3 Replies Latest reply on Mar 20, 2014 7:27 AM by Peter Näslund

    IPv6 & 10 times slower transactions

    Peter Näslund

      We have a client (IPv4) that communicates over HTTPS with a server (IPv4) continuously. The log showed 2 second transaction times, until we activated IPv6 on the MWG. Now it takes 20 seconds!


      The client has no IPv6 connectivity. The server has no IPv6 connectivity. The MWG has IPv6 connectivity to the Internet and is running Reverse Proxy (and WCCP-IPv4). Reverse Proxy IPv6 www-tests are OK.


      I have tried to put the client IP in Global whitelist, and run rule tracing, and made sure it skips all rules. The rule tracing still shows almost a 20-second delay at the top: 2014.03.12 09.48.43, 18s 792 ms 738 us, ...........


      I have tried to only enable IPv4 in Configurations->Proxies->DNS Settings and not use other protocol version as fallback. It did not work. I have not done a reboot.


      I have tried to delete the default IPv6 Static Route. It did not work.


      Finally I inactivated IPv6, and it came back to 2 second transaction times. Rule tracing shows the following: 2014.03.12 16.15.57, 1s 582 ms 220 us, ...........


      I have not done a reboot at any time during the test.


      It would be nice to be able to use IPv6.

        • 1. Re: IPv6 & 10 times slower transactions

          That's interesting. I would have assumed DNS, but it sounds like you already checked that on the DNS option. 20 seconds sounds like a TCP timeout, but I'm at a loss to explain why it would use v6 at all if the client is speaking v4 and you are forcing v4 for DNS. It really sounds like MWG is trying to do v6 to the server for some reason.


          Have you done a tcpdump? I'm most curious about the DNS lookup from MWG and then if there is an attempted connection over v6.

          • 2. Re: IPv6 & 10 times slower transactions
            Peter Näslund

            I have run dnslookup and there is no IPv6 address for the destination server. Our client does not have IPv6-protocol installed.


            I have done several tcpdumps, and there is only IPv6 communication to our Reverse Proxy ports. No IPv6 DNS lookups.


            It looks like a bug.

            • 3. Re: IPv6 & 10 times slower transactions
              Peter Näslund

              I tested ping against MWG with Don't Fragment bit enabled and this is the result:


              ping -f -l 1256 mwgipaddress     MWG responded OK


              ping -f -l 1257 mwgipaddress     MWG no answer. This is not OK!!!


              ping -f -l 1472 mwgipaddress     MWG no answer. This is not OK!!!


              ping -f -l 1473 mwgipaddress     Packet too big. This is OK.


              With help from McAfee support, I changed MTU on IPv6 from 1280 to 1500 and the IPv4 Proxy MSS from 0 to 1412 (We are using WCCP, so we had to lower it).


              Now MWG answers OK (ping -f -l 1472 mwgipaddress)


              No delays anymore. Problem solved!
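The Don't Fragment ping test from the last reply, generalized into a size survey (an added example, not part of the original thread and not McAfee code). It binary-searches for the largest payload that gets a reply and the largest payload that can be sent with DF set, and reports the silently dropped range between them. The `probe` callable and the two constructed probes are assumptions; a real probe would wrap `ping -f -l <size>` and map its output to the three results.

```python
from enum import Enum

IPV4_ICMP_OVERHEAD = 28  # 20-byte IPv4 header + 8-byte ICMP echo header

class Result(Enum):
    REPLY = "reply"
    SILENT = "no answer"        # DF packet was sent, nothing came back
    TOO_BIG = "packet too big"  # refused with DF set: larger than the MTU

def largest(probe, lo, hi, accept):
    """Largest payload in [lo, hi] whose probe result satisfies accept."""
    # Assumes results are ordered by size: replies, then silence, then too-big.
    best = None
    while lo <= hi:
        mid = (lo + hi) // 2
        if accept(probe(mid)):
            best, lo = mid, mid + 1
        else:
            hi = mid - 1
    return best

def survey(probe, lo=0, hi=2000):
    """Find the silent-drop range between the last reply and the DF limit."""
    max_reply = largest(probe, lo, hi, lambda r: r is Result.REPLY)
    max_sent = largest(probe, lo, hi, lambda r: r is not Result.TOO_BIG)
    hole = None
    if max_reply is not None and max_sent is not None and max_reply < max_sent:
        hole = (max_reply + 1, max_sent)
    def packet(n):
        return None if n is None else n + IPV4_ICMP_OVERHEAD
    return {
        "max_reply_payload": max_reply,
        "max_reply_packet": packet(max_reply),
        "df_limit_packet": packet(max_sent),
        "silent_drop_payloads": hole,  # None means no black hole was seen
    }

# Constructed probe matching the four ping results quoted in the thread.
def before_fix(size):
    if size <= 1256:
        return Result.REPLY
    return Result.SILENT if size <= 1472 else Result.TOO_BIG

# Constructed probe for the state after the MTU/MSS change (1472 answers).
def after_fix(size):
    return Result.REPLY if size <= 1472 else Result.TOO_BIG

if __name__ == "__main__":
    print(survey(before_fix))
    print(survey(after_fix))
```

A non-empty `silent_drop_payloads` range is the symptom seen in the thread: packets that fit the sender's MTU but vanish without an ICMP error, which stalls TCP until retransmission timers expire.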