"Unable to check for updates" after upgrade from 23.05.1 to 23.09
-
DBG(1)[42008]> pkg initialized
Updating pfSense-core repository catalogue...
DBG(1)[42008]> PkgRepo: verifying update for pfSense-core
DBG(1)[42008]> PkgRepo: need forced update of pfSense-core
DBG(1)[42008]> Pkgrepo, begin update of '/var/db/pkg/repo-pfSense-core.sqlite'
DBG(1)[42008]> Request to fetch pkg+https://pfsense-plus-pkg.netgate.com/pfSense_plus-v23_09_amd64-core/meta.conf
DBG(1)[42008]> curl_open
DBG(1)[42008]> Fetch: fetcher used: pkg+https
DBG(1)[42008]> curl> fetching https://pfsense-plus-pkg.netgate.com/pfSense_plus-v23_09_amd64-core/meta.conf
DBG(1)[42008]> CURL> attempting to fetch from , left retry 3
* Couldn't find host pfsense-plus-pkg00.atx.netgate.com in the .netrc file; using defaults
* Trying [2610:160:11:18::207]:443...
* Immediate connect fail for 2610:160:11:18::207: No route to host
* Trying 208.123.73.207:443...
* Immediate connect fail for 208.123.73.207: Network is unreachable
* Failed to connect to pfsense-plus-pkg00.atx.netgate.com port 443 after 4 ms: Couldn't connect to server
* Closing connection
DBG(1)[42008]> CURL> attempting to fetch from , left retry 2
pfSense-repoc: failed to fetch the repo data failed to read the repo data.
I tried DNS lookup of google.com and got: 142.251.32.78 but when I try to ping said IP address I get 100% packet loss:
PING 142.251.32.78 (142.251.32.78): 56 data bytes
--- 142.251.32.78 ping statistics ---
3 packets transmitted, 0 packets received, 100.0% packet loss
I can ping google.com from the other non-upgraded firewall just fine:
PING google.com (172.217.13.110): 56 data bytes
64 bytes from 172.217.13.110: icmp_seq=0 ttl=117 time=3.697 ms
64 bytes from 172.217.13.110: icmp_seq=1 ttl=117 time=3.789 ms
64 bytes from 172.217.13.110: icmp_seq=2 ttl=117 time=3.737 ms
--- google.com ping statistics ---
3 packets transmitted, 3 packets received, 0.0% packet loss
round-trip min/avg/max/stddev = 3.697/3.741/3.789/0.038 ms
-
@Kajetan321 said in "Unable to check for updates" after upgrade from 23.05.1 to 23.09:
- Immediate connect fail for 208.123.73.207: Network is unreachable
That implies you have something blocking access to it or some bogus route added.
Can you ping the pkg server?
[23.09-RELEASE][admin@2100-2.stevew.lan]/root: ping -c 3 pfsense-plus-pkg00.atx.netgate.com
PING pfsense-plus-pkg00.atx.netgate.com (208.123.73.207): 56 data bytes
64 bytes from 208.123.73.207: icmp_seq=0 ttl=51 time=112.563 ms
64 bytes from 208.123.73.207: icmp_seq=1 ttl=51 time=112.511 ms
64 bytes from 208.123.73.207: icmp_seq=2 ttl=51 time=112.216 ms
--- pfsense-plus-pkg00.atx.netgate.com ping statistics ---
3 packets transmitted, 3 packets received, 0.0% packet loss
round-trip min/avg/max/stddev = 112.216/112.430/112.563/0.153 ms
-
@stephenw10 Sure, "ping -c 3 pfsense-plus-pkg00.atx.netgate.com" returns "ping: UDP connect: No route to host"
-
Check you have a valid default IPv4 route. Look in Diag > Routes or run netstat -rn4.
If there's no default or it's somehow invalid make sure the default IPv4 gateway is set as WAN (not automatic) in System > Routing > Gateways.
-
@stephenw10 I set the gateway to be WAN (not automatic), after that I was able to ping google.ca. As well:
PING pfsense-plus-pkg00.atx.netgate.com (208.123.73.207): 56 data bytes
64 bytes from 208.123.73.207: icmp_seq=0 ttl=51 time=58.867 ms
64 bytes from 208.123.73.207: icmp_seq=1 ttl=51 time=58.679 ms
64 bytes from 208.123.73.207: icmp_seq=2 ttl=51 time=58.667 ms
--- pfsense-plus-pkg00.atx.netgate.com ping statistics ---
3 packets transmitted, 3 packets received, 0.0% packet loss
round-trip min/avg/max/stddev = 58.667/58.738/58.867/0.091 ms
However, System > Package Manager > Available Packages still shows no packages.
Thank you for your continued support.
-
OK so re-run pkg-static -d update and pfSense-repoc and see what errors that's showing now it's able to try to connect.
-
@stephenw10 OK, it looks like the packages populated overnight. Hopefully this is it and everything else is working as expected, more testing to be done. Thank you.
-
@stephenw10 So after more testing the secondary node appears to be functioning normally. I then switched CARP to maintenance mode on the primary node and proceeded with the upgrade of the primary node. The upgrade seemed to have gone well, I was even informed that my system is on the latest version. Next I proceeded to check available packages. Unfortunately the list was empty. Trying to execute pkg-static -d update resulted in the page not refreshing, it seemed like the command hung.
I checked that DNS was set up correctly and it is, I'm able to resolve names to IP addresses. Surprisingly, I can't ping google.ca. I checked that System > Routing > Default gateway is set to "WAMGW" and it was. I also tried rebooting the firewall, nothing changed.
-
Does it have a default route present and correct in Diag > Routing?
It's better to run pkg-static -d update at the actual command line if you can. That way you can see the partial output and any errors while it's running.
-
The gateway IP is our ISP provided gateway. The same as on the secondary firewall.
[23.09-RELEASE][admin@pfsense1.lan.optiwave.com]/root: pkg-static -d update
DBG(1)[43703]> pkg initialized
Updating pfSense-core repository catalogue...
DBG(1)[43703]> PkgRepo: verifying update for pfSense-core
DBG(1)[43703]> PkgRepo: need forced update of pfSense-core
DBG(1)[43703]> Pkgrepo, begin update of '/var/db/pkg/repo-pfSense-core.sqlite'
DBG(1)[43703]> Request to fetch pkg+https://pfsense-plus-pkg.netgate.com/pfSense_plus-v23_09_amd64-core/meta.conf
DBG(1)[43703]> curl_open
DBG(1)[43703]> Fetch: fetcher used: pkg+https
DBG(1)[43703]> curl> fetching https://pfsense-plus-pkg.netgate.com/pfSense_plus-v23_09_amd64-core/meta.conf
DBG(1)[43703]> CURL> attempting to fetch from , left retry 3
* Couldn't find host pfsense-plus-pkg00.atx.netgate.com in the .netrc file; using defaults
* Trying 208.123.73.207:443...
* Trying [2610:160:11:18::207]:443...
* Immediate connect fail for 2610:160:11:18::207: No route to host
* ipv4 connect timeout after 21175ms, move on!
* Failed to connect to pfsense-plus-pkg00.atx.netgate.com port 443 after 30025 ms: Timeout was reached
* Closing connection
DBG(1)[43703]> CURL> attempting to fetch from , left retry 2
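
The two pkg-static -d update runs in this thread fail differently on IPv4: the first is refused immediately ("Network is unreachable"), the second times out. The script below is an added example, not part of any post in the thread, that separates the two cases and prints the check the thread moved to next for each; the function and variable names are made up for illustration, and the sample lines are excerpts of the output quoted above.

```shell
#!/bin/sh
# Added example (not from the thread): classify the IPv4 connect failure in
# `pkg-static -d update` debug output. Function names are hypothetical.

# Reads debug output on stdin and prints one verdict:
#   no-route  connect() failed at once, so there is no usable IPv4 route
#   timeout   packets were sent but nothing answered
#   ok        neither message was seen
classify_pkg_debug() {
    awk '
        # Match dotted-quad addresses only; the IPv6 "No route to host"
        # lines appear in both runs and are not the problem discussed here.
        /Immediate connect fail for [0-9]+\.[0-9]+\.[0-9]+\.[0-9]+: (Network is unreachable|No route to host)/ { noroute = 1 }
        /ipv4 connect timeout/ { timeout = 1 }
        END {
            if (noroute) print "no-route"
            else if (timeout) print "timeout"
            else print "ok"
        }'
}

# Maps a verdict to the check suggested in the thread for that symptom.
next_step() {
    case "$1" in
        no-route) echo "check the default IPv4 route (netstat -rn4) and the default gateway in System > Routing > Gateways" ;;
        timeout)  echo "route is present but nothing answers: check outbound NAT and the state table" ;;
        *)        echo "no IPv4 connect failure found" ;;
    esac
}

# Excerpts of the curl lines quoted in the thread, embedded so this runs offline.
SAMPLE_UNREACHABLE='* Trying [2610:160:11:18::207]:443...
* Immediate connect fail for 2610:160:11:18::207: No route to host
* Trying 208.123.73.207:443...
* Immediate connect fail for 208.123.73.207: Network is unreachable'

SAMPLE_TIMEOUT='* Trying 208.123.73.207:443...
* Trying [2610:160:11:18::207]:443...
* Immediate connect fail for 2610:160:11:18::207: No route to host
* ipv4 connect timeout after 21175ms, move on!'

# On the firewall itself: pkg-static -d update 2>&1 | classify_pkg_debug
for sample in "$SAMPLE_UNREACHABLE" "$SAMPLE_TIMEOUT"; do
    next_step "$(printf '%s\n' "$sample" | classify_pkg_debug)"
done
```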
-
Can it ping pfsense-plus-pkg00.atx.netgate.com? Or 208.123.73.207?
-
@stephenw10 I can not ping, both commands just hang there until Ctrl-C is pressed.
[23.09-RELEASE][admin@pfsense1.lan.optiwave.com]/root: ping pfsense-plus-pkg00.atx.netgate.com
PING pfsense-plus-pkg00.atx.netgate.com (208.123.73.207): 56 data bytes
^C
--- pfsense-plus-pkg00.atx.netgate.com ping statistics ---
52 packets transmitted, 0 packets received, 100.0% packet loss
[23.09-RELEASE][admin@pfsense1.lan.optiwave.com]/root: ping 208.123.73.207
PING 208.123.73.207 (208.123.73.207): 56 data bytes
^C
--- 208.123.73.207 ping statistics ---
79 packets transmitted, 0 packets received, 100.0% packet loss
[23.09-RELEASE][admin@pfsense1.lan.optiwave.com]/root:
-
Hmm, so is this with it still in maintenance mode? Running as backup?
Can it connect to anything? I assume it can ping internal hosts?
-
@stephenw10 Correct, it's running in maintenance mode as backup. I can ping internal hosts but I'm unable to ping anything external.
-
Check the outbound NAT settings. Is it NATing its own traffic to the CARP VIP? That will break WAN connectivity.
-
@stephenw10 For the CARP stuff, I followed a tutorial.
-
Hmm, should be fine.
Then next step I would start a ping from pfSense to something external then check the state table to see what states are opened for it on which interface.
-
I tried a simple look in https://firmware.netgate.com/pkg/
No versions higher than 23.01/2.4.4 are there.
-
Because that only includes versions from the old static repo system.
-
@stephenw10 I executed the following at the console and got the results below:
[23.09-RELEASE][admin@pfsense1.lan.optiwave.com]/root: nslookup google.ca
;; communications error to 127.0.0.1#53: timed out
;; communications error to 127.0.0.1#53: timed out
;; Got SERVFAIL reply from 127.0.0.1, trying next server
Server: 172.22.1.1
Address: 172.22.1.1#53
Non-authoritative answer:
Name: google.ca
Address: 172.217.13.195
;; Got SERVFAIL reply from 127.0.0.1, trying next server
Name: google.ca
Address: 2607:f8b0:4020:807::2003
[23.09-RELEASE][admin@pfsense1.lan.optiwave.com]/root:
[23.09-RELEASE][admin@pfsense1.lan.optiwave.com]/root: ping 172.217.13.195
PING 172.217.13.195 (172.217.13.195): 56 data bytes
Searching the table for 172.217.13.195 yields one single entry:
WAN icmp 99.209.83.93:26986 -> 172.217.13.195:26986 0:0 64 / 0 5 KiB / 0 B