SSH through IPv6 times out

Posted October 9, 2017 14.3k views
IPv6Ubuntu 16.04

I first noticed the problem that whenever I would try to ssh into my droplet using the domain name, it would take about two minutes. When I used ssh -vvv, I found that it was the IPv6 causing the problem– It would time out when trying the IPv6 address, then fall to the IPv4 and work fine–

debug1: Connecting to [****:****:***:**::****:8001] port 22.
debug1: connect to address ****:****:***:**::****:**** port 22: Connection timed out
debug1: Connecting to [***.***.**.240] port 22.
debug1: Connection established.

(I generalized the message. It’s not exactly a secret site, though.)

And when I try to connect using only the IPv6 address instead of the domain, it fails. (Works fine with IPv4 address.)

I went through the DO SSH troubleshooting article, but it didn’t make any difference. Where can I go to try to troubleshoot this?

(If it’s relevant, I’m using nginx on this server. I have another server that uses nginx, but it doesn’t have this problem.)

These answers are provided by our Community. If you find them useful, show some love by clicking the heart. If you run into issues leave a comment, or add your own answer to help others.

Submit an Answer
7 answers

You probably just got the DNS AAAA record wrong. Check the IPv6 address you put in the DNS AAAA record. That is, make sure it matches whatever the IPv6 address actually is on your ‘droplet’.

And nginx has nothing to do with it.

  • It also doesn’t work when I use the IPv6 address directly (in either ssh or the browser).

    Update: I guess it’s not supposed to through the browser.

    Update: It’s also not responding to ping6 through the CLI, either, but my other servers are.

Also realize that your ip6tables is separate from your iptables (which is IPv4-only), so make sure that any filters allow SSH.

In addition to the other update, I’ve discovered that the “inet6 addr” displayed in ifconfig does not match the ipv6 address listed in the droplets dashboard. [CORRECTION: It’s just missing altogether. What’s listed is the Scope:Link; Scope:Global just isn’t there.] Neither responds to ping6. The one in the dashboard has a 100% packet loss, and the one listed in ifconfig says “connect: Invalid argument.”

Update: And refreshing the page doesn’t work, but just simply going to it does. :\ This is really weird.

  • OK so something is wrong, maybe something is broken in your droplet. You should not have needed to manually set the IPv6 address or IPv6 route, but since something is broken just set them manually inside your droplet (not in the dashboard).

    You should see the same global IPv6 address in the output of ‘ifconfig’ or 'ip -6 addr’ as you get in the dashboard. You should also get the same IPv6 default gateway in the output of 'ip -6 route’ as you get in the dashboard.

  • Sounds like you did some manual reconfiguration that broke their automatic stuff. Anyway, once you use the addresses they gave you and make sure the dns entries match those addresses, you should be able to reach the droplet via IPv4 or IPv6. You should have no problem ssh'ing directly in as root via IPv6.

Assuming you have a debian-based linux droplet (like ubuntu) then your IPv4 and IPv6 static network settings should be in /etc/network/interfaces. Make sure you set the entries there to match whatever the dashboard says they should be.

Well, I’m at the point now where I just need to destroy the droplet and restart. I can no longer SSH at all anymore, and I can’t log in through the console, either. Thanks for the help, though.

I know this is old, but I’ve spent the better part of 4 days trying to figure out why none of my three Fedora instances would connect over ipv6. It would try to connect, get ‘no route to host’ and then fail over to IPV4. Which is fine, it just caused the connection step to hang a bit.

For whatever reason, if I copied /etc/sysconfig/network-scripts/ifcfg-eth0* to home and then deleted them, rebooted, and then copied them back and rebooted again, everything would work again.

I can’t explain it, but hope it helps someone. I suspect that something got them all out of sync and then the reboot with no connection “reset” whatever was wrong and then it works.

I am posting here because it looks like I may have the same problem as the original question.

My droplet suddenly stopped accepting IPv6 connections. The OS on this droplet (Debian 9) has over 270 days of continuous uptime and has never had problems with IPv6 connections in the past. What could have changed?

I can’t ssh into the server and can’t ping it, over IPv6. But if I force IPv4, I have no problem connecting.

I have made no configuration changes over the past few days, and my DNS records appear to be set up correctly (I also haven’t changed them in a while).