<div dir="ltr">Hey Michael,<div><br></div><div>Given the fact that the TCP 3-way handshake is established, sounds like some Path MTU blackholing happening. Due to it happening during TLS handshake it's likely from the server towards you.</div><div><br></div><div>2a04:4e42::272 and 2a04:4e42:2f::272 belong to Fastly (AS54113) as they host a share of <a href="http://images-na.ssl-images-amazon.com" target="_blank">images-na.ssl-images-amazon.com</a>. Looking at a tcpdump, the first large packet in the flow is from the server. I have a full-sized native ipv6 connection so large packets are received:</div><div><br></div><div>00:10:28.921224 IP6 (flowlabel 0x4901f, hlim 54, next-header TCP (6) payload length: 1460) 2a04:4e42:2f::272.443 > 2600:1f18:2fe:904:4341:3edf:79e3:de1d.42114: Flags [.], cksum 0xc122 (correct), seq 1:1429, ack 518, win 131, options [nop,nop,TS val 3517605680 ecr 572934936], length 1428<br></div><div><br></div><div>Using <a href="https://github.com/falling-sky/mtu1280d">https://github.com/falling-sky/mtu1280d</a> to emulate a smaller MTU, in response to the large packet (#1) we send back an icmpv6 packet too big response (#2), triggering Fastly to send smaller packets (#3):</div><div><br></div><div>00:11:22.179423 IP6 (flowlabel 0xa9776, hlim 53, next-header TCP (6) payload length: 1460) 2a04:4e42:2f::272.443 > 2600:1f18:2fe:904:4341:3edf:79e3:de1d.42116: Flags [.], cksum 0xc7f0 (correct), seq 1:1429, ack 518, win 131, options [nop,nop,TS val 3934482883 ecr 572988194], length 1428<br>00:11:22.179527 IP6 (hlim 255, next-header ICMPv6 (58) payload length: 1240) 2600:1f18:2fe:904:4341:3edf:79e3:de1d > 2a04:4e42:2f::272: [icmp6 sum ok] ICMP6, packet too big, mtu 1280<br>00:11:22.180175 IP6 (flowlabel 0xa9776, hlim 53, next-header TCP (6) payload length: 1236) 2a04:4e42:2f::272.443 > 2600:1f18:2fe:904:4341:3edf:79e3:de1d.42116: Flags [.], cksum 0x8c51 (correct), seq 1:1205, ack 518, win 131, options [nop,nop,TS val 3934482884 ecr 572988196], length 1204<br></div><div><br></div><div>Either your system does not send back an ICMPv6 packet too big reply, or something drops it on the way and it never reaches Fastly. You should check your firewall settings in the path to ensure you don't block ICMP and ICMPv6 packets.<br></div><div><br></div><div>Regards,</div><div>Andras</div><div><br></div></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Sat, Feb 20, 2021 at 7:11 AM Michael Crapse <<a href="mailto:michael@wi-fiber.io" target="_blank">michael@wi-fiber.io</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div dir="ltr">I would like to know as well who best to reach out to. We are experiencing ipv6 related issues with AWS, unable to load even <a href="http://amazon.com" target="_blank">amazon.com</a> completely when any of our customers have ipv6 connectivity<br><br>curl -vvv <a href="https://images-na.ssl-images-amazon.com/images/I/11EIQ5IGqaL._RC%7C01ZTHTZObnL.css" target="_blank">https://images-na.ssl-images-amazon.com/images/I/11EIQ5IGqaL._RC%7C01ZTHTZObnL.css</a><br>* Trying 2a04:4e42::272...<br>* TCP_NODELAY set<br>* Connected to <a href="http://images-na.ssl-images-amazon.com" target="_blank">images-na.ssl-images-amazon.com</a> (2a04:4e42::272) port 443 (#0)<br>* schannel: SSL/TLS connection with <a href="http://images-na.ssl-images-amazon.com" target="_blank">images-na.ssl-images-amazon.com</a> port 443 (step 1/3)<br>* schannel: checking server certificate revocation<br>* schannel: sending initial handshake data: sending 202 bytes...<br>* schannel: sent initial handshake data: sent 202 bytes<br>* schannel: SSL/TLS connection with <a href="http://images-na.ssl-images-amazon.com" target="_blank">images-na.ssl-images-amazon.com</a> port 443 (step 2/3)<br>* schannel: failed to receive handshake, SSL/TLS connection failed<br>* Closing connection 0<br>* schannel: shutting down SSL/TLS connection with <a href="http://images-na.ssl-images-amazon.com" target="_blank">images-na.ssl-images-amazon.com</a> port 443<br>* Send failure: Connection was reset<br>* schannel: failed to send close msg: Failed sending data to the peer (bytes written: -1)<br>* schannel: clear security context handle<br>curl: (35) schannel: failed to receive handshake, SSL/TLS connection failed<br><br clear="all"><div><div dir="ltr"><div dir="ltr"><img src="https://docs.google.com/uc?export=download&id=1AEUUwXTnyNij5Et96dGbgqYAoqjnf-Lv&revid=0B1peeD8iTk0RanB0SHg2V0U3aDRHb3VBZmQ2bng0YU9tam1BPQ" width="420" height="238"><br></div></div></div><br></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Tue, 26 Jan 2021 at 11:00, Josh Baird <<a href="mailto:joshbaird@gmail.com" target="_blank">joshbaird@gmail.com</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div dir="ltr">Are you sure it's not due to the Verizon outage? As a non-customer, your options for contacting support are limited.</div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Tue, Jan 26, 2021 at 12:55 PM Justin Wilson (Lists) <<a href="mailto:lists@mtin.net" target="_blank">lists@mtin.net</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"> What is the best avenue for contacting support for AWS? I have several ISPs experiencing reachability issues with AWS hosted sites. These are from different backbones, different gear, etc. The common denominator is AWS. <br>
<br>
Been googling around and can’t seem to find a contact.<br>
<br>
<br>
<br>
Justin Wilson<br>
<a href="mailto:j2sw@mtin.net" target="_blank">j2sw@mtin.net</a><br>
<br>
—<br>
<a href="https://j2sw.com" rel="noreferrer" target="_blank">https://j2sw.com</a> - All things jsw (AS209109)<br>
<a href="https://blog.j2sw.com" rel="noreferrer" target="_blank">https://blog.j2sw.com</a> - Podcast and Blog<br>
<br>
</blockquote></div>
</blockquote></div>
</blockquote></div>