I have an Ubuntu 14.04 droplet with ipv6 enabled that’s been running fine for several months on kernel 3.13.0-43-generic.

I decided to update to get latest security fixes so I ran

# apt-get update && apt-get upgrade

A handful of packages were kept back so I did a

# apt-get dist-upgrade

All looked fine: packages upgraded and kernel upgraded to 3.13.0-63-generic
I powered off, selected new kernel from the web UI and powered on.

Now, when the droplet comes up, ipv6 connectivity is fine for about a minute or so. Then it stops being able to ping the gateway (but can still ping itself):

# ping6 -c 4 2a03:b0c0:1:d0::1
PING 2a03:b0c0:1:d0::1(2a03:b0c0:1:d0::1) 56 data bytes
From 2a03:b0c0:1:d0::31e:5001 icmp_seq=1 Destination unreachable: Address unreachable
From 2a03:b0c0:1:d0::31e:5001 icmp_seq=2 Destination unreachable: Address unreachable
From 2a03:b0c0:1:d0::31e:5001 icmp_seq=3 Destination unreachable: Address unreachable
From 2a03:b0c0:1:d0::31e:5001 icmp_seq=4 Destination unreachable: Address unreachable

--- 2a03:b0c0:1:d0::1 ping statistics ---
4 packets transmitted, 0 received, +4 errors, 100% packet loss, time 3014ms

ipv4 pings look fine:

# ping -c 30 8.8.8.8
PING 8.8.8.8 (8.8.8.8) 56(84) bytes of data.
64 bytes from 8.8.8.8: icmp_seq=1 ttl=57 time=2.47 ms
64 bytes from 8.8.8.8: icmp_seq=2 ttl=57 time=1.87 ms
...

I think I’ve narrowed the cause down to iptables: if I flush the rules and allow all incoming traffic I can ping the gateway again:

# ip6tables -F
# ip6tables -P INPUT ACCEPT
# ping6 -c 4 2a03:b0c0:1:d0::1
PING 2a03:b0c0:1:d0::1(2a03:b0c0:1:d0::1) 56 data bytes
64 bytes from 2a03:b0c0:1:d0::1: icmp_seq=1 ttl=64 time=5.23 ms
64 bytes from 2a03:b0c0:1:d0::1: icmp_seq=2 ttl=64 time=0.986 ms
64 bytes from 2a03:b0c0:1:d0::1: icmp_seq=3 ttl=64 time=2.58 ms
64 bytes from 2a03:b0c0:1:d0::1: icmp_seq=4 ttl=64 time=3.81 ms

--- 2a03:b0c0:1:d0::1 ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 3004ms
rtt min/avg/max/mdev = 0.986/3.153/5.230/1.564 ms

My /etc/iptables/rules.v6 is:

# Generated by ip6tables-save v1.4.21 on Mon Mar  9 09:54:32 2015
*filter
:INPUT DROP [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 2222 -m state --state NEW -m recent --set --name SSH --mask ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff --rsource -j ACCEPT
-A INPUT -m recent --update --seconds 600 --hitcount 8 --rttl --name SSH --mask ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff --rsource -j DROP
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 8041 -j ACCEPT
COMMIT
# Completed on Mon Mar  9 09:54:32 2015

I suspect the rate-limit has something to do with it, but that’s only supposed to affect ssh (on port 2222). Can anyone spot the issue here?