
IPv6 access times out
~$ curl https://www.zhihu.com -v --ipv6
* Trying 240e:978:5404:0:35:::443...
* TCP_NODELAY set
* Connected to www.zhihu.com (240e:978:5404:0:35::) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
* CAfile: /etc/ssl/certs/ca-certificates.crt
  CApath: /etc/ssl/certs
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
(no response)
~$ curl https://www.zhihu.com -v --ipv6 --tls-max 1.2
* Trying 240e:978:5404:0:38:::443...
* TCP_NODELAY set
* Connected to www.zhihu.com (240e:978:5404:0:38::) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
* CAfile: /etc/ssl/certs/ca-certificates.crt
  CApath: /etc/ssl/certs
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
(no response)

IPv4 works fine
~$ curl https://www.zhihu.com -v --ipv4
* Trying 180.101.217.181:443...
* TCP_NODELAY set
* Connected to www.zhihu.com (180.101.217.181) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
* CAfile: /etc/ssl/certs/ca-certificates.crt
  CApath: /etc/ssl/certs
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / ECDHE-RSA-AES128-GCM-SHA256
* ALPN, server accepted to use h2
* Server certificate:
* subject: C=CN; ST=\U5317\U4EAC\U5E02; O=\U667A\U8005\U56DB\U6D77\UFF08\U5317\U4EAC\UFF09\U6280\U672F\U6709\U9650\U516C\U53F8; CN=*.zhihu.com
* start date: Nov 25 00:00:00 2020 GMT
* expire date: Dec 26 23:59:59 2021 GMT
* subjectAltName: host "www.zhihu.com" matched cert's "*.zhihu.com"
* issuer: C=US; O=DigiCert Inc; OU=www.digicert.com; CN=GeoTrust CN RSA CA G1
* SSL certificate verify ok.
* Using HTTP2, server supports multi-use
* Connection state changed (HTTP/2 confirmed)
* Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
* Using Stream ID: 1 (easy handle 0x56553628ae10)
> GET / HTTP/2
> Host: www.zhihu.com
> user-agent: curl/7.68.0
> accept: */*
>
* Connection state changed (MAX_CONCURRENT_STREAMS == 128)!
< HTTP/2 302
< server: CLOUD ELB 1.0.0
< date: Sun, 06 Jun 2021 14:51:06 GMT
< content-type: text/html; charset=
< set-cookie: _zap=<???>; path=/; expires=Tue, 06 Jun 2023 14:51:06 GMT; domain=.zhihu.com
< location: //www.zhihu.com/signin?next=%2F
< x-backend-response: 0.032
< pragma: no-cache
< vary: Accept-Encoding
< referrer-policy: no-referrer-when-downgrade
< x-secng-response: 0.03499<???>
< set-cookie: _xsrf=<???>; path=/; domain=zhihu.com; expires=Thu, 23-Nov-23 14:51:06 GMT
< x-lb-timing: 0.035
< x-idc-id: 2
< set-cookie: KLBRSID=<???>; Path=/
< cache-control: private, must-revalidate, no-cache, no-store, max-age=0
< content-length: 93
< x-nws-log-uuid: <???>
< x-cache-lookup: Cache Miss
< x-edge-timing: 0.064
< x-cdn-provider: tencent
<
* Connection #0 to host www.zhihu.com left intact
Redirecting to <a href="//www.zhihu.com/signin?next=%2F">//www.zhihu.com/signin?next=%2F</a>.

DNS query
~$ dig www.zhihu.com aaaa @240e:5a::6666
; <<>> DiG 9.16.1-Ubuntu <<>> www.zhihu.com aaaa @240e:5a::6666
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 57073
;; flags: qr rd ra; QUERY: 1, ANSWER: 11, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;www.zhihu.com. IN AAAA
;; ANSWER SECTION:
www.zhihu.com. 8 IN CNAME www.zhihu.com.ipv6.dsa.dnsv1.com.
www.zhihu.com.ipv6.dsa.dnsv1.com. 135 IN CNAME 1595096.sched.d0-dk.tdnsv5.com.
1595096.sched.d0-dk.tdnsv5.com. 8 IN AAAA 240e:978:5404:0:35::
1595096.sched.d0-dk.tdnsv5.com. 8 IN AAAA 240e:978:5404:0:33::
1595096.sched.d0-dk.tdnsv5.com. 8 IN AAAA 240e:978:5404:0:3b::
1595096.sched.d0-dk.tdnsv5.com. 8 IN AAAA 240e:978:30a:7:2d::
1595096.sched.d0-dk.tdnsv5.com. 8 IN AAAA 240e:978:5404:0:39::
1595096.sched.d0-dk.tdnsv5.com. 8 IN AAAA 240e:978:5404:0:38::
1595096.sched.d0-dk.tdnsv5.com. 8 IN AAAA 240e:978:a08:2:3b::
1595096.sched.d0-dk.tdnsv5.com. 8 IN AAAA 240e:978:a08:2:2a::
1595096.sched.d0-dk.tdnsv5.com. 8 IN AAAA 240e:978:5404:0:36::
;; Query time: 8 msec
;; SERVER: 240e:5a::6666#53(240e:5a::6666)
;; WHEN: Sun Jun 06 14:54:26 UTC 2021
;; MSG SIZE rcvd: 367

1 wdlth 2021-06-06 23:52:36 +08:00 You could check whether the router's MTU is 1280. Sometimes China Telecom broadband also can't reach some CDN servers over IPv6, and then static resources fail to load…… |
2 haoxingxing OP |
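3 yangyang 2021-06-07 08:37:05 +08:00 A while ago I found I couldn't access Zhihu, and turning IPv6 off fixed it; it was probably this same problem. I reported the bug to Zhihu and they ignored me, so I let it go |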
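4 xiaoyeziyuan 2021-06-07 11:43:29 +08:00 Folks, I talked with the dynamic/static acceleration cloud vendor and got a fix applied. Could you check whether the problem is still there? |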
5 tankren 2021-06-07 14:09:48 +08:00 Where is the MSS setting? |
6 tankren 2021-06-07 14:14:22 +08:00 The CDN on my side is 2408:873c:8010:3:3e:::443. Try changing your hosts file and see how it responds; it may be a problem with the node |
7 haoxingxing OP @xiaoyeziyuan The problem still exists, no change |
8 EGOISTK21 2021-06-27 17:59:05 +08:00 via iPhone |
9 EGOISTK21 2021-07-03 17:22:30 +08:00 via iPhone Hangzhou Telecom, it has recovered |
10 haoxingxing OP |
11 haoxingxing OP /ipv6 nd set mtu=1492 0 |
12 tingshow163 2023-03-10 23:54:33 +08:00 In a PPPoE environment (usually meaning home broadband), ROS needs the MSS changed to 1432 on the IPv6 firewall (this is usually the case; for details see https://lyincc.com/tech/access-to-ipv6/). The command is as follows (ROSv7):
/ipv6/firewall/mangle/add chain=forward action=change-mss new-mss=1432 passthrough=yes protocol=tcp tcp-flags=syn out-interface=pppoe-out1 log=no log-prefix=""
For out-interface, select the virtual interface used for PPPoE dial-up; by default it is pppoe-out1 |
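
The MTU and MSS figures in the replies above (1280, 1492, 1432) are related by fixed header sizes: MSS = MTU - 40 (IPv6 header) - 20 (TCP header). As an added example that is not part of the original thread, this script binary-searches the largest unfragmented ICMPv6 echo that gets a reply and derives the path MTU and the MSS to clamp to. The function names and the `PROBE` hook are hypothetical, and `ping -6 -M do` assumes Linux iputils.

```shell
#!/bin/sh
# Added example: measure the usable IPv6 path MTU and derive the TCP MSS.
# Function names and the PROBE variable are illustrative, not from the thread.

# PROBE names the command run as: PROBE SIZE HOST
# It must exit 0 when an echo with SIZE payload bytes is answered.
PROBE=${PROBE:-real_probe}

real_probe() {
    # -M do: never fragment locally; -c 1: one packet; -W 2: wait 2 s for the reply
    ping -6 -M do -c 1 -W 2 -s "$1" "$2" >/dev/null 2>&1
}

# find_max_payload HOST [LOW] [HIGH]: largest payload size that still gets a reply.
find_max_payload() {
    host=$1
    lo=${2:-1232}   # 1280 - 48: the IPv6 minimum MTU must always pass
    hi=${3:-1452}   # 1500 - 48: plain Ethernet, no tunnel overhead
    # If even the minimum fails, the host is unreachable or filters ICMPv6.
    "$PROBE" "$lo" "$host" || { echo 0; return 1; }
    while [ "$lo" -lt "$hi" ]; do
        mid=$(( (lo + hi + 1) / 2 ))
        if "$PROBE" "$mid" "$host"; then lo=$mid; else hi=$(( mid - 1 )); fi
    done
    echo "$lo"
}

payload_to_mtu() { echo $(( $1 + 40 + 8 )); }    # + IPv6 header + ICMPv6 header
mtu_to_mss()     { echo $(( $1 - 40 - 20 )); }   # - IPv6 header - TCP header

# Constructed stand-in for a PPPoE path (MTU 1492) so the search runs offline.
fake_pppoe_probe() { [ "$1" -le $(( 1492 - 48 )) ]; }

# Real use: sh pmtu.sh www.zhihu.com
if [ -n "${1:-}" ]; then
    p=$(find_max_payload "$1") || { echo "no reply even at MTU 1280" >&2; exit 1; }
    mtu=$(payload_to_mtu "$p")
    echo "path MTU $mtu, clamp TCP MSS to $(mtu_to_mss "$mtu")"
fi
```

A large echo that times out while small ones succeed is the same symptom as the stalled handshake in the original post: the small Client hello gets through, but full-size packets on the path are dropped silently.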