Microsoft sites not reachable

Started by gstyle, March 19, 2026, 02:25:52 PM

Hi everybody,

For weeks I have had a strange problem.

My setup:
- German Telekom FTTH connection
- OPNsense with always up-to-date version
- IPv4/IPv6 dual stack
This is PPPoE to the fiber modem. DHCPv6 receives a /56 subnet. On the LAN interface it is identity association and RA by Dnsmasq.

My internet connection works completely fine. IPv4 and IPv6. With all my devices in different VLANS etc.
However, I have recurring problems with servers from Microsoft.
I discovered it because my "apt update" on my Mint system hangs at the servers for VS Code (packages.microsoft.com).

Now for example. I am not able to open https://code.visualstudio.com/ from any of my devices.
https://microsoft.com/ did not work the whole day. However coming from google, https://www.microsoft.com/de-de just worked.


Also Ping:
mario@mint-vm:~$ ping packages.microsoft.com
PING packages.microsoft.com (2620:1ec:46::45) 56 data bytes
^C
--- packages.microsoft.com ping statistics ---
9 packets transmitted, 0 received, 100% packet loss, time 8182ms

Same with IPv4:
mario@mint-vm:~$ ping -4 packages.microsoft.com
PING packages.microsoft.com (13.107.246.45) 56(84) bytes of data.
^C
--- packages.microsoft.com ping statistics ---
5 packets transmitted, 0 received, 100% packet loss, time 4082ms


Yesterday I was able to go on https://code.visualstudio.com/
Today nothing loads.

My work laptop is also connected here but uses a proxy from my company. There are no problems at all there.

I already disabled my firewalls:
- Zenarmor
- Crowdsec
No effect.

As you see from the ping: DNS resolving works. But the IPs are not reachable.
It is with all devices in my network. Android, Linux, Windows, etc..
When I am using the mobile network it works. So the servers are there, I am just not able to reach them from my home network.

I have no ideas where this is coming from. Any advice in which direction to investigate?


Cheers
Mario

With everything you've tried so far and the fact that DNS appears to be resolving correctly, I would be suspicious of some kind of ban on your IP. Does your ISP use dynamic assignment for your IPv4 WAN address? Maybe try to connect via a VPN and see if the problem persists.

March 19, 2026, 02:50:04 PM #2 Last Edit: March 19, 2026, 02:55:31 PM by sopex8260
Lower your MTU to 1400.

FreeBSD 15 supposedly fixes this

Quote from: sopex8260 on March 19, 2026, 02:50:04 PM
Lower your MTU to 1400.

FreeBSD 15 supposedly fixes this

OK. Changed the MTU on the WAN to 1400. Now it works...
Thanks a lot. Can you explain it?

I can:

1. packages.microsoft.com never responds to ping requests:

~# ping packages.microsoft.com
PING packages.microsoft.com (2620:1ec:46::45) 56 data bytes
^C
--- packages.microsoft.com ping statistics ---
11 packets transmitted, 0 received, 100% packet loss, time 10218ms

root@baremetal:~# ping -4 packages.microsoft.com
PING packages.microsoft.com (13.107.246.45) 56(84) bytes of data.
^C
--- packages.microsoft.com ping statistics ---
6 packets transmitted, 0 received, 100% packet loss, time 5150ms

That does not mean it does not work:

root@baremetal:~# nmap -Pn -p80,443 packages.microsoft.com
Starting Nmap 7.95 ( https://nmap.org ) at 2026-03-19 15:08 CET
Nmap scan report for packages.microsoft.com (13.107.213.45)
Host is up (0.0080s latency).
Other addresses for packages.microsoft.com (not scanned): 2620:1ec:bdf::45 2620:1ec:46::45 13.107.246.45

PORT    STATE SERVICE
80/tcp  open  http
443/tcp open  https

root@baremetal:~# nmap -Pn -p80,443 -6 packages.microsoft.com
Starting Nmap 7.95 ( https://nmap.org ) at 2026-03-19 15:10 CET
Nmap scan report for packages.microsoft.com (2620:1ec:bdf::45)
Host is up (0.014s latency).
Other addresses for packages.microsoft.com (not scanned): 2620:1ec:46::45 13.107.213.45 13.107.246.45

PORT    STATE SERVICE
80/tcp  open  http
443/tcp open  https

Nmap done: 1 IP address (1 host up) scanned in 0.78 seconds

2. AFAIK, German Telekom always uses PPPoE "somewhere". In that, your maximum MTU can be limited to 1492 bytes. You did not say if that is a special business connection or what "fiber modem" you use. You can test what MTU is feasible for you - see this, point 9.
Intel N100, 4* I226-V, 2* 82559, 16 GByte, 500 GByte NVME, ZTE F6005

1100 down / 450 up, Bufferbloat A+
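
The MTU test suggested in the reply above can be scripted; this is an added example, not part of the original thread. It assumes Linux iputils `ping` (`-M do` forbids fragmentation) and a target that answers ICMP echo, which packages.microsoft.com does not; the function names are illustrative.

```shell
#!/bin/sh
# Added example: binary-search the largest packet that crosses the path unfragmented.
# Assumption: Linux iputils ping (-4/-6, -M do, -s payload, -W timeout).

# probe FAMILY HOST PAYLOAD -> exit 0 if one echo reply came back
probe() {
    ping "-$1" -M do -c 1 -W 2 -s "$3" "$2" >/dev/null 2>&1
}

# find_path_mtu FAMILY HOST [LOW_MTU] [HIGH_MTU]
# FAMILY is 4 or 6. Prints the largest working MTU, or 0 if even LOW_MTU fails
# (host filters ICMP, is down, or the path is smaller than LOW_MTU).
find_path_mtu() {
    family=$1 host=$2 lo=${3:-1280} hi=${4:-1500}
    # Echo overhead: IP header (20 for IPv4, 40 for IPv6) + 8-byte ICMP header
    if [ "$family" = 6 ]; then overhead=48; else overhead=28; fi
    if ! probe "$family" "$host" $((lo - overhead)); then
        echo 0
        return 1
    fi
    # Invariant: lo is known to work, everything above hi is known to fail
    while [ "$lo" -lt "$hi" ]; do
        mid=$(( (lo + hi + 1) / 2 ))
        if probe "$family" "$host" $((mid - overhead)); then
            lo=$mid
        else
            hi=$((mid - 1))
        fi
    done
    echo "$lo"
}

# tcp_mss FAMILY MTU -> on-the-wire TCP MSS: MTU minus IP header minus 20-byte TCP header.
# How a firewall's MSS clamp field interprets its input is product-specific.
tcp_mss() {
    if [ "$1" = 6 ]; then echo $(( $2 - 60 )); else echo $(( $2 - 40 )); fi
}

# Runs only when called with arguments, e.g.: sh pmtu.sh 4 HOST
if [ $# -ge 2 ]; then
    mtu=$(find_path_mtu "$@") && echo "path MTU $mtu, TCP MSS $(tcp_mss "$1" "$mtu")"
fi
```

Run it once with `4` and once with `6`, since the thread notes that the two families can end up with different MTUs.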

With 1400, the package updating and the VS Code website work again.
You are right, still no ping. But the problem is solved.

The MTU field was empty, however it stated below: Calculated PPP MTU: 1492, so I thought this is fine for PPPoE.

I have a standard private FTTH connection by the German Telekom.

In between, I found out with curl that the connection to https://code.visualstudio.com/ worked with IPv4, but not with IPv6.

The automatic MTU calculation seems broken currently, also MTU sizes differ between IPv6 and IPv4. However, with IPv6, PMTUD is a mandatory feature, unlike IPv4. Thus, this should always work. If it does not, then likely your IPv6 setup is broken. See this.
Intel N100, 4* I226-V, 2* 82559, 16 GByte, 500 GByte NVME, ZTE F6005

1100 down / 450 up, Bufferbloat A+

Weird... really the only problems with this VS code or packages.microsoft.com sites.
IPv6 working with all other sites. Also the IPv6 test sites showing perfect results.


Quote from: gstyle on March 19, 2026, 03:26:53 PM
With 1400, the package updating and the VS Code website work again.
You are right, still no ping. But the problem is solved.

I am curious what the results would have been if you had used tracert/traceroute instead?

Or first nslookup/dig to find out the correct IP addresses used for the domain and then tracert/traceroute to all of those?


Ping never shows the whole story...
Weird guy who likes everything Linux and *BSD on PC/Laptop/Tablet/Mobile and funny little ARM based boards :)

March 19, 2026, 04:33:24 PM #9 Last Edit: March 19, 2026, 04:48:50 PM by Boxer
I had similar issues with Microsoft and it's the DNSmasq RA MTU that needs to be manually set. If you use radvd instead, the issue goes away. But setting the dnsmasq RA MTU to a workable value also fixes it. As does clamping the WAN MSS value.
Intel i3-8300T - Intel i350_T2 - 8GB RAM


Quote from: Boxer on March 19, 2026, 04:33:24 PM
I had similar issues with Microsoft and it's the DNSmasq RA MTU that needs to be manually set. If you use radvd instead, the issue goes away. But setting the dnsmasq RA MTU to a workable value also fixes it. As does clamping the WAN MSS value.

I set the RA MTU to 1452. Unfortunately this did not have an impact. Still not working.

Try clamping your mss to 1492
Intel i3-8300T - Intel i350_T2 - 8GB RAM

Quote from: Boxer on March 19, 2026, 05:15:11 PM
Try clamping your mss to 1492

Under Firewall - Settings - Normalization?

For the WAN interface?

Interfaces>wan
Intel i3-8300T - Intel i350_T2 - 8GB RAM