Hi Jeroen
There were two issues, one has been resolved, which was the routing
issue I was seeing from one of the networks where I tested from.
What remains is that I can't open a successful TCP connection to
www.swisscom.ch on Port 443 when coming from a non-swisscom network.
> Check with a tcpdump, don't forget to include ICMP.
>
> Could also be an MTU issue or something on your side killing it.
>
> Of course the behavior of the "load balancer" says quite a few things...
> sbb.ch is like that too...
>
I tried different ISPs to which I have access and I can't establish a
IPv6 connection to port TCP/443 to neither 2a02:a90:c400:4001::2 nor
2a02:a90:c400:5001::2 which seems the two loadbalancers responsible for
www.swisscom.ch except from a Swisscom Business DSL connection.
Init7 -> fail
UPC Business -> fail
Tineo/Netrics -> fail
NTS -> fail
TCP dump looks like that
tcpdump -v -ni eth1 host 2a02:a90:c400:4001::2
tcpdump: listening on eth1, link-type EN10MB (Ethernet), capture size
262144 bytes
08:19:41.525301 IP6 (hlim 64, next-header TCP (6) payload length: 40)
2a00:c38:102::194.39622 > 2a02:a90:c400:4001::2.443: Flags [S], cksum
0x7192 (incorrect -> 0xdf6f), seq 788917482, win 28800, options [mss
1440,sackOK,TS val 2090291639 ecr 0,nop,wscale 7], length 0
08:19:42.522914 IP6 (hlim 64, next-header TCP (6) payload length: 40)
2a00:c38:102::194.39622 > 2a02:a90:c400:4001::2.443: Flags [S], cksum
0x7192 (incorrect -> 0xde75), seq 788917482, win 28800, options [mss
1440,sackOK,TS val 2090291889 ecr 0,nop,wscale 7], length 0
08:19:44.526884 IP6 (hlim 64, next-header TCP (6) payload length: 40)
2a00:c38:102::194.39622 > 2a02:a90:c400:4001::2.443: Flags [S], cksum
0x7192 (incorrect -> 0xdc80), seq 788917482, win 28800, options [mss
1440,sackOK,TS val 2090292390 ecr 0,nop,wscale 7], length 0
08:19:48.534889 IP6 (hlim 64, next-header TCP (6) payload length: 40)
2a00:c38:102::194.39622 > 2a02:a90:c400:4001::2.443: Flags [S], cksum
0x7192 (incorrect -> 0xd896), seq 788917482, win 28800, options [mss
1440,sackOK,TS val 2090293392 ecr 0,nop,wscale 7], length 0
08:19:53.528648 IP6 (hlim 51, next-header TCP (6) payload length: 20)
2a02:a90:c400:4001::2.443 > 2a00:c38:102::194.39622: Flags [R.], cksum
0x85fa (correct), seq 0, ack 788917483, win 0, length 0
Sometimes, if I try hard enough I get a TCP connection and something
like a TLS1.3 session but no successul TLS negociation (neither with
wget nor with openssl s_client): then it looks like that:
08:27:26.984895 IP6 (flowlabel 0x76030, hlim 64, next-header TCP (6)
payload length: 20) 2a02:a90:c400:4001::2.443 >
2001:1a88:2200:505::6.53984: Flags [R.], cksum 0xcb4a (correct), seq
448778729, ack 2002587856, win 234, length 0
08:27:32.727483 IP6 (flowlabel 0x90338, hlim 64, next-header TCP (6)
payload length: 40) 2001:1a88:2200:505::6.53988 >
2a02:a90:c400:4001::2.443: Flags [S], cksum 0x9a58 (incorrect ->
0x3075), seq 3336725868, win 64800, options [mss 1440,sackOK,TS val
1531978773 ecr 0,nop,wscale 7], length 0
08:27:32.727864 IP6 (flowlabel 0x53256, hlim 64, next-header TCP (6)
payload length: 32) 2a02:a90:c400:4001::2.443 >
2001:1a88:2200:505::6.53988: Flags [S.], cksum 0x6587 (correct), seq
83163391, ack 3336725869, win 28800, options [mss
1440,nop,nop,sackOK,nop,wscale 7], length 0
08:27:32.727910 IP6 (flowlabel 0x90338, hlim 64, next-header TCP (6)
payload length: 20) 2001:1a88:2200:505::6.53988 >
2a02:a90:c400:4001::2.443: Flags [.], cksum 0x9a44 (incorrect ->
0x14cb), seq 1, ack 1, win 507, length 0
08:27:32.728373 IP6 (flowlabel 0x90338, hlim 64, next-header TCP (6)
payload length: 337) 2001:1a88:2200:505::6.53988 >
2a02:a90:c400:4001::2.443: Flags [P.], cksum 0x9b81 (incorrect ->
0x4bc2), seq 1:318, ack 1, win 507, length 317
08:27:32.728556 IP6 (flowlabel 0x53256, hlim 64, next-header TCP (6)
payload length: 20) 2a02:a90:c400:4001::2.443 >
2001:1a88:2200:505::6.53988: Flags [.], cksum 0x149f (correct), seq 1,
ack 318, win 234, length 0
08:27:44.732866 IP6 (flowlabel 0x53256, hlim 64, next-header TCP (6)
payload length: 20) 2a02:a90:c400:4001::2.443 >
2001:1a88:2200:505::6.53988: Flags [R.], cksum 0x149b (correct), seq 1,
ack 318, win 234, length 0
I'm by no means a tcpdump expert:
Those incorrect checksums: are my systems generating incorrect checksums
or is it the swisscom side? It seems weird that different systems with
different OS at different customers would all start making wrong tcp
checksums.
Best Regards
Jean-Pierre
--
HILOTEC Engineering + Consulting AG - Langnau im Emmental
IT für KMUs: Netzwerke, Server, PCs, Linux, Telefonanlagen,
VOIP, Hosting, Datenbanken, Entwicklung, WLAN, Cloud, Firewalls
Tel: +41 34 408 01 00 - https://www.hilotec.com/
___
swinog mailing list
swinog@lists.swinog.ch
http://lists.swinog.ch/cgi-bin/mailman/listinfo/swinog