Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    Netgate SG-2100 http file transfers hang

    Scheduled Pinned Locked Moved Hardware
    7 Posts 3 Posters 637 Views
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • A
      a9jg83
      last edited by

      My company has multiple office locations with a site-to-site vpn tunnel connecting the networks between them. The primary office is using a Netgate XG-7100 and the satellite offices are using Netgate SG-2100 . Previously the satellite offices were using Netgate SG-1100 and faced no issues. After the upgrade, general connections were working fine, but certain files failed to be transferred over http (wget or netcat) from one office to another. Other files can transfer fine, and the same files can be transferred over ssh fine. The specific files each freeze the transfer at a specific packet. eg File A (340M) always fails at 22%, File B (10M) always fails at 14%, and File C (61M) always fails at 61%. This behavior happens if the source file is being sent through either of the Netgate SG-2100 boxes, or if it's coming from either of the Netgate SG-2100 boxes themselves to devices on the LAN networks. Sending from the Netgate 2100 in the remote offices to the primary office through the WAN connection works fine.

      From a network perspective, the Netgate box believes it sent the problematic packet, but the peer never sees and, and re-requests it by ack-ing the previous packet. The Netgate box keeps reportedly sending it, but it is never seen on the peer side. This behavior is reproducible on a number of machines, so it's not an issue with one specific peer.

      Switching back to the old SG-1100 Gateway resolves the issue, and switching to a PC based PFSense also seems to resolve the issue. That leads us to believe that this is somehow an issue with the SG-2100 box. Does anyone know what the underlying issue might be, or a resolution so that we can use the new hardware without running into this problem?

      The firmware on the SG-2100's is 21.05-RELEASE (arm64)

      I've linked an aggressively truncated file (1.5K) that fails to transfer at 70% over http.

      https://github.com/a9jg83/Untransferrable/blob/main/clipped_poison.bin

      S 1 Reply Last reply Reply Quote 0
      • stephenw10S
        stephenw10 Netgate Administrator
        last edited by

        Hmm, that's a curious error. The code path in the 2100 is almost identical to the 1100, especially to the LAN side where both go through a switch.

        If you run a packet capture on the LAN do you see the packet in question being sent?

        How were you arranging an http transfer from the 2100 to a LAN side client?

        Steve

        A 1 Reply Last reply Reply Quote 0
        • S
          SteveITS Galactic Empire @a9jg83
          last edited by

          @a9jg83 Any sort of IDS or other packages installed? Have not had such issues with anyone using a 2100, and I can download that file from behind a 2100. Can you reproduce with a default/plain config?

          Pre-2.7.2/23.09: Only install packages for your version, or risk breaking it. Select your branch in System/Update/Update Settings.
          When upgrading, allow 10-15 minutes to restart, or more depending on packages and device speed.
          Upvote 👍 helpful posts!

          A 1 Reply Last reply Reply Quote 0
          • A
            a9jg83 @stephenw10
            last edited by

            @stephenw10 A packet capture from the 2100 shows it being sent, but a packet capture on the peer does not show it being received. The ACK of the previous packet is shown being sent by the peer and is seen being received by the 2100, which causes a resend of the broken packet.

            The http transfer from the 2100 to LAN was done from the command line with netcat.

            stephenw10S 1 Reply Last reply Reply Quote 0
            • A
              a9jg83 @SteveITS
              last edited by

              @steveits The only two packages installed are aws-wizard Version 0.10 and ipsec-profile-wizard Version 1.0_3 .

              If you were downloading the file directly from github, it may have been wrapped in a TLS layer. Please try downloading it and then transferring it directly with netcat or wget (or some other plain http transfer method)

              1 Reply Last reply Reply Quote 0
              • stephenw10S
                stephenw10 Netgate Administrator @a9jg83
                last edited by

                @a9jg83 said in Netgate SG-2100 http file transfers hang:

                The http transfer from the 2100 to LAN was done from the command line with netcat.

                You mean 'putting' it from pfSense to something on the LAN?

                Or you set the gui to http and just hosted the file on the 2100 directly?

                Just trying to replicate it as closely as possible.

                Steve

                A 1 Reply Last reply Reply Quote 0
                • A
                  a9jg83 @stephenw10
                  last edited by

                  @stephenw10 , Yes, I was 'putting' it from pfSense to something on the LAN.

                  The other method I was using was hosting something on a fileserver outside of that network and wget'ing it from within the LAN.

                  1 Reply Last reply Reply Quote 0
                  • First post
                    Last post
                  Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.