Closed sunny75016 closed 4 years ago
Hi. You're right in that our server can not connect to 2a09:cd40:f:4255::1 on port 80. It can not ping it either. It can however ping and connect to other IPv6 hosts. The server that our traffic is coming from is an Amazon EC2 instance. We have another server at Vultr which has the exact same problem when talking to 2a09:cd40:f:4255::1. However, I've tested from an unrelated and lesser known network, and the traffic from there reaches your server fine...
I don't suppose you have any network filtering in place that might block traffic from certain Cloud/VPS ranges? I know that some organisations block web traffic from places like AWS to try and prevent bot traffic...
Additionally, I just tested your IP address using https://tools.keycdn.com/ipv6-ping and I'm seeing various locations are not able to reach it. When I test a v6 address under our control that tester is able to reach from all of its locations.
Additionally (and I don't know why I didn't do this first), we have a monitoring network with 10 hosts spread geographically across the World. Only 4 out of those 10 hosts are able to ping your v6 address.
Try `traceroute -6 -T -O info -p 443 beatquantum.com` to figure out where the culprit is
(It seems not related but I would never use ping in the first place. Often people block echo request or response.)
Apologies, the server was down for maintenance when you tried. I have used the suggested (traceroute -6 -T -O info -p 443 beatquantum.com) and it reaches the server fine. I have used the suggested (https://tools.keycdn.com/ipv6-ping) which reaches the server within milliseconds. However, I still get Hardenize error (attached picture). Thanks again Mike and drwetter - both of you have been fantastic.
https://tools.keycdn.com/ipv6-ping consistently shows me that their New York, Tokyo and Dallas locations can not reach www.beatquantum.com.
We can successfully talk to your web server at that IP from Frankfurt, London, Sydney and Bahrain, but we can not from Sao Paulo, Singapore, San Jose, Tokyo, Miami or Atlanta.
You're either having network issues or you're blocking the traffic.
I have not enabled geofencing and the firewall allows 443/tcp. Hardenize is able to reach my server on IPv4 but not IPv6. It could be just an issue that the time-out in the test script could be shorter than the connection for the route between respective servers. I am happy for you to close the issue, as all other aspects for (beatquantum.com) have been successfully measured except the IPv6 TLS. Thanks for trying anyway, much appreciated.
> We can successfully talk to your web server at that IP from Frankfurt, London, Sydney and Bahrain, but we can not from Sao Paulo, Singapore, San Jose, Tokyo, Miami or Atlanta.

Have you, @mikehardenize, tried `traceroute -6 -T -O info -p 443 beatquantum.com` from Sao Paulo, Singapore, San Jose, Tokyo, Miami or Atlanta?
To me it sounds more like a routing problem. That's why I recommended to use the traceroute command above.
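The distinction this thread turns on (TCP reachability on the service port, checked separately for IPv4 and IPv6, rather than ICMP ping) can be scripted. The following is an added example, not code from any participant or from Hardenize; the names `probe` and `probe_host` are hypothetical, and the loopback listener in the demo is constructed so the script runs offline.

```python
import errno
import ipaddress
import socket


def probe(addr, port=443, timeout=5.0):
    """TCP-connect to one literal IPv4/IPv6 address and classify the outcome."""
    v6 = ipaddress.ip_address(addr).version == 6
    family = socket.AF_INET6 if v6 else socket.AF_INET
    try:
        with socket.socket(family, socket.SOCK_STREAM) as s:
            s.settimeout(timeout)
            s.connect((addr, port))
            return "open"            # handshake completed: path and listener both fine
    except socket.timeout:
        return "timeout"             # SYN unanswered: silent drop (filter or routing black hole)
    except ConnectionRefusedError:
        return "refused"             # RST came back: path works, nothing listening
    except OSError as e:
        if e.errno in (errno.ENETUNREACH, errno.EHOSTUNREACH):
            return "unreachable"     # no route locally, or ICMP unreachable from a router
        return "error:" + errno.errorcode.get(e.errno, "unknown")


def probe_host(host, port=443, timeout=5.0):
    """Resolve host separately per address family and probe every address found."""
    results = {}
    for label, family in (("IPv4", socket.AF_INET), ("IPv6", socket.AF_INET6)):
        try:
            infos = socket.getaddrinfo(host, port, family, socket.SOCK_STREAM)
        except socket.gaierror:
            results[label] = {}      # no A / AAAA record for this family
            continue
        results[label] = {ai[4][0]: probe(ai[4][0], port, timeout) for ai in infos}
    return results


if __name__ == "__main__":
    # Constructed offline demo: a throwaway listener on IPv4 loopback stands in for the web server.
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    print(probe_host("127.0.0.1", srv.getsockname()[1], timeout=2.0))
    srv.close()
```

Run from several vantage points against the real hostname, an `open` result on IPv4 next to `timeout` or `unreachable` on IPv6 from only some locations points at the path rather than the server.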
Update from my side - I moved the hosting to another Cloud VPS provider with better control over IPv6 settings. Here is the result! https://www.hardenize.com/report/beatquantum.com/1593633829
I think the mta-sts will get sorted after the DNS propagation is completed. Thank you both. I am happy for Mike to close this entry once he has had a chance to look at this.
For what it's worth, I took a quick look at traceroute last night (sorry, I didn't keep the traces as I thought we'd do it again today) and it was indeed a routing issue upstream. There were issues with AWS, Rackspace, and Vultr. So overall, I'd say good call to change the provider.
Thanks Ivan - If this additional information is useful - I am now using Linode, and the IPv6 connections between Hardenize and my server are working just fine.
Ivan and Team, I am a long time happy user of Hardenize. Thanks! I notice today that the IPv6 connection to domain (beatquantum.com) is giving unreachable error via IPv6 on Hardenize. However, these websites are accessible via browsers and tested using https://ipv6-test.com/validate.php - Would you mind (a) flushing your DNS cache just in case that is stuck with older IPs and (b) checking your outbound IPv6 connectivity? Thanks.