-
Notifications
You must be signed in to change notification settings - Fork 618
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
API SSL error with some ipv6 addresses #556
Comments
For me api.telegram.org resolves to 2001:67c:4e8:f004::9, which isn't in the mentioned network. |
Exactly, but why I didn't get full answer with IPv6 belonging to the above /48 range ? |
Why should you receive an answer from the 2001:67c:1298::/48 IP address, if api.telegram.org resolves to another address? |
OK, seems I didn't explain clearly: my IP is from 2001:67c:1298::/48 range. My other IP is from 2a01:4f8:210::/48 range. Connecting to api using the IP from this second range is OK but when I use the other IP from the first range I see some traffic with tcpdump, outgoing and incoming, which means both servers are connected and exchanging datas but nothing else, it finish with a timeout in terminal mode or error 28 SSL inside Librenms. Hope you now understand the problematic ;) |
This looks like an Internet connectivity issue, which happens much more often with IPv6 networks. You can try to use |
I don't think so: from the same IP range other computer I have the same problem. Also this server is ONLY ipv6 and running 24h/24h (backups, web server, emails aso) so I would not put 1 cent of the connectivity. Server is in a DC with other of our servers, no one is showing a problem. And remember, Librenms is running on it watching our servers in various countries, not any alert about such a failure. |
mtr report 17ms avg time with 0% loss for 100 packets sent |
|
Please, dont't try to explain me how mtr/icmp/... works. Generally we all use ICMP/ICMPv6 to check connectivity. If you feel out of idea, just tell it. Remember with one IP range it's OK the other one not, both using the same Internet provider till a certain point. |
If site works from one network and doesn't work from another, then this is very likely to be a network connectivity issue. The used protocol for data transfer is of utmost importance in the case of such network issues. For api.telegram.org there is no difference from which IPv6 address the request is received. |
I opened a case on peering partner. I ran a tcptraceroute6 and got for port 80
and for port 443
In verbose mode
Nothing more So like icmpv6, tcp6 seems OK but still in error. Banging my head :) |
Could you also try |
Could you also try from some other IP address from the |
Same with all 2001:67c:1298::/64 range (I use this /64 and 2001:67c:1298:10::/64 from this /48 range) root@zone-s:/tmp# mtr --tcp -P 443 --report-wide api.telegram.org I downloaded with curl from various repos including debian-netinstall.iso, everything like expected. |
First packets output of tcpdump from failing IP: 11:33:41.430289` ens1 Out IP6 2001:67c:1298::ff04.60280 > 2001:67c:4e8:f004::9.https: Flags [S], seq 2294335465, win 64800, options [mss 1440,sackOK,TS val 2421837041 ecr 0,nop,wscale 7], length 0 11:33:41.443297 ens1 In IP6 2001:67c:4e8:f004::9.https > 2001:67c:1298::ff04.60280: Flags [S.], seq 3879809308, ack 2294335466, win 28560, options [mss 1440,sackOK,TS val 3435357583 ecr 2421837041,nop,wscale 10], length 0 As you can notice, the before last line is a seq:5525:5698, ack 518 followed by a new ack1. Now the output of a working IP: 11:43:41.211636 ens1 Out IP6 2a01:4f8:120:1104::70:12.49804 > 2001:67c:4e8:f004::9.443: Flags [S], seq 3848103319, win 64800, options [mss 1440,sackOK,TS val 2764072909 ecr 0,nop,wscale 7], length 0 Here the before last line is seq1:1429 followed by the ack 1429 line which does the sequences continuing as they should. Question now is why in the first case I receive a false seq number with P flag ? |
Thank you for the additional information. Could you run |
|
It's really strange that you are able to receive the answer from api.telegram.org through another IPv6 address, but not through the default one. This could mean that someone in the middle intentionally blocks HTTPS to the specififc IPv6 address. Also, it can be seen from |
Do you really meant ipv6 2001:67c:4e8:f004::8 and not ::9 ? Output in verbose mode (tried with both IPs)
|
I have to add that against ipv6 ending with ::8 I get the same result -above one- with both IPs. If I do the test against ::9, only the "good" ipv6 shows the same result, the failing one giving curl -v --resolve api.telegram.org:443:[2001:67c:4e8:f004::9] https://api.telegram.org/bot123456789:AAAAAAAA/getme
That's all. To summarize: curl --resolve api.telegram.org:443:[2001:67c:4e8:f004::8] https://api.telegram.org/bot123456789:AAAAAAAA/getme {"ok":false,"error_code":401,"description":"Unauthorized"} Gives the same result with both IPs as curl --resolve api.telegram.org:443:[2001:67c:4e8:f004::9] https://api.telegram.org/bot123456789:AAAAAAAA/getme {"ok":false,"error_code":401,"description":"Unauthorized"} fail on IP src 2001:67c:1298::ff04 |
Yes. We wanted to test with the same server with a different IPv6 address. |
So as I get same result with my both ipv6 IPs against ::8 it means that something is wrong with ::9 |
Up ? |
Did you receive response from the peering partner? |
They say they are not involved, which seems to be right for me. Connecting to ::8 is OK to ::9 not, so they are in the pass on both IPs and don't fail with ::8 |
::8 has connected you with a server that is available with ::9, so there are no issues with TCP, IPv6, or Telegram servers. TCP with ::9 also works, so there is a specific issue with using HTTPS from your server to ::9. |
I have the same issue for the telegram API when using IPv6! Sometimes its just working but most of time its not. v4 always fine.
Any other IPv6 server with curl tests just fine and always works. |
I fully confirm that there is still a bug:
|
@around84 This is still looks like an Internet connectivity issue, which happens much more often with IPv6 networks, or a block by government/Internet provider. |
Got this issue too. |
What if try to set MTU lower then 1500 on ipv6 interface? |
No changes on my side. Link to pcap capture https://tdrive.tootai.net/s/GNGzJWr7NQwdkMX |
i have the same issue, after 10 tries it randomly works |
Hi list,
I use Telegram bot on a Debian12 ipv6 server running librenms and Transport being Telegram. I also wrote a script to send messages to a group. Since those last days I didn't receive any alert from Librenms and I discover that curl fail with error 28 SSL connection timeout when testing from Librenms. An error occurs too after 2 minutes when I run curl from command line like
curl https://api.telegram.org/bot/sendMessage?chat_id=&text=Is%20not,%20functional%20yet
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
0 0 0 0 0 0 0 0 --:--:-- 0:02:01 --:--:-- 0
curl: (35) Recv failure: Connection reset by peer
Running curl -4 ... and the job is done. api.telegram.org is resolved in ipv4 and ipv6, nc -v <api.telegram.org ipv6> 443 succeeded as well as a mtr to the IP.
I discovered that with another ipv6 address, from the same server, it's OK ! What's going on here ? The failing ipv6 address being from the IP range 2001:67c:1298::/48.
Thanks for your support
The text was updated successfully, but these errors were encountered: