Problem after upgrading to 2.3.3

  • Hi. I ran into an odd thing after upgrading from 2.3.2_1 to 2.3.3 today. The upgrade itself went well and all seemed fine until I started adding a new IPsec tunnel. The moment I hit the apply button (making stage 1) the GUI stopped responding. I thought at first it was PHP-FPM that messed up again, so I restarted it from the CLI. Nothing changed. Still couldn't load the web GUI. Then I restarted the webConfigurator but still no go. I then rebooted the entire pfSense and still I can't access it via the web GUI. It's like some firewall rule is blocking me all of a sudden, or some service simply died and refuses to come back up. There is no problem for the servers on the LAN that use this firewall though, and it seems to run fine otherwise.

    Anyone have any ideas? Note I am fairly new to pfSense, but we started using it on a regular basis at work now, so I am learning more and more as I go. The firewall is not critical in this particular case; that is why I chose to test the new release on it.

  • From console restore recent config (the last known good one).

  • @NOYB:

    From console restore recent config (the last known good one).

    It took me 2 tries and reboots but I found one that worked. Kinda odd behaviour though. When I add an IPsec tunnel, does it add/change rules at the same time? If so, something is fishy with that. :)  In any case, I'll try it again and see what happens.

    Thanks for the input anyway.

  • Ok, I managed to reproduce the problem several times, and it's when I choose IKEv2 in the IPsec tunnel that the GUI stops responding. If I pick IKEv1 it's no problem at all. Not sure if that is a known issue already, but hopefully it gets fixed sometime in the future.

  • Rebel Alliance Developer Netgate

    I'm not aware of any problems like that. How exactly did you configure the tunnel P1 and P2? What are your WAN/LAN interface configurations like?

  • I remember a few versions back I tried to add an IKEv2 tunnel and I tried applying the changes with only phase 1 configured, and it hung the GUI. When I added phase 1 and 2 and then applied, it worked.

  • @jimp:

    I'm not aware of any problems like that. How exactly did you configure the tunnel P1 and P2? What are your WAN/LAN interface configurations like?

    Ok, I'll describe in more detail how I did it below.

    1. I press "Add P1" and change "Key Exchange version" to IKEv2.

    2. Then I add the following values under General information:
    Internet Protocol: IPv4
    Interface: WAN
    Remote gateway: x.x.x.x
    Description: To-From-xxxx

    3. Phase 1 Proposal (Authentication):
    Authentication Method: Mutual PSK
    My identifier: My IP address
    Peer identifier: Peer IP address
    Preshared key: xxxxxxxxxxxxxx (32 letters long with only small/big letters and numbers)

    4. Phase 1 Proposal (Algorithms)
    Encryption Algorithm: AES - 256 bits
    Hash Algorithm: SHA256
    DH Group: 5 (1536 bit) (sometimes I pick 14. Don't ask me why ^^)
    Lifetime (Seconds): 28600

    5. Advanced Options I leave untouched. It's the default that pfSense comes with.

    6. I press save.

    After I press save the web interface stops responding and I have no other choice than to revert back to a previous working configuration. So as you notice, I don't even get to the Phase 2 settings.
    Whatever happens in the background, it feels a bit like it adds some firewall rules that block HTTPS. I can still access the firewall via the Hyper-V GUI, and the test servers I have in the same VLAN that this firewall handles can still access the internet and other servers on the same network. It seems only the web interface is affected.

    The LAN interface is configured with basic settings more or less:
    Static IPv4: x.x.x.x
    IPv6 Configuration type: None
    MAC Address: (nothing typed. Just grey xx.xx)
    MTU: blank
    MSS: blank
    Speed And Duplex: Default
    IPv4 Address: x.x.x.x
    IPv4 Upstream gateway: None
    The two checkboxes in Reserved Networks are not checked.

    Same thing goes for the WAN configuration. The only difference is I have an IPv4 Upstream gateway and checked the two boxes in Reserved Networks.

    Last, I upgraded from 2.3.2_1 with a minimum of firewall rules and settings. The pfSense was more or less out of the "box", so to speak, and only set up with a WAN and LAN configuration, as I hadn't got any farther in the setup of the new environment I am building.

  • Rebel Alliance Developer Netgate

    I just tried the same procedure here on a 2.3.3 firewall and there was no problem at all.

    Does that happen even before you press Apply Changes, or after?

    From the console, before putting that in place:

    cp /tmp/rules.debug /root/rules.debug.before

    Then re-create the issue and run:

    cp /tmp/rules.debug /root/rules.debug.after

    Then once you regain access, grab both files and compare the two using diff or similar, and see what shows up. Like this:

    diff -u /root/rules.debug.before /root/rules.debug.after

    Normally you'd only see additional pass rules and they wouldn't affect anything on your local network.
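The snapshot-and-diff procedure above, as an added example script (not pfSense code or anything from this thread): it wraps the two `cp` commands and the `diff` in functions, prints only the rules that were added or removed, and counts how many of the added rules are `block`/`reject` rules, which is what you would look for if the webConfigurator became unreachable. The `--demo` mode writes a constructed before/after pair so the script can be tried without a firewall; the IPsec pass-rule lines in that sample only approximate the format pfSense generates and are an assumption, not copied from a real ruleset.

```shell
#!/bin/sh
# Added example, not pfSense code: capture /tmp/rules.debug before and after
# reproducing the problem, then report exactly which pf rules changed.
# pfSense regenerates /tmp/rules.debug on every filter reload.

RULES_FILE="${RULES_FILE:-/tmp/rules.debug}"

# snapshot_rules DEST: the cp from the post, kept as a function.
snapshot_rules() {
    cp "$RULES_FILE" "$1"
}

# added_rules BEFORE AFTER: lines present only in AFTER ("> " lines of diff).
added_rules() {
    diff "$1" "$2" | sed -n 's/^> //p'
}

# removed_rules BEFORE AFTER: lines present only in BEFORE ("< " lines of diff).
removed_rules() {
    diff "$1" "$2" | sed -n 's/^< //p'
}

# count_lines: line count on stdin with no padding (wc -l pads on some systems);
# grep -c exits 1 on zero matches, so swallow that.
count_lines() {
    grep -c '' || true
}

# blocking_added BEFORE AFTER: added rules that block or reject traffic.
# The post says only extra pass rules are expected, so anything here is suspect.
blocking_added() {
    added_rules "$1" "$2" | grep -E '^(block|reject)' || true
}

# make_samples DIR: constructed before/after pair for trying the script offline.
# The IPsec lines approximate pfSense's generated rules (assumed format).
make_samples() {
    cat > "$1/before" <<'EOF'
# constructed sample ruleset, not taken from a real firewall
set skip on lo0
block in log quick on em1 inet from 10.0.0.0/8 to any label "Block private networks from WAN"
pass in quick on em0 proto tcp from any to (em0) port { 443 80 22 } keep state label "anti-lockout rule"
pass in quick on em0 inet from 10.0.0.0/24 to any keep state label "USER_RULE: Default allow LAN to any"
EOF
    cp "$1/before" "$1/after"
    cat >> "$1/after" <<'EOF'
pass out on em1 proto udp from (em1) to 203.0.113.10 port = 500 keep state label "IPsec: To-From-xxxx - outbound isakmp"
pass in on em1 proto udp from 203.0.113.10 to (em1) port = 500 keep state label "IPsec: To-From-xxxx - inbound isakmp"
pass out on em1 proto esp from (em1) to 203.0.113.10 keep state label "IPsec: To-From-xxxx - outbound esp proto"
pass in on em1 proto esp from 203.0.113.10 to (em1) keep state label "IPsec: To-From-xxxx - inbound esp proto"
EOF
}

# report BEFORE AFTER: human-readable summary of what the change did to pf.
report() {
    echo "== rules added =="
    added_rules "$1" "$2"
    echo "== rules removed =="
    removed_rules "$1" "$2"
    echo "== blocking rules added: $(blocking_added "$1" "$2" | count_lines) =="
}

main() {
    case "$1" in
        before) snapshot_rules /root/rules.debug.before ;;
        after)  snapshot_rules /root/rules.debug.after ;;
        report) report /root/rules.debug.before /root/rules.debug.after ;;
        --demo)
            dir=$(mktemp -d)
            make_samples "$dir"
            report "$dir/before" "$dir/after"
            rm -rf "$dir"
            ;;
        *) echo "usage: $0 before|after|report|--demo" >&2 ;;
    esac
}

main "$@"
```

On the firewall itself the sequence is `sh rulesdiff.sh before`, save the P1 in the GUI to trigger the hang, `sh rulesdiff.sh after` from the console, then `sh rulesdiff.sh report` once the GUI is reachable again (or from the console, since it only reads the two copies).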
