How Do I Detect IPv6 Misconfiguration?

IPv6 misconfiguration is one of the most insidious networking problems you can face. Unlike a complete lack of IPv6 connectivity, misconfigurations create partial, broken, or intermittent connectivity that causes timeouts, delays, and unpredictable behavior. This comprehensive guide teaches you how to systematically detect, diagnose, and identify IPv6 misconfigurations at every layer of your network stack.

Quick Diagnostic Reference

Before diving into layer-by-layer analysis, use this quick reference to identify common misconfiguration symptoms:

Run baseline connectivity test at test-ipv6.run
Check for "broken IPv6" status (configured but timing out)
Verify address types (global vs. link-local vs. ULA)
Test dual-stack behavior (both protocols working together)
Examine ICMPv6 traffic (ensure not blocked by firewall)
Validate DNS AAAA records (published records match actual services)
Check prefix delegation (proper distribution from router to clients)
Monitor for Router Advertisement conflicts (multiple conflicting RAs)

Understanding IPv6 Misconfiguration vs. Complete Failure

What Is Misconfiguration?

IPv6 misconfiguration occurs when IPv6 is partially configured, creating situations where:

IPv6 addresses are assigned but not routable
Services advertise IPv6 addresses they can't actually serve
Firewalls block essential ICMPv6 traffic
Router Advertisements contain incorrect parameters
DNS records point to unreachable IPv6 addresses
Prefix delegation distributes wrong network ranges

Key distinction: Complete failure means no IPv6 at all. Misconfiguration means IPv6 appears to work but actually creates problems.

Why Misconfiguration Is Worse Than No IPv6

Broken IPv6 creates a worse user experience than no IPv6:

Connection Timeout Delays: Browsers attempt IPv6 first, wait 3-10 seconds for timeout, then fall back to IPv4
Intermittent Failures: Some connections work while others fail unpredictably
Application Hangs: Applications without proper fallback logic may hang indefinitely
Degraded Performance: Path MTU discovery failures cause packet drops and retransmissions
Security Vulnerabilities: Misconfigured IPv6 can bypass IPv4-only security controls

According to research, over 97% of invalid IPv6 DNS records fall into ten main configuration mistakes, and most go unnoticed because systems automatically fall back to IPv4.

Step 1: Initial Connectivity Assessment

Start every diagnostic session here. Before making any system changes or running complex tests, establish a baseline understanding of your IPv6 connectivity status.

Use a Comprehensive Testing Tool

Visit test-ipv6.run to perform six parallel tests that reveal configuration issues:

IPv4-only test - Confirms basic IPv4 connectivity works
IPv6-only test - Tests if IPv6 addresses can be reached at all
Dual-stack test - MOST CRITICAL - Tests sites offering both A and AAAA records
IPv4 latency - Baseline performance measurement
IPv6 latency - Reveals if IPv6 is slower than IPv4 (misconfiguration indicator)
Protocol preference - Shows which protocol your browser/OS prefers

Interpreting Test Results

Score 0/10 (Red) - Broken IPv6:

IPv6 is configured but timing out
This is the primary misconfiguration indicator
Worse than having no IPv6 support

Score 7-10 (Green/Blue) - Healthy Dual-Stack:

Both protocols working correctly
Configuration appears correct

Score 9 (Blue) - Partial Dual-Stack:

Both protocols work independently
Dual-stack test fails - indicates preference or routing misconfiguration

Critical Warning Signs:

"Broken IPv6" status message
Timeouts (t) instead of success (o) or fast failure (b)
Slow (s) status on basic connectivity tests
IPv6 latency significantly higher than IPv4 (>50ms difference)

Step 2: Layer 2 - Link Layer Configuration

IPv6 misconfiguration often begins at the link layer with Neighbor Discovery Protocol (NDP) issues.

Check Neighbor Discovery Functionality

NDP is IPv6's replacement for ARP and is critical for basic communication.

Linux/macOS:

# View IPv6 neighbor cache (equivalent to ARP table)
ip -6 neigh show
ndp -an

# Monitor neighbor solicitation/advertisement messages
tcpdump -i eth0 'icmp6 && (ip6[40] == 135 || ip6[40] == 136)'

Windows:

# View neighbor cache
netsh interface ipv6 show neighbors

# Clear cache to test discovery
netsh interface ipv6 delete neighbors

Signs of Misconfiguration:

Empty neighbor cache despite active communication attempts
Neighbor entries stuck in "INCOMPLETE" state
Frequent cache invalidation and renewal
No response to neighbor solicitations

Verify Router Advertisement (RA) Configuration

Router Advertisements are how IPv6 routers announce themselves and distribute configuration. Misconfigured RAs are a leading cause of broken IPv6.

Capture and Analyze RAs:

# Linux/macOS - capture Router Advertisements
rdisc6 eth0

# Alternative using tcpdump
tcpdump -i eth0 -v 'icmp6 && ip6[40] == 134'

# Send Router Solicitation to trigger RA
rdisc6 -1 eth0

Common RA Misconfigurations:

Conflicting Router Advertisements: Multiple routers sending different prefixes or configuration flags
Wrong Prefix Flags:
- Autonomous Address-Configuration (A) flag on when it should be off
- Managed (M) and Other (O) flags incorrectly set
Invalid Prefix Lengths: Advertising non-/64 prefixes for SLAAC
Incorrect Lifetime Values: Too short (frequent renumbering) or too long (stale information)
Missing Default Route Advertisement: No default route flag or zero router lifetime

What to Look For in RA:

Prefix                 : 2001:db8:1234:5678::/64
  Valid Lifetime       : 86400 seconds (should be reasonable, not 0)
  Preferred Lifetime   : 14400 seconds (should be <= valid lifetime)
  On-link Flag         : Yes
  Autonomous Flag      : Yes (for SLAAC, No for DHCPv6-only)
Managed Flag (M)       : No (Yes if using stateful DHCPv6)
Other Config Flag (O)  : No (Yes if using DHCPv6 for DNS/NTP)
Router Lifetime        : 1800 seconds (non-zero to be default router)

Test for Rogue Router Advertisements

Misconfigured or malicious devices can send conflicting RAs.

# Monitor for multiple sources of RAs
tcpdump -i eth0 -n 'icmp6 && ip6[40] == 134' | grep 'IP6'

# Check for suspicious patterns
# - RAs from multiple link-local addresses
# - RAs with unusual prefixes (not matching your network)
# - RAs advertising deprecated prefixes

Indicators of RA Problems:

Devices switching between different default routers
Addresses being assigned from multiple prefixes
Intermittent loss of default gateway
Random connectivity failures

Step 3: Layer 3 - Network Layer Configuration

Network layer misconfigurations involve addressing, routing, and prefix management.

Validate IPv6 Address Assignment

Check what type of IPv6 addresses your device has and whether they're appropriate.

View Address Configuration:

# Linux
ip -6 addr show

# macOS
ifconfig en0 inet6

# Windows
ipconfig /all

Address Types and Misconfiguration Indicators:

Link-Local (fe80::/10):

Normal: Every interface has one
Misconfiguration: ONLY link-local addresses present (no global address)
Implication: Local network only, no Internet connectivity

Global Unicast (2000::/3):

Normal: Publicly routable addresses (typically 2xxx:xxxx or 3xxx:xxxx)
Misconfiguration:
- Multiple global addresses with different prefixes (conflicting RAs)
- Global address but no default route
- Duplicate address detection (DAD) failures
Implication: Should enable Internet access if routing is correct

Unique Local Addresses (ULA):

Normal: Private addressing (fc00:: or fd00::) for internal use
Misconfiguration: ULA as ONLY address type with expectation of Internet access
Implication: Not routable on public Internet (similar to RFC 1918 in IPv4)

Temporary/Privacy Addresses:

Normal: Multiple addresses per interface for privacy
Misconfiguration:
- Privacy addresses generated from wrong prefix
- Excessive address generation rate
- Addresses with invalid lifetimes
Implication: Can cause connection tracking or firewall issues

Check for Address Configuration Conflicts

Duplicate Address Detection (DAD) Failures:

# Linux - check kernel logs for DAD failures
dmesg | grep -i "duplicate"
journalctl -k | grep -i dad

# Windows - check event log
Get-EventLog -LogName System -Source Tcpip6 -Newest 50

Signs of Misconfiguration:

"Duplicate address detected" errors
Tentative addresses that never become valid
Frequent address changes
Multiple devices claiming same address

Verify Routing Configuration

Even with valid addresses, routing misconfigurations prevent communication.

Check IPv6 Routing Table:

# Linux
ip -6 route show
netstat -rn -f inet6

# Windows
netsh interface ipv6 show route
route print -6

# macOS
netstat -rn -f inet6

What to Look For:

Default Route Present:

default via fe80::1 dev eth0 proto ra metric 100

Misconfiguration: No default route despite having global address
Implication: Can't reach Internet destinations

Specific Network Routes:

2001:db8:1234:5678::/64 dev eth0 proto kernel metric 256

Misconfiguration: Missing on-link route for local prefix
Implication: Can't communicate with local IPv6 neighbors

Multiple Default Routes:

Misconfiguration: Several default routes with different metrics/gateways
Implication: Unpredictable routing behavior, possible black holes

Blackhole/Unreachable Routes:

unreachable 2001:db8::/32 dev lo metric 1024

Misconfiguration: Explicit unreachable routes for prefixes that should be routable
Implication: Artificial blocking of legitimate destinations

Test Reachability of Default Gateway

# Ping your default router (use link-local address from routing table)
ping6 fe80::1%eth0

# Trace route to external destination
traceroute6 test-ipv6.run

# Check hop-by-hop progression
mtr -6 google.com

Misconfiguration Indicators:

Default gateway unreachable
First hop shows high latency (>5ms on local network)
No response from first hop but later hops respond (broken routing)
Asymmetric routing (different path for forward/return traffic)

Step 4: Prefix Delegation Validation

Prefix delegation misconfigurations are common in residential and small business networks.

Understanding Prefix Delegation

In typical home networks:

ISP delegates prefix (usually /56 or /60) to home router via DHCPv6-PD
Router subdivides into /64 subnets for each LAN segment
Router advertises these /64 prefixes via Router Advertisements
Clients use SLAAC or DHCPv6 to obtain addresses from advertised prefixes

Check Router's Delegated Prefix

On Router (if accessible):

# Check WAN interface for delegated prefix
ip -6 addr show dev ppp0
ip -6 route | grep -v fe80

# View DHCPv6 client status (varies by router firmware)
cat /var/lib/dhcpv6/dhcp6c.conf

Common Prefix Delegation Misconfigurations:

No Prefix Delegation Configured: Router in wrong IPv6 mode (SLAAC when should be DHCPv6-PD)
Wrong Prefix Size Request: Requesting /64 when ISP only delegates /56 or /60
Prefix Not Subdivided: Using entire delegated prefix on single interface
Static Prefix When Dynamic Required: Manual configuration instead of requesting delegation
Expired Prefix Not Renewed: Old prefix still advertised after ISP changed delegation

Verify Prefix Consistency

Check that advertised prefix matches delegated prefix:

# On router, compare WAN prefix to LAN advertisements
# WAN should have delegate prefix, LAN should have subnet of that prefix

# Example:
# WAN: 2001:db8:1234::/48 (delegated by ISP)
# LAN1: 2001:db8:1234:0::/64 (RA advertises this)
# LAN2: 2001:db8:1234:1::/64 (RA advertises this)

Misconfiguration: LAN advertising prefix that's not within delegated range.

Implication: Clients get addresses that ISP won't route.

Test Client Address Sources

Verify clients are getting addresses from correct prefix:

# On client, check address prefix matches router's RA
ip -6 addr show | grep "scope global"

# Should match prefix from router's RA capture

SLAAC vs DHCPv6 Conflict Misconfiguration:

Router RA has Autonomous flag ON but also Managed flag ON
Clients receive both SLAAC address and DHCPv6 address
Two IPv6 addresses from different prefix ranges
Creates ambiguous source address selection

Step 5: DNS and AAAA Record Validation

DNS misconfiguration is responsible for over 97% of reachability issues in studies.

Test AAAA Record Resolution

# Query AAAA records for a known dual-stack site
dig AAAA test-ipv6.run
nslookup -type=AAAA google.com

# Check that your DNS server itself is reachable via IPv6
dig @2001:4860:4860::8888 AAAA test-ipv6.run

Signs of DNS Misconfiguration:

AAAA queries timing out (DNS server doesn't support IPv6)
AAAA records returned but addresses unreachable
Different results from different DNS servers
Stale AAAA records pointing to decommissioned addresses

Common DNS Misconfiguration Patterns

Research has identified these prevalent errors:

Publishing AAAA Before Service Ready
- DNS record added before web server configured for IPv6
- DNS resolves correctly but TCP connection fails
- Test: curl -6 https://yourdomain.com (should not timeout)
Wrong Address Type in AAAA Record
- Link-local (fe80::) in AAAA record (not globally routable)
- ULA (fc00::/7) in public DNS
- Test: Verify addresses in AAAA records are in 2000::/3 range
Firewall Not Updated for IPv6
- AAAA record published
- IPv6 address assigned to server
- Firewall blocks incoming IPv6 on port 80/443
- Test: telnet -6 yourdomain.com 80
Misaligned Routing
- Server has public IPv6 address
- AAAA record published
- Intermediate routers don't have return path
- Test: traceroute6 yourdomain.com (look for routing loops or black holes)
IPv6 DNS Server Without IPv6 Connectivity
- DNS server has AAAA record
- DNS server can't actually be reached via IPv6
- Test: dig @[IPv6-of-DNS-server] test-ipv6.run

Validate Forward and Reverse DNS

# Forward lookup
dig AAAA yourdomain.com +short

# Reverse lookup using result
dig -x 2001:db8::1 +short

# Should return the original hostname

Misconfiguration: Forward resolves but reverse doesn't (or points to wrong name).

Implication: Email, SSH, and many services perform reverse DNS validation.

Check DNS Server IPv6 Reachability

# Test if your configured DNS servers are reachable via IPv6
# Get DNS server addresses
cat /etc/resolv.conf | grep nameserver

# Ping each IPv6 DNS server
ping6 2001:4860:4860::8888

# Test actual query over IPv6
dig @2001:4860:4860::8888 test-ipv6.run AAAA

Misconfiguration Indicators:

IPv6 DNS servers configured but unreachable
DNS queries work over IPv4 but fail over IPv6
Delayed DNS responses (fallback to IPv4 DNS after IPv6 timeout)

Step 6: Firewall and ICMPv6 Verification

Firewall misconfigurations are a leading cause of broken IPv6.

Understand Critical ICMPv6 Types

Unlike IPv4 where blocking ICMP is sometimes acceptable, blocking ICMPv6 breaks IPv6 entirely.

Essential ICMPv6 types that MUST NOT be blocked:

Type	Name	Purpose	If Blocked
1	Destination Unreachable	Error reporting	Silent failures
2	Packet Too Big	PMTU Discovery	Large packets dropped
3	Time Exceeded	Loop detection	No traceroute, hidden loops
4	Parameter Problem	Header errors	Protocol errors ignored
128	Echo Request	Ping	Can't test connectivity
129	Echo Reply	Ping response	Can't test connectivity
133	Router Solicitation	Router discovery	Can't find gateway
134	Router Advertisement	Router announcements	No autoconfiguration
135	Neighbor Solicitation	Address resolution	Can't communicate locally
136	Neighbor Advertisement	Address resolution reply	Can't communicate locally

Test ICMPv6 Connectivity

# Test basic ping (ICMP type 128/129)
ping6 test-ipv6.run

# Test if router advertisements are being received
rdisc6 eth0

# Test neighbor discovery
ip -6 neigh show

# Send targeted neighbor solicitation
ndisc6 2001:db8::1 eth0

Signs of Firewall Misconfiguration:

Ping works but TCP connections fail
Local link-local communication fails (NDP blocked)
Can't obtain SLAAC address (RA blocked)
MTU discovery failures (ICMPv6 type 2 blocked)

Check Firewall Rules

Linux (ip6tables):

# View current IPv6 firewall rules
sudo ip6tables -L -v -n

# Check for overly restrictive DROP policies
sudo ip6tables -L INPUT -v -n
sudo ip6tables -L FORWARD -v -n

# Look for rules blocking ICMPv6
sudo ip6tables -L | grep -i icmpv6

Windows:

# View IPv6 firewall rules
netsh advfirewall firewall show rule name=all | findstr IPv6

# Check ICMPv6 rules specifically
Get-NetFirewallRule -DisplayName "*ICMPv6*"

# View which ICMP types are allowed
netsh advfirewall firewall show rule name="Core Networking - Neighbor Discovery"

Common Firewall Misconfigurations:

Blanket ICMPv6 Block: All ICMPv6 blocked for "security"
Copied IPv4 Rules: IPv4 ruleset applied to IPv6 without adaptation
Stateful Firewall Issues: Connection tracking not handling IPv6 properly
Host-Based Firewall Too Restrictive: Local security software blocking essential traffic
No Exception for Link-Local: Blocking fe80::/10 traffic that's required for NDP

Test Path MTU Discovery

PMTU discovery requires ICMPv6 type 2 (Packet Too Big) messages.

# Test with different packet sizes
ping6 -s 1452 test-ipv6.run  # Should work (below typical MTU)
ping6 -s 1500 test-ipv6.run  # May fail if PMTU discovery broken

# Monitor for PMTU-related ICMPv6
tcpdump -i eth0 'icmp6 && ip6[40] == 2'

# Check current PMTU to destination
ip route get 2001:db8::1

Misconfiguration Indicator: Small packets work but large packets (web pages, file transfers) fail silently.

Solution: Ensure ICMPv6 type 2 allowed through all firewalls in path.

Step 7: Transport Layer Diagnostics

Test actual application connectivity to identify misconfigurations that don't show up in network-layer tests.

Test TCP Connectivity

# Test TCP connection to IPv6-enabled web server
curl -6 -v https://test-ipv6.run

# Test specific port
nc -6 test-ipv6.run 443

# Time the connection establishment
time curl -6 https://test-ipv6.run > /dev/null

Signs of Misconfiguration:

Connection refused (service not listening on IPv6)
Connection timeout (firewall or routing issue)
Extremely slow connection setup (routing inefficiency)
TLS handshake failures (certificate issues with IPv6)

Compare IPv4 vs IPv6 Performance

# IPv4 test
time curl -4 https://test-ipv6.run > /dev/null

# IPv6 test
time curl -6 https://test-ipv6.run > /dev/null

# Compare latency
ping -4 -c 10 test-ipv6.run
ping6 -c 10 test-ipv6.run

Misconfiguration Indicators:

IPv6 significantly slower (>50ms difference)
IPv6 packet loss while IPv4 clean
IPv6 high jitter (inconsistent latency)

Test Dual-Stack Behavior

Use Happy Eyeballs test:

# Let OS/application choose protocol
curl -v https://test-ipv6.run

# Monitor which protocol was selected
tcpdump -i any 'host test-ipv6.run'

Misconfiguration: Always falls back to IPv4 even though IPv6 is available (indicates IPv6 timeouts).

Systematic Diagnostic Methodology

Use this structured approach for comprehensive misconfiguration detection.

Phase 1: External Validation

Run test at test-ipv6.run
Document score and specific failures
Note any "broken IPv6" or timeout warnings
Compare IPv4 vs IPv6 latency

Phase 2: Layer 2 Verification

Check Neighbor Discovery Protocol operation
Capture and analyze Router Advertisements
Verify no conflicting RAs from multiple sources
Confirm RA parameters match expected configuration

Phase 3: Layer 3 Validation

Verify correct IPv6 address types assigned
Check routing table for proper default route
Test gateway reachability
Validate prefix delegation chain (ISP → router → clients)
Ensure address prefixes are globally routable

Phase 4: DNS Verification

Test AAAA record resolution
Verify DNS servers reachable via IPv6
Check published AAAA records point to functional services
Validate forward and reverse DNS consistency

Phase 5: Firewall Analysis

Verify essential ICMPv6 types allowed
Test Path MTU Discovery functionality
Check for protocol-specific firewall rules
Ensure stateful firewall handles IPv6 properly

Phase 6: Transport Testing

Test TCP connection establishment
Compare IPv4 vs IPv6 performance
Verify dual-stack application behavior
Check for transport-layer timeouts

Phase 7: End-to-End Application Validation

Test real-world applications (web browsers, SSH, etc.)
Monitor for fallback to IPv4 behavior
Verify no user-visible delays or failures
Confirm consistent connectivity over time

Comprehensive Misconfiguration Checklist

Use this checklist to systematically identify misconfigurations:

Router/Gateway Level

Router has valid global IPv6 address on WAN
Correct IPv6 connection type configured (DHCPv6-PD, SLAAC, etc.)
Prefix delegation requesting appropriate size
Delegated prefix being subdivided correctly for LANs
Router Advertisements enabled on LAN interfaces
RA parameters correct (flags, lifetimes, MTU)
No conflicting RAs from multiple devices
Router firmware up to date with IPv6 fixes
IPv6 firewall rules allow essential ICMPv6
IPv6 forwarding enabled between WAN and LAN

Client Device Level

IPv6 enabled on network interface
Global IPv6 address assigned (not just link-local)
Address from correct prefix (matches router RA)
Default route pointing to correct gateway
No duplicate address detection errors
DNS servers reachable via IPv6
Can ping default gateway (fe80:: address)
Can ping external IPv6 hosts
Privacy extensions working if desired
Network drivers up to date

DNS Configuration

AAAA records exist for services offering IPv6
AAAA records point to correct IPv6 addresses
Addresses in AAAA records are globally routable (2000::/3)
Services are actually listening on advertised IPv6 addresses
Firewalls allow traffic to advertised IPv6 addresses/ports
Reverse DNS configured correctly
DNS servers themselves are IPv6-reachable
No stale AAAA records for decommissioned services

Firewall Configuration

ICMPv6 types 1, 2, 3, 4 allowed (error messages)
ICMPv6 types 128, 129 allowed (ping)
ICMPv6 types 133, 134 allowed (router discovery)
ICMPv6 types 135, 136 allowed (neighbor discovery)
Link-local (fe80::/10) traffic not blocked
Stateful firewall handles IPv6 connection tracking
Application ports open for IPv6 (80, 443, 22, etc.)
No blanket "deny IPv6" rules

ISP/Upstream

ISP actually provides IPv6 connectivity
ISP's IPv6 routing functioning properly
No upstream firewall blocking essential ICMPv6
Prefix delegation from ISP working
ISP's announced prefix is stable (not changing frequently)

Tools for Misconfiguration Detection

Command-Line Tools

Linux:

ip -6 addr show - View IPv6 addresses
ip -6 route - View routing table
ip -6 neigh - View neighbor cache (NDP)
rdisc6 - Capture Router Advertisements
ndisc6 - Test neighbor discovery
tcpdump -i eth0 ip6 - Capture IPv6 traffic
mtr -6 - IPv6 traceroute with statistics

Windows:

ipconfig /all - View IPv6 configuration
netsh interface ipv6 show address - Detailed address info
netsh interface ipv6 show route - Routing table
netsh interface ipv6 show neighbors - Neighbor cache
Test-NetConnection -ComputerName test-ipv6.run - PowerShell connectivity test

macOS:

ifconfig en0 | grep inet6 - View IPv6 addresses
ndp -an - View neighbor cache
netstat -rn -f inet6 - Routing table
network-info - Comprehensive network status

Online Testing Tools

test-ipv6.run - Comprehensive connectivity testing with dual-stack validation
ipv6-test.com - Alternative testing platform
test-ipv6.com - Jason Fesler's original test suite
ip6.nl - European IPv6 testing service

Packet Capture and Analysis

# Capture all IPv6 traffic for analysis
tcpdump -i eth0 -w ipv6-capture.pcap ip6

# Analyze with Wireshark filters:
# - ipv6.addr == 2001:db8::1 (specific address)
# - icmpv6.type == 134 (Router Advertisements)
# - ipv6.nxt == 58 (all ICMPv6)

Real-World Misconfiguration Scenarios

Scenario 1: Broken IPv6 Due to RA Conflict

Symptoms:

Intermittent connectivity
Devices switch between working and not working
Multiple global addresses assigned

Diagnosis:

# Capture RAs for 60 seconds
timeout 60 tcpdump -i eth0 'icmp6 && ip6[40] == 134' -v

Findings:

Two different routers sending RAs
Different prefixes advertised
Conflicting managed/autonomous flags

Solution:

Disable IPv6 on one router or configure DHCPv6 relay
Implement RA Guard on switches
Configure consistent RA parameters across routers

Scenario 2: AAAA Record Published Before Service Ready

Symptoms:

Website loads slowly (3-10 second delay)
Some users report site down while others fine
IPv4-only users unaffected

Diagnosis:

# Check if AAAA record exists
dig AAAA yourdomain.com

# Test IPv6 connectivity to address
curl -6 -v --max-time 5 https://yourdomain.com

Findings:

AAAA record returns valid address
Connection to IPv6 address times out
Web server not listening on IPv6 socket

Solution:

Configure web server to listen on IPv6 (:: or specific address)
Update firewall to allow IPv6 traffic on port 80/443
Test before publishing AAAA record

Scenario 3: Firewall Blocking Essential ICMPv6

Symptoms:

Can't obtain IPv6 address via SLAAC
Have IPv6 address but can't communicate
Ping works but nothing else does

Diagnosis:

# Check if RAs are being received
rdisc6 eth0
# Times out - RAs blocked

# Check neighbor discovery
ip -6 neigh show
# Empty or all FAILED entries

# Check firewall rules
sudo ip6tables -L -v -n
# Shows DROP rule for icmpv6-type router-advertisement

Solution:

Allow ICMPv6 types 133, 134, 135, 136 at minimum
Allow all ICMPv6 with rate limiting instead of blanket block
Update firewall documentation to highlight IPv6 requirements

Scenario 4: Wrong Prefix Delegation Size

Symptoms:

Router shows IPv6 address on WAN
No addresses distributed to LAN clients
Router logs show DHCPv6-PD failures

Diagnosis:

# On router, check DHCPv6 client log
cat /var/log/dhcp6c.log
# Shows "no valid prefix delegation received"

# ISP delegates /60, router requesting /64

Solution:

Configure router to request /60 or /56 prefix
Enable prefix size auto-detection if available
Contact ISP to confirm delegation size

Conclusion

Detecting IPv6 misconfiguration requires systematic layer-by-layer validation starting with comprehensive testing at test-ipv6.run. The most common misconfigurations occur at the routing layer (wrong RA parameters, prefix delegation issues) and firewall layer (blocked ICMPv6), with DNS misconfigurations being the most prevalent cause of user-facing failures.

Unlike complete IPv6 failures that are obvious, misconfigurations create subtle, intermittent issues that degrade user experience through timeouts and delays. The key to successful detection is understanding that IPv6 is not just IPv4 with longer addresses - it has fundamentally different requirements for protocol functionality, especially regarding ICMPv6.

Always start your diagnostic process with external validation using test-ipv6.run to establish baseline connectivity status, then work systematically through each network layer, using the comprehensive checklist to ensure no misconfiguration is overlooked. Remember that broken IPv6 (configured but timing out) scores 0/10 because it actively harms the user experience - making it critical to either fix the misconfiguration or disable IPv6 entirely until it can be properly configured.

Test your IPv6 configuration at test-ipv6.run - Comprehensive connectivity testing that identifies misconfigurations