Unable to update without turning off firewall
-
I have upgraded from 2.6.0 via 2.7.0 to 2.7.2
Yes. Accessing from the LAN side is ok.
This is a lab environment and I have control over most of what is beyond the WAN.
Date and time are ok. However, I do have an out of date certificate on the box, but I fail to see that it could be problematic only when the firewall is active. Do you think it could be the problem?
Mario
-
Wait ... you might have to type the special @stephenw10 command ....
-
-
I would expect to see a cert error there if it was a cert problem at either end. It's just timing out as I understand it, though I don't see the actual error.
The states show it is connecting but then just fails.
Try a pcap on the WAN filtered by the destination IP then run the update.
Could be an MTU issue perhaps.
-
@stephenw10
Thanks for answering. Unfortunately I don't get to work with this until Tuesday next week. I'll do a capture then. I agree that it looks like a packet size issue, but I don't see how it could be, as the packets getting sent should not change size just because I turn off the firewall?
Mario
-
Well with pf-scrub it re-assembles fragments.... or tries to.
-
@stephenw10
Good morning, I got to do the capture today. I must admit that I don't know what to make of it.
I'll try to attach it here.
-
Hmm, interesting. Other traffic is passing the firewall OK?
The pkg server never sees the ACK packet from pfSense so it just keeps sending SYN-ACK and never moves past that.
If you look at the MAC addresses you might have some asymmetry somewhere because pfSense is sending to 60:15:2b:fe:f1:11 but the replies come back from 00:10:db:ff:10:00.
Which of those is the expected gateway MAC/IP? You don't see anything blocked in pfSense?
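As an added example, not from the thread: a small Python check that runs over frames from a WAN capture and flags what stephenw10 spotted by eye, a SYN leaving towards one next-hop MAC while the SYN-ACKs return from another, plus SYN-ACKs repeated with no client ACK. The frames below are constructed (the pfSense MAC and the IPs are placeholders; the two gateway MACs are the ones quoted in the thread), and a real pcap would be fed in through a reader such as scapy.

```python
from collections import defaultdict

# Constructed frames in WAN-capture order, one tuple per packet:
# (dst_mac, src_mac, src_ip, dst_ip, sport, dport, tcp_flags)
SYN, SYNACK, ACK = "S", "SA", "A"
PFSENSE = "00:08:a2:aa:bb:cc"          # placeholder WAN MAC of the firewall
FRAMES = [
    # stalled flow: SYN goes to one gateway, SYN-ACKs return via another
    ("60:15:2b:fe:f1:11", PFSENSE, "203.0.113.10", "198.51.100.5", 51000, 443, SYN),
    (PFSENSE, "00:10:db:ff:10:00", "198.51.100.5", "203.0.113.10", 443, 51000, SYNACK),
    (PFSENSE, "00:10:db:ff:10:00", "198.51.100.5", "203.0.113.10", 443, 51000, SYNACK),
    # healthy flow for contrast: reply comes back from the same MAC the SYN went to
    ("60:15:2b:fe:f1:11", PFSENSE, "203.0.113.10", "198.51.100.9", 51001, 80, SYN),
    (PFSENSE, "60:15:2b:fe:f1:11", "198.51.100.9", "203.0.113.10", 80, 51001, SYNACK),
    ("60:15:2b:fe:f1:11", PFSENSE, "203.0.113.10", "198.51.100.9", 51001, 80, ACK),
]

def analyse_handshakes(frames):
    """Per client-side flow key: next-hop MAC the SYN left through, MAC(s) the
    SYN-ACKs arrived from, SYN-ACK count, and whether the client's ACK appeared."""
    flows = defaultdict(lambda: {"syn_next_hop": None, "synack_from": set(),
                                 "synack_count": 0, "ack_seen": False})
    for dst_mac, src_mac, src_ip, dst_ip, sport, dport, flags in frames:
        if flags == SYN:
            flows[(src_ip, sport, dst_ip, dport)]["syn_next_hop"] = dst_mac
        elif flags == SYNACK:                      # reverse tuple to the client key
            f = flows[(dst_ip, dport, src_ip, sport)]
            f["synack_from"].add(src_mac)
            f["synack_count"] += 1
        elif flags == ACK:
            flows[(src_ip, sport, dst_ip, dport)]["ack_seen"] = True
    return dict(flows)

def asymmetric_flows(frames, retransmit_threshold=2):
    """Flows whose replies return from a different MAC than the SYN went to,
    or that show repeated SYN-ACKs with no client ACK (stalled handshake)."""
    out = {}
    for key, f in analyse_handshakes(frames).items():
        mac_mismatch = (f["syn_next_hop"] is not None
                        and bool(f["synack_from"] - {f["syn_next_hop"]}))
        stalled = f["synack_count"] >= retransmit_threshold and not f["ack_seen"]
        if mac_mismatch or stalled:
            out[key] = {"mac_mismatch": mac_mismatch, "stalled": stalled,
                        "syn_next_hop": f["syn_next_hop"],
                        "synack_from": sorted(f["synack_from"])}
    return out

if __name__ == "__main__":
    for key, finding in asymmetric_flows(FRAMES).items():
        print(key, finding)
```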
-
Awesome! That was the answer.
I have 2 gateways in the same subnet connected to the router for test purposes, and somehow it was using the non-default one for outgoing traffic.
I never noticed that the traffic was asymmetric. Thanks for pointing it out for me.
Mario
-
Aha, that would do it. Nice.