Testing IPv6 using test-ipv6.com

L2 Linker


I'm unable to successfully complete test-ipv6.com (10 out of 10) without doing either 'Any' application or adding unknown-tcp as an application.

When I do just web-browsing, I get denies on 'unknown-tcp'.

Is there something different I can do without allowing wide open browsing for IPv6? Is this a deficiency in the Applications list or the way web-browsing is detected over IPv6?

Is there a custom App-ID I can add?

Test completes 10/10:

Application: Any; Service: service-http

or

Application: web-browsing, unknown-tcp; Service: service-http

Test fails with 1/10:

Application: web-browsing; Service: application-default

Device is a 2020 running 4.1.7 standalone.

Anti-virus DB: 831-1143

Application and Threat DB: 327-1497

URL DB:  3936


Accepted Solutions
L2 Linker

Upgraded the 2020 to 5.0.0.

All browsers now pass the test 10/10.



All Replies
L6 Presenter

I have done this test on my device and it worked fine (test completed 10/10) with web-browsing and service: application-default. I have the same app version 327-1497 and PAN-OS 4.1.7, and my sessions are getting identified as web-browsing. I am not sure what we are missing here.

L2 Linker

I'm using a Hurricane Electric tunnel for my IPv6 connectivity; terminated on a router on the public side of the 2020.

Tests Failed:

Test for Dual Stack DNS and large packet - blurb about sending and receiving large packets.

Test IPv6 large packet - blurb about PMTUD issues if the test fails

L2 Linker

Closer examination is pointing to the 2020 not properly processing ICMP6 packet too big messages.

[icmp6 sum ok] ICMP6, packet too big, length 1240, mtu 1480

These ICMP6 messages are being generated by the router that handles the Hurricane Electric tunnel.

Even when I add a rule to explicitly allow "ipv6-icmp" for any/any source to any/any destination, they do not make it through the 2020.

I've also added a management profile to the external interface to allow ICMPs to the external interface. The ICMP6 packet too big messages are, of course, destined to the global IPv6 address of the internal workstation, not the 2020's external IPv6 address.

Oddly enough, everything works when I allow pure port 80 traffic, or the unknown-tcp application.
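The comparison described in this post (Packet Too Big messages arriving on the tunnel side of the firewall but not reaching the workstation), as an added example that is not part of the original thread: it parses tcpdump text taken on both sides and reports which messages were not forwarded. The capture lines, addresses (documentation prefix 2001:db8::/32) and function names are constructed for illustration.

```python
import re
from collections import Counter

# Constructed tcpdump-style lines; only the "packet too big, length 1240, mtu 1480"
# fragment mirrors the thread. OUTSIDE = tunnel side, INSIDE = workstation side.
OUTSIDE = """\
10:00:01.100 IP6 2001:db8:ffff::1 > 2001:db8:10::50: [icmp6 sum ok] ICMP6, packet too big, length 1240, mtu 1480
10:00:01.900 IP6 2001:db8:ffff::1 > 2001:db8:10::50: [icmp6 sum ok] ICMP6, packet too big, length 1240, mtu 1480
10:00:05.200 IP6 2001:db8:ffff::1 > 2001:db8:10::51: [icmp6 sum ok] ICMP6, packet too big, length 1240, mtu 1480
10:00:05.300 IP6 2001:db8:10::51 > 2001:db8:aaaa::80: [icmp6 sum ok] ICMP6, echo request, seq 1, length 64
"""
INSIDE = """\
10:00:05.201 IP6 2001:db8:ffff::1 > 2001:db8:10::51: [icmp6 sum ok] ICMP6, packet too big, length 1240, mtu 1480
"""

# Source, destination and advertised MTU of an ICMPv6 Packet Too Big line.
# The optional group skips the "(hlim ..., payload length: ...)" part of tcpdump -v.
PTB = re.compile(
    r"IP6 (?:\(.*?\) )?(\S+) > (\S+): .*ICMP6, packet too big.*?mtu (\d+)"
)

IPV6_MIN_MTU = 1280  # minimum link MTU every IPv6 path must support


def parse_ptb(capture):
    """Return (router, host, mtu) for every Packet Too Big line in the text."""
    found = []
    for line in capture.splitlines():
        m = PTB.search(line)
        if m:
            found.append((m.group(1), m.group(2), int(m.group(3))))
    return found


def dropped_ptb(outside, inside):
    """Count PTB messages seen outside the firewall that never appear inside."""
    missing = Counter(parse_ptb(outside)) - Counter(parse_ptb(inside))
    return dict(missing)


def suspicious_mtu(capture):
    """PTB messages advertising less than the IPv6 minimum MTU (worth a second look)."""
    return [p for p in parse_ptb(capture) if p[2] < IPV6_MIN_MTU]


if __name__ == "__main__":
    for (router, host, mtu), n in dropped_ptb(OUTSIDE, INSIDE).items():
        print(f"{n} PTB (mtu {mtu}) from {router} to {host} not forwarded")
```

A host that appears in the output never learns the tunnel MTU, so its large TCP segments are silently lost, which matches the two failed "large packet" tests.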

L7 Applicator

I have a tunnelbroker.net IPv6 /48 routed through a Juniper router into my Palo Alto Networks firewall and can pass 10/10 every time using my Mac. 

I'll try it out with a PA2020 and 4.1.7 if I get some free time and see if the behavior is any different. 

L2 Linker

Plot thickens..

Thus far, I've been running these tests on a Windows 7 32-bit system using IE only.

Just installed Firefox 15.0.1. When IE fails the tests, Firefox succeeds and continues to succeed.

I conducted another packet capture and the capture clearly shows ICMPv6 Packet too big messages do not get through the 2020 when IE 8 is used. But ICMPv6 Packet too big messages do get forwarded through when FF 15.0.1 is used.

The main difference seems to be in the order of the HTTP headers.  Below are the HTTP request headers with the Cookies removed.  These aren't necessarily from the same point in the test.

Firefox:

GET /ip/?callback=_jqjsp HTTP/1.1
Host: ipv6.test-ipv6.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:15.0) Gecko/20100101 Firefox/15.0.1
Accept: */*
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: keep-alive
Referer: http://test-ipv6.com/
Cache-Control: max-age=0

IE:

GET /ip/?callback=_jqjsp HTTP/1.1
Accept: */*
Referer: http://test-ipv6.com/
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Accept-Encoding: gzip, deflate
Host: ipv6.test-ipv6.com
Connection: Keep-Alive

L2 Linker

Updated the Applications and Threat DB to 328-1503. No change.

I have noticed that if I run the test (test-ipv6.com) on Firefox and allow it to complete, and then immediately run the test on IE, IE will complete 10/10.

But if I wait some period of time, 30 seconds per se, IE will continue failing again.

L6 Presenter

@Gary Fowler: Out of curiosity, have you tried allowing ipv6-icmp as an application in your security policy? If so, did it make a difference?

L2 Linker

Yes, I did. Details are in the #3 reply of this thread.

And it did not make a difference. The application 'ipv6-icmp' does not appear to apply to the ICMPv6 service alone.

L2 Linker

Jvalentine,

Do you have the ability to spin up a Windows 7 VM and run the test again using IE 8? 
