Hey, I spent more time than I would like to debugging various IPv6 issues, and the connection-timing-out pattern you have looks suspiciously similar to issues with MTU during SSL negotiation.
In the tcpdump you would see it as the TCP handshake making it through because the packets are small, but then the server sends a big packet with the SSL certificate, this packet goes zombie and the connection hangs. What's frustrating is that you as a client can't 100% confirm this (someone please prove me wrong!) because it's the server that first sends the big packet, so the ICMPv6 "packet too big" is sent back to the server (if at all, because some firewall somewhere may block it).
I never found an ultimate solution to this, but playing with MSS clamping on the client side was enough to prove MTU is an issue when that was the case.
Cheers, Mat
On 22/03/2026 14:13, Beni Keller via swinog wrote:
Hey all
This might not be 100% the correct place to ask this but since the SBB contact form didn't yield any results, I'll try here. Maybe someone from SBB who knows someone who can do something about this reads the list.
There are A and AAAA records for sbb.ch:
$ dig AAAA sbb.ch +short
2a00:4bc0:ffff:9::c296:f58e
$ dig A sbb.ch +short
194.150.245.142
However, on port 80 and 443 I only get a response on IPv4, a 301 to http(s)://www.sbb.ch. On IPv6 it just times out without any response:
$ curl -6 https://sbb.ch -v
* Host sbb.ch:443 was resolved.
* IPv6: 2a00:4bc0:ffff:9::c296:f58e
* IPv4: (none)
*   Trying [2a00:4bc0:ffff:9::c296:f58e]:443...
* connect to 2a00:4bc0:ffff:9::c296:f58e port 443 from 2001:8e0:1426:1:47d6:12fd:bc19:5704 port 55992 failed: Connection timed out
* Failed to connect to sbb.ch port 443 after 133922 ms: Could not connect to server
* closing connection #0
curl: (28) Failed to connect to sbb.ch port 443 after 133922 ms: Could not connect to server
tcpdump doesn't show any response packets at all.
This is mainly an issue on our IPv6-only clients where we use DNS64/NAT64. So the preferred solution would be for someone to fix IPv6. However, removing the AAAA DNS record would also solve the issue because then the resolver generates a DNS64 response and we connect to IPv4 over NAT64.
Hope someone can help. It's a bit of a shot in the dark. Let me know if this is completely inappropriate to be posted on this list.
Thanks and regards
Beni

_______________________________________________
swinog mailing list -- swinog@lists.swinog.ch
To unsubscribe send an email to swinog-leave@lists.swinog.ch
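The two failure signatures in this thread, Beni's silent IPv6 timeout and Mat's MTU-during-TLS hang, can be told apart from a packet capture. The script below is an added example, not code from Beni, Mat or SBB: it parses constructed tcpdump-style lines (documentation-prefix addresses, not sbb.ch's) and applies the heuristics the two messages describe, with an assumed 1220-byte payload threshold (IPv6 minimum MTU of 1280 less 40 bytes of IPv6 header and 20 bytes of TCP header). As Mat points out, a client-side capture can only flag a suspected path-MTU problem, so that verdict is named accordingly; a server-side capture additionally shows the large segment being retransmitted without ever being acknowledged.

```python
"""Triage an IPv6 TCP connection hang from tcpdump-style packet summaries.

Added example for the thread above, not code from either poster. Input lines
are constructed to look like `tcpdump -n` output for TCP over IPv6; addresses
are 2001:db8::/32 stand-ins and the size threshold is an assumption.
"""
import re
from dataclasses import dataclass
from typing import Optional

# Assumption: a TCP payload larger than the IPv6 minimum link MTU (1280,
# RFC 8200) minus a 40-byte IPv6 header and a 20-byte TCP header is the kind
# of segment that can vanish on a path whose MTU is smaller than the sender's.
IPV6_MIN_MTU = 1280
IPV6_SAFE_MSS = IPV6_MIN_MTU - 40 - 20  # 1220

LINE_RE = re.compile(
    r"^(?P<ts>\S+) IP6 (?P<src>\S+) > (?P<dst>\S+): Flags \[(?P<flags>[^\]]+)\]"
    r"(?:, seq (?P<seq>\d+)(?::\d+)?)?(?:, ack (?P<ack>\d+))?.*?, length (?P<len>\d+)$"
)


@dataclass(frozen=True)
class Pkt:
    src: str            # "addr.port" as tcpdump prints it
    dst: str
    flags: str          # tcpdump flag letters: "S", "S.", ".", "P.", "R."
    seq: Optional[int]  # start of the segment's sequence range, if printed
    ack: Optional[int]  # acknowledgement number, if printed
    length: int         # TCP payload bytes


def parse(text: str) -> list:
    """Turn tcpdump-style lines into Pkt records; blank lines are skipped."""
    pkts = []
    for line in text.splitlines():
        if not line.strip():
            continue
        m = LINE_RE.match(line.strip())
        if not m:
            raise ValueError(f"unrecognised line: {line!r}")
        pkts.append(Pkt(m["src"], m["dst"], m["flags"],
                        int(m["seq"]) if m["seq"] else None,
                        int(m["ack"]) if m["ack"] else None, int(m["len"])))
    return pkts


def triage(pkts: list) -> dict:
    """Classify the capture; the client is whoever sent the first SYN."""
    syns = [p for p in pkts if p.flags == "S"]
    if not syns:
        return {"verdict": "no-syn", "detail": "no client SYN in capture"}
    client, server = syns[0].src, syns[0].dst
    from_server = [p for p in pkts if p.src == server and p.dst == client]
    from_client = [p for p in pkts if p.src == client and p.dst == server]

    # Beni's case: SYNs leave, nothing at all comes back.
    if not from_server:
        return {"verdict": "no-response", "syn_retransmits": len(syns) - 1,
                "detail": "SYNs sent, no SYN-ACK or RST seen"}
    if not any(p.flags == "S." for p in from_server):
        return {"verdict": "refused" if any("R" in p.flags for p in from_server)
                else "no-synack"}

    server_data = [p for p in from_server if p.length > 0]
    client_data_acked = any(p.ack is not None and p.ack > 1 for p in from_server)

    # Mat's case from the client: our ClientHello was acknowledged, so the server
    # is alive, yet not one byte of its reply (the certificate first) reached us.
    if not server_data and client_data_acked:
        return {"verdict": "suspect-pmtu", "view": "client",
                "detail": "handshake and ClientHello ACKed, no server payload seen"}

    # Mat's case from the server: the large segment is sent again and again and
    # the client never acknowledges anything past its start.
    big = [p for p in server_data if p.length > IPV6_SAFE_MSS and p.seq is not None]
    if big:
        first = big[0]
        repeats = sum(1 for p in big if p.seq == first.seq and p.length == first.length)
        acked = any(p.ack is not None and p.ack > first.seq for p in from_client)
        if repeats >= 2 and not acked:
            return {"verdict": "suspect-pmtu", "view": "server",
                    "segment_bytes": first.length, "retransmits": repeats - 1,
                    "detail": f"{first.length}-byte segment never ACKed"}
    return {"verdict": "no-signature", "detail": "no blackhole pattern found"}


# Constructed captures, one per pattern (not real sbb.ch traffic).
CLIENT = "2001:db8:1::10.55992"
SERVER = "2001:db8:2::1.443"
CAPTURE_NO_RESPONSE = f"""
14:13:01.000001 IP6 {CLIENT} > {SERVER}: Flags [S], seq 1000, win 64800, length 0
14:13:02.010000 IP6 {CLIENT} > {SERVER}: Flags [S], seq 1000, win 64800, length 0
14:13:04.030000 IP6 {CLIENT} > {SERVER}: Flags [S], seq 1000, win 64800, length 0
"""
CAPTURE_CLIENT_HANG = f"""
14:13:01.000001 IP6 {CLIENT} > {SERVER}: Flags [S], seq 1000, win 64800, length 0
14:13:01.020000 IP6 {SERVER} > {CLIENT}: Flags [S.], seq 5000, ack 1, win 65535, length 0
14:13:01.020100 IP6 {CLIENT} > {SERVER}: Flags [.], ack 1, win 507, length 0
14:13:01.021000 IP6 {CLIENT} > {SERVER}: Flags [P.], seq 1:518, ack 1, win 507, length 517
14:13:01.041000 IP6 {SERVER} > {CLIENT}: Flags [.], ack 518, win 500, length 0
"""
CAPTURE_SERVER_VIEW = CAPTURE_CLIENT_HANG + f"""
14:13:01.042000 IP6 {SERVER} > {CLIENT}: Flags [.], seq 1:1441, ack 518, win 500, length 1440
14:13:01.250000 IP6 {SERVER} > {CLIENT}: Flags [.], seq 1:1441, ack 518, win 500, length 1440
14:13:01.660000 IP6 {SERVER} > {CLIENT}: Flags [.], seq 1:1441, ack 518, win 500, length 1440
"""

if __name__ == "__main__":
    for name, cap in [("no-response", CAPTURE_NO_RESPONSE),
                      ("client hang", CAPTURE_CLIENT_HANG),
                      ("server view", CAPTURE_SERVER_VIEW)]:
        print(name, "->", triage(parse(cap)))
```

Run it as-is to see the three verdicts. To apply Mat's check, lower the client's advertised MSS (on Linux, for example, the `advmss` option of `ip route`) and retry the connection; if it then completes, the path MTU is the culprit, and the client-side capture will switch from "suspect-pmtu" to "no-signature".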