Connection Problems with Agent on IPv6

deekerman commented

2026-02-20 09:27:28 -05:00

Owner

Originally created by @MiRei777 on GitHub (Jan 5, 2024).

First of all, I would like to thank you for the great Meshcentral!

I have made the following observation with the client login:
On some machines (Windows 64) the agent (background and interactive) cannot connect to the server via wss//.. .
The login portal via https://... is always immediately accessible.

The problem does not exist with the Meshcentral Assistant.
However, the assistant is problematic for many applications due to UAC issues.

After I deactivated IPV6 on the clients, the agent also works perfectly.

Does anyone have any ideas?

Thank you very much.

Originally created by @MiRei777 on GitHub (Jan 5, 2024). First of all, I would like to thank you for the great Meshcentral! I have made the following observation with the client login: On some machines (Windows 64) the agent (background and interactive) cannot connect to the server via wss//.. . The login portal via https://... is always immediately accessible. The problem does not exist with the Meshcentral Assistant. However, the assistant is problematic for many applications due to UAC issues. After I deactivated IPV6 on the clients, the agent also works perfectly. Does anyone have any ideas? Thank you very much.

deekerman

2026-02-20 09:27:28 -05:00

closed this issue
added the
bug

Stale

Closed
labels

deekerman commented

2026-02-20 09:27:30 -05:00

Author

Owner

@si458 commented on GitHub (Jan 5, 2024):

similar maybe? #5214 #1770

@si458 commented on GitHub (Jan 5, 2024): similar maybe? #5214 #1770

deekerman commented

2026-02-20 09:27:30 -05:00

Author

Owner

@MiRei777 commented on GitHub (Jan 5, 2024):

Many thanks for the tips.
Meshcentral is behind an HAproxy for me.
I don't understand why the Assistant can connect to these computers without any problems.

@MiRei777 commented on GitHub (Jan 5, 2024): Many thanks for the tips. Meshcentral is behind an HAproxy for me. I don't understand why the Assistant can connect to these computers without any problems.

deekerman commented

2026-02-20 09:27:30 -05:00

Author

Owner

@si458 commented on GitHub (Jan 5, 2024):

can you share your config.json (hide sensitive stuff)?
do the remote devices running the agent have only ipv6, mix of 4+6?
is the dns name have an A and AAAA record?

im just waiting on my isp to give me IPv6 in our rack, then i can test 👍

@si458 commented on GitHub (Jan 5, 2024): can you share your config.json (hide sensitive stuff)? do the remote devices running the agent have only ipv6, mix of 4+6? is the dns name have an A and AAAA record? im just waiting on my isp to give me IPv6 in our rack, then i can test 👍

deekerman commented

2026-02-20 09:27:30 -05:00

Author

Owner

@MiRei777 commented on GitHub (Jan 5, 2024):

This is my config.json:

{
  "$schema": "https://raw.githubusercontent.com/Ylianst/MeshCentral/master/meshcentral-config-schema.json",
  "__comment1__": "This is a simple configuration file, all values and sections that start with underscore (_) are ignored. Edit a section and remove the _ in front of the name. Refer to the user's guide for details.",
  "__comment2__": "See node_modules/meshcentral/sample-config-advanced.json for a more advanced example.",
  "settings": {
    "cert": "[MyDnsName for the Meshserver]",
    "MongoDb": "mongodb://127.0.0.1:27017/meshcentral",
    "MongoDbBulkOperations": true,
    "TrustedProxy": "127.0.0.1,::1",
    "TlsOffload": "127.0.0.1,[MyHAProxy-IP],::1",
    "WANonly": true,
    "_LANonly": true,
    "_sessionKey": "MyReallySecretPassword1",
    "port": 4430,
    "aliasPort": 443,
    "redirPort": 800,
    "redirAliasPort": 80,
    "desktopMultiplex": true,
    "Compression": true,
    "WsCompression": true,
    "AgentWsCompression": true,
    "maxInvalidLogin": {
      "time": 10,
      "count": 5,
      "coolofftime": 3
     },
    "maxInvalid2fa": {
      "time": 10,
      "count": 3,
      "coolofftime": 3
    },
    "autoBackup": {
      "_mongoDumpPath": "/usr/bin/mongodump",
      "backupIntervalHours": 24,
      "keepLastDaysBackup": 10,
      "zipPassword": "[A Pswword for the zip-file]",
      "backupPath": "/install",
      "_webdav": {
        "url": "https://server/remote.php/dav/files/xxxxx@server.com/",
        "username": "user",
        "password": "pass",
        "folderName": "MeshCentral-Backups",
        "maxFiles": 10
      }
    }
  },
  "domains": {
    "": {
      "assitentCustomization":{
        "title": "[My Ttile]",
        "_image": "",
        "_filename": ""
      },
      "title": "[My Title]",
      "title2": "[My Title2]",
      "_minify": true,
      "_newAccounts": true,
      "_userNameIsEmail": true,
      "certUrl": "https://[MyDnsName for the Meshserver]:443"
    }
  },
  "smtp": {
     "host": "[My SMTP-Provider]",
     "port": 465,
     "from": "[MySenderAdress]",
     "user": "[MySenderAdress]",
     "pass": "[MyPassword]",
     "tls": true
   }
}

@MiRei777 commented on GitHub (Jan 5, 2024): This is my config.json: ``` { "$schema": "https://raw.githubusercontent.com/Ylianst/MeshCentral/master/meshcentral-config-schema.json", "__comment1__": "This is a simple configuration file, all values and sections that start with underscore (_) are ignored. Edit a section and remove the _ in front of the name. Refer to the user's guide for details.", "__comment2__": "See node_modules/meshcentral/sample-config-advanced.json for a more advanced example.", "settings": { "cert": "[MyDnsName for the Meshserver]", "MongoDb": "mongodb://127.0.0.1:27017/meshcentral", "MongoDbBulkOperations": true, "TrustedProxy": "127.0.0.1,::1", "TlsOffload": "127.0.0.1,[MyHAProxy-IP],::1", "WANonly": true, "_LANonly": true, "_sessionKey": "MyReallySecretPassword1", "port": 4430, "aliasPort": 443, "redirPort": 800, "redirAliasPort": 80, "desktopMultiplex": true, "Compression": true, "WsCompression": true, "AgentWsCompression": true, "maxInvalidLogin": { "time": 10, "count": 5, "coolofftime": 3 }, "maxInvalid2fa": { "time": 10, "count": 3, "coolofftime": 3 }, "autoBackup": { "_mongoDumpPath": "/usr/bin/mongodump", "backupIntervalHours": 24, "keepLastDaysBackup": 10, "zipPassword": "[A Pswword for the zip-file]", "backupPath": "/install", "_webdav": { "url": "https://server/remote.php/dav/files/xxxxx@server.com/", "username": "user", "password": "pass", "folderName": "MeshCentral-Backups", "maxFiles": 10 } } }, "domains": { "": { "assitentCustomization":{ "title": "[My Ttile]", "_image": "", "_filename": "" }, "title": "[My Title]", "title2": "[My Title2]", "_minify": true, "_newAccounts": true, "_userNameIsEmail": true, "certUrl": "https://[MyDnsName for the Meshserver]:443" } }, "smtp": { "host": "[My SMTP-Provider]", "port": 465, "from": "[MySenderAdress]", "user": "[MySenderAdress]", "pass": "[MyPassword]", "tls": true } } ```

deekerman commented

2026-02-20 09:27:30 -05:00

Author

Owner

@MiRei777 commented on GitHub (Jan 5, 2024):

The agents have a mix ipv4 and ipv6.
A + AAAA Records exists .

@MiRei777 commented on GitHub (Jan 5, 2024): The agents have a mix ipv4 and ipv6. A + AAAA Records exists .

deekerman commented

2026-02-20 09:27:30 -05:00

Author

Owner

@si458 commented on GitHub (Jan 5, 2024):

im assuming [MyHAProxy-IP] is an ext/int ip, like 8.8.8.8 or 192.168.99.77 ?
does HAproxy have an IPv6 address?
have you tried adding its IPv6 address to the TLSOffload and restarting the server then restarting the meshagents?

@si458 commented on GitHub (Jan 5, 2024): im assuming `[MyHAProxy-IP]` is an ext/int ip, like 8.8.8.8 or 192.168.99.77 ? does HAproxy have an IPv6 address? have you tried adding its IPv6 address to the TLSOffload and restarting the server then restarting the meshagents?

deekerman commented

2026-02-20 09:27:30 -05:00

Author

Owner

@MiRei777 commented on GitHub (Jan 5, 2024):

Yes, it is the IPv4 Adress of the HAProxy.
The HaProxy does not have an IPv6 IP.

Why is this configuration working with the Assistent ?

Thanks al lot!

@MiRei777 commented on GitHub (Jan 5, 2024): Yes, it is the IPv4 Adress of the HAProxy. The HaProxy does not have an IPv6 IP. Why is this configuration working with the Assistent ? Thanks al lot!

deekerman commented

2026-02-20 09:27:30 -05:00

Author

Owner

@si458 commented on GitHub (Jan 5, 2024):

this might be because

the remote devices have ipv6 enabled which on windows BECOMES PRIMARY FOR ALL CONNECTIONS

~~so if your dns record for say meshcentral.mydomain.com has an AAAA record, its going to try connecting to that ipv6 address~~
~~and if your HAproxy doesnt have an ipv6 address, this is why its failing~~
EDIT: the above made no sense sorry... check below

you have aliasport set SO if your meshcentral has the ipv6 address on instead, and your only using haproxy for ipv4, then when the remote device trys connecting to meshcentral.mydomain.com its going to be forwarded to meshcentral.mydomain.com:443 BUT you arent running meshcentral on port 443, ur running it on 4430, so it will never connect!

best thing is either

remove the haproxy and let meshcentral handle the tls/ssl and direct connects on its own ipv4/ipv6 addresses
OR
put haproxy with a IPv4+IPv6 address, then put the haproxy ipv6 address into the TlsOffload

as you are trying to use a mix of BOTH methods, when it should be one or the other

@si458 commented on GitHub (Jan 5, 2024): this might be because the remote devices have ipv6 enabled which on windows BECOMES PRIMARY FOR ALL CONNECTIONS ~~so if your dns record for say `meshcentral.mydomain.com` has an AAAA record, its going to try connecting to that ipv6 address~~ ~~and if your HAproxy doesnt have an ipv6 address, this is why its failing~~ EDIT: the above made no sense sorry... check below you have aliasport set SO if your meshcentral has the ipv6 address on instead, and your only using haproxy for ipv4, then when the remote device trys connecting to `meshcentral.mydomain.com` its going to be forwarded to `meshcentral.mydomain.com:443` BUT you arent running meshcentral on port 443, ur running it on 4430, so it will never connect! best thing is either remove the haproxy and let meshcentral handle the tls/ssl and direct connects on its own ipv4/ipv6 addresses OR put haproxy with a IPv4+IPv6 address, then put the haproxy ipv6 address into the TlsOffload as you are trying to use a mix of BOTH methods, when it should be one or the other

deekerman commented

2026-02-20 09:27:30 -05:00

Author

Owner

@MiRei777 commented on GitHub (Jan 5, 2024):

First I'll try to change the priority to ipv4 with a registry entry and activate ipv6 again on the client.

After several tests with ipv6, I became cautious because the stability and functionality kept varying.
Why does it work with the Meshcentral wizard in the current configuration?

Many thanks for the great tips. I'll get back to you when I have new findings after changing the priority.

@MiRei777 commented on GitHub (Jan 5, 2024): First I'll try to change the priority to ipv4 with a registry entry and activate ipv6 again on the client. After several tests with ipv6, I became cautious because the stability and functionality kept varying. Why does it work with the Meshcentral wizard in the current configuration? Many thanks for the great tips. I'll get back to you when I have new findings after changing the priority.

deekerman commented

2026-02-20 09:27:30 -05:00

Author

Owner

@si458 commented on GitHub (Jan 5, 2024):

What do u mean 'wizard' ? Do u mean the web ui?
That's because it's using https which will probably be looking up ur IP and returning both 4 and 6 and failing on 6 and falling bk to 4
Windows has always been funny with ipv6/ipv4 allover, hence the other issues that have been opened

@si458 commented on GitHub (Jan 5, 2024): What do u mean 'wizard' ? Do u mean the web ui? That's because it's using https which will probably be looking up ur IP and returning both 4 and 6 and failing on 6 and falling bk to 4 Windows has always been funny with ipv6/ipv4 allover, hence the other issues that have been opened

deekerman commented

2026-02-20 09:27:30 -05:00

Author

Owner

@MiRei777 commented on GitHub (Jan 5, 2024):

Sorry, I mean the Meshcentral-Assistent.

With the following registry setting on the client, the agent also works when IPv6 is switched on:

Location: HKLM\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters
Key: DisabledComponents
Type: REG_DWORD
Value: 0x20

@MiRei777 commented on GitHub (Jan 5, 2024): Sorry, I mean the Meshcentral-Assistent. With the following registry setting on the client, the agent also works when IPv6 is switched on: Location: HKLM\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters Key: DisabledComponents Type: REG_DWORD Value: 0x20

deekerman commented

2026-02-20 09:27:30 -05:00

Author

Owner

@github-actions[bot] commented on GitHub (Jun 9, 2025):

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

@github-actions[bot] commented on GitHub (Jun 9, 2025): This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

deekerman commented

2026-02-20 09:27:30 -05:00

Author

Owner

@github-actions[bot] commented on GitHub (Aug 11, 2025):

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

@github-actions[bot] commented on GitHub (Aug 11, 2025): This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

deekerman commented

2026-02-20 09:27:30 -05:00

Author

Owner

@github-actions[bot] commented on GitHub (Aug 20, 2025):

This issue has been automatically closed due to inactivity. If you believe this is still relevant, please feel free to reopen it.

@github-actions[bot] commented on GitHub (Aug 20, 2025): This issue has been automatically closed due to inactivity. If you believe this is still relevant, please feel free to reopen it.

Rows
Columns

Connection Problems with Agent on IPv6 #4622