Cisco IOS FW on ipv6 tunnel - issues with Google Chrome?

[lobotiger]

I'm running 12.4(24)T4 Advanced IP Services.  Was running T3 for most of 2010 and was having the problem with that version when I upgraded to T4 last night but still seeing the same issue.

BTW, I've noticed this issue on different machines running Windows 7 64/32 bit and Ubuntu but again only with Chrome and only when the firewall is enabled.

LoboTiger

[lobotiger]

No, I see no logs being generated from the firewall portion or the access-list.  Very odd.

Lobo

[lobotiger]

Well, interesting turn of events.  IPv6 traffic is working normally again with Chrome and with the IOS FW enabled on the tunnel.   

The old, "I swear I didn't touch a thing" adage is true here.  I didn't make any changes at all and was using Firefox over the weekend instead.  I decided to try Chrome again the sites were coming up blazingly fast and not the trickle like a dialup account.  The speed that the sites load up is equivalent to what I had before.  Could there have been an update to Chrome over the weekend?

Lobo

P.S. Curious to hear about the drawbacks for versions greater than 12.4(15)T.

[antillie]

I am rather interested in the drawbacks for versions prior to 12.4(15)T as well.

I haven't seen any issues with Chrome or Firefox over my tunnel. Although I am running 12.4(25d) instead of a "T" release so that might have something to do with it. I also have an MTU limit set on my router's LAN facing interface in an attempt to prevent MTU issues due to the tunneling overhead:

ipv6 mtu 1480

Since the IPv4 header added by the tunnel is 20 bytes in length I figure that limiting the IPv6 MTU on the LAN facing interface to 1480 will cause my local hosts to fragment their outbound IPv6 traffic right off the bat instead of waiting for an ICMPv6 "packet too big" reply from some far away remote host. That way the resulting IPv4 encapsulated packet will be 1500 bytes and traverse the network to HE's tunnel server without any issues.

I haven't seen any problems yet but there aren't exactly zillions of IPv6 enabled sites out there to test with.

[pbrutsch]

antillie, The reason I'm specific about the IOS version is due to the bugginess and the availability of those bug fixes. IOS 15.0M fixed numerous bugs for me that were introduced after IOS 12.4(15)T and have not been fixed in the 12.4(20)T -> 12.4(24)T maintenance rebuilds. Heck, even 12.4(15)T introduced bugs that haven't been fixed.

Additionally IOS 12.4T releases are generally considered beta quality, or otherwise not production-ready. Your 12.4(25d) release is a MUCH better choice than any 12.4T release, provided you don't desire features that were introduced in the 12.4T releases.

Regarding the MTU issue, you should ALWAYS try to avoid sending internet traffic over any sort of tunnel that doesn't provide fragmentation. It's not just the hosts on your LAN that can be a problem, it's the ones out in the world that don't realize you have a smaller MTU and try to send you 1500-byte packets. PMTUD (path MTU discovery) is generally pretty broken in practice.

In the IPv4 Cisco world you can do TCP MSS adjustment (or TCP MSS clamping, as some operating systems call it), but that feature doesn't seem to have a IPv6 equivalent in Cisco-land.