Unable to Access Microsoft Services Behind Hurricane Electric (HE) IPv6 Tunnel

If you are using a Hurricane Electric IPv6 tunnel and have recently been having issues accessing Microsoft web services, the cause may be that Microsoft and their CDN provider Akamai are now strictly enforcing Maximum Transmission Unit (MTU) and Maximum Segment Size (MSS) TCP/IP header size limits. The problem with tunneled IPv4 to IPv6 is that IPv4-to-IPv6 packet encapsulation can produce faulty TCP header sizes if MTU and MSS are not configured correctly.

Below is a screenshot of a Wireshark capture of the faulty IPv6 TCP packets, in which you can see both TCP Dup ACK and TCP retransmission errors.

Impacted services include www.microsoft.com, support.microsoft.com, and the Windows Package Manager (WinGet).

To resolve this, simply set a Maximum Transmission Unit (MTU) limit of 1480 bytes and a Maximum Segment Size (MSS) of MTU – 60 (for IPv6), or 1420 bytes.

In OPNsense this can be set under Interfaces -> HE IPv6 Tunnelbroker Interface (TUNNELBROKER).
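To confirm the setting took effect, you can check the MSS option in TCP SYNs captured on the tunnel interface against the MTU – 60 limit (40-byte IPv6 header plus 20-byte TCP header). The Python below is an added example, not part of the original post; the function names are hypothetical, the sample packets are constructed, and it assumes raw IPv6 packets with no extension headers.

```python
import struct

IPV6_HDR = 40   # fixed IPv6 header, bytes
TCP_HDR = 20    # TCP header without options, bytes

def max_mss(tunnel_mtu: int) -> int:
    """Largest MSS that fits the tunnel: MTU - 60 for IPv6."""
    return tunnel_mtu - IPV6_HDR - TCP_HDR

def mss_from_ipv6_syn(pkt: bytes):
    """Return the MSS option advertised in a raw IPv6 TCP SYN, or None."""
    if len(pkt) < IPV6_HDR + TCP_HDR or pkt[0] >> 4 != 6:
        return None                      # too short, or not IPv6
    if pkt[6] != 6:                      # Next Header must be TCP (assumption: no extension headers)
        return None
    tcp = pkt[IPV6_HDR:]
    data_off = (tcp[12] >> 4) * 4        # TCP header length including options
    if not tcp[13] & 0x02 or data_off < TCP_HDR or data_off > len(tcp):
        return None                      # not a SYN, or malformed header
    opts, i = tcp[TCP_HDR:data_off], 0
    while i < len(opts):
        kind = opts[i]
        if kind == 0:                    # End of Option List
            break
        if kind == 1:                    # NOP padding, single byte
            i += 1
            continue
        if i + 1 >= len(opts) or opts[i + 1] < 2 or i + opts[i + 1] > len(opts):
            return None                  # truncated or malformed option
        if kind == 2 and opts[i + 1] == 4:
            return struct.unpack("!H", opts[i + 2:i + 4])[0]
        i += opts[i + 1]                 # skip any other option by its length
    return None

def syn_fits_tunnel(pkt: bytes, tunnel_mtu: int = 1480) -> bool:
    """True if the SYN advertises an MSS no larger than tunnel MTU - 60."""
    mss = mss_from_ipv6_syn(pkt)
    return mss is not None and mss <= max_mss(tunnel_mtu)

def build_syn(mss: int) -> bytes:
    """Constructed sample: IPv6 + TCP SYN with NOP/MSS options (checksum left 0)."""
    opts = b"\x01\x01" + struct.pack("!BBH", 2, 4, mss) + b"\x01\x01"
    tcp = struct.pack("!HHIIBBHHH", 49152, 443, 0, 0, 7 << 4, 0x02, 65535, 0, 0) + opts
    ip6 = struct.pack("!IHBB", 6 << 28, len(tcp), 6, 64) + bytes(15) + b"\x01" + bytes(15) + b"\x02"
    return ip6 + tcp
```

A SYN still advertising 1440 (the value derived from a 1500-byte MTU) fails the check for a 1480-byte tunnel, while one advertising 1420 passes.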

Here is a Reddit thread on r/ipv6 discussing this issue as it relates to an OpenBSD router: https://www.reddit.com/r/ipv6/comments/1m8os3g/issues_with_ipv6_microsoftcom_https_connections/
