I (often) can't access Fastly servers using HTTPS+IPv6: RST packets received

Follow
Ludovic_Rousseau

Hello,

If I try to access a server hosted by Fastly I often (~90% of times) get a TLS error in HTTPS.

For example:

$ curl https://www.fastly.com/
curl: (35) LibreSSL SSL_connect: SSL_ERROR_SYSCALL in connection to www.fastly.com:443

I have no problem if I use IPv4 with: curl -4 https://www.fastly.com/

I used tcpdump to record the network traffic and I get this:

$  tshark -r toto_fastly.pcap -Y "tcp.stream eq 12" 
  189   6.435998 2001:41d0:fe20:2200:8b8:6974:568e:b1f2 → prod.www-fastly-com.map.fastly.net TCP 98 54240 → https(443) [SYN] Seq=0 Win=65535 Len=0 MSS=1396 WS=32 TSval=872032341 TSecr=0 SACK_PERM=1
  190   6.457297 prod.www-fastly-com.map.fastly.net → 2001:41d0:fe20:2200:8b8:6974:568e:b1f2 TCP 94 https(443) → 54240 [SYN, ACK] Seq=0 Ack=1 Win=26960 Len=0 MSS=1360 SACK_PERM=1 TSval=423237058 TSecr=872032341 WS=512
  191   6.457351 2001:41d0:fe20:2200:8b8:6974:568e:b1f2 → prod.www-fastly-com.map.fastly.net TCP 86 54240 → https(443) [ACK] Seq=1 Ack=1 Win=132096 Len=0 TSval=872032362 TSecr=423237058
  192   6.463614 2001:41d0:fe20:2200:8b8:6974:568e:b1f2 → prod.www-fastly-com.map.fastly.net TLSv1 603 Client Hello
  193   6.484824 prod.www-fastly-com.map.fastly.net → 2001:41d0:fe20:2200:8b8:6974:568e:b1f2 TCP 86 https(443) → 54240 [ACK] Seq=1 Ack=518 Win=28160 Len=0 TSval=423237065 TSecr=872032368
  194   6.487510 prod.www-fastly-com.map.fastly.net → 2001:41d0:fe20:2200:8b8:6974:568e:b1f2 TLSv1.2 1430 Server Hello
  195   6.488257 prod.www-fastly-com.map.fastly.net → 2001:41d0:fe20:2200:8b8:6974:568e:b1f2 TCP 1430 https(443) → 54240 [ACK] Seq=1345 Ack=518 Win=28160 Len=1344 TSval=423237065 TSecr=872032368 [TCP segment of a reassembled PDU]
  196   6.488312 2001:41d0:fe20:2200:8b8:6974:568e:b1f2 → prod.www-fastly-com.map.fastly.net TCP 86 54240 → https(443) [ACK] Seq=518 Ack=2689 Win=129728 Len=0 TSval=872032391 TSecr=423237065
  197   6.488662 prod.www-fastly-com.map.fastly.net → 2001:41d0:fe20:2200:8b8:6974:568e:b1f2 TLSv1.2 618 Certificate, Server Key Exchange, Server Hello Done
  198   6.488693 2001:41d0:fe20:2200:8b8:6974:568e:b1f2 → prod.www-fastly-com.map.fastly.net TCP 86 54240 → https(443) [ACK] Seq=518 Ack=3221 Win=130528 Len=0 TSval=872032392 TSecr=423237065
  199   6.498750 2001:41d0:fe20:2200:8b8:6974:568e:b1f2 → prod.www-fastly-com.map.fastly.net TLSv1.2 212 Client Key Exchange, Change Cipher Spec, Encrypted Handshake Message
  200   6.509654 prod.www-fastly-com.map.fastly.net → 2001:41d0:fe20:2200:8b8:6974:568e:b1f2 TCP 74 https(443) → 54240 [RST] Seq=2689 Win=0 Len=0
  201   6.509657 prod.www-fastly-com.map.fastly.net → 2001:41d0:fe20:2200:8b8:6974:568e:b1f2 TCP 74 https(443) → 54240 [RST] Seq=3221 Win=0 Len=0
  202   6.519171 prod.www-fastly-com.map.fastly.net → 2001:41d0:fe20:2200:8b8:6974:568e:b1f2 TCP 74 https(443) → 54240 [RST] Seq=3221 Win=0 Len=0
  203   6.548147 prod.www-fastly-com.map.fastly.net → 2001:41d0:fe20:2200:8b8:6974:568e:b1f2 TCP 618 [TCP Spurious Retransmission] https(443) → 54240 [PSH, ACK] Seq=2689 Ack=518 Win=28160 Len=532 TSval=423237081 TSecr=872032368[Reassembly error, protocol TCP: New fragment overlaps old data (retransmission?)]
  204   6.548180 2001:41d0:fe20:2200:8b8:6974:568e:b1f2 → prod.www-fastly-com.map.fastly.net TCP 74 54240 → https(443) [RST] Seq=518 Win=0 Len=0
  213   6.785131 prod.www-fastly-com.map.fastly.net → 2001:41d0:fe20:2200:8b8:6974:568e:b1f2 TCP 1430 [TCP Retransmission] https(443) → 54240 [ACK] Seq=1 Ack=518 Win=28160 Len=1344 TSval=423237140 TSecr=872032368
  214   6.785159 2001:41d0:fe20:2200:8b8:6974:568e:b1f2 → prod.www-fastly-com.map.fastly.net TCP 74 54240 → https(443) [RST] Seq=518 Win=0 Len=0
  292   7.252294 prod.www-fastly-com.map.fastly.net → 2001:41d0:fe20:2200:8b8:6974:568e:b1f2 TCP 1430 [TCP Retransmission] https(443) → 54240 [ACK] Seq=1 Ack=518 Win=28160 Len=1344 TSval=423237257 TSecr=872032368
  293   7.252335 2001:41d0:fe20:2200:8b8:6974:568e:b1f2 → prod.www-fastly-com.map.fastly.net TCP 74 54240 → https(443) [RST] Seq=518 Win=0 Len=0
  300   8.179594 prod.www-fastly-com.map.fastly.net → 2001:41d0:fe20:2200:8b8:6974:568e:b1f2 TCP 1430 [TCP Retransmission] https(443) → 54240 [ACK] Seq=1 Ack=518 Win=28160 Len=1344 TSval=423237489 TSecr=872032368
  301   8.179634 2001:41d0:fe20:2200:8b8:6974:568e:b1f2 → prod.www-fastly-com.map.fastly.net TCP 74 54240 → https(443) [RST] Seq=518 Win=0 Len=0

Everything looks fine during the TLS negotiation.
And then, the packets 200, 201 and 202 are RST packets sent by the Fastly server. But why?

  • I have the same problem using macOS, GNU/LInux or Windows 10.
  • I have the problem from computers behind my VDSL/ADSL modem router.
  • I do NOT have the problem if I use a GNU/Linux computer hosted in a data centre.

The problem may to be related to my Technicolor TG788vn VDSL/ADSL modem router.
But since the RST packets are sent by Fastly servers, with no valid reason I could find, then the problem may be on Fastly side.

If I try again and again I can get a working communication.
It then looks like:

$  tshark -r toto_fastly.pcap -Y "tcp.stream eq 13" 
  215   6.979375 2001:41d0:fe20:2200:8b8:6974:568e:b1f2 → prod.www-fastly-com.map.fastly.net TCP 98 54241 → https(443) [SYN] Seq=0 Win=65535 Len=0 MSS=1396 WS=32 TSval=872032876 TSecr=0 SACK_PERM=1
  216   6.998676 prod.www-fastly-com.map.fastly.net → 2001:41d0:fe20:2200:8b8:6974:568e:b1f2 TCP 94 https(443) → 54241 [SYN, ACK] Seq=0 Ack=1 Win=26960 Len=0 MSS=1360 SACK_PERM=1 TSval=423944015 TSecr=872032876 WS=512
  217   6.998732 2001:41d0:fe20:2200:8b8:6974:568e:b1f2 → prod.www-fastly-com.map.fastly.net TCP 86 54241 → https(443) [ACK] Seq=1 Ack=1 Win=132096 Len=0 TSval=872032895 TSecr=423944015
  218   7.005124 2001:41d0:fe20:2200:8b8:6974:568e:b1f2 → prod.www-fastly-com.map.fastly.net TLSv1 603 Client Hello
  219   7.024083 prod.www-fastly-com.map.fastly.net → 2001:41d0:fe20:2200:8b8:6974:568e:b1f2 TCP 86 https(443) → 54241 [ACK] Seq=1 Ack=518 Win=28160 Len=0 TSval=423944021 TSecr=872032901
  220   7.026296 prod.www-fastly-com.map.fastly.net → 2001:41d0:fe20:2200:8b8:6974:568e:b1f2 TLSv1.2 1430 Server Hello
  221   7.026813 prod.www-fastly-com.map.fastly.net → 2001:41d0:fe20:2200:8b8:6974:568e:b1f2 TCP 1430 https(443) → 54241 [ACK] Seq=1345 Ack=518 Win=28160 Len=1344 TSval=423944022 TSecr=872032901 [TCP segment of a reassembled PDU]
  222   7.026845 2001:41d0:fe20:2200:8b8:6974:568e:b1f2 → prod.www-fastly-com.map.fastly.net TCP 86 54241 → https(443) [ACK] Seq=518 Ack=2689 Win=129728 Len=0 TSval=872032920 TSecr=423944022
  223   7.027137 prod.www-fastly-com.map.fastly.net → 2001:41d0:fe20:2200:8b8:6974:568e:b1f2 TLSv1.2 618 Certificate, Server Key Exchange, Server Hello Done
  224   7.027172 2001:41d0:fe20:2200:8b8:6974:568e:b1f2 → prod.www-fastly-com.map.fastly.net TCP 86 54241 → https(443) [ACK] Seq=518 Ack=3221 Win=130528 Len=0 TSval=872032920 TSecr=423944022
  225   7.036548 2001:41d0:fe20:2200:8b8:6974:568e:b1f2 → prod.www-fastly-com.map.fastly.net TLSv1.2 212 Client Key Exchange, Change Cipher Spec, Encrypted Handshake Message
  226   7.055443 prod.www-fastly-com.map.fastly.net → 2001:41d0:fe20:2200:8b8:6974:568e:b1f2 TLSv1.2 137 Change Cipher Spec, Encrypted Handshake Message
  227   7.055502 2001:41d0:fe20:2200:8b8:6974:568e:b1f2 → prod.www-fastly-com.map.fastly.net TCP 86 54241 → https(443) [ACK] Seq=644 Ack=3272 Win=131008 Len=0 TSval=872032948 TSecr=423944029
  228   7.055941 2001:41d0:fe20:2200:8b8:6974:568e:b1f2 → prod.www-fastly-com.map.fastly.net TLSv1.2 139 Application Data
  229   7.055976 2001:41d0:fe20:2200:8b8:6974:568e:b1f2 → prod.www-fastly-com.map.fastly.net TLSv1.2 142 Application Data
  230   7.056000 2001:41d0:fe20:2200:8b8:6974:568e:b1f2 → prod.www-fastly-com.map.fastly.net TLSv1.2 128 Application Data
  231   7.056054 2001:41d0:fe20:2200:8b8:6974:568e:b1f2 → prod.www-fastly-com.map.fastly.net TLSv1.2 155 Application Data
  232   7.074116 prod.www-fastly-com.map.fastly.net → 2001:41d0:fe20:2200:8b8:6974:568e:b1f2 TCP 86 https(443) → 54241 [ACK] Seq=3272 Ack=795 Win=28160 Len=0 TSval=423944034 TSecr=872032948
  233   7.074118 prod.www-fastly-com.map.fastly.net → 2001:41d0:fe20:2200:8b8:6974:568e:b1f2 TLSv1.2 152 Application Data
  234   7.074141 2001:41d0:fe20:2200:8b8:6974:568e:b1f2 → prod.www-fastly-com.map.fastly.net TCP 86 54241 → https(443) [ACK] Seq=864 Ack=3338 Win=130976 Len=0 TSval=872032966 TSecr=423944034
  235   7.074191 2001:41d0:fe20:2200:8b8:6974:568e:b1f2 → prod.www-fastly-com.map.fastly.net TLSv1.2 124 Application Data
  236   7.076457 prod.www-fastly-com.map.fastly.net → 2001:41d0:fe20:2200:8b8:6974:568e:b1f2 TCP 1430 [TCP segment of a reassembled PDU]
  237   7.076970 prod.www-fastly-com.map.fastly.net → 2001:41d0:fe20:2200:8b8:6974:568e:b1f2 TCP 1430 https(443) → 54241 [ACK] Seq=4682 Ack=864 Win=28160 Len=1344 TSval=423944034 TSecr=872032948 [TCP segment of a reassembled PDU]
  238   7.076971 prod.www-fastly-com.map.fastly.net → 2001:41d0:fe20:2200:8b8:6974:568e:b1f2 TLSv1.2 186 Application Data
  239   7.076979 2001:41d0:fe20:2200:8b8:6974:568e:b1f2 → prod.www-fastly-com.map.fastly.net TCP 86 54241 → https(443) [ACK] Seq=902 Ack=6026 Win=129728 Len=0 TSval=872032968 TSecr=423944034
  240   7.076985 2001:41d0:fe20:2200:8b8:6974:568e:b1f2 → prod.www-fastly-com.map.fastly.net TCP 86 54241 → https(443) [ACK] Seq=902 Ack=6126 Win=129600 Len=0 TSval=872032968 TSecr=423944034
  241   7.077698 prod.www-fastly-com.map.fastly.net → 2001:41d0:fe20:2200:8b8:6974:568e:b1f2 TCP 1430 [TCP segment of a reassembled PDU]
  242   7.077723 2001:41d0:fe20:2200:8b8:6974:568e:b1f2 → prod.www-fastly-com.map.fastly.net TCP 86 54241 → https(443) [ACK] Seq=902 Ack=7470 Win=131072 Len=0 TSval=872032969 TSecr=423944034
  243   7.078214 prod.www-fastly-com.map.fastly.net → 2001:41d0:fe20:2200:8b8:6974:568e:b1f2 TCP 1430 https(443) → 54241 [ACK] Seq=7470 Ack=864 Win=28160 Len=1344 TSval=423944034 TSecr=872032948 [TCP segment of a reassembled PDU]
  244   7.078214 prod.www-fastly-com.map.fastly.net → 2001:41d0:fe20:2200:8b8:6974:568e:b1f2 TLSv1.2 186 Application Data
  245   7.078224 2001:41d0:fe20:2200:8b8:6974:568e:b1f2 → prod.www-fastly-com.map.fastly.net TCP 86 54241 → https(443) [ACK] Seq=902 Ack=8914 Win=129600 Len=0 TSval=872032969 TSecr=423944034
  246   7.078760 prod.www-fastly-com.map.fastly.net → 2001:41d0:fe20:2200:8b8:6974:568e:b1f2 TCP 1430 [TCP segment of a reassembled PDU]
  247   7.078785 2001:41d0:fe20:2200:8b8:6974:568e:b1f2 → prod.www-fastly-com.map.fastly.net TCP 86 54241 → https(443) [ACK] Seq=902 Ack=10258 Win=131072 Len=0 TSval=872032970 TSecr=423944034
  248   7.078850 prod.www-fastly-com.map.fastly.net → 2001:41d0:fe20:2200:8b8:6974:568e:b1f2 TCP 1430 https(443) → 54241 [ACK] Seq=10258 Ack=864 Win=28160 Len=1344 TSval=423944034 TSecr=872032948 [TCP segment of a reassembled PDU]
  249   7.078851 prod.www-fastly-com.map.fastly.net → 2001:41d0:fe20:2200:8b8:6974:568e:b1f2 TLSv1.2 186 Application Data
  250   7.078861 2001:41d0:fe20:2200:8b8:6974:568e:b1f2 → prod.www-fastly-com.map.fastly.net TCP 86 54241 → https(443) [ACK] Seq=902 Ack=11702 Win=129600 Len=0 TSval=872032970 TSecr=423944034
  251   7.093296 prod.www-fastly-com.map.fastly.net → 2001:41d0:fe20:2200:8b8:6974:568e:b1f2 TCP 1430 [TCP segment of a reassembled PDU]
  252   7.093414 2001:41d0:fe20:2200:8b8:6974:568e:b1f2 → prod.www-fastly-com.map.fastly.net TCP 86 54241 → https(443) [ACK] Seq=902 Ack=13046 Win=131072 Len=0 TSval=872032984 TSecr=423944039
  253   7.094006 prod.www-fastly-com.map.fastly.net → 2001:41d0:fe20:2200:8b8:6974:568e:b1f2 TCP 1430 https(443) → 54241 [ACK] Seq=13046 Ack=864 Win=28160 Len=1344 TSval=423944039 TSecr=872032966 [TCP segment of a reassembled PDU]
  254   7.095005 prod.www-fastly-com.map.fastly.net → 2001:41d0:fe20:2200:8b8:6974:568e:b1f2 TLSv1.2 1430 Application Data [TCP segment of a reassembled PDU]
  255   7.095042 2001:41d0:fe20:2200:8b8:6974:568e:b1f2 → prod.www-fastly-com.map.fastly.net TCP 86 54241 → https(443) [ACK] Seq=902 Ack=15734 Win=129728 Len=0 TSval=872032985 TSecr=423944039
  256   7.095729 prod.www-fastly-com.map.fastly.net → 2001:41d0:fe20:2200:8b8:6974:568e:b1f2 TCP 1430 https(443) → 54241 [ACK] Seq=15734 Ack=902 Win=28160 Len=1344 TSval=423944039 TSecr=872032966 [TCP segment of a reassembled PDU]
  257   7.096277 prod.www-fastly-com.map.fastly.net → 2001:41d0:fe20:2200:8b8:6974:568e:b1f2 TLSv1.2 1430 Application Data [TCP segment of a reassembled PDU]
  258   7.096309 2001:41d0:fe20:2200:8b8:6974:568e:b1f2 → prod.www-fastly-com.map.fastly.net TCP 86 54241 → https(443) [ACK] Seq=902 Ack=18422 Win=129728 Len=0 TSval=872032986 TSecr=423944039
  259   7.096751 prod.www-fastly-com.map.fastly.net → 2001:41d0:fe20:2200:8b8:6974:568e:b1f2 TCP 1430 https(443) → 54241 [ACK] Seq=18422 Ack=902 Win=28160 Len=1344 TSval=423944039 TSecr=872032966 [TCP segment of a reassembled PDU]
  260   7.097225 prod.www-fastly-com.map.fastly.net → 2001:41d0:fe20:2200:8b8:6974:568e:b1f2 TLSv1.2 1430 Application Data [TCP segment of a reassembled PDU]
  261   7.097257 2001:41d0:fe20:2200:8b8:6974:568e:b1f2 → prod.www-fastly-com.map.fastly.net TCP 86 54241 → https(443) [ACK] Seq=902 Ack=21110 Win=129728 Len=0 TSval=872032986 TSecr=423944039
  262   7.097965 prod.www-fastly-com.map.fastly.net → 2001:41d0:fe20:2200:8b8:6974:568e:b1f2 TCP 1430 https(443) → 54241 [ACK] Seq=21110 Ack=902 Win=28160 Len=1344 TSval=423944039 TSecr=872032968 [TCP segment of a reassembled PDU]
  263   7.098528 prod.www-fastly-com.map.fastly.net → 2001:41d0:fe20:2200:8b8:6974:568e:b1f2 TLSv1.2 1430 Application Data [TCP segment of a reassembled PDU]
  264   7.098570 2001:41d0:fe20:2200:8b8:6974:568e:b1f2 → prod.www-fastly-com.map.fastly.net TCP 86 54241 → https(443) [ACK] Seq=902 Ack=23798 Win=129728 Len=0 TSval=872032988 TSecr=423944039
  265   7.098609 prod.www-fastly-com.map.fastly.net → 2001:41d0:fe20:2200:8b8:6974:568e:b1f2 TCP 1430 https(443) → 54241 [ACK] Seq=23798 Ack=902 Win=28160 Len=1344 TSval=423944039 TSecr=872032969 [TCP segment of a reassembled PDU]
  266   7.098993 prod.www-fastly-com.map.fastly.net → 2001:41d0:fe20:2200:8b8:6974:568e:b1f2 TLSv1.2 1430 Application Data [TCP segment of a reassembled PDU]
  267   7.099020 2001:41d0:fe20:2200:8b8:6974:568e:b1f2 → prod.www-fastly-com.map.fastly.net TCP 86 54241 → https(443) [ACK] Seq=902 Ack=26486 Win=127264 Len=0 TSval=872032988 TSecr=423944039
  268   7.099031 2001:41d0:fe20:2200:8b8:6974:568e:b1f2 → prod.www-fastly-com.map.fastly.net TCP 86 [TCP Window Update] 54241 → https(443) [ACK] Seq=902 Ack=26486 Win=130048 Len=0 TSval=872032988 TSecr=423944039
  269   7.099707 prod.www-fastly-com.map.fastly.net → 2001:41d0:fe20:2200:8b8:6974:568e:b1f2 TCP 1430 https(443) → 54241 [ACK] Seq=26486 Ack=902 Win=28160 Len=1344 TSval=423944040 TSecr=872032969 [TCP segment of a reassembled PDU]
  270   7.100223 prod.www-fastly-com.map.fastly.net → 2001:41d0:fe20:2200:8b8:6974:568e:b1f2 TLSv1.2 1430 Application Data [TCP segment of a reassembled PDU]
  271   7.100255 2001:41d0:fe20:2200:8b8:6974:568e:b1f2 → prod.www-fastly-com.map.fastly.net TCP 86 54241 → https(443) [ACK] Seq=902 Ack=29174 Win=129728 Len=0 TSval=872032989 TSecr=423944040
  272   7.100748 prod.www-fastly-com.map.fastly.net → 2001:41d0:fe20:2200:8b8:6974:568e:b1f2 TCP 1430 https(443) → 54241 [ACK] Seq=29174 Ack=902 Win=28160 Len=1344 TSval=423944040 TSecr=872032969 [TCP segment of a reassembled PDU]
  273   7.100866 prod.www-fastly-com.map.fastly.net → 2001:41d0:fe20:2200:8b8:6974:568e:b1f2 TLSv1.2 1430 Application Data [TCP segment of a reassembled PDU]
  274   7.100900 2001:41d0:fe20:2200:8b8:6974:568e:b1f2 → prod.www-fastly-com.map.fastly.net TCP 86 54241 → https(443) [ACK] Seq=902 Ack=31862 Win=129728 Len=0 TSval=872032990 TSecr=423944040
  275   7.101267 prod.www-fastly-com.map.fastly.net → 2001:41d0:fe20:2200:8b8:6974:568e:b1f2 TCP 1430 https(443) → 54241 [ACK] Seq=31862 Ack=902 Win=28160 Len=1344 TSval=423944040 TSecr=872032970 [TCP segment of a reassembled PDU]
  276   7.101984 prod.www-fastly-com.map.fastly.net → 2001:41d0:fe20:2200:8b8:6974:568e:b1f2 TLSv1.2 1430 Application Data [TCP segment of a reassembled PDU]
  277   7.101994 2001:41d0:fe20:2200:8b8:6974:568e:b1f2 → prod.www-fastly-com.map.fastly.net TCP 86 54241 → https(443) [ACK] Seq=902 Ack=34550 Win=129728 Len=0 TSval=872032991 TSecr=423944040
  278   7.102056 prod.www-fastly-com.map.fastly.net → 2001:41d0:fe20:2200:8b8:6974:568e:b1f2 TLSv1.2 1265 Application Data
  279   7.102065 2001:41d0:fe20:2200:8b8:6974:568e:b1f2 → prod.www-fastly-com.map.fastly.net TCP 86 54241 → https(443) [ACK] Seq=902 Ack=35729 Win=129152 Len=0 TSval=872032991 TSecr=423944040
  280   7.102389 2001:41d0:fe20:2200:8b8:6974:568e:b1f2 → prod.www-fastly-com.map.fastly.net TLSv1.2 117 Encrypted Alert
  281   7.102809 2001:41d0:fe20:2200:8b8:6974:568e:b1f2 → prod.www-fastly-com.map.fastly.net TCP 86 54241 → https(443) [FIN, ACK] Seq=933 Ack=35729 Win=131072 Len=0 TSval=872032991 TSecr=423944040
  282   7.121598 prod.www-fastly-com.map.fastly.net → 2001:41d0:fe20:2200:8b8:6974:568e:b1f2 TLSv1.2 117 Encrypted Alert
  283   7.121601 prod.www-fastly-com.map.fastly.net → 2001:41d0:fe20:2200:8b8:6974:568e:b1f2 TCP 86 https(443) → 54241 [FIN, ACK] Seq=35760 Ack=933 Win=28160 Len=0 TSval=423944046 TSecr=872032991
  284   7.121664 2001:41d0:fe20:2200:8b8:6974:568e:b1f2 → prod.www-fastly-com.map.fastly.net TCP 74 54241 → https(443) [RST] Seq=933 Win=0 Len=0
  285   7.121682 2001:41d0:fe20:2200:8b8:6974:568e:b1f2 → prod.www-fastly-com.map.fastly.net TCP 74 54241 → https(443) [RST] Seq=933 Win=0 Len=0
  286   7.122038 prod.www-fastly-com.map.fastly.net → 2001:41d0:fe20:2200:8b8:6974:568e:b1f2 TCP 86 https(443) → 54241 [ACK] Seq=35761 Ack=934 Win=28160 Len=0 TSval=423944046 TSecr=872032991
  287   7.122061 2001:41d0:fe20:2200:8b8:6974:568e:b1f2 → prod.www-fastly-com.map.fastly.net TCP 74 54241 → https(443) [RST] Seq=934 Win=0 Len=0
  290   7.176981 prod.www-fastly-com.map.fastly.net → 2001:41d0:fe20:2200:8b8:6974:568e:b1f2 TCP 86 [TCP Retransmission] https(443) → 54241 [FIN, ACK] Seq=35760 Ack=934 Win=28160 Len=0 TSval=423944060 TSecr=872032991
  291   7.177013 2001:41d0:fe20:2200:8b8:6974:568e:b1f2 → prod.www-fastly-com.map.fastly.net TCP 74 54241 → https(443) [RST] Seq=934 Win=0 Len=0
  294   7.404805 prod.www-fastly-com.map.fastly.net → 2001:41d0:fe20:2200:8b8:6974:568e:b1f2 TCP 117 [TCP Retransmission] https(443) → 54241 [FIN, PSH, ACK] Seq=35729 Ack=934 Win=28160 Len=31 TSval=423944117 TSecr=872032991
  295   7.404844 2001:41d0:fe20:2200:8b8:6974:568e:b1f2 → prod.www-fastly-com.map.fastly.net TCP 74 54241 → https(443) [RST] Seq=934 Win=0 Len=0

The difference is that the packet 226 from Fastly server is “TLSv1.2 137 Change Cipher Spec, Encrypted Handshake Message” instead of the RST packets in the previous case.

I discovered the problem because I was not able to access https ://www.python.org/ nor https ://pypi.python.org/
But, as you see, the problem is not limited to the python.org but to any/most sites hosted by Fastly, including Fastly web sites themselves.

I can send the fully decoded network traffic, or make new tests.
Just tell me.

Thanks

0

Comments

4 comments

Sort by Date Votes
  • Justin

    The problem may to be related to my Technicolor TG788vn VDSL/ADSL modem router.

    It's very likely that is the root of the issue. We rely on certain parameters to be hashed on for TCP/IP flows to complete successfully, and we've seen certain routers that don't hash properly when using IPV6. If you have an alternative router try with that and it is likely to work.

    0
    Comment actions Permalink
  • Ludovic_Rousseau

    Thank you for your answer.

    It’s very likely that is the root of the issue. We rely on certain parameters to be hashed on for TCP/IP flows to complete successfully, and we’ve seen certain routers that don’t hash properly when using IPV6.

    Can you be more specific about which parameters are important for Fastly? I plan to report the problem upstream but need as much details as possible.

    If you have an alternative router try with that and it is likely to work.

    I have another ADSL modem but I don't think it has IPv6 support.

    0
    Comment actions Permalink
  • Justin

    Can you be more specific about which parameters are important for Fastly? I plan to report the problem upstream but need as much details as possible

    Sure. In order for the TCP flows to work correctly we need the source and destination IPs and ports as well as the protocol. If any of these are incorrect or inconsistent you're likely to see problems like the resets you've described. We've seen this happen with several models of that router brand on a few ISPs.

    0
    Comment actions Permalink
  • Leif Strickland

    Hey Justin. Technicolor modems are widely used by Spectrum (I used to have one in my home in Los Angeles), and according to their annual report, their home-connectivity division had €1 billion in sales last year, including an exclusive contract with Comcast. Are you working on a solution to support all modems? I am concerned if Fastly's position is that connections will intermittently fail for https/ipv6 for certain modems, especially ones that are widely used by U.S. ISPs. That is not a high-availability setup.

    I personally experienced these problems earlier this month during a two-week stay at an Airbnb in Lisbon. When trying to access fastly-hosted sites such as python.org, fastly.com, cnn, etc. in a browser, I would get a connection error for the first 10 or so loads. Then the page would finally load, and it would continue working for the duration of the session (but the errors would begin anew for later sessions). I experienced no similar errors for non-fastly sites during the duration of my use of that access point, despite very heavy browsing for work. I was not able to find out the brand of the modem.

    Recent testing with monitoring services makes me concerned that these https/ipv6 problems are even more widespread. I have been using several monitoring services (Site24x7, Uptrends, etc.) to test https/ipv6 for fastly-hosted websites (including my own), and am experiencing frequent TCP connection failures from various testing locations. However, I am seeing no such errors reported for my controls: fastly-hosted sites via https/ipv4, or Cloudflare-hosted sites accessed by https/ipv6.

    I am no networking expert, but is it not possible to recover from incorrect or inconsistent parameters from certain routers? If not, I feel like it's important for fastly to communicate to users that ipv6 should not be used if 99.999% reliability is desired.

    Again, in my limited testing, with all else being equal, it does not appear that other CDNs are experiencing these same errors. I really like Fastly and hope that these issues can be resolved.

    0
    Comment actions Permalink

Please sign in to leave a comment.

New post