I have an IPv6 tunnel that refuses to work until traffic goes outbound. If I turn the device on and ping in, I get no response until the second I start to ping out. If I then walk away for a few hours and try to ping in again, I'll get no response.
I'm using Debian Lenny and Hurricane Electric for my tunnel. I'm not even sure where to begin debugging this behavior because it's so unusual. I've used both of the Debian configs from http://www.tunnelbroker.net/forums/index.php?topic=18.0 and the configs from http://wiki.debian.org/DebianIPv6 and a variety of tweaks in between, but I still cannot get the device to persistently accept inbound traffic. There's no ip6tables, but I do have a variety of iptables rules. Has anyone else experienced this kind of issue? What could I possibly do to debug or solve this?
Edit: there's no NAT involved and it's all IPv4 Cisco infrastructure. I don't think there's any IPv6 between me, the switches and the router.
Without knowing more about your network design, I'm assuming your tunnel endpoint is on a device on your LAN, behind your internet router. I'm also assuming that device gets access to the internet via NATting on the router.
The likely cause of your inbound problem is the NAT table on the router. The router doesn't know how to route inbound v6 (protocol 41) traffic to the tunnel endpoint device. As soon as you send v6 traffic outbound through the tunnel an entry in the NAT table is created. This entry allows the router to also send inbound traffic back to the tunnel endpoint.
After a while without traffic, the router expires the entry and flushes it from its NAT table, so no inbound traffic is able to reach your tunnel endpoint any more.
How you solve this depends on your router's abilities.
An example for solution 2: Put the following in your crontab
The real answer is given in the SixXS FAQ:
http://www.sixxs.net/faq/connectivity/?faq=conntracking
See that article for the full explanation.
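An added example, not part of the original thread: the connection-tracking explanation linked in the last answer also covers stateful iptables rules on the tunnel host itself, so this sketch classifies an `iptables-save` dump by whether inbound 6in4 (IP protocol 41) is accepted explicitly or only through an ESTABLISHED state match. The sample ruleset is constructed, and 192.0.2.1 is a placeholder for the tunnel server's IPv4 address.

```shell
#!/bin/sh
# Classify how an iptables-save ruleset (read on stdin) treats inbound
# 6in4 traffic (IP protocol 41, named "ipv6" in /etc/protocols).
# Usage: proto41_status <tunnel-server-ipv4> < ruleset
# Prints: explicit | stateful-only | blocked | unfiltered
proto41_status() {
    awk -v srv="$1" '
    /^:INPUT / { policy = $2 }                  # e.g. ":INPUT DROP [0:0]"
    /^-A INPUT / {
        is41   = ($0 ~ /-p (41|ipv6)( |$)/)
        accept = ($0 ~ /-j ACCEPT( |$)/)
        # Any source match must name the tunnel server (or be absent).
        src_ok = ($0 !~ / -s /) || index($0, " -s " srv "/32 ") || index($0, " -s " srv " ")
        if (is41 && accept && src_ok && !blocked) explicit = 1
        # Accept rule that only admits flows conntrack already knows about.
        if (accept && $0 ~ /(--state|--ctstate) [A-Z,]*ESTABLISHED/) stateful = 1
        # An unconditional DROP/REJECT hides every rule after it.
        if ($0 ~ /^-A INPUT -j (DROP|REJECT)/) blocked = 1
    }
    END {
        if (explicit) print "explicit"
        else if (policy == "DROP" || blocked) print (stateful ? "stateful-only" : "blocked")
        else print "unfiltered"
    }'
}

# Constructed sample ruleset; extra arguments are inserted as INPUT rules.
sample_rules() {
    printf '%s\n' '*filter' ':INPUT DROP [0:0]' ':OUTPUT ACCEPT [0:0]' \
        '-A INPUT -i lo -j ACCEPT' "$@" \
        '-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT' \
        '-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT' 'COMMIT'
}

TUNNEL_SERVER=192.0.2.1   # placeholder from the documentation range

# Inbound proto 41 passes only while a conntrack entry from outbound
# traffic exists, which matches the symptom in the question.
sample_rules | proto41_status "$TUNNEL_SERVER"

# With an explicit accept for the tunnel server, idle time no longer matters.
sample_rules "-A INPUT -s $TUNNEL_SERVER/32 -p ipv6 -j ACCEPT" |
    proto41_status "$TUNNEL_SERVER"
```

On a live host the input would be `iptables-save | proto41_status <server-ip>`; a result of `stateful-only` means inbound tunnel packets depend on a conntrack entry that expires when the tunnel is idle.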