Dual-Stack Monitoring

I recently got one of those shiny new domains under one of those new TLDs (has something to do with my first and last name ;-).

I added the BIND configuration by copying another zone file and then replaced the relevant parts. I also created a new Apache vhost, restarted both services and tested from my computer. Everything worked.

Well, not everything. I only tested using IPv6 and not v4. I had a wrong IPv4 address in my zone file. :-(

If you run dual-stacked services, always test and monitor both protocols. If you're using Icinga / Nagios, take a look at check_v46.

If you have both A and AAAA records for the host you are monitoring, check_v46 will run a plugin for both address types:


root@mon:/usr/lib/nagios/plugins# ./check_v46 ./check_http -H blog.quux.de
OK: IPv6/blog.quux.de OK, IPv4/blog.quux.de OK | ipv6_a1_time=4.708759s;;;0.000000 ipv6_a1_size=26086B;;;0 ipv4_a1_time=2.244641s;;;0.000000 ipv4_a1_size=26061B;;;0
Status details:
IPv6/blog.quux.de:
HTTP OK: HTTP/1.1 200 OK - 26086 bytes in 4.709 second response time
IPv4/blog.quux.de:
HTTP OK: HTTP/1.1 200 OK - 26061 bytes in 2.245 second response time

If you have only an A or only an AAAA record, there will be only one check:


root@mon:/usr/lib/nagios/plugins# ./check_v46 ./check_http -H www.wordpress.org
OK: IPv4/www.wordpress.org OK | ipv4_a1_time=0.383439s;;;0.000000 ipv4_a1_size=275B;;;0
Status details:
IPv4/www.wordpress.org:
HTTP OK: HTTP/1.1 301 Moved Permanently - 275 bytes in 0.383 second response time
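
The idea behind check_v46, as an added example (not code from check_v46 or from the original post): resolve the host, probe every published address family separately, and go CRITICAL if any one of them fails. The function names, the plain TCP probe and the loopback guard are assumptions of this example; the addresses in the demo are constructed.

```python
import ipaddress
import socket

FAMILIES = {socket.AF_INET6: "IPv6", socket.AF_INET: "IPv4"}

def resolve(host, port):
    """Return {"IPv6": [addr, ...], "IPv4": [addr, ...]} from the system resolver."""
    found = {}
    try:
        infos = socket.getaddrinfo(host, port, type=socket.SOCK_STREAM)
    except socket.gaierror:
        return found
    for family, _, _, _, sockaddr in infos:
        label = FAMILIES.get(family)
        if label and sockaddr[0] not in found.setdefault(label, []):
            found[label].append(sockaddr[0])
    return found

def tcp_probe(addr, port, timeout=5.0):
    """Return None on success, or an error string if the TCP connect fails."""
    try:
        with socket.create_connection((addr, port), timeout=timeout):
            return None
    except OSError as exc:
        return str(exc)

def check_dual_stack(host, port=80, resolver=resolve, probe=tcp_probe):
    """Probe every published address; return (nagios_exit_code, summary)."""
    records = resolver(host, port)
    if not records:
        return 3, f"UNKNOWN: no A or AAAA record for {host}"
    parts, failed = [], False
    for label in ("IPv6", "IPv4"):
        for addr in records.get(label, []):
            ip = ipaddress.ip_address(addr)
            if ip.is_loopback or ip.is_unspecified:
                # Probing this would only test the monitoring host itself.
                error = "record points at a loopback/unspecified address"
            else:
                error = probe(addr, port)
            failed = failed or error is not None
            parts.append(f"{label}/{addr} " + ("OK" if error is None else f"CRITICAL ({error})"))
    return (2 if failed else 0), ("CRITICAL: " if failed else "OK: ") + ", ".join(parts)

if __name__ == "__main__":
    # Constructed scenario: the AAAA record is right, the A record has a typo.
    fake_dns = lambda host, port: {"IPv6": ["2001:db8::10"], "IPv4": ["192.0.2.99"]}
    fake_net = lambda addr, port: None if addr == "2001:db8::10" else "timed out"
    print(check_dual_stack("www.example.com", resolver=fake_dns, probe=fake_net))
```

A test from an IPv6-preferring client would have reported this host as fine; probing each family on its own is what surfaces the broken A record.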

More IPv6 problems (I)

Several talks at last week's IPv6 Kongress in Frankfurt mentioned the problems you encounter when your provider does only DS-Lite. DS-Lite means you have native IPv6, and IPv4 is tunneled via IPv6 and NATed at your provider's edge. This way your provider saves IPv4 addresses. This is the case with most (all?) German cable TV ISPs. So if you get a new connection (new customer, upgrade, or you're just moving) you’ll end up with IPv6 and an IPv4 address shared with X other customers. Other providers may leave out the IPv6 part, assign you a private IPv4 address and let you share a public IPv4 address with others.

There are some problems with that:

1. Some applications won’t work. Most likely your NAS box at home (or in my case it would be an ssh connection to my home lab), VPNs, SIP and some games will break. For SIP there is a blog post by SIPGATE (a large German SIP provider) (in German). To summarize: They complain that cable ISPs suddenly introduced this new IPv6 protocol. This was a total surprise. There are many comments attached to this post telling SIPGATE that they should have started implementing IPv6 some time ago.

2. If your ISP hides too many users behind one public IP address, things will break: Missing parts on Google Maps are one thing (see this presentation). I did some tests for customers and in one case I managed to lose the search field on the customer's web page (which is essential if you are selling used cars) and in another case I managed to get rid of the login fields on the web page of an insurance company (which people might be using to log into their accounts to buy new contracts, file insurance claims, …).

One of the questions asked last week: “Is there a workaround?” – Yes there is! Implement IPv6 on the Internet-facing side of your business now. You should have done it a year or two ago, but that’s your problem.

Looking at the Google statistics, about 8 percent of the users in Germany access Google via IPv6. Be aware that you will make mistakes implementing IPv6. The question is: How many of your users will notice? 10%, 15%, 20%, 25%, …?

If you still refuse to implement IPv6 you are not alone. And I don’t mind. The longer you wait, the higher my hourly rates will be. And not only mine, there is a limited number of IPv6 literates out there. And if suddenly all people decide that they need new routing, switching and firewall equipment, they’ll notice that it takes your favorite (and all other) vendor some weeks to deliver.

BTW: If you want to test if your provider is using CGN, this test might help.

IPv6 problem

Today I stumbled over another IPv6 Layer-8 problem.

I tried to access the customer's WLAN. As usual with many WLAN setups, there is a captive portal where you have to enter some credentials and after that you can access the network. Instead of a captive portal I saw the starting page of my locally installed Apache. Digging a little deeper:


host protal.example.com
protal.example.com has address 192.0.2.10
protal.example.com has IPv6 address ::1

[x] Captive portal is IPv6 enabled!

I think I was wearing the right T-Shirt at last week's IPv6 Kongress in Frankfurt.

v6 only Puppet master (on Debian Wheezy)

On my server I’m running out of vintage IPv4 addresses. So I have to run some servers IPv6 only. One of my first choices was to migrate my puppet master to v6-only.

On Debian Wheezy (and probably others) you have to add

bindaddress = ::

to the master section of your puppet.conf.

(Thanks to yath on #debian.de)

Almost ad-free surfing

You don’t need any browser plugins. When you are using Windows 7 just run netsh interface ipv4 uninstall. ;-) Yes, the number of web pages you can access is rather limited. But that’s not my fault. I’ve been telling people for ages.

(As always, you should know what you're doing before running any commands you find on the Internet.)

Moved

It took more than a year but I finally moved all services to my new server(s).

The “new” server has 4 Cores, 16GB of RAM, a /28 IPv4 and a /48 IPv6. The new setup is based on Debian, preseed, libvirt / kvm and some puppet. I’ll add some OpenVSwitch to the mix soon.

Things on my todo list:

- write a libvirt plugin for Icinga (Nagios)
- automatically set up DNS records when creating a new VM
- more puppet
- move some services (like the puppet master) to v6 only. IPv4 addresses are scarce.

Basic Linux Troubleshooting

When a service suddenly stops working, do some basic troubleshooting first. Checking for free disk space is always a good idea (especially when you don’t look at your monitoring system).

So before removing and reinstalling packages, run df -h and df -i to see if there is enough free space and enough free inodes.

No, not my system. I was just asked to help.