EC2 IP6 all ports time out with no network connection


This is an example: ssh -i "mydomainkey.pem" -6 admin@IP6ADDRESS -vT debug1: Connecting to IP6ADDRESS [IP6ADDESS] port 22 The connection does not open. I tested all ports from using the IP6 address and they all time out. I configured a test instance with ability for both IP4 and IP6 and IP4 will connect ok and all ports connect in the dnschecker as well as ssh with ip4. I used an ip4 address to log into the instance, and set another root user so I could use the serial console, and then went back to using IP6. In the console while IP6 is running, (I also added the IP6 address to Route53 to test that as well), I tested various forum suggested routing and ip commands, and all output is correct. The ping6 and traceroute6 commands work fine from the serial console, but external requests freeze without any output. It is not an issue with my PC router, as IP6 is already configured on it, and external sites like dnschecker have the same port issues. I have followed AWS documentation to configure IP6 due to the costs that will be charged in 2024. I have around 10 website clients who will need migration to ip6 on LInux 2023. I have tested Linux 2023 and Debian 11. I have re-checked all VPC settings, and followed various articles and YouTube examples to make sure the settings are correctly in place. Those examples are straight forward and ports connect without any issue. I have searched for answers on the Internet forums but found no answers to this problem. I am using ap-southeast-2a. The VPC settings show various components are correctly attached to the instances I test, with igw gateway settings and security groups all fully open to IP6 ::0/ ports, and the instances show all the connections attached with an IP6 address, so I am finally at a loss of what to do. As this is testing, here are settings I have: Network ACL ID acl-0532e20a7920c5458 Associated with subnet-0a4c1675362622e48 / IP-4-6-Subnet1 vpc-0a62c362c11229f8a / IP-4-6 100 All traffic All All Allow 101 All traffic All All ::/0 Allow VPC: vpc-0a62c362c11229f8a State: available DHCP option set dopt-905d6df5 DNS hostnames disabled (i have tried various settings on such items) IPv6 pool Amazon: Associated Default VPC: no (i tried one with yes) Main network ACL: acl-0532e20a7920c5458 IPv6 CIDR (Network border group): 2406:da1c:712:4100::/56 (ap-southeast-2): Associated. Any instance I try has an assigned IP6 address to it. Resource Map shows vpc to subnet - I put on ap-southeast-2a (where I configure my instances) to IP4-6-Subnet1 to IP4-6-RouteTabe to IP4-6-Gateway configurations. CIDR: IPv6 2406:da1c:712:4100::/56 (I just used for IP4) Network Border Group: ap-southeast-2, Pool: Amazon, Associated. Subnet: subnet-0a4c1675362622e48 DICR range: 2406:da1c:712:4100::/64 VPC: vpc-0a62c362c11229f8a | IP-4-6 State: available, (ap-southeast-2a) Route Table: rtb-0a5a3ffdfa40442fa | IP-4-6-RouteTable, Network ACL: acl-0532e20a7920c5458. Resource-based name (RBN) settings shows IP Name checked but I've tried other settings. Route Tables shows the above items, with explicit subnet association (I tried without explicit). Edge Associations show the Internet Gateway is attached. The gateway is attached: igw-0dc0976bdc7a8baef Route Table routes: ::0/ igw-0dc0976bdc7a8baef, igw-0dc0976bdc7a8baef, local 2406:da1c:712:4100::/56, local sg-0a8d9893636de99e3 - default, I have tried all ports and icmp6 open on ::0/ as well as SSH, (but the problem is with all ports), e.g.: sgr-0a64d26a465192cd1 IPv6 SSH TCP 22 ::/0 Outbound: sgr-06c1ee454bc418d46 IPv6 All TCP TCP 0 - 65535 ::/0 (and a rule for ip4). I tried adding ICMP6 and all tcp to ::0/ just in case. It seems to me the VPC, network, subnet, getway, IP assignments, the EC2 instance assignments have all met the required configurations. I am certainly stuck in this :-) Any help would be great. I've gone through the AWS Posts related to my topic. Cheers, Laurence

asked 8 months ago510 views
3 Answers
Accepted Answer

Answer found: To connect from another instance to the newly created IP6 instance, I needed to add IP6 inbound/outbound rules to the old instance. Once configured, the existing instance could ping6, traceroute6 and SSH to the new instance from a terminal session in the old instance. Thank you for time to review my problem and the help provided. I now have to look at how to connect from my iMac PC so that I can do file transfers and ensure https:// is working fine. This has been some days of work for me, but is now answered. Cheers, Laurie

answered 8 months ago

What's your ListenAddress entry in the SSH config file grep ^ListenAddress /etc/ssh/sshd_config ?

ListenAddress will listen for connections on IPv4.

ListenAddress :: will listen for connections on IPv6.

To bind to both IPv4 and IPv6, use both.

profile picture
answered 8 months ago
  • Thanks. All ports are without connection, e.g. 443, 80 and so on. Happy to look at sshd_config, but will review a few other things first. I'd like to try a configuration in another AWS Region to see if the same issue.

  • No probs.

    Does netstat -tulpn show processes listening on IPv6 ?

  • I installed a new vpc+more, AWS doing all the configurations. From another instance terminal I typed ping6 to the new ip6 address and got "ping6: connect: Network is unreachable" I added an IP4 address to test, and can ping6 itself and out to externals. netstat -tulpn returns: Active Internet connections (only servers) Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
    tcp 0 0* LISTEN 1568/sshd: /usr/sbi tcp6 0 0 :::22 :::* LISTEN 1568/sshd: /usr/sbi udp 0 0* 1292/systemd-networ udp 0 0* 1294/chronyd
    udp6 0 0 ::1:323 :::* 1294/chronyd
    udp6 0 0 fe80::4c7:50ff:fe5a:546 :::* 1292/systemd-networ I must be doing something wrong. I did the same process in another region, same results.


can you share some more details like,

  1. are you able to access internet from ec2?
  2. have you checked the routing for your ec2?
  3. Check your security gp/ACL have the required connection open.

Also you can follow the below link to make sure you have right configuration is correct.

answered 8 months ago
  • From the serial console I could ping6 without issue. From what I've read the last few days, the egress routing is for private connections, so I do not use that particular config. The routing commands from the serial console return correct values. The gateway and security group have all ::0/ ports open. I'll work through the network ACL document as per your suggestion in point 3: Thanks.

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions