Netgate Discussion Forum

    XG-7100 - timeout accessing some websites after upgrade

    Category: General pfSense Questions
    14 Posts, 3 Posters, 1.4k Views
    • T Offline
      Trinity99
      last edited by

      Hi,

      Yesterday I upgraded all my pfSense appliances, incl. the XG-7100 in HQ (+ some SG-3100), to 21.05.2.
      Today some of my users reported that they can't access some websites and others are loading more slowly (e.g. Amazon) than before behind the XG-7100. All other sites (SG-3100) have no problems.
      Websites are all showing a timeout in the browsers.
      If I configure the client to use the squid proxy on the XG-7100, all sites open and the speed is OK. So I can exclude the ISP.

      Has anyone had these problems before?
      Anything I can check?

      Thanks in advance
      Ivo

      S 1 Reply Last reply Reply Quote 0
      • S Offline
        SteveITS Rebel Alliance @Trinity99
        last edited by

        @trinity99 Have not had those issues or seen them here. DNS is working? Do you have any packages installed?

        Only install packages for your version, or risk breaking it. Select your branch in System/Update/Update Settings.
        When upgrading, allow 10-15 minutes to reboot, or more depending on packages, and device or disk speed.
        Upvote 👍 helpful posts!

        T 1 Reply Last reply Reply Quote 0
        • T Offline
          Trinity99 @SteveITS
          last edited by

          @steveits
          Hi Steve,

          I also didn't have this before, and I have been working with pfSense for more than 5 years. I now have 12 appliances all over the world.

          Yes, DNS is working fine. I can ping every "non-working" website and I get replies on the clients.

          The following packages are installed

          • bandwidthd
          • FTP_Client_Proxy
          • haproxy
          • iperf
          • openvpn-client-export
          • Service_Watchdog
          • squid
          • WireGuard

          All packages are up to date.

          Any other idea what I can try?

          Thanks
          Ivo

          1 Reply Last reply Reply Quote 0
          • stephenw10S Offline
            stephenw10 Netgate Administrator
            last edited by

            @trinity99 said in XG-7100 - timeout accessing some websites after upgrade:

            If i configure the client to use squid proxy on the XG-7100 all sites are opened and the speed is OK.

            So you are running Squid in transparent mode when it is failing?

            Do you see errors in the Squid logs?
            The most likely thing is this:
            https://docs.netgate.com/pfsense/en/latest/troubleshooting/squid.html#sites-not-loading-with-splice-error-409-in-access-log

            Steve

            T 1 Reply Last reply Reply Quote 0
            • T Offline
              Trinity99 @stephenw10
              last edited by Trinity99

              @stephenw10

              Hi Steve,

              No, I never ran Squid in transparent mode. I configured the proxy in the browser with the IP of the firewall and port 3128.
              I don't use squid at the main site. I have it running for a few clients connecting through S2S VPN (local restrictions in their country).

              Ivo

              1 Reply Last reply Reply Quote 0
              • stephenw10S Offline
                stephenw10 Netgate Administrator
                last edited by

                Ok, but it's only users configured to use Squid that are seeing this issue? And they are all over VPN?

                What version did you upgrade from?

                Steve

                T 1 Reply Last reply Reply Quote 0
                • T Offline
                  Trinity99 @stephenw10
                  last edited by Trinity99

                  @stephenw10

                  No. As soon as I configure a proxy in the browser, everything works fine.
                  Without the proxy some sites are not loading at all (timeout).
                  For now I have only 2 examples, but users reported that there are more sites not loading since I upgraded the FW to the latest release.
                  These 2 sites are not working from any client in the headquarters.
                  https://www.aral-supercard.de/
                  https://gdz.bplaced.net/

                  From my home network (behind an SG-3100, also upgraded yesterday) I can access these sites without any issues.

                  I upgraded from 21.02

                  Thanks
                  Ivo

                  1 Reply Last reply Reply Quote 0
                  • stephenw10S Offline
                    stephenw10 Netgate Administrator
                    last edited by

                    Hmm, so in fact only clients that are not using the proxy? Odd.

                    And they just timeout, no other error shown?

                    Can those clients resolve the sites correctly? Can they ping them? gdz.bplaced.net appears to respond to ping.

                    Steve

                    T 1 Reply Last reply Reply Quote 0
                    • T Offline
                      Trinity99 @stephenw10
                      last edited by Trinity99

                      @stephenw10

                      Yes... I can ping them from any client.
                      I just got some more feedback from one of my admins... he can't sync his IMAP mailbox in Outlook 365 anymore.
                      He even removed the account from Outlook and tried to add it again, but it failed.
                      He then connected his laptop to the mobile hotspot on his phone and could add and sync the mailbox successfully.
                      Also, login with the WeChat Windows app is not working anymore.

                      Ivo

                      1 Reply Last reply Reply Quote 0
                      • stephenw10S Offline
                        stephenw10 Netgate Administrator
                        last edited by

                        It 'feels' like an MTU issue. Try pinging with large size packets. See if the clients that work can pass larger packets.
                        The largest I can pass from here is 1492B:

                        steve@steve-MMLP7AP-00 ~ $ ping -c 3 -s 1464 gdz.bplaced.net
                        PING gdz.bplaced.net (162.55.0.136) 1464(1492) bytes of data.
                        1472 bytes from server6.bplaced.net (162.55.0.136): icmp_seq=1 ttl=53 time=25.7 ms
                        1472 bytes from server6.bplaced.net (162.55.0.136): icmp_seq=2 ttl=53 time=25.5 ms
                        ^C
                        --- gdz.bplaced.net ping statistics ---
                        2 packets transmitted, 2 received, 0% packet loss, time 1001ms
                        rtt min/avg/max/mdev = 25.509/25.593/25.677/0.084 ms
                        

                        Steve

                        T 3 Replies Last reply Reply Quote 1
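The probing step Steve describes above (send ever larger pings and see which size still gets through) can be automated. The following is an added example, not code from the thread or from Netgate: it computes the header arithmetic that ping prints (`1464(1492)` is a 1464-byte ICMP payload plus 8 bytes ICMP and 20 bytes IPv4 header), parses that banner line, and binary-searches the largest packet a path passes. The real probe uses Linux iputils `ping -M do` (don't-fragment; FreeBSD uses `-D` instead) and is assumed to be run by hand; the bundled `simulated_probe` is a constructed stand-in for a path clamped at 1370 bytes, the figure that turned up later in this thread, so the script runs offline.

```python
"""Estimate the path MTU with DF-bit pings (added example, not from the thread)."""
import re
import subprocess
import sys
from typing import Callable, Optional

IP_HDR = 20    # IPv4 header without options
ICMP_HDR = 8   # ICMP echo header
TCP_HDR = 20   # TCP header without options


def ping_payload_for_mtu(mtu: int) -> int:
    """Largest `ping -s` payload that fits in one unfragmented packet of this MTU."""
    return mtu - IP_HDR - ICMP_HDR


def on_wire_size(payload: int) -> int:
    """Total IPv4 packet size for an ICMP echo payload (the number ping prints in parentheses)."""
    return payload + IP_HDR + ICMP_HDR


def mss_for_mtu(mtu: int) -> int:
    """TCP payload per segment that fits this MTU; what MSS clamping would have to advertise."""
    return mtu - IP_HDR - TCP_HDR


_PING_BANNER = re.compile(r"(\d+)\((\d+)\) bytes of data")


def parse_ping_banner(line: str) -> tuple[int, int]:
    """Return (payload, on-wire size) from 'PING host (ip) 1464(1492) bytes of data.'"""
    m = _PING_BANNER.search(line)
    if m is None:
        raise ValueError(f"not a ping banner: {line!r}")
    return int(m.group(1)), int(m.group(2))


def linux_df_probe(host: str) -> Callable[[int], bool]:
    """Live probe with Linux iputils ping: DF bit set (-M do), one packet, 2 s wait.
    FreeBSD/pfSense ping uses -D for the same thing. True means a reply came back."""
    def probe(payload: int) -> bool:
        cmd = ["ping", "-c", "1", "-W", "2", "-M", "do", "-s", str(payload), host]
        return subprocess.run(cmd, capture_output=True).returncode == 0
    return probe


def find_path_mtu(probe: Callable[[int], bool], lo: int = 576, hi: int = 1500) -> Optional[int]:
    """Binary search for the largest on-wire size in [lo, hi] the path passes.
    `probe` takes a ping payload size; passing is assumed monotone in packet size."""
    if probe(ping_payload_for_mtu(hi)):
        return hi                      # full-size packets pass: nothing is clamping
    if not probe(ping_payload_for_mtu(lo)):
        return None                    # even the minimum fails: not an MTU problem
    while hi - lo > 1:                 # invariant: lo passes, hi fails
        mid = (lo + hi) // 2
        if probe(ping_payload_for_mtu(mid)):
            lo = mid
        else:
            hi = mid
    return lo


def simulated_probe(path_mtu: int) -> Callable[[int], bool]:
    """Offline stand-in for a path with a constructed MTU (no packets are sent)."""
    return lambda payload: on_wire_size(payload) <= path_mtu


if __name__ == "__main__":
    # With a hostname argument, probe the live path; otherwise use the constructed 1370-byte path.
    probe = linux_df_probe(sys.argv[1]) if len(sys.argv) > 1 else simulated_probe(1370)
    mtu = find_path_mtu(probe)
    if mtu is None:
        print("even 576-byte packets fail; look elsewhere than MTU")
    else:
        print(f"path MTU {mtu}: max ping -s {ping_payload_for_mtu(mtu)}, TCP MSS {mss_for_mtu(mtu)}")
```

A symptom pattern like the one in this thread (ping and small requests work, TLS handshakes and IMAP syncs hang) is what a clamped path MTU with broken PMTU discovery looks like: the full-size segments never arrive, and nothing tells the sender why.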
                        • T Offline
                          Trinity99 @stephenw10
                          last edited by

                          @stephenw10

                          It seems you are pointing in the right direction. Indeed I have one interface where I adjusted the MTU (SDWAN to China), but on all other interfaces the MTU is default. But it seems that with the upgrade the MTU of the SDWAN interface is now set on all other interfaces (ifconfig shows my SDWAN MTU on all interfaces).
                          I tried to set an MTU on the LAN interface but I get an error: The MTU of a VLAN cannot be greater than that of its parent interface.
                          Where can I set the MTU of the parent interface?

                          [screenshot: 2021-11-29_21-25-12.jpg]

                          1 Reply Last reply Reply Quote 0
                          • T Offline
                            Trinity99 @stephenw10
                            last edited by

                            @stephenw10

                            According to my config only one interface has a changed MTU (see screenshot 1 below).
                            ifconfig shows me that ix2 and ix3 have an MTU of 1370, as do all lagg interfaces (see screenshots 2 and 3 below).

                            [screenshot 1: 1.jpg]
                            [screenshot 2: 2.jpg]
                            [screenshot 3: 3.jpg]

                            1 Reply Last reply Reply Quote 0
                            • T Offline
                              Trinity99 @stephenw10
                              last edited by

                              @stephenw10

                              Steve,

                              I found a way to fix it. I removed the MTU setting from the SDWAN interface and rebooted the firewall. Now all interfaces have the default MTU (1500) and websites are accessible again.

                              Thank you very much for your help.

                              [screenshot: 4.jpg]

                              1 Reply Last reply Reply Quote 0
                              • stephenw10S Offline
                                stephenw10 Netgate Administrator
                                last edited by

                                Ah, nice result!

                                Yes, so normally the interfaces inherit the MTU from the parent. Doubly here, since you have a VLAN on a LAGG made up of real NICs. So in order to allow you to set an MTU, pfSense applies the MTU to the parent interfaces and their parents, which results in all the subinterfaces also having that applied.

                                Steve

                                1 Reply Last reply Reply Quote 0
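The root cause in this thread was only visible in `ifconfig`, not in the pfSense interface settings, so a post-upgrade check worth keeping is one that reads the MTU of every interface, follows the carrier chain Steve describes (VLAN -> LAGG -> member NICs), and flags anything that is not the expected 1500 or that violates the "VLAN MTU cannot exceed its parent" rule. The following is an added example, not code from the thread or from pfSense: the `SAMPLE_IFCONFIG` text is constructed in FreeBSD `ifconfig` style to mirror the ix2/ix3 -> lagg0 -> VLAN layout Ivo reported (the `parent interface:` and `laggport:` lines are the fields the parser relies on), and `SAMPLE_MISMATCH` is the same layout with one VLAN raised above its carrier, the case the UI refuses.

```python
"""Audit interface MTUs and their carrier chain from ifconfig output (added example)."""
import re
from collections import defaultdict

FLAGS = "flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0"

# Constructed sample in FreeBSD ifconfig style: ix2 and ix3 bonded into lagg0, two VLANs on top,
# all still carrying the 1370 MTU that propagated from one interface's setting.
SAMPLE_IFCONFIG = f"""\
ix0: {FLAGS} mtu 1500
\tinet 192.0.2.1 netmask 0xffffff00 broadcast 192.0.2.255
ix2: {FLAGS} mtu 1370
ix3: {FLAGS} mtu 1370
lagg0: {FLAGS} mtu 1370
\tlaggproto lacp lagghash l2,l3,l4
\tlaggport: ix2 flags=1c<ACTIVE,COLLECTING,DISTRIBUTING>
\tlaggport: ix3 flags=1c<ACTIVE,COLLECTING,DISTRIBUTING>
lagg0.10: {FLAGS} mtu 1370
\tvlan: 10 vlanpcp: 0 parent interface: lagg0
lagg0.20: {FLAGS} mtu 1370
\tvlan: 20 vlanpcp: 0 parent interface: lagg0
"""

# Same layout with the VLAN set larger than its carrier: the configuration pfSense rejects.
SAMPLE_MISMATCH = SAMPLE_IFCONFIG.replace(f"lagg0.10: {FLAGS} mtu 1370",
                                          f"lagg0.10: {FLAGS} mtu 1500")

_MTU = re.compile(r"\bmtu (\d+)")
_CARRIER = re.compile(r"(?:parent interface|laggport): (\S+)")


def parse_ifconfig(text: str):
    """Return ({iface: mtu}, {iface: [interfaces it is carried on]})."""
    mtus, carriers, current = {}, defaultdict(list), None
    for line in text.splitlines():
        if not line.strip():
            continue
        if not line[0].isspace():            # "name: flags=... mtu N" opens an interface block
            current = line.split(":", 1)[0]
            m = _MTU.search(line)
            if m:
                mtus[current] = int(m.group(1))
        elif current is not None:            # indented detail lines: VLAN parent or LAGG members
            for name in _CARRIER.findall(line):
                carriers[current].append(name)
    return mtus, dict(carriers)


def carrier_chain(name: str, carriers: dict, seen=None) -> list:
    """Every interface `name` ultimately rides on, nearest first (VLAN -> LAGG -> NICs)."""
    seen = [] if seen is None else seen
    for parent in carriers.get(name, []):
        if parent not in seen:
            seen.append(parent)
            carrier_chain(parent, carriers, seen)
    return seen


def audit(text: str, expected: int = 1500) -> dict:
    """Flag interfaces off the expected MTU and children whose MTU exceeds a carrier's."""
    mtus, carriers = parse_ifconfig(text)
    non_default = sorted((n, m) for n, m in mtus.items() if m != expected)
    violations = [(child, mtus[child], parent, mtus[parent])
                  for child, parents in carriers.items() for parent in parents
                  if parent in mtus and mtus[child] > mtus[parent]]
    return {"mtus": mtus, "carriers": carriers, "non_default": non_default,
            "violations": violations}


if __name__ == "__main__":
    # Drop-in for a live box: audit(subprocess.check_output(["ifconfig"], text=True))
    for label, sample in (("propagated", SAMPLE_IFCONFIG), ("mismatch", SAMPLE_MISMATCH)):
        report = audit(sample)
        print(f"[{label}] off-default MTUs:", report["non_default"])
        for name, _ in report["non_default"]:
            print(f"  {name} rides on {carrier_chain(name, report['carriers']) or 'nothing'}")
        print(f"[{label}] child > carrier:", report["violations"])
```

Run against real output (`ifconfig` on the firewall, or piped through the helper in the `__main__` comment), an empty `non_default` list after a reboot is the confirmation Ivo got from his final screenshot; a populated one names exactly which member NICs and sub-interfaces inherited the value.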