IPv6 and TLS 1.3?

L4 Transporter

I've been having some IPv6 issues (we're a dual-stack setup currently), and it seems like every time I fix one, I find another.

The latest is an issue with some, but not all, IPv6 websites. Sometimes they'll load... sometimes they'll start to load and then stall. Sometimes they load, and then a refresh has them stalling.

Looking at packet captures, it appears that the issue was related to TLS 1.3. After much Googling, I was able to find flags to force my browsers to use TLS 1.2, and the issue seems to be resolved. I also verified that it worked just fine with the default flags (so using TLS 1.3) when I disabled IPv6 on my adapter.

So it appears it is a combination of IPv6 and TLS 1.3. I opened a case with Palo support, but I decided to continue looking into this myself. The last thing they had me try was a change to the Zone Protection Profile on the TCP Drop tab to set "Reject Non-SYN TCP" to No (it was set to Global previously), as they indicated the global counters were showing:

flow_tcp_non_syn 3 0 info flow session Non-SYN TCP packets without session match
flow_tcp_non_syn_drop 3 0 drop flow session Packets dropped: non-SYN TCP without session match

The session browser was also showing "non-syn-tcp" on the application on attempts to load the test webpage when it failed (when it succeeded, it seemed like there were also sessions open showing SSL).

I tried something else this morning... I set my PC's IPv6 MTU to 1400, down from 1500, and it seems to have improved the situation. Page loading on the test site seems to work fine without the stalling, even on refreshing. The session browser is showing SSL application sessions from my PC.

Has anyone else had a similar issue? Do I just need to adjust my IPv6 network interfaces down to 1400 MTU, or should I look at the IPv6 TCP MSS? I figured Path MTU Discovery should be taking care of any MTU issues, since the client has to be the one to fragment on IPv6, but something obviously isn't working. Since lowering the IPv6 MTU on my PC seems to fix the issue, I assume there is an MTU issue somewhere along the line, but I don't think I've seen Packet Too Big messages.
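The post above asks whether the fix belongs at the interface MTU or at the IPv6 TCP MSS, and notes that no Packet Too Big messages were seen. As an added example (not part of the original post, and not Palo Alto Networks code), the script below does the arithmetic a practitioner would do from a capture: it parses the MSS option out of an IPv6/TCP SYN, checks whether a full-size segment built from that MSS would fit a given path MTU, computes the largest MSS that would (path MTU minus the 60 bytes of IPv6 + TCP headers), and extracts the MTU field from an ICMPv6 Packet Too Big message so you can confirm whether PMTUD feedback is actually arriving. All packets are constructed inline with documentation addresses (fd00::1 and 2001:db8::1) and zero checksums; the function names are the example's own.

```python
import struct

IPV6_HDR_LEN = 40
TCP_HDR_LEN = 20
IPV6_TCP_OVERHEAD = IPV6_HDR_LEN + TCP_HDR_LEN  # 60 bytes that MSS does not count
NH_TCP = 6
NH_ICMPV6 = 58
ICMPV6_PACKET_TOO_BIG = 2
TCPOPT_END, TCPOPT_NOP, TCPOPT_MSS = 0, 1, 2

# Constructed test addresses: fd00::1 -> 2001:db8::1 (documentation ranges).
SRC = bytes.fromhex("fd000000000000000000000000000001")
DST = bytes.fromhex("20010db8000000000000000000000001")


def build_ipv6(payload, next_header, src=SRC, dst=DST):
    """Minimal IPv6 header: version 6, payload length, next header, hop limit 64."""
    return struct.pack("!IHBB16s16s", 0x60000000, len(payload), next_header, 64, src, dst) + payload


def build_tcp_syn(mss, sport=50000, dport=443):
    """TCP SYN carrying one MSS option; data offset 6 (24-byte header), checksum left 0."""
    options = struct.pack("!BBH", TCPOPT_MSS, 4, mss)
    data_offset_flags = (6 << 12) | 0x02  # SYN
    return struct.pack("!HHIIHHHH", sport, dport, 1, 0, data_offset_flags, 65535, 0, 0) + options


def _ipv6_fields(packet):
    version, payload_len, next_header, _hop, _src, _dst = struct.unpack(
        "!IHBB16s16s", packet[:IPV6_HDR_LEN])
    if version >> 28 != 6:
        raise ValueError("not an IPv6 packet")
    return payload_len, next_header


def parse_tcp_mss(packet):
    """Walk the TCP option list of an IPv6/TCP segment and return the MSS, or None."""
    payload_len, next_header = _ipv6_fields(packet)
    if next_header != NH_TCP:
        raise ValueError("not an IPv6/TCP packet")
    tcp = packet[IPV6_HDR_LEN:IPV6_HDR_LEN + payload_len]
    data_offset = (struct.unpack("!H", tcp[12:14])[0] >> 12) * 4
    opts = tcp[TCP_HDR_LEN:data_offset]
    i = 0
    while i < len(opts):
        kind = opts[i]
        if kind == TCPOPT_END:
            break
        if kind == TCPOPT_NOP:
            i += 1
            continue
        length = opts[i + 1]
        if length < 2:
            raise ValueError("malformed TCP option")
        if kind == TCPOPT_MSS and length == 4:
            return struct.unpack("!H", opts[i + 2:i + 4])[0]
        i += length
    return None


def full_segment_size(mss):
    """On-wire size of a full-size IPv6/TCP segment for a given MSS (no extension headers)."""
    return mss + IPV6_TCP_OVERHEAD


def max_mss_for_mtu(mtu):
    """Largest MSS a host (or an MSS-clamping firewall) should advertise for this path MTU."""
    return mtu - IPV6_TCP_OVERHEAD


def mss_fits_path(syn_packet, path_mtu):
    """True if segments sized to the SYN's advertised MSS would traverse path_mtu unfragmented."""
    mss = parse_tcp_mss(syn_packet)
    return mss is not None and full_segment_size(mss) <= path_mtu


def build_packet_too_big(mtu, invoking_packet):
    """ICMPv6 type 2 (Packet Too Big): type, code, checksum(0), MTU, then as much of the
    offending packet as fits (RFC 4443 caps the whole message at the minimum IPv6 MTU, 1280)."""
    body = struct.pack("!BBHI", ICMPV6_PACKET_TOO_BIG, 0, 0, mtu)
    return build_ipv6(body + invoking_packet[:1280 - IPV6_HDR_LEN - 8], NH_ICMPV6, src=DST, dst=SRC)


def parse_packet_too_big(packet):
    """Return the MTU advertised by an ICMPv6 Packet Too Big, or None for any other packet."""
    payload_len, next_header = _ipv6_fields(packet)
    if next_header != NH_ICMPV6:
        return None
    icmp = packet[IPV6_HDR_LEN:IPV6_HDR_LEN + payload_len]
    msg_type, _code, _csum, mtu = struct.unpack("!BBHI", icmp[:8])
    return mtu if msg_type == ICMPV6_PACKET_TOO_BIG else None


if __name__ == "__main__":
    # A host with a 1500-byte IPv6 MTU advertises MSS 1440; the path only carries 1400.
    syn = build_ipv6(build_tcp_syn(1440), NH_TCP)
    print("advertised MSS:", parse_tcp_mss(syn), "-> wire size", full_segment_size(1440))
    print("fits 1400-byte path:", mss_fits_path(syn, 1400))
    print("MSS to clamp to for 1400:", max_mss_for_mtu(1400))
    print("PTB reports MTU:", parse_packet_too_big(build_packet_too_big(1400, syn)))
```

Reading the output against the post: an MSS of 1440 from a 1500-byte interface produces 1500-byte segments, which a 1400-byte path drops; lowering the interface MTU to 1400 makes the stack advertise 1340 and the large TLS 1.3 server flight goes through. Clamping the MSS at the firewall (PAN-OS exposes this as Adjust TCP MSS on the interface) achieves the same without touching every host, but the underlying question remains why no Packet Too Big arrived: if `parse_packet_too_big` never returns a value on captures taken on the client side, something on the path is dropping ICMPv6 type 2, and PMTUD cannot work.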
