XG-7100 - timeout accessing some websites after upgrade

Trinity99

Hi,

I upgraded yesterday all my pfSense appliances incl the XG-7100 in HQ (+ some SG-3100) to 21.05.2.
Today some of my users reported that they can´t access some websites and other are loading slower (e.g. Amazon) than before behind the XG-7100. All other sites (SG-3100) have no problems.
Websites are all showing timeout in the browsers.
If i configure the client to use squid proxy on the XG-7100 all sites are opened and the speed is OK. So I can exclude ISP.

Anyone had this problems before?
Anything I can check?

Thanks in advance
Ivo

SteveITS

@trinity99 Have not had those issues or seen them here. DNS is working? Do you have any packages installed?

Trinity99

@steveits
Hi Steve,

I also didn´t had this before and I´m working with pfSense for more than 5 years. Have meanwhile 12 appliances all over the world.

Yes, DNS is working fine, I can ping every "non-working" websites and i get replys on the clients.

The following packages are installed

• bandwidthd
• FTP_Client_Proxy
• haproxy
• iperf
• openvpn-client-export
• Service_Watchdog
• squid
• WireGuard

All packages are up to date.

any other idea what I can try.

Thanks
Ivo

stephenw10

@trinity99 said in XG-7100 - timeout accessing some websites after upgrade:

If i configure the client to use squid proxy on the XG-7100 all sites are opened and the speed is OK.

So you are running Squid in transparent mode when it is failing?

Do you see errors in the Squid logs?
The most likely thing is this:
https://docs.netgate.com/pfsense/en/latest/troubleshooting/squid.html#sites-not-loading-with-splice-error-409-in-access-log

Steve

Trinity99

@stephenw10

Hi Steve,

No, I never ran Squid in transparent mode. I configured the proxy in the browser with IP of firewall and port 3128
I don´t use squid in the main site. I have it running for a few clients connecting through S2S VPN (local restrictions in their country)

Ivo

stephenw10

Ok, but it's only users configured to use Squid that are seeing this issue? And they are all over VPN?

What version did you upgrade from?

Steve

Trinity99

@stephenw10

no.. as soon i configure a proxy in the browser everything works fine.
Without proxy some sites are not loading at all. (timeout)
For now i have only 2 examples but users reported that there are more sites not loading since I upgraded the FW to the latest release.
This 2 sites are not working from any client in the headquarter.
https://www.aral-supercard.de/
https://gdz.bplaced.net/

From my home network (behind SG-3100 also upgraded yesterday) I can access this sites without any issues.

I upgraded from 21.02

Thanks
Ivo

stephenw10

Hmm, so in fact only clients that are not using the proxy? Odd.

And they just timeout, no other error shown?

Can those clients resolve the sites correctly? Can they ping them? gdz.bplaced.net appears to respond to ping.

Steve

Trinity99

@stephenw10

yes... i can ping them from any client.
just got some more feedback from one of my admins... he can´t sync his IMAP Mailbox in Outlook 365 anymore.
he even removed the account from Outlook and tried to add it again but it failed.
he then connected his laptop to the mobile hotspot on the phone and he could add and sync the mailbox successfully.
also login with WeChat Windows app is not working anymore.

Ivo

stephenw10

It 'feels' like an MTU issue. Try pinging with large size packets. See if the clients that work can pass larger packets.
The largest I can pass from here is 1492B:

steve@steve-MMLP7AP-00 ~ $ ping -c 3 -s 1464 gdz.bplaced.net
PING gdz.bplaced.net (162.55.0.136) 1464(1492) bytes of data.
1472 bytes from server6.bplaced.net (162.55.0.136): icmp_seq=1 ttl=53 time=25.7 ms
1472 bytes from server6.bplaced.net (162.55.0.136): icmp_seq=2 ttl=53 time=25.5 ms
^C
--- gdz.bplaced.net ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1001ms
rtt min/avg/max/mdev = 25.509/25.593/25.677/0.084 ms

Steve

Trinity99

@stephenw10

seems you are pointing in the right direction. Indeed I have one interface where I adjusted the MTU (SDWAN to China) but on all other interfaces the MTU is default. But it seems that with the upgrade the MTU from the SDWAN interface is now set on all other interfaces. (ifconfig shows my SDWAN MTU on all interfaces)
I tried to set a MTU on the LAN interface but i get an error: The MTU of a VLAN cannot be greater than that of its parent interface.
Where can I set the MTU of the parent interface?

Trinity99

@stephenw10

according to my config only one interface have a changed MTU (see screenshot 1 below)
ifconfig shows me that ix2 and ix3 have MTU of 1370 and all lagg interfaces (see screenshot 2 and 3 below)

Trinity99

@stephenw10

Steve,

found a way to fix it. I removed the MTU settings from the SDWAN interface and rebooted the firewall. Now all interfaces have a default MTU (1500) and websites are accessible again.

Thank you very much for your help.

stephenw10

Ah, nice result!

Yes so normally the interfaces inherit the MTU from parent. Doubly here since you have VLAN on a LAGG made up of real NICs. So in order to allow you to set an MTU pfSense applies the MTU to the parent interfaces and their parents which results in all the subinterfaces also having that applied.

Steve