SSH through IPv6 times out

October 9, 2017 118 views
IPv6 Ubuntu 16.04

I first noticed the problem that whenever I would try to ssh into my droplet using the domain name, it would take about two minutes. When I used ssh -vvv, I found that it was the IPv6 causing the problem-- It would time out when trying the IPv6 address, then fall to the IPv4 and work fine--

debug1: Connecting to [****:****:***:**::****:8001] port 22.
debug1: connect to address ****:****:***:**::****:**** port 22: Connection timed out
debug1: Connecting to [***.***.**.240] port 22.
debug1: Connection established.

(I generalized the message. It's not exactly a secret site, though.)

And when I try to connect using only the IPv6 address instead of the domain, it fails. (Works fine with IPv4 address.)

I went through the DO SSH troubleshooting article, but it didn't make any difference. Where can I go to try to troubleshoot this?

(If it's relevant, I'm using nginx on this server. I have another server that uses nginx, but it doesn't have this problem.)

4 Answers

You probably just got the DNS AAAA record wrong. Check the IPv6 address you put in the DNS AAAA record. That is, make sure it matches whatever the IPv6 address actually is on your 'droplet'.

And nginx has nothing to do with it.

  • It also doesn't work when I use the IPv6 address directly (in either ssh or the browser).

    Update: I guess it's not supposed to through the browser.

    Update: It's also not responding to ping6 through the CLI, either, but my other servers are.

Also realize that your ip6tables is separate from your iptables (which is IPv4-only), so make sure that any filters allow SSH.

In addition to the other update, I've discovered that the "inet6 addr" displayed in ifconfig does not match the ipv6 address listed in the droplets dashboard. [CORRECTION: It's just missing altogether. What's listed is the Scope:Link; Scope:Global just isn't there.] Neither responds to ping6. The one in the dashboard has a 100% packet loss, and the one listed in ifconfig says "connect: Invalid argument."

Update: And refreshing the page doesn't work, but just simply going to it does. :\ This is really weird.

  • OK so something is wrong, maybe something is broken in your droplet. You should not have needed to manually set the IPv6 address or IPv6 route, but since something is broken just set them manually inside your droplet (not in the dashboard).

    You should see the same global IPv6 address in the output of 'ifconfig' or 'ip -6 addr' as you get in the dashboard. You should also get the same IPv6 default gateway in the output of 'ip -6 route' as you get in the dashboard.

  • Sounds like you did some manual reconfiguration that broke their automatic stuff. Anyway, once you use the addresses they gave you and make sure the dns entries match those addresses, you should be able to reach the droplet via IPv4 or IPv6. You should have no problem ssh'ing directly in as root via IPv6.

Assuming you have a debian-based linux droplet (like ubuntu) then your IPv4 and IPv6 static network settings should be in /etc/network/interfaces. Make sure you set the entries there to match whatever the dashboard says they should be.

Have another answer? Share your knowledge.