Is there a way to allow responding to an IPv6 packet sent from a link local address to a regular IPv6 address?
We're currently configuring an Azure load balancer to work with a Linux-based backend supporting both IPv4 and IPv6. As part of the setup, the load balancer performs health checks at regular intervals by attempting to establish TCP connections. However, our backend's health checks keep failing due to IPv6 packet transmission issues.
**Context**
* The load balancer doesn't support NAT64, necessitating IPv6 support on both ends.
* Our backend is configured with IPv6, and the web service is actively listening on the required ports.
* Validating connectivity by querying the service from one backend to another confirms proper configuration.
**Problem:**
The issue arises when the Azure load balancer initiates health checks using IPv6 packets sent from a link-local address to a non-link-local address, resulting in failures.
**Request:**
We're seeking guidance on enabling our backend to respond to IPv6 packets sent from link-local addresses to regular IPv6 addresses. Are there any configurations or settings we need to adjust to accommodate this scenario within the Azure load balancer environment?
**Additional Details:**
This situation is nicely explained in the following network capture taken on one of the backend VMs.

| **Source** | **Destination** | **Protocol** | **Length** | **Info** |
|-----------------------|-----------------------|--------------|------------|------------------------------------------------------------------|
| fe80::1234:5678:9abc | 2404:f800:8000:122::4 | TCP | 86 | 58675 → 80 [SYN] Seq=0 Win=64800 Len=0 MSS=1440 WS=256 SACK_PERM |
| 2404:f800:8000:122::4 | fe80::1234:5678:9abc | ICMPv6 | 134 | Destination Unreachable (Beyond scope of source address) |

The Azure load balancer performs its health probe from the link-local address `fe80::1234:5678:9abc`. This packet is sent to the regular IPv6 address assigned to this VM's interface. However, the backend refuses this packet and immediately responds with an error via ICMPv6, stating that the link-local address is beyond the scope of the source address. We cannot change how the Azure load balancer works, so we are wondering if we can apply a workaround on the backend to allow responding to this packet.

Asked by Brecht Vercruyce
(11 rep)
Apr 10, 2024, 08:43 AM
Last activity: Apr 10, 2024, 03:34 PM
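
As an added example (not part of the original question), this Python sketch classifies the scope of each address in the capture above and pairs the cross-scope SYN with the ICMPv6 scope error returned for it. The function names are hypothetical and the rows are retyped from the question's table.

```python
import ipaddress

# Rows retyped from the capture table in the question:
# (source, destination, protocol, info)
CAPTURE = [
    ("fe80::1234:5678:9abc", "2404:f800:8000:122::4", "TCP",
     "58675 → 80 [SYN] Seq=0 Win=64800 Len=0 MSS=1440 WS=256 SACK_PERM"),
    ("2404:f800:8000:122::4", "fe80::1234:5678:9abc", "ICMPv6",
     "Destination Unreachable (Beyond scope of source address)"),
]


def scope(addr):
    """Coarse unicast scope label for an IPv6 address (hypothetical helper)."""
    ip = ipaddress.IPv6Address(addr)
    if ip.is_loopback:
        return "loopback"
    if ip.is_link_local:          # fe80::/10
        return "link-local"
    return "global"               # everything else is treated as global scope


def find_rejected_probes(rows):
    """Return cross-scope packets and whether a scope error was sent back for them."""
    findings = []
    for i, (src, dst, proto, _info) in enumerate(rows):
        if proto == "ICMPv6" or scope(src) == scope(dst):
            continue
        # Look for a later ICMPv6 error travelling in the reverse direction.
        rejected = any(
            p == "ICMPv6" and s == dst and d == src and "Beyond scope" in inf
            for s, d, p, inf in rows[i + 1:]
        )
        findings.append({
            "src": src, "src_scope": scope(src),
            "dst": dst, "dst_scope": scope(dst),
            "rejected": rejected,
        })
    return findings


if __name__ == "__main__":
    for f in find_rejected_probes(CAPTURE):
        state = "rejected with ICMPv6 scope error" if f["rejected"] else "no error seen"
        print(f'{f["src"]} ({f["src_scope"]}) -> {f["dst"]} ({f["dst_scope"]}): {state}')
```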