On second thought, just run it and edit your question with the output.
    – Michael Hampton♦
    33 mins ago










  • @MichaelHampton Done. However I am not sure how to interpret the result. Does that mean, that the communication doesn't pass the second hop at all?
    – j.kaspar
    9 mins ago












up vote
3
down vote










up vote
3
down vote









You have an MTU problem.



I tested wget -O /dev/null https://www.ekasparova.eu while observing the traffic with tcpdump. This is what I saw:



19:56:57.048361 IP6 2001:db8::1.47386 > 2a04:f310:100:3:f816:3eff:fea3:4553.443: Flags [S], seq 262121609, win 28800, options [mss 1440,sackOK,TS val 298423713 ecr 0,nop,wscale 7], length 0
19:56:57.087457 IP6 2a04:f310:100:3:f816:3eff:fea3:4553.443 > 2001:db8::1.47386: Flags [S.], seq 2396216876, ack 262121610, win 28560, options [mss 1440,sackOK,TS val 82836580 ecr 298423713,nop,wscale 7], length 0
19:56:57.087490 IP6 2001:db8::1.47386 > 2a04:f310:100:3:f816:3eff:fea3:4553.443: Flags [.], ack 1, win 225, options [nop,nop,TS val 298423723 ecr 82836580], length 0
19:56:57.087692 IP6 2001:db8::1.47386 > 2a04:f310:100:3:f816:3eff:fea3:4553.443: Flags [P.], seq 1:322, ack 1, win 225, options [nop,nop,TS val 298423723 ecr 82836580], length 321
19:56:57.126190 IP6 2a04:f310:100:3:f816:3eff:fea3:4553.443 > 2001:db8::1.47386: Flags [.], ack 322, win 232, options [nop,nop,TS val 82836590 ecr 298423723], length 0
19:56:57.141224 IP6 2a04:f310:100:3:f816:3eff:fea3:4553.443 > 2001:db8::1.47386: Flags [P.], seq 2857:3678, ack 322, win 232, options [nop,nop,TS val 82836594 ecr 298423723], length 821
19:56:57.141301 IP6 2001:db8::1.47386 > 2a04:f310:100:3:f816:3eff:fea3:4553.443: Flags [.], ack 1, win 248, options [nop,nop,TS val 298423736 ecr 82836590,nop,nop,sack 1 2857:3678], length 0


The first 3 packets is the handshake. Both ends announce mss 1440 which means they are capable of receiving packets with 1440 bytes of TCP payload, counting headers as well it totals to 1500 bytes of IP traffic, which is what Ethernet commonly supports.



The next 2 packets is client hello and acknowledgement it was received by the server.



The final 2 packets is where things get interesting. By default tcpdump shows relative sequence numbers, which in this case make the capture easier to read. In the packet from the server this is the interesting part seq 2857:3678. We see a jump from 1 to 2857 which means there is a gap of 2856 bytes which the client did not yet receive. 2856 bytes corresponds to two packets of 1428 bytes. The difference between 1440 and 1428 is the size of a timestamp option.



So, the server sent the server hello split across 3 packets. But the first two were too large for the network and were not delivered to the client.



In the final packet from client to server we see this sack 1 2857:3678. This is a selective acknowledgement sent by the client informing the server that there is a gap in the data it has received this far.



Likely the server keeps sending the two lost packets over and over again. But no matter how many times it retransmits the same two packets they remain too large for the network. And probably a router on the path sends an error message back to the server informing it the packets are too large and need to be retransmitted in smaller packets.



If the server received those error messages, it would retransmit the packets smaller as needed. And it would remember the smaller PMTU such that on subsequent requests it does not have to repeat this discovery step.



A possible explanation for all of this is that you have a misconfigured firewall which drops all of the error messages informing your server it needs to retransmit the data in smaller packets.






share|improve this answer














You have an MTU problem.



I tested wget -O /dev/null https://www.ekasparova.eu while observing the traffic with tcpdump. This is what I saw:



19:56:57.048361 IP6 2001:db8::1.47386 > 2a04:f310:100:3:f816:3eff:fea3:4553.443: Flags [S], seq 262121609, win 28800, options [mss 1440,sackOK,TS val 298423713 ecr 0,nop,wscale 7], length 0
19:56:57.087457 IP6 2a04:f310:100:3:f816:3eff:fea3:4553.443 > 2001:db8::1.47386: Flags [S.], seq 2396216876, ack 262121610, win 28560, options [mss 1440,sackOK,TS val 82836580 ecr 298423713,nop,wscale 7], length 0
19:56:57.087490 IP6 2001:db8::1.47386 > 2a04:f310:100:3:f816:3eff:fea3:4553.443: Flags [.], ack 1, win 225, options [nop,nop,TS val 298423723 ecr 82836580], length 0
19:56:57.087692 IP6 2001:db8::1.47386 > 2a04:f310:100:3:f816:3eff:fea3:4553.443: Flags [P.], seq 1:322, ack 1, win 225, options [nop,nop,TS val 298423723 ecr 82836580], length 321
19:56:57.126190 IP6 2a04:f310:100:3:f816:3eff:fea3:4553.443 > 2001:db8::1.47386: Flags [.], ack 322, win 232, options [nop,nop,TS val 82836590 ecr 298423723], length 0
19:56:57.141224 IP6 2a04:f310:100:3:f816:3eff:fea3:4553.443 > 2001:db8::1.47386: Flags [P.], seq 2857:3678, ack 322, win 232, options [nop,nop,TS val 82836594 ecr 298423723], length 821
19:56:57.141301 IP6 2001:db8::1.47386 > 2a04:f310:100:3:f816:3eff:fea3:4553.443: Flags [.], ack 1, win 248, options [nop,nop,TS val 298423736 ecr 82836590,nop,nop,sack 1 2857:3678], length 0


The first 3 packets is the handshake. Both ends announce mss 1440 which means they are capable of receiving packets with 1440 bytes of TCP payload, counting headers as well it totals to 1500 bytes of IP traffic, which is what Ethernet commonly supports.



The next 2 packets is client hello and acknowledgement it was received by the server.



The final 2 packets is where things get interesting. By default tcpdump shows relative sequence numbers, which in this case make the capture easier to read. In the packet from the server this is the interesting part seq 2857:3678. We see a jump from 1 to 2857 which means there is a gap of 2856 bytes which the client did not yet receive. 2856 bytes corresponds to two packets of 1428 bytes. The difference between 1440 and 1428 is the size of a timestamp option.



So, the server sent the server hello split across 3 packets. But the first two were too large for the network and were not delivered to the client.



In the final packet from client to server we see this sack 1 2857:3678. This is a selective acknowledgement sent by the client informing the server that there is a gap in the data it has received this far.



Likely the server keeps sending the two lost packets over and over again. But no matter how many times it retransmits the same two packets they remain too large for the network. And probably a router on the path sends an error message back to the server informing it the packets are too large and need to be retransmitted in smaller packets.



If the server received those error messages, it would retransmit the packets smaller as needed. And it would remember the smaller PMTU such that on subsequent requests it does not have to repeat this discovery step.



A possible explanation for all of this is that you have a misconfigured firewall which drops all of the error messages informing your server it needs to retransmit the data in smaller packets.







share|improve this answer














share|improve this answer



share|improve this answer








edited 26 mins ago

























answered 1 hour ago









kasperd

25k104996




25k104996







  • 1




    Interesting. Thank you! Those error messages - I guess it is ICMP protocol... Is there a way to test it? The firewall on the server, and the firewall between the server and the internet, should be open for all ICMP communication.
    – j.kaspar
    54 mins ago










  • @j.kaspar What are the firewalls? How are they configured? How did you test them?
    – Michael Hampton♦
    48 mins ago










  • @MichaelHampton there is iptables firewall installed directly on the server. The second one belongs to the datacenter and I am able to manage it's rules. I don't really know how to test the ICMP. But the rules on both are set to anywhere<->anywhere allowed for ICMP
    – j.kaspar
    43 mins ago











  • @j.kaspar On a Linux server, try traceroute6 --mtu www.google.com and look for F=#### inserted into the output lines, or output lines where no response comes back at all. On second thought, just run it and edit your question with the output.
    – Michael Hampton♦
    33 mins ago










  • @MichaelHampton Done. However I am not sure how to interpret the result. Does that mean, that the communication doesn't pass the second hop at all?
    – j.kaspar
    9 mins ago












  • 1




    Interesting. Thank you! Those error messages - I guess it is ICMP protocol... Is there a way to test it? The firewall on the server, and the firewall between the server and the internet, should be open for all ICMP communication.
    – j.kaspar
    54 mins ago










  • @j.kaspar What are the firewalls? How are they configured? How did you test them?
    – Michael Hampton♦
    48 mins ago










  • @MichaelHampton there is iptables firewall installed directly on the server. The second one belongs to the datacenter and I am able to manage it's rules. I don't really know how to test the ICMP. But the rules on both are set to anywhere<->anywhere allowed for ICMP
    – j.kaspar
    43 mins ago











  • @j.kaspar On a Linux server, try traceroute6 --mtu www.google.com and look for F=#### inserted into the output lines, or output lines where no response comes back at all. On second thought, just run it and edit your question with the output.
    – Michael Hampton♦
    33 mins ago










  • @MichaelHampton Done. However I am not sure how to interpret the result. Does that mean, that the communication doesn't pass the second hop at all?
    – j.kaspar
    9 mins ago







1




1




Interesting. Thank you! Those error messages - I guess it is ICMP protocol... Is there a way to test it? The firewall on the server, and the firewall between the server and the internet, should be open for all ICMP communication.
– j.kaspar
54 mins ago




Interesting. Thank you! Those error messages - I guess it is ICMP protocol... Is there a way to test it? The firewall on the server, and the firewall between the server and the internet, should be open for all ICMP communication.
– j.kaspar
54 mins ago












@j.kaspar What are the firewalls? How are they configured? How did you test them?
– Michael Hampton♦
48 mins ago




@j.kaspar What are the firewalls? How are they configured? How did you test them?
– Michael Hampton♦
48 mins ago












@MichaelHampton there is iptables firewall installed directly on the server. The second one belongs to the datacenter and I am able to manage it's rules. I don't really know how to test the ICMP. But the rules on both are set to anywhere<->anywhere allowed for ICMP
– j.kaspar
43 mins ago





@MichaelHampton there is iptables firewall installed directly on the server. The second one belongs to the datacenter and I am able to manage it's rules. I don't really know how to test the ICMP. But the rules on both are set to anywhere<->anywhere allowed for ICMP
– j.kaspar
43 mins ago













@j.kaspar On a Linux server, try traceroute6 --mtu www.google.com and look for F=#### inserted into the output lines, or output lines where no response comes back at all. On second thought, just run it and edit your question with the output.
– Michael Hampton♦
33 mins ago




@j.kaspar On a Linux server, try traceroute6 --mtu www.google.com and look for F=#### inserted into the output lines, or output lines where no response comes back at all. On second thought, just run it and edit your question with the output.
– Michael Hampton♦
33 mins ago












@MichaelHampton Done. However I am not sure how to interpret the result. Does that mean, that the communication doesn't pass the second hop at all?
– j.kaspar
9 mins ago




@MichaelHampton Done. However I am not sure how to interpret the result. Does that mean, that the communication doesn't pass the second hop at all?
– j.kaspar
9 mins ago










j.kaspar is a new contributor. Be nice, and check out our Code of Conduct.









 

draft saved


draft discarded


















j.kaspar is a new contributor. Be nice, and check out our Code of Conduct.












j.kaspar is a new contributor. Be nice, and check out our Code of Conduct.











j.kaspar is a new contributor. Be nice, and check out our Code of Conduct.













 


draft saved


draft discarded














StackExchange.ready(
function ()
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fserverfault.com%2fquestions%2f935802%2fnginx-ssl-does-not-respond-over-ipv6%23new-answer', 'question_page');

);

Post as a guest













































































Popular posts from this blog

How to check contact read email or not when send email to Individual?

Displaying single band from multi-band raster using QGIS

How many registers does an x86_64 CPU actually have?