"Unable to check for updates" after upgrade from from 23.05.1 to 23.09
-
@stephenw10 Sure, "ping -c 3 pfsense-plus-pkg00.atx.netgate.com" returns "ping: UDP connect: No route to host"
-
Check you have a valid default IPv4 route. Look in Diag > Routes or run
netstat -rn4.If there's no default or it's somehow invalid make sure the default IPv4 gateway is set as WAN (not automatic) in System > Routing > Gateways.
-
@stephenw10 I set the gateway to be WAN (not automatic), after that I was able to ping google.ca. As well:
PING pfsense-plus-pkg00.atx.netgate.com (208.123.73.207): 56 data bytes 64 bytes from 208.123.73.207: icmp_seq=0 ttl=51 time=58.867 ms 64 bytes from 208.123.73.207: icmp_seq=1 ttl=51 time=58.679 ms 64 bytes from 208.123.73.207: icmp_seq=2 ttl=51 time=58.667 ms --- pfsense-plus-pkg00.atx.netgate.com ping statistics --- 3 packets transmitted, 3 packets received, 0.0% packet loss round-trip min/avg/max/stddev = 58.667/58.738/58.867/0.091 msHowever, SystemPackage>ManagerAvailable>Packages still shows no packages.
Thank you for your continued support.
-
OK so re-run
pkg-static -d updateandpfSense-repocand see what errors that's showing now it's able to try to connect. -
@stephenw10 OK, it looks like the packages populated over night. Hopefully this is it and everything else is working as expected, more testing to to be done. Thank you.
-
@stephenw10 So after more testing the secondary node appears to be functioning normally. I then switch CARP to maintenance mode on primary node and proceeded with the upgrade of the primary node. The upgrade seemed to have gone well, I was even informed that my system is on the latest version. Next I preceded to check available packages. Unfortunately the list was empty. Trying to execute pkg-static -d update resulted in the page not refreshing, it seemed like the command hung.
I checked that DNS was setup correctly and it is, I'm able to resolve names to IP addresses. Surprisingly, I can't ping google.ca. I checked that System > Routing > Default gateway
is set to "WAMGW" and it was. I also tried rebooting the firewall, nothing changed. -
Does it have a default route present and correct in Diag > Routing?
It's better to run
pkg-static -d updateat the actual command line if you can. That way you can see the partial output and any errors while it's running. -
The gateway IP is our ISP provided gateway. The same as on the secondary firewall.
[23.09-RELEASE][admin@pfsense1.lan.optiwave.com]/root: pkg-static -d update DBG(1)[43703]> pkg initialized Updating pfSense-core repository catalogue... DBG(1)[43703]> PkgRepo: verifying update for pfSense-core DBG(1)[43703]> PkgRepo: need forced update of pfSense-core DBG(1)[43703]> Pkgrepo, begin update of '/var/db/pkg/repo-pfSense-core.sqlite' DBG(1)[43703]> Request to fetch pkg+https://pfsense-plus-pkg.netgate.com/pfSense _plus-v23_09_amd64-core/meta.conf DBG(1)[43703]> curl_open DBG(1)[43703]> Fetch: fetcher used: pkg+https DBG(1)[43703]> curl> fetching https://pfsense-plus-pkg.netgate.com/pfSense_plus- v23_09_amd64-core/meta.conf DBG(1)[43703]> CURL> attempting to fetch from , left retry 3 * Couldn't find host pfsense-plus-pkg00.atx.netgate.com in the .netrc file; usin g defaults * Trying 208.123.73.207:443... * Trying [2610:160:11:18::207]:443... * Immediate connect fail for 2610:160:11:18::207: No route to host * ipv4 connect timeout after 21175ms, move on! * Failed to connect to pfsense-plus-pkg00.atx.netgate.com port 443 after 30025 m s: Timeout was reached * Closing connection DBG(1)[43703]> CURL> attempting to fetch from , left retry 2 -
Can it ping
pfsense-plus-pkg00.atx.netgate.com? Or208.123.73.207? -
@stephenw10 I can not ping, both commands just hang there until ctr-c is pressed.
[23.09-RELEASE][admin@pfsense1.lan.optiwave.com]/root: ping pfsense-plus-pkg00.atx.netgate.com PING pfsense-plus-pkg00.atx.netgate.com (208.123.73.207): 56 data bytes ^C --- pfsense-plus-pkg00.atx.netgate.com ping statistics --- 52 packets transmitted, 0 packets received, 100.0% packet loss [23.09-RELEASE][admin@pfsense1.lan.optiwave.com]/root: ping 208.123.73.207 PING 208.123.73.207 (208.123.73.207): 56 data bytes ^C --- 208.123.73.207 ping statistics --- 79 packets transmitted, 0 packets received, 100.0% packet loss [23.09-RELEASE][admin@pfsense1.lan.optiwave.com]/root: -
Hmm, so is this with it still in maintenance mode? Running as backup?
Can it connect to anything? I assume it can ping internal hosts?
-
@stephenw10 Correct, it's running in maintenance m ode as backup. I can ping internal hosts but I'm unable to ping anything external.
-
Check the outbound NAT settings. Is it NATing it's own traffic to the CARP VIP? That will break WAN connectivity.
-
@stephenw10 For the CARP stuff, I followed a tutorial.
-
Hmm, should be fine.
Then next step I would start a ping from pfSense to something external then check the state table to see what states are opened for it on which interface.
-
I tried a simple look in https://firmware.netgate.com/pkg/
No versions higher than 23.01/2.4.4 are there.
-
Because that only includes versions from the old static repo system.
-
@stephenw10 I executed the following at the console and got the results below:
[23.09-RELEASE][admin@pfsense1.lan.optiwave.com]/root: nslookup google.ca ;; communications error to 127.0.0.1#53: timed out ;; communications error to 127.0.0.1#53: timed out ;; Got SERVFAIL reply from 127.0.0.1, trying next server Server: 172.22.1.1 Address: 172.22.1.1#53 Non-authoritative answer: Name: google.ca Address: 172.217.13.195 ;; Got SERVFAIL reply from 127.0.0.1, trying next server Name: google.ca Address: 2607:f8b0:4020:807::2003 [23.09-RELEASE][admin@pfsense1.lan.optiwave.com]/root: [23.09-RELEASE][admin@pfsense1.lan.optiwave.com]/root: ping 172.217.13.195 PING 172.217.13.195 (172.217.13.195): 56 data bytesSearching the table for 172.217.13.195 yields one single entry:
WAN icmp 99.209.83.93:26986 -> 172.217.13.195:26986 0:0 64 / 0 5 KiB / 0 B
-
Ok that looks correct. I would make sure the other node can ping that IP in case it just doesn't respond to ping.
Assuming it does run a packet capture for that IP on the WAN on the node that's failing. Make sure it's actually sending from the WAN. Make sure the MAC addresses are correct in the pcap.
If those are all accurate I'd check the the gateway device. Perhaps you have a conflict somewhere?
-
@stephenw10 Thanks again for sticking with me. Yes, I can ping from the other node. In fact I did a capture from both nodes:
Problematic Node:
22:23:11.437391 IP 99.xxx.xxx.xxx> 172.217.13.195: ICMP echo request, id 52159, seq 0, length 64
22:23:12.453848 IP 99.xxx.xxx.xxx > 172.217.13.195: ICMP echo request, id 52159, seq 1, length 64
and the pattern repeats.Working node:
22:34:54.366632 IP 99.xxx.xxx.xxx > 172.217.13.195: ICMP echo request, id 37721, seq 0, length 64
22:34:54.370407 IP 172.217.13.195 > 99.xxx.xxx.xxx: ICMP echo reply, id 37721, seq 0, length 64
22:34:55.397837 IP 99.xxx.xxx.xxx > 172.217.13.195: ICMP echo request, id 37721, seq 1, length 64
22:34:55.401639 IP 172.217.13.195 > 99.xxx.xxx.xxx: ICMP echo reply, id 37721, seq 1, length 64
and the pattern repeats.Sorry, I couldn't figure out how to show the MAC addresses.
