VM IPv6 is associated but not routable

Daniel Hellstern 21

Hi, I've been trying to set up IPv6 for an existing B1ms virtual machine running Ubuntu Server 20.04, with no success. In its current state, I have a NIC with a primary IPv4 address (public and private), plus a secondary IPv6 address (again, both public and private). As is required, this is connected to my VNet which has a ULA address space configured. The VM shows the ULA address in ip addr, and I've confirmed ip -6 route has a default route to the link-local address of the gateway. IPv4 works perfectly. However, IPv6 is not being properly routed to and from the VM. From the VM, I can ping the link-local address of the gateway, but no public IPv6 addresses. Outside the VM, I cannot ping the VM's address.

From my attempts to fix the issue, I believe it is on the Azure networking side, rather than the VM, but I'm not quite sure where. I took a packet capture (both from the portal and from inside the VM), which showed that the only IPv6 traffic on the NIC is RAs from the VNet gateway. I also enabled NSG flow logs, and looking through them I don't even see a single IPv6 address, so I suspect the traffic isn't even reaching the NSG. I even tried detaching the NSG to see if it was blocking v6 traffic, but that didn't change anything. I've also tried using some of the connection testing tools, though several don't appear to be compatible with IPv6, and the results included a socket opening error and being stopped by the NSG (triggering DefaultRule_DenyAllOutBound). However, as mentioned, detaching the NSG did not fix this issue. In addition, the effective security rules section shows the IPv6 prefix ::/0 on all relevant rules, so it's not like the NSG doesn't understand IPv6.

My issue is almost word-for-word what is in this ServerFault comment. However, my configuration practically matches that of the screenshots in the answer, and I've followed the suggestions in the comments, but it still does not work.

I should also mention I have Wireguard running as a client on the VM, and it has some ULA address space configured as routable. However, this space does not conflict at all with the VNet, and I have no reason to suspect it is the issue.

Thanks!

GitaraniSharma-MSFT 47,686 Reputation points Microsoft Employee

2021-07-12T11:27:12.397+00:00

Hello @Daniel Hellstern ,

Welcome to Microsoft Q&A Platform. Thank you for reaching out & hope you are doing well.

Some of the Linux virtual-machine images in the Azure Marketplace do not have Dynamic Host Configuration Protocol version 6 (DHCPv6) configured by default. To support IPv6, DHCPv6 must be configured in the Linux OS distribution that you are using.
Please refer : https://learn.microsoft.com/en-us/azure/load-balancer/load-balancer-ipv6-for-linux

Another point that I came across in our internal resources is ULA ranges (fc00::/7) get blocked in Azure (this point needs validation from the PG team, so I would request you to share more details for me to confirm the same with PG)
A unique local address (ULA) is an IPv6 address in the block fc00::/7, defined in RFC 4193. It is the approximate IPv6 counterpart of the IPv4 private address. Unique local addresses are available for use in private networks. They are routable within the scope of a certain private-owned network, but not in the global IPv6 Internet.

Thanks,
Gita
Daniel Hellstern 21 Reputation points

2021-07-12T21:28:17.763+00:00
Thank you for the reply! I hope you're doing well, too.

I did check, the Netplan configuration for the Ubuntu Server 20.04 image, and it has DHCPv6 enabled. I am correctly getting an IPv6 address (from my ULA range) on the interface.

network: ethernets: eth0: dhcp4: true dhcp4-overrides: &id001 route-metric: 100 dhcp6: true dhcp6-overrides: *id001 match: driver: hv_netvsc macaddress: <removed> set-name: eth0 version: 2

I'm surprised to hear that ULA might be blocked? This is my VNET address space:

I would assume that ULA is OK for inside a VNET, since that's what the prefix is intended for (internal, non-routable networks, like where you would see RFC1918 networks). If not ULA, which prefix should I be using internally? As for the public address on the NIC, that is a GUA, starting with 2603:.
GitaraniSharma-MSFT 47,686 Reputation points Microsoft Employee

2021-07-16T11:18:55.337+00:00

Hello @Daniel Hellstern ,

Thank you for sharing information on your setup. I have contacted the PG team to validate this. Will get back to you on this once I hear from them.

Regards,
Gita
GitaraniSharma-MSFT 47,686 Reputation points Microsoft Employee

2021-07-19T12:26:27.023+00:00

Hello @Daniel Hellstern ,

The PG has asked the below information:
When you say "IPv6 is not being properly routed to and from the VM. From the VM, I can ping the link-local address of the gateway, but no public IPv6 addresses. Outside the VM, I cannot ping the VM's address."
What does this exactly mean? Is the routing not working from one VM to another? Is it in the same Subnet / on two subnets on the same VNet (same ULA address space) / OR from Internet?

Also, they would like to take a look at your setup for further investigation. Could you send an email to azcommunity@microsoft.com referencing this thread and the resource URI for the VM associated with IPv6? Please mention "ATTN gishar" in the subject field.

Thanks,
Gita
Daniel Hellstern 21 Reputation points

2021-07-20T03:58:11.19+00:00

Thanks, sent with the requested details! Sorry I haven't been more responsive, I do not receive any notification when replies are posted.
GitaraniSharma-MSFT 47,686 Reputation points Microsoft Employee

2021-07-20T11:22:27.99+00:00

Thank you for your email @Daniel Hellstern . I will work with the PG team and get back to you with further updates.

In case you are not receiving email notifications for replies, please subscribe to notifications.
GitaraniSharma-MSFT 47,686 Reputation points Microsoft Employee

2021-07-23T14:27:02.023+00:00

Hello @Daniel Hellstern ,

Below is the response that I received from the PG team:

ICMPv6 to/from an Azure VM does not currently work & isn't supported.

So, I would request you to use "telnet" or "tcp ping" or any other TCP based tool to check the IPv6 connectivity to/from your VM.

Thanks,
Gita
Daniel Hellstern 21 Reputation points

2021-07-26T07:11:01.893+00:00

Thank you, this was very useful to further diagnose the issue. It's true most of my diagnostic work was done with ICMPv6 pings, so that explains the issues I had with that. However, I was also unable to use HTTPS over IPv6 (as I have a redirect from HTTP to HTTPS, I did not notice that HTTP was working fine). I originally believed that this must be a misconfiguration on my side, but I have now determined that the confusing lack of ICMPv6 support on Azure VMs is likely breaking IPv6 for certain users, including me.

TL;DR: Since ICMPv6 is not supported on Azure VMs, it also means VMs cannot properly support Path MTU Discovery to adjust the path MTU when it is not 1500 bytes, like for me.

I access IPv6 from my home using a Hurricane Electric tunnel. The MTU of this tunnel (due to IPv4 header overhead) is 1480. However, the MTU on my Azure VM is 1500. This means that any replies larger than 1480 bytes (such as a TLS Server Hello, >2KB) will be dropped by Hurricane Electric's tunnel brokers as they cannot fit into the tunnel. The tunnel broker is likely sending an ICMPv6 Packet Too Big packet back to the Azure VM to instruct it to lower the path MTU to 1480, however, as Azure does not support ICMPv6 to and from the VM, this is never received and the path MTU is not adjusted. In theory, this would mean that anyone using Tunnelbroker (or similar) to access Azure VMs with IPv6 will experience the same issue.

For now, the workaround for me is to manually set the interface MTU to 1480. However, the real solution is for Azure to support ICMPv6, to enable PMTU-D.
GitaraniSharma-MSFT 47,686 Reputation points Microsoft Employee

2021-07-26T15:00:19.567+00:00

Hello @Daniel Hellstern ,

Thank you for the update.

If you wish you may leave your feedback here requesting this feature. All the feedback you share in these forums will be monitored and reviewed by the Microsoft engineering teams responsible for building Azure.

Thanks,
Gita
GitaraniSharma-MSFT 47,686 Reputation points Microsoft Employee

2021-07-27T19:41:15.617+00:00

Hello @Daniel Hellstern ,

I have added the summarized answer below. Please "Accept the answer" if the information helped you. This will be beneficial to other community members.

Thanks,
Gita

Accepted answer

GitaraniSharma-MSFT 47,686 Reputation points Microsoft Employee

2021-07-27T19:40:08.757+00:00

Hello @Daniel Hellstern ,

ICMPv6 to/from an Azure VM does not currently work & isn't supported.

So, I suggest you to use "telnet" or "tcp ping" or any other TCP based tool to check the IPv6 connectivity to/from your VM.

If you wish you may leave your feedback here requesting this feature. All the feedback you share in these forums will be monitored and reviewed by the Microsoft engineering teams responsible for building Azure.

Kindly let us know if the above helps or you need further assistance on this issue.

----------------------------------------------------------------------------------------------------------------

Please "Accept the answer" if the information helped you. This will help us and others in the community as well.
Please sign in to rate this answer.

0 comments No comments
Sign in to comment

VM IPv6 is associated but not routable

0 additional answers