29-12-2012 10:20 PM
I've followed several of these threads to try and get my SS working but I've not been able to get anything other than a Flashing power light and a solid amber Signal light. I've registered, de-registered, waited 24hrs between registering and powering the device, etc, etc, but the result is always the same. I have received text messages from Vodafone saying that it should now work, but nothing.
This is not the only device on my home network that provides a PPTP service on port 1723. I've currently disabled all other port forwarding entries and I've added port triggering as follows so there should not be a problem at the moment. Once it is working I will need to distinguish between the Vodafone sourced Port 1723 requests so I can distinguish them from the other service. Can you tell me which source address range it will come from and I can distinguish the two?
I have a static Internet IP address of 92.27.83.75.
Port Triggering Portmap Table
Unit Serial No: 40124247152
Postcode: NP18 1PR
Unit Family Name: Alcatel - Lucent 9361 Home Cell p3.0
Tracing route to cluster4.vap.vodafone.co.uk [212.183.133.177] over a maximum of 30 hops:
1 * * * Request timed out.
2 <1 ms <1 ms <1 ms 10.0.0.2
3 33 ms 31 ms 32 ms host-62-24-255-32.as13285.net [62.24.255.32]
4 39 ms 67 ms 39 ms host-78-151-225-49.static.as13285.net [78.151.225.49]
5 40 ms 40 ms 97 ms host-78-151-225-48.static.as13285.net [78.151.225.48]
6 40 ms 40 ms 39 ms xe-11-3-0-rt002.bir.as13285.net [62.24.240.137]
7 47 ms 47 ms 65 ms xe-10-1-0-rt001.bre.as13285.net [62.24.240.27]
8 57 ms 57 ms 57 ms xe-11-2-0-rt001.the.as13285.net [62.24.240.13]
9 59 ms 58 ms 58 ms host-78-144-1-61.as13285.net [78.144.1.61]
10 58 ms 57 ms 58 ms host-78-144-0-195.as13285.net [78.144.0.195]
11 60 ms 61 ms 62 ms LNDGW2.arcor-ip.net [195.66.224.124]
12 59 ms 59 ms 59 ms 85.205.116.2
13 * * * Request timed out.
14 * * * Request timed out.
15 * * * Request timed out.
16 * * * Request timed out.
17 * * * Request timed out.
18 * * * Request timed out.
19 * * * Request timed out.
20 * * * Request timed out.
21 * * * Request timed out.
22 * * * Request timed out.
23 * * * Request timed out.
24 * * * Request timed out.
25 * * * Request timed out.
26 * * * Request timed out.
Any help much appreciated.
Mark
03-01-2013 08:31 AM
Peter,
I did some network sniffing last night. I've not got a setup to get a full trace at the moment but I can see the VSS making a well formed DHCP request and it follows up with a well formed ARP for the gateway address with the correctly acquired DHCP address. I cannot see the router's response in this set up but I have no reason to believe that the ARP is wrong.
One very strange behaviour is when I ping the VSS at the DHCP allocated address. I can see the ARP from the client and I can see the correct ARP response from the VSS. The Client then sends the ping request to the VSS MAC address but the VSS does not respond. I can only conclude that the VSS configuration is not "standard" and that something at application level is preventing ping responses until it has reached a certain level of connectivity with Vodafone.
I'm going to try and change my set-up so I can see what the VSS does after the ARP to the Gateway. I'm assuming that it's looking for the Vodafone servers at this point. It seems that if it does not get some form of connectivity after 30 seconds then it restarts the whole process beginning from a DHCP request, which is not normal expected behaviour, but it shouldn't be a problem.
On a positive side I connected the VSS to the Linux box and left it overnight. I did not expect it to work as I've not checked the F/W config, BUT it did work and it's now fully operational. When I connect it back directly to the router it does not work again. The only thing I can think is different is that the F/W is doing a second NAT, but I have no idea why that would make any difference.
I agree with you that there is something obvious here but I cannot see it right now. I'll keep looking.
Thanks for your support.
Mark.
03-01-2013 08:58 PM
Peter,
I've just posted the following on a separate thread.
---
I've found the problem, I think !!!!
1. The VSS is getting a correct DHCP response and a correct ARP response, so the address allocation is all good.
2. The VSS then attempts to do a reverse DNS lookup (normally to find its local domain name) and the NetGear does not respond. This is not a problem and after 4 attempts the VSS stops trying this.
3. The VSS then attempts a DNS lookup to initial-ipsecrouter.vap.vodafone.co.uk of query type AAAA and the NetGear does not respond. The problem is that:
-- an AAAA DNS lookup is IPv6, not IPv4 and there is no IPv6 entry for this DNS address, BUT there are valid IPv4 addresses.
-- some DNS servers will respond simply by sending the address back unresolved, but I expect many DNS redirections on our modems do not recognise the DNS server response, such as the NetGear, and just ignore it.
You can re-create the problem on your PC.
- Run a command prompt
- Run nslookup
- Type set type=AAAA
- Type initial-ipsecrouter.vap.vodafone.co.uk
- Do you get a time out or some form of response?
- Type google.co.uk
- You should get a response with an IPv6 address
- Type set type=A
- Type initial-ipsecrouter.vap.vodafone.co.uk
- You should get a response of IPv4 addresses
I have attempted to get the NetGear to provide a different DNS server to the VSS. According to the manual it should do if you manually enter a DNS entry. Unfortunately it keeps giving out its own address so that does not work.
The VSS works on my Linux box because of the following:
- the Linux box is allocating my ISP's DNS server address and so the VSS is bypassing the NetGear and going directly to the ISP DNS server.
- The ISP DNS Server does respond to the AAAA query type.... some of the time. The response to the AAAA request simply says that the authoritative name server is vodafone.co.uk and that their mailbox is dl-dnsadmin.gb.vodafone.co.uk. I'm guessing that the NetGear DNS redirection also receives this and does not know what to do with it as it is also pointing to the same name server.
- The VSS then attempts the AAAA request again and gets the same response.
- The VSS then attempts an A request and surprise surprise it gets the IPv4 addresses.
- Life then moves on and the VSS does a set of reverse DNS lookups on all of the addresses it receives from the DNS lookup. This gives a load of cluster servers at vap.vodafone.co.uk
- The VSS then has a little think for about 7 seconds and then does the type A DNS lookups on all of the DNS entries it has just learnt about.
- Only once the VSS has got this far does it now try to contact the servers, starting with an IPSEC connection to the initial-ipsecrouter.vap.vodafone.co.uk
Dear Vodafone,
Can you please create an IPv6 entry in the DNS so that our DNS servers will respond, or stop our VSSs doing AAAA type DNS lookups as you're not using it anyway.
Cheers,
Mark.
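The nslookup comparison in the post above, as an added example that is not part of the original thread: it sends the same AAAA and A questions over UDP and separates "no reply at all" from "NOERROR with zero answers", which nslookup's output tends to blur. The function names, the constructed sample replies and the 192.0.2.1 documentation address are assumptions for illustration; the hostname and the 10.0.0.2 router address are the ones in the thread.

```python
import socket
import struct

QTYPE = {"A": 1, "AAAA": 28}
NAME = "initial-ipsecrouter.vap.vodafone.co.uk"  # hostname from the post

def build_query(name, qtype, txid=0x6D49):
    """Encode a recursive DNS query (RFC 1035, section 4.1)."""
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD set, 1 question
    qname = b"".join(bytes([len(p)]) + p.encode("ascii")
                     for p in name.rstrip(".").split(".")) + b"\x00"
    return header + qname + struct.pack(">HH", QTYPE[qtype], 1)  # class IN

def classify(reply, txid=0x6D49):
    """Reduce a reply (or None for no reply) to the outcome the client sees."""
    if reply is None:
        return "TIMEOUT"
    if len(reply) < 12:
        return "MALFORMED"
    rid, flags, _qd, ancount, _ns, _ar = struct.unpack(">HHHHHH", reply[:12])
    if rid != txid or not flags & 0x8000:  # wrong ID or QR bit clear
        return "MALFORMED"
    rcode = flags & 0x000F
    if rcode == 3:
        return "NXDOMAIN"
    if rcode != 0:
        return "RCODE%d" % rcode
    return "ANSWER" if ancount else "NODATA"  # NOERROR with zero answers

def probe(server, name, qtype, timeout=5.0):
    """Send one query over UDP/53 and classify what comes back."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_query(name, qtype), (server, 53))
        try:
            reply, _ = sock.recvfrom(4096)
        except socket.timeout:
            reply = None
    return classify(reply)

def verdict(aaaa, a):
    """Interpret the AAAA/A pair the way the post's nslookup steps do."""
    if aaaa == "TIMEOUT" and a == "ANSWER":
        return "resolver drops empty AAAA replies"
    if aaaa in ("NODATA", "ANSWER") and a == "ANSWER":
        return "resolver relays AAAA replies"
    return "inconclusive: AAAA=%s A=%s" % (aaaa, a)

def constructed_reply(query, ancount=0):
    """Constructed sample reply (not captured traffic) for offline runs."""
    txid = struct.unpack(">H", query[:2])[0]
    reply = struct.pack(">HHHHHH", txid, 0x8180, 1, ancount, 0, 0) + query[12:]
    if ancount:  # one A record pointing at a documentation address
        reply += b"\xc0\x0c" + struct.pack(">HHIH", 1, 1, 60, 4) + bytes([192, 0, 2, 1])
    return reply

if __name__ == "__main__":
    q6, q4 = build_query(NAME, "AAAA"), build_query(NAME, "A")
    print(verdict(classify(None), classify(constructed_reply(q4, 1))))
    print(verdict(classify(constructed_reply(q6)), classify(constructed_reply(q4, 1))))
    # Live check against a real resolver (10.0.0.2 is the router in the trace):
    # print(verdict(probe("10.0.0.2", NAME, "AAAA"), probe("10.0.0.2", NAME, "A")))
```

The encoded AAAA query is 56 bytes, which with Ethernet, IPv4 and UDP headers gives the 98-byte frames seen in the non-working trace.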
04-01-2013 11:26 AM
Peter,
Take a look at my last posts with the network traces and you can see how much DNS traffic is taking place before the VSS even attempts to do its connection. In the VSS working trace you'll also notice that my Linux box attempted to ping the VSS at the start of this set-up period but with no response, although it has clearly accepted the IP address.
I've made a quick check against the DNS RFCs which state "The response by the name server either answers the question posed in the query, refers the requester to another set of name servers, or signals some error condition." For some reason the NetGear does not forward the response from the ISP DNS server. It could be that a wide number of routers are doing the same and it could be a combination of the ISP DNS server response and the ADSL modem that causes the condition. I'm still thinking about this bit but unfortunately I cannot easily trace the ADSL link.
The simplest fix is to get the modem to provide the ISP DNS address in the DHCP response, but I don't know how many support this feature, the NetGear claims to but does not. What I also noticed is that some routers, such as my NetGear, support OpenDNS parental control services, I have this disabled but if these are used and they block the Vodafone DNS entries due to very tight restrictions then it will also fail to work.
Cheers,
Mark.
03-01-2013 10:28 PM
Andrew,
I don't know if you've seen my last post on this thread but I would appreciate it if you could take a look. Can you explain why the VSS is doing an AAAA DNS query type for initial-ipsecrouter.vap.vodafone.co.uk yet Vodafone has no IPv6 DNS entry and so my DNS does not respond? I'm not sure what the best general fix is, I expect the VSS has a script that does the AAAA query type before the A query type but because it gets no response to the AAAA it gives up. I believe this is causing my issue as I can see the full network traffic trace between the VSS and router on a working and non-working connection.
I can fix it for my network but many different users may find it difficult to fix or will not have the option to fix it.
Mark.
04-01-2013 10:30 AM
Andrew,
I've extracted the network trace log for the VSS when it's not working. This shows two failed attempts.
No. Time Source Destination Protocol Length Info
172 23.248432000 0.0.0.0 255.255.255.255 DHCP 342 DHCP Request - Transaction ID 0x2cf9c143
Frame 172: 342 bytes on wire (2736 bits), 342 bytes captured (2736 bits) on interface 0
Ethernet II, Src: Mitrasta_09:fd:5f (0c:4c:39:09:fd:5f), Dst: Broadcast (ff:ff:ff:ff:ff:ff)
Internet Protocol Version 4, Src: 0.0.0.0 (0.0.0.0), Dst: 255.255.255.255 (255.255.255.255)
User Datagram Protocol, Src Port: bootpc (68), Dst Port: bootps (67)
Bootstrap Protocol
No. Time Source Destination Protocol Length Info
173 23.252659000 10.0.0.2 10.0.0.30 DHCP 342 DHCP ACK - Transaction ID 0x2cf9c143
Frame 173: 342 bytes on wire (2736 bits), 342 bytes captured (2736 bits) on interface 0
Ethernet II, Src: Netgear_80:3c:5a (4c:60:de:80:3c:5a), Dst: Mitrasta_09:fd:5f (0c:4c:39:09:fd:5f)
Internet Protocol Version 4, Src: 10.0.0.2 (10.0.0.2), Dst: 10.0.0.30 (10.0.0.30)
User Datagram Protocol, Src Port: bootps (67), Dst Port: bootpc (68)
Bootstrap Protocol
No. Time Source Destination Protocol Length Info
178 23.495064000 Mitrasta_09:fd:5f Broadcast ARP 60 Who has 10.0.0.2? Tell 10.0.0.30
Frame 178: 60 bytes on wire (480 bits), 60 bytes captured (480 bits) on interface 0
Ethernet II, Src: Mitrasta_09:fd:5f (0c:4c:39:09:fd:5f), Dst: Broadcast (ff:ff:ff:ff:ff:ff)
Address Resolution Protocol (request)
No. Time Source Destination Protocol Length Info
179 23.495068000 Netgear_80:3c:5a Mitrasta_09:fd:5f ARP 60 10.0.0.2 is at 4c:60:de:80:3c:5a
Frame 179: 60 bytes on wire (480 bits), 60 bytes captured (480 bits) on interface 0
Ethernet II, Src: Netgear_80:3c:5a (4c:60:de:80:3c:5a), Dst: Mitrasta_09:fd:5f (0c:4c:39:09:fd:5f)
Address Resolution Protocol (reply)
No. Time Source Destination Protocol Length Info
180 23.505073000 10.0.0.30 10.0.0.2 DNS 81 Standard query 0x68f3 PTR 2.0.0.10.in-addr.arpa
Frame 180: 81 bytes on wire (648 bits), 81 bytes captured (648 bits) on interface 0
Ethernet II, Src: Mitrasta_09:fd:5f (0c:4c:39:09:fd:5f), Dst: Netgear_80:3c:5a (4c:60:de:80:3c:5a)
Internet Protocol Version 4, Src: 10.0.0.30 (10.0.0.30), Dst: 10.0.0.2 (10.0.0.2)
User Datagram Protocol, Src Port: 11040 (11040), Dst Port: domain (53)
Domain Name System (query)
No. Time Source Destination Protocol Length Info
211 28.495109000 10.0.0.30 10.0.0.2 DNS 81 Standard query 0x68f3 PTR 2.0.0.10.in-addr.arpa
Frame 211: 81 bytes on wire (648 bits), 81 bytes captured (648 bits) on interface 0
Ethernet II, Src: Mitrasta_09:fd:5f (0c:4c:39:09:fd:5f), Dst: Netgear_80:3c:5a (4c:60:de:80:3c:5a)
Internet Protocol Version 4, Src: 10.0.0.30 (10.0.0.30), Dst: 10.0.0.2 (10.0.0.2)
User Datagram Protocol, Src Port: 11040 (11040), Dst Port: domain (53)
Domain Name System (query)
No. Time Source Destination Protocol Length Info
241 33.500373000 10.0.0.30 10.0.0.2 DNS 81 Standard query 0x68f3 PTR 2.0.0.10.in-addr.arpa
Frame 241: 81 bytes on wire (648 bits), 81 bytes captured (648 bits) on interface 0
Ethernet II, Src: Mitrasta_09:fd:5f (0c:4c:39:09:fd:5f), Dst: Netgear_80:3c:5a (4c:60:de:80:3c:5a)
Internet Protocol Version 4, Src: 10.0.0.30 (10.0.0.30), Dst: 10.0.0.2 (10.0.0.2)
User Datagram Protocol, Src Port: 11040 (11040), Dst Port: domain (53)
Domain Name System (query)
No. Time Source Destination Protocol Length Info
277 38.504962000 10.0.0.30 10.0.0.2 DNS 81 Standard query 0x68f3 PTR 2.0.0.10.in-addr.arpa
Frame 277: 81 bytes on wire (648 bits), 81 bytes captured (648 bits) on interface 0
Ethernet II, Src: Mitrasta_09:fd:5f (0c:4c:39:09:fd:5f), Dst: Netgear_80:3c:5a (4c:60:de:80:3c:5a)
Internet Protocol Version 4, Src: 10.0.0.30 (10.0.0.30), Dst: 10.0.0.2 (10.0.0.2)
User Datagram Protocol, Src Port: 11040 (11040), Dst Port: domain (53)
Domain Name System (query)
No. Time Source Destination Protocol Length Info
300 43.511647000 10.0.0.30 10.0.0.2 DNS 98 Standard query 0x6d49 AAAA initial-ipsecrouter.vap.vodafone.co.uk
Frame 300: 98 bytes on wire (784 bits), 98 bytes captured (784 bits) on interface 0
Ethernet II, Src: Mitrasta_09:fd:5f (0c:4c:39:09:fd:5f), Dst: Netgear_80:3c:5a (4c:60:de:80:3c:5a)
Internet Protocol Version 4, Src: 10.0.0.30 (10.0.0.30), Dst: 10.0.0.2 (10.0.0.2)
User Datagram Protocol, Src Port: 10292 (10292), Dst Port: domain (53)
Domain Name System (query)
No. Time Source Destination Protocol Length Info
309 48.514746000 10.0.0.30 10.0.0.2 DNS 98 Standard query 0x6d49 AAAA initial-ipsecrouter.vap.vodafone.co.uk
Frame 309: 98 bytes on wire (784 bits), 98 bytes captured (784 bits) on interface 0
Ethernet II, Src: Mitrasta_09:fd:5f (0c:4c:39:09:fd:5f), Dst: Netgear_80:3c:5a (4c:60:de:80:3c:5a)
Internet Protocol Version 4, Src: 10.0.0.30 (10.0.0.30), Dst: 10.0.0.2 (10.0.0.2)
User Datagram Protocol, Src Port: 10292 (10292), Dst Port: domain (53)
Domain Name System (query)
No. Time Source Destination Protocol Length Info
326 58.249185000 0.0.0.0 255.255.255.255 DHCP 342 DHCP Request - Transaction ID 0x31908d49
Frame 326: 342 bytes on wire (2736 bits), 342 bytes captured (2736 bits) on interface 0
Ethernet II, Src: Mitrasta_09:fd:5f (0c:4c:39:09:fd:5f), Dst: Broadcast (ff:ff:ff:ff:ff:ff)
Internet Protocol Version 4, Src: 0.0.0.0 (0.0.0.0), Dst: 255.255.255.255 (255.255.255.255)
User Datagram Protocol, Src Port: bootpc (68), Dst Port: bootps (67)
Bootstrap Protocol
No. Time Source Destination Protocol Length Info
327 58.252527000 10.0.0.2 10.0.0.30 DHCP 342 DHCP ACK - Transaction ID 0x31908d49
Frame 327: 342 bytes on wire (2736 bits), 342 bytes captured (2736 bits) on interface 0
Ethernet II, Src: Netgear_80:3c:5a (4c:60:de:80:3c:5a), Dst: Mitrasta_09:fd:5f (0c:4c:39:09:fd:5f)
Internet Protocol Version 4, Src: 10.0.0.2 (10.0.0.2), Dst: 10.0.0.30 (10.0.0.30)
User Datagram Protocol, Src Port: bootps (67), Dst Port: bootpc (68)
Bootstrap Protocol
No. Time Source Destination Protocol Length Info
330 58.484555000 Mitrasta_09:fd:5f Broadcast ARP 60 Who has 10.0.0.2? Tell 10.0.0.30
Frame 330: 60 bytes on wire (480 bits), 60 bytes captured (480 bits) on interface 0
Ethernet II, Src: Mitrasta_09:fd:5f (0c:4c:39:09:fd:5f), Dst: Broadcast (ff:ff:ff:ff:ff:ff)
Address Resolution Protocol (request)
No. Time Source Destination Protocol Length Info
331 58.484752000 Netgear_80:3c:5a Mitrasta_09:fd:5f ARP 60 10.0.0.2 is at 4c:60:de:80:3c:5a
Frame 331: 60 bytes on wire (480 bits), 60 bytes captured (480 bits) on interface 0
Ethernet II, Src: Netgear_80:3c:5a (4c:60:de:80:3c:5a), Dst: Mitrasta_09:fd:5f (0c:4c:39:09:fd:5f)
Address Resolution Protocol (reply)
No. Time Source Destination Protocol Length Info
332 58.494641000 10.0.0.30 10.0.0.2 DNS 81 Standard query 0x35cf PTR 2.0.0.10.in-addr.arpa
Frame 332: 81 bytes on wire (648 bits), 81 bytes captured (648 bits) on interface 0
Ethernet II, Src: Mitrasta_09:fd:5f (0c:4c:39:09:fd:5f), Dst: Netgear_80:3c:5a (4c:60:de:80:3c:5a)
Internet Protocol Version 4, Src: 10.0.0.30 (10.0.0.30), Dst: 10.0.0.2 (10.0.0.2)
User Datagram Protocol, Src Port: 12435 (12435), Dst Port: domain (53)
Domain Name System (query)
No. Time Source Destination Protocol Length Info
348 63.484524000 10.0.0.30 10.0.0.2 DNS 81 Standard query 0x35cf PTR 2.0.0.10.in-addr.arpa
Frame 348: 81 bytes on wire (648 bits), 81 bytes captured (648 bits) on interface 0
Ethernet II, Src: Mitrasta_09:fd:5f (0c:4c:39:09:fd:5f), Dst: Netgear_80:3c:5a (4c:60:de:80:3c:5a)
Internet Protocol Version 4, Src: 10.0.0.30 (10.0.0.30), Dst: 10.0.0.2 (10.0.0.2)
User Datagram Protocol, Src Port: 12435 (12435), Dst Port: domain (53)
Domain Name System (query)
No. Time Source Destination Protocol Length Info
357 68.489864000 10.0.0.30 10.0.0.2 DNS 81 Standard query 0x35cf PTR 2.0.0.10.in-addr.arpa
Frame 357: 81 bytes on wire (648 bits), 81 bytes captured (648 bits) on interface 0
Ethernet II, Src: Mitrasta_09:fd:5f (0c:4c:39:09:fd:5f), Dst: Netgear_80:3c:5a (4c:60:de:80:3c:5a)
Internet Protocol Version 4, Src: 10.0.0.30 (10.0.0.30), Dst: 10.0.0.2 (10.0.0.2)
User Datagram Protocol, Src Port: 12435 (12435), Dst Port: domain (53)
Domain Name System (query)
No. Time Source Destination Protocol Length Info
368 73.494353000 10.0.0.30 10.0.0.2 DNS 81 Standard query 0x35cf PTR 2.0.0.10.in-addr.arpa
Frame 368: 81 bytes on wire (648 bits), 81 bytes captured (648 bits) on interface 0
Ethernet II, Src: Mitrasta_09:fd:5f (0c:4c:39:09:fd:5f), Dst: Netgear_80:3c:5a (4c:60:de:80:3c:5a)
Internet Protocol Version 4, Src: 10.0.0.30 (10.0.0.30), Dst: 10.0.0.2 (10.0.0.2)
User Datagram Protocol, Src Port: 12435 (12435), Dst Port: domain (53)
Domain Name System (query)
No. Time Source Destination Protocol Length Info
383 78.501025000 10.0.0.30 10.0.0.2 DNS 98 Standard query 0x255d AAAA initial-ipsecrouter.vap.vodafone.co.uk
Frame 383: 98 bytes on wire (784 bits), 98 bytes captured (784 bits) on interface 0
Ethernet II, Src: Mitrasta_09:fd:5f (0c:4c:39:09:fd:5f), Dst: Netgear_80:3c:5a (4c:60:de:80:3c:5a)
Internet Protocol Version 4, Src: 10.0.0.30 (10.0.0.30), Dst: 10.0.0.2 (10.0.0.2)
User Datagram Protocol, Src Port: 10057 (10057), Dst Port: domain (53)
Domain Name System (query)
No. Time Source Destination Protocol Length Info
389 83.504189000 10.0.0.30 10.0.0.2 DNS 98 Standard query 0x255d AAAA initial-ipsecrouter.vap.vodafone.co.uk
Frame 389: 98 bytes on wire (784 bits), 98 bytes captured (784 bits) on interface 0
Ethernet II, Src: Mitrasta_09:fd:5f (0c:4c:39:09:fd:5f), Dst: Netgear_80:3c:5a (4c:60:de:80:3c:5a)
Internet Protocol Version 4, Src: 10.0.0.30 (10.0.0.30), Dst: 10.0.0.2 (10.0.0.2)
User Datagram Protocol, Src Port: 10057 (10057), Dst Port: domain (53)
Domain Name System (query)
Mark.
04-01-2013 10:36 AM
And here is the network trace with the same VSS working up to the point where it starts to establish the IPSEC connection. Attached as it's too big to paste in.
04-01-2013 10:40 AM
The detailed traces are attached here. Same packet capture sequence as the previous high level ones only fully expanded. I didn't attach the byte sequence but it looks ok and I think you can establish the behaviour from these traces.
04-01-2013 07:04 PM
Now the VSS is working with my Galaxy SIII I attempted to register my wife's iPhone 4s a few days ago. Unfortunately the iPhone will not camp on to the VSS. Is there anything you can do from your side to kick my VSS into picking up the iPhone?
Mark.
05-01-2013 09:12 AM
Hi there Mark_B,
Thanks for your post.
I'm pleased the VSS has now managed to connect to the servers.
I've checked and there are currently two registered users on the access list.
One number ends 585 and the other 029. I can see you tried to add another number ending 983 a couple of days ago which failed. Can you clarify which number is not picking up the VSS and whether 3G is enabled?
Cheers,
LeeH
05-01-2013 11:53 AM
Lee,
585 is working,
029 is the iPhone that I want to work,
983 was a mistake as it turns out not to be a Vodafone device, Mother-in-law problem.
I've checked the 029 iPhone 3G setting and it's always been enabled.
By the way, the VSS is working for me now but the problem is not fixed per se and others seem to be experiencing the same problem. I would like to get a proper fix for this so that I can use my system in the right security configuration.
Cheers,
Mark.