Upgrade from 2.4.5 to 2.5.2

nPerf

Hello,

I recently tried to update my pfSense from v2.4.5 to 2.5.2. Few seconds after upgrading, I have packet loss (around 30%) and high latency, so my network is unusable. When I reinstall with version 2.4.5, there is no problem at all. Do you know where this problem can come from? For information, I already have the same problem before when trying to update from 2.4.5 to 2.5.0.

Thanks for your help.

Gertjan

@nperf said in Upgrade from 2.4.5 to 2.5.2:

Do you know where this problem can come from?

No.
Most pfSense users use 2.5.2 now - the CE version, or the one delivered with a "Netgate device".
Not a solid proof, but this excludes the code base, as we all use the same.
What's left is :
Your settings.
Your hardware.

So .... should we come over to check for ourselves, or are you willing to share details here ?
Suspect messages in the log files ?

stephenw10

Yes, more info required!

Where are you seeing the latency/packet loss to?

What NICs are you using?

Do you see errors logged?

Steve

Gertjan

@nperf said in Upgrade from 2.4.5 to 2.5.2:

Few seconds after upgrading

Something else : a reboot is part of the upgrade, as the new kernel should take over.
A second reboot, when the re install finishes, initiated by you, is also advisable to strait out 'non defined issues'.

nPerf

Hello,
Thanks all for your feedback. I actually just wanted to know if there was some known issue for 2.5.2 version, but apparently no. When I did it I didn't notice anything suspicious in the log, but I did it quickly. When I'll have a slot alone at the office, I'll try again an update and take time to analyze it, and come back to you with more information.
Best regards.

stephenw10

Not something that would behave like that. Not that would affect everything.

I would be looking at a driver change maybe hence the hardware questions.

The usual suspects: Old Realtek and/or USB NICs.

Steve

nPerf

Hello,
I come back with some details as I still have the problem. I have 2 dedicated small PC with pFsense on it (version 2.4.5-RELEASE-p1) like this one: https://www.amazon.fr/dp/B095PCVVMS/
High Availability Sync is configured with 3 VIP in CARP mode. When I put FW01 in maintenance mode, all traffic goes to FW02 and everything is working well. So I end maintenance on FW01, then upgrade FW02 to 2.5.2 via WebUI, I rebooted FW02 twice after the upgrade, then put back FW01 in maintenance mode, and then I have high latency problem with packet loss. I tried the same thing, but instead of upgrade FW02 from 2.4.5 to 2.5.2, I reinstalled it with a USB key to 2.5.2, and then restore my configuration I backed up juste before, but then it's not working at all when I put FW01 in maintenance mode (CARP switch well to MASTER on FW02 and to BACKUP on FW01, but there's no more connection from our LAN). I don't find anything suspicious in the logs.
I plan to try to do again a fresh install of 2.5.2 on FW02 and reconfigure it by hand without using the backup file, but I'm not confident it will work. Is there any chance this problem could come from the difference between the 2 firewall version, 2.4.5 for FW01 and 2.5.2 for FW02?
Thanks for your help.

Boot log:
boot.txt

System log:
general.txt

Dmidecode on the device:
dmidecode.txt

pciconf -lv on the device:
pciconf.txt

stephenw10

When you have different pfSense versions on each node the config cannot sync but the CARP failover will still function. And the logs show that it is:

Oct 6 16:39:00 	kernel 		carp: 2@em0: MASTER -> BACKUP (more frequent advertisement received)
Oct 6 16:39:00 	kernel 		carp: 4@em2: MASTER -> BACKUP (more frequent advertisement received)

That is on the secondary when it;s running as backup?

It looks like it cannot resolve though. Does it have a default route?

Is it trying to NAT it's own traffic via the CARP VIP incorrectly?

What actually fails when you switch the Secondary to Master? You can still reach the pfSense webgui on both nodes I assume?
The gateways still show UP on both nodes?
DNS works?

Steve

nPerf

Yes, logs were on FW02 when it went from BACKUP to MASTER, then from MASTER to BACKUP. Indeed CARP failover is working fine. I did some other tests and problem comes from LAN interface on FW02 when it becomes MASTER. So once again, when FW01 and FW02 are in version 2.4.5, everything is working fine. When I upgrade FW02 to 2.5.2 and I pass FW01 in maintenance mode, so FW02 becomes MASTER, here is what I tested:

From my PC :

Ping to google.fr => Packet loss and high latency
Statistiques Ping pour 142.250.179.227:
Paquets : envoyés = 44, reçus = 25, perdus = 19 (perte 43%),
Durée approximative des boucles en millisecondes :
Minimum = 20ms, Maximum = 3161ms, Moyenne = 361ms
Traceroute to google.fr OK (but with high latency)
Nslookup OK
Ping to FW01 => OK
Ping to FW02 => Packet loss and high latency
Statistiques Ping pour 192.168.100.252:
Paquets : envoyés = 18, reçus = 6, perdus = 12 (perte 66%),
Durée approximative des boucles en millisecondes :
Minimum = 2ms, Maximum = 1894ms, Moyenne = 578ms

From FW02 :

Ping to google.fr OK
Ping to my PC => Packet loss and high latency
--- 192.168.100.151 ping statistics ---
10 packets transmitted, 9 packets received, 10.0% packet loss
round-trip min/avg/max/stddev = 1.892/2741.855/4921.859/1466.654 ms

So the problem seems to be packet loss and high latency on LAN interface of FW02 only when it is MASTER on VIP interfaces. Indeed, when FW01 is MASTER and FW02 BACKUP, a ping to FW02 is OK.

But I don't know what could cause this problem... As I said I'll try to do a fresh install of FW02 with version 2.5.2 and then reconfigure it by hand, without restoring the config, and try to see what config is the cause.

stephenw10

Packet loss that high is almost always an IP conflict of some kind.

It's definitely not dual Master on LAN?

Even if it was that would not affect traffic to from the FW02 LAN IP directly.

Steve