Hey Jeroen
Thank you for your reply. I don't think you are correct that the connection did come up, though. Curl seems to report a timeout if no packets are received. We tried from a host which has a guaranteed MTU of 1500 and don't see any back traffic at all, not even a SYN ACK. That's the tcpdump while curl was trying to connect:
tcpdump -n host 2a00:4bc0:ffff:9::c296:f58e dropped privs to tcpdump tcpdump: verbose output suppressed, use -v or -vv for full protocol decode listening on ens2, link-type EN10MB (Ethernet), capture size 262144 bytes 10:07:57.491780 IP6 2a09:b240::16.55742 > 2a00:4bc0:ffff:9::c296:f58e.https: Flags [S], seq 1544255297, win 28800, options [mss 1440,sackOK,TS val 1557641517 ecr 0,nop,wscale 7], length 0 10:08:02.654381 IP6 2a09:b240::16.47342 > 2a00:4bc0:ffff:9::c296:f58e.https: Flags [S], seq 1266028447, win 28800, options [mss 1440,sackOK,TS val 1557646679 ecr 0,nop,wscale 7], length 0 10:08:03.699776 IP6 2a09:b240::16.47342 > 2a00:4bc0:ffff:9::c296:f58e.https: Flags [S], seq 1266028447, win 28800, options [mss 1440,sackOK,TS val 1557647725 ecr 0,nop,wscale 7], length 0 10:08:05.747755 IP6 2a09:b240::16.47342 > 2a00:4bc0:ffff:9::c296:f58e.https: Flags [S], seq 1266028447, win 28800, options [mss 1440,sackOK,TS val 1557649773 ecr 0,nop,wscale 7], length 0 10:08:09.779758 IP6 2a09:b240::16.47342 > 2a00:4bc0:ffff:9::c296:f58e.https: Flags [S], seq 1266028447, win 28800, options [mss 1440,sackOK,TS val 1557653805 ecr 0,nop,wscale 7], length 0 10:08:17.971759 IP6 2a09:b240::16.47342 > 2a00:4bc0:ffff:9::c296:f58e.https: Flags [S], seq 1266028447, win 28800, options [mss 1440,sackOK,TS val 1557661997 ecr 0,nop,wscale 7], length 0
As you suggested I also tried a normal browser and ran Wireshark. There it's excatly the same: All I see are are our outgoing SYNs. The MTU is unlikely to be the issue at this point of the connection. Tracerout suggests that we reach their end but not the target host itself:
traceroute 2a00:4bc0:ffff:9::c296:f58e traceroute to 2a00:4bc0:ffff:9::c296:f58e (2a00:4bc0:ffff:9::c296:f58e), 30 hops max, 80 byte packets 1 2a09:b240::2 (2a09:b240::2) 0.325 ms 0.309 ms 0.300 ms 2 2001:4b20:10:4100::1 (2001:4b20:10:4100::1) 6.382 ms 6.371 ms 6.340 ms 3 * * * 4 2001:4b27:ffff::4 (2001:4b27:ffff::4) 1.437 ms 1.413 ms 1.395 ms 5 2001:4b27:ffff::32 (2001:4b27:ffff::32) 1.241 ms 1.227 ms 1.210 ms 6 zch-b1-link.ip.twelve99.net (2001:2035:0:126a::1) 1.197 ms 1.614 ms 1.594 ms 7 ffm-bb2-v6.ip.twelve99.net (2001:2034:1:6c::1) 6.555 ms 6.643 ms 6.924 ms 8 ffm-b5-link.ip.twelve99.net (2001:2035:0:176::1) 7.448 ms 7.438 ms 7.584 ms 9 * colt-ic-355540.ip.twelve99-cust.net (2001:2035:0:176::2) 6.846 ms 6.992 ms 10 * * 2001:920:0:1::141 (2001:920:0:1::141) 8.985 ms 11 2001:920:0:1::141 (2001:920:0:1::141) 9.101 ms 2a00:4bc0:ffff:ff00::a (2a00:4bc0:ffff:ff00::a) 9.691 ms 2001:920:0:1::141 (2001:920:0:1::141) 9.216 ms 12 2a00:4bc0:ffff:ff00::a (2a00:4bc0:ffff:ff00::a) 9.651 ms 9.431 ms 10.476 ms 13 * 2a00:4bc0:ffff:ff00::1d (2a00:4bc0:ffff:ff00::1d) 10.428 ms * 14 * * * 15 * * * 16 * * * 17 * * * 18 * * *
However, Ping does not work, so this might not be relevant.
ping -6 sbb.ch PING sbb.ch(2a00:4bc0:ffff:9::c296:f58e (2a00:4bc0:ffff:9::c296:f58e)) 56 data bytes ^C --- sbb.ch ping statistics --- 9 packets transmitted, 0 received, 100% packet loss, time 8204ms
% wget https://www.sbb.ch/robots.txt --2026-03-23 09:08:10-- https://www.sbb.ch/robots.txt Resolving www.sbb.ch (www.sbb.ch)... 2600:9000:20a5:6600:2:5597:5ac0:93a1, 2600:9000:20a5:8800:2:5597:5ac0:93a1, 2600:9000:20a5:4800:2:5597:5ac0:93a1, ... Connecting to www.sbb.ch (www.sbb.ch)|2600:9000:20a5:6600:2:5597:5ac0:93a1|:443... connected. HTTP request sent, awaiting response... 403 Forbidden 2026-03-23 09:08:10 ERROR 403: Forbidden.
This wget is not relevant for our issue as it connects to www.sbb.ch, which works. It's only sbb.ch which does not work.
Regards
Beni