Constant delay in TLS handshake after 26.1.6_2 update

Started by odites999, April 24, 2026, 02:01:44 PM

After the update, accessing many websites becomes incredibly slow (when it even works) with numerous "performing TLS handshake" messages. Searching online, I found a solution for Firefox that involves enabling the "network.dns.disableIPv6" parameter. After that, it works fine again in that Firefox instance, but the problem persists for the rest of the network. Is anyone else experiencing something similar?

April 24, 2026, 02:11:06 PM #1 Last Edit: April 24, 2026, 02:14:38 PM by meyergru
The name of the parameter should give you a hint about what is probably wrong with your setup: DNS resolution for IPv6 names or IPv6 reachability.

You should investigate what exactly goes wrong (and then, why).

For example:

1. When you resolve a name like "www.google.com", you will get both an IPv6 and an IPv4 address - that is, if DNS resolution does not fail in the first place, in case your client tries to resolve via IPv6 first. If that fails, which is the IPv6 address of your DNS server? Does it answer?

2. Can you reach the resolved IPv6 via ping? Probably not.

3. Does your client get a routable IPv6?

4. Has it got an IPv6 gateway? Can it be reached?

5. Can you reach your upstream gateway? Or any IPv6, like "2600::", via ping?

You catch my drift. "websites are slow" means "cannot be reached via IPv6, which is the preferred way" in your case. There is about 0% chance that TLS is impacted. OPNsense does not even interfere with that, unless you use a proxy.

When IPv6 did work before, you should be able to fix it. If your ISP does not offer it, turn it off globally.
Intel N100, 4* I226-V, 2* 82559, 16 GByte, 500 GByte NVME, ZTE F6005

1100 down / 450 up, Bufferbloat A+
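
Added example (not part of any post in this thread): a client-side check that goes one step past the ping in items 2 and 5 by resolving a name per address family and timing a TCP connect over each. The host name comes from the post above; port 443, the 5-second timeout, the 1-second "slow" threshold and the verdict wording are assumptions.

```python
import socket
import time


def probe(host, port, family, timeout=5.0):
    """Resolve host for ONE address family and time a TCP connect to it."""
    start = time.monotonic()
    try:
        infos = socket.getaddrinfo(host, port, family, socket.SOCK_STREAM)
    except socket.gaierror as exc:  # no A/AAAA answer for this family
        return {"status": "dns_fail", "addr": None,
                "secs": time.monotonic() - start, "error": str(exc)}
    addr = infos[0][4]
    sock = socket.socket(family, socket.SOCK_STREAM)
    sock.settimeout(timeout)
    try:
        sock.connect(addr)
        status, error = "ok", None
    except OSError as exc:  # timeout, no route, refused
        status, error = "connect_fail", str(exc)
    finally:
        sock.close()
    return {"status": status, "addr": addr[0],
            "secs": time.monotonic() - start, "error": error}


def diagnose(v4, v6, slow=1.0):
    """Turn two probe() results into a verdict (wording is illustrative)."""
    if v6["status"] == "ok" and v6["secs"] < slow:
        return "IPv6 path is healthy; look elsewhere"
    if v4["status"] != "ok":
        return "IPv4 fails too; not an IPv6-only problem"
    if v6["status"] == "dns_fail":
        return "no usable AAAA answer; check the resolver (item 1)"
    if v6["status"] == "connect_fail":
        return "AAAA resolves but TCP over IPv6 fails; check items 2-5"
    return "IPv6 connects but slowly; compare both paths with traceroute"


if __name__ == "__main__":
    host = "www.google.com"  # name used in the post above
    v4 = probe(host, 443, socket.AF_INET)
    v6 = probe(host, 443, socket.AF_INET6)
    for label, r in (("IPv4", v4), ("IPv6", v6)):
        print(f"{label}: {r['status']} {r['addr']} "
              f"{r['secs']:.2f}s {r['error'] or ''}")
    print(diagnose(v4, v6))
```

Run it once on the affected client and once on a client that works, and compare the IPv6 line.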

I'll try everything you suggested. The strange thing is, everything was working perfectly yesterday. Today I updated and it started malfunctioning even though I hadn't changed any settings.

Read the change notes for the update(s) you did. I think there were changes for IPv6. Probably, you need a reboot, depending on what your update path was.

Quote from: meyergru on April 24, 2026, 02:11:06 PM
The name of the parameter should give you a hint about what is probably wrong with your setup: DNS resolution for IPv6 names or IPv6 reachability.

You should investigate what exactly goes wrong (and then, why).

For example:

1. When you resolve a name like "www.google.com", you will get both an IPv6 and an IPv4 address - that is, if DNS resolution does not fail in the first place, in case your client tries to resolve via IPv6 first. If that fails, which is the IPv6 address of your DNS server? Does it answer?

2. Can you reach the resolved IPv6 via ping? Probably not.

3. Does your client get a routable IPv6?

4. Has it got an IPv6 gateway? Can it be reached?

5. Can you reach your upstream gateway? Or any IPv6, like "2600::", via ping?

You catch my drift. "websites are slow" means "cannot be reached via IPv6, which is the preferred way" in your case. There is about 0% chance that TLS is impacted. OPNsense does not even interfere with that, unless you use a proxy.

When IPv6 did work before, you should be able to fix it. If your ISP does not offer it, turn it off globally.


Replies to every point:

1. DNS responses work ok. The DNS server is the upstream router.
2. Ping to the resolved address works well.
3. Yes. It gets a routable IPv6.
4. Yes.
5. Yes
I ran a test on http://test-ipv6.com, which failed, including the fact that it says my provider is "APPLE-ENGINEERING - Apple Inc., US" and that's getting close to witchcraft... ;-) because I don't have any Apple devices at home and my provider is Movistar in Spain.

Quote from: meyergru on April 24, 2026, 02:29:45 PM
Read the change notes for the update(s) you did. I think there were changes for IPv6. Probably, you need a reboot, depending on what your update path was.

I just read the notes and I don't see anything that could directly affect me (probably due to my lack of knowledge).

The provider test is crap, for me, it shows "OPALTELECOM-AS TalkTalk Communications Limited, GB", while I am in Germany.

If you still use the parameter in Firefox, the test should probably fail, because that setting essentially disables IPv6.

There were several changes in 26.1.6 for IPv6. If you only did a 26.1.6 -> 26.1.6_2 upgrade, everything should work.

What do you mean by "the DNS server is the upstream router"? Do you use a router-behind-router setup, do you mean the ISP router or your OPNsense? If so, its IPv4 or IPv6 address? Please be more specific.


Quote from: odites999 on April 24, 2026, 02:40:05 PM
my provider is Movistar in Spain.

Is there a chance that you could get kicked into a CG-NAT segment of their network after rebooting your router?

I can imagine a congested CG-NAT network can cause all sorts of issues...

Could you do a tracert/traceroute to the websites you are having issues with?
Weird guy who likes everything Linux and *BSD on PC/Laptop/Tablet/Mobile and funny little ARM based boards :)

CG-NAT does not handle IPv6, which is the problem at hand if it can be fixed by using IPv4 only or by instructing the browser to disregard IPv6 in the first place.

Movistar in Spain is known to have issues with IPv6, there are lots of reports on this (also from this year, BTW).

Quote from: meyergru on April 24, 2026, 02:48:05 PM
The provider test is crap, for me, it shows "OPALTELECOM-AS TalkTalk Communications Limited, GB", while I am in Germany.

If you still use the parameter in Firefox, the test should probably fail, because that setting essentially disables IPv6.

There were several changes in 26.1.6 for IPv6. If you only did a 26.1.6 -> 26.1.6_2 upgrade, everything should work.

What do you mean by "the DNS server is the upstream router"? Do you use a router-behind-router setup, do you mean the ISP router or your OPNsense? If so, its IPv4 or IPv6 address? Please be more specific.



I mean OPNsense

After letting it rest for a while, I tried again this afternoon, and it wasn't responding to the DNS requests I was sending from my client. I restarted OPNsense and tried again, and this time it responded to requests sent to OPNsense's IPv6 LAN address but not to the IPv4 address. Upon restarting, I noticed that I had enabled the option to use the ISP's DNS servers (it wasn't active before the update). I disabled it and restarted. I switched the initial client (Linux) to Windows, and on Windows, it still displays the "performing tls..." message, but it doesn't freeze; it loads the page in just over a second.

My ISP (Movistar) doesn't have CG-NAT, as far as I know. Regarding IPv6 issues, although it's a beta version, I haven't had any problems for over a year.

I just restored a backup of version 26.1.6 (without _2) and everything is back to normal. Thanks to everyone for your help. If the same thing happens again when I update to a newer version, we'll revisit the issue.

I'm going to add some information. I just noticed that the problem occurs when the laptop is connected via Ethernet cable. When it's connected via Wi-Fi, it works perfectly. In this case, since there are more components involved (Ethernet adapter, cable, access point), I'll have to investigate further.

The last post was not correct. The problem continues. I'll try to disable IPv6 globally to see if that helps.

Quote from: meyergru on April 24, 2026, 06:03:38 PM
CG-NAT does not handle IPv6

I know, but some providers do CG-NAT IPv4 + Regular IPv6 and the results can be very "mixed" sometimes to say the least...

Quote from: odites999 on April 24, 2026, 08:15:46 PM
The last post was not correct. The problem continues. I'll try to disable IPv6 globally to see if that helps.

You can edit previous posts: either Quick Edit or via MORE... and then the full post editing option ;)