XG-7100 - timeout accessing some websites after upgrade
-
Hi Steve,
No, I never ran Squid in transparent mode. I configured the proxy in the browser with IP of firewall and port 3128
I don't use Squid in the main site. I have it running for a few clients connecting through S2S VPN (local restrictions in their country)
Ivo
-
Ok, but it's only users configured to use Squid that are seeing this issue? And they are all over VPN?
What version did you upgrade from?
Steve
-
No.. as soon as I configure a proxy in the browser everything works fine.
Without proxy some sites are not loading at all. (timeout)
For now I have only 2 examples but users reported that there are more sites not loading since I upgraded the FW to the latest release.
These 2 sites are not working from any client in the headquarter.
https://www.aral-supercard.de/
https://gdz.bplaced.net/
From my home network (behind SG-3100, also upgraded yesterday) I can access these sites without any issues.
I upgraded from 21.02
Thanks
Ivo
-
Hmm, so in fact only clients that are not using the proxy? Odd.
And they just timeout, no other error shown?
Can those clients resolve the sites correctly? Can they ping them? gdz.bplaced.net appears to respond to ping.
Steve
-
Yes... I can ping them from any client.
Just got some more feedback from one of my admins... he can't sync his IMAP mailbox in Outlook 365 anymore.
He even removed the account from Outlook and tried to add it again but it failed.
He then connected his laptop to the mobile hotspot on the phone and he could add and sync the mailbox successfully.
Also login with the WeChat Windows app is not working anymore.
Ivo
-
It 'feels' like an MTU issue. Try pinging with large size packets. See if the clients that work can pass larger packets.
The largest I can pass from here is 1492B:

steve@steve-MMLP7AP-00 ~ $ ping -c 3 -s 1464 gdz.bplaced.net
PING gdz.bplaced.net (162.55.0.136) 1464(1492) bytes of data.
1472 bytes from server6.bplaced.net (162.55.0.136): icmp_seq=1 ttl=53 time=25.7 ms
1472 bytes from server6.bplaced.net (162.55.0.136): icmp_seq=2 ttl=53 time=25.5 ms
^C
--- gdz.bplaced.net ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1001ms
rtt min/avg/max/mdev = 25.509/25.593/25.677/0.084 ms
Steve
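Steve's large-packet ping test above can be turned into a quick path-MTU probe. This is an added example, not code from the thread: it binary-searches the largest ICMP payload that still gets a reply with the Don't Fragment bit set, then adds the 28 bytes of IPv4 + ICMP headers to report the effective path MTU. It assumes Linux iputils ping (-M do sets DF, -s sets the payload size); the probe function is swappable so the search can be exercised without network access.

```shell
#!/bin/sh
# Added example: find the largest DF-flagged ICMP payload that reaches a host
# and derive the path MTU from it. Assumes Linux iputils ping.
# IPv4 header (20 bytes) + ICMP echo header (8 bytes) = 28 bytes of overhead,
# which is why Steve's 1464-byte payload showed up as 1492 bytes on the wire.
IP_ICMP_OVERHEAD=28

# ping_probe HOST SIZE: exit 0 if a SIZE-byte payload with DF set gets a reply.
# A reply that never arrives (or a local "message too long") means the path
# cannot carry SIZE+28 bytes unfragmented.
ping_probe() {
    ping -c 1 -W 2 -M do -s "$2" "$1" >/dev/null 2>&1
}

# find_max_payload HOST LO HI [PROBE]: largest payload size in [LO, HI] for
# which "PROBE HOST SIZE" succeeds. Assumes success is monotonic (if SIZE
# passes, every smaller size passes too), which holds for a fixed path MTU.
find_max_payload() {
    fmp_host=$1; fmp_lo=$2; fmp_hi=$3; fmp_probe=${4:-ping_probe}
    fmp_best=0
    while [ "$fmp_lo" -le "$fmp_hi" ]; do
        fmp_mid=$(( (fmp_lo + fmp_hi) / 2 ))
        if "$fmp_probe" "$fmp_host" "$fmp_mid"; then
            fmp_best=$fmp_mid; fmp_lo=$((fmp_mid + 1))
        else
            fmp_hi=$((fmp_mid - 1))
        fi
    done
    echo "$fmp_best"
}

# path_mtu HOST [PROBE]: effective path MTU in bytes. 1472 is the largest
# payload that fits a standard 1500-byte Ethernet MTU, so the search starts there.
path_mtu() {
    pm_payload=$(find_max_payload "$1" 0 1472 "${2:-ping_probe}")
    echo $((pm_payload + IP_ICMP_OVERHEAD))
}

# Usage: sh pmtu.sh gdz.bplaced.net
if [ -n "${1-}" ]; then
    echo "largest DF payload to $1: $(find_max_payload "$1" 0 1472) bytes"
    echo "path MTU to $1: $(path_mtu "$1") bytes"
fi
```

A result well below 1500 from a client that otherwise has a 1500-byte LAN MTU (for example 1370, as ifconfig later showed on the upgraded box) is the signature to look for; comparing the number from an affected client with one from a working network, as Steve suggests, localises where the limit is introduced.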
-
Seems you are pointing in the right direction. Indeed I have one interface where I adjusted the MTU (SDWAN to China) but on all other interfaces the MTU is default. But it seems that with the upgrade the MTU from the SDWAN interface is now set on all other interfaces. (ifconfig shows my SDWAN MTU on all interfaces)
I tried to set an MTU on the LAN interface but I get an error: The MTU of a VLAN cannot be greater than that of its parent interface.
Where can I set the MTU of the parent interface?
-
according to my config only one interface have a changed MTU (see screenshot 1 below)
ifconfig shows me that ix2 and ix3 have MTU of 1370 and all lagg interfaces (see screenshot 2 and 3 below)
-
Steve,
found a way to fix it. I removed the MTU settings from the SDWAN interface and rebooted the firewall. Now all interfaces have a default MTU (1500) and websites are accessible again.
Thank you very much for your help.
-
Ah, nice result!
Yes so normally the interfaces inherit the MTU from parent. Doubly here since you have VLAN on a LAGG made up of real NICs. So in order to allow you to set an MTU pfSense applies the MTU to the parent interfaces and their parents which results in all the subinterfaces also having that applied.
Steve