Netgate SG-2100 http file transfers hang

a9jg83

My company has multiple office locations with a site-to-site vpn tunnel connecting the networks between them. The primary office is using a Netgate XG-7100 and the satellite offices are using Netgate SG-2100 . Previously the satellite offices were using Netgate SG-1100 and faced no issues. After the upgrade, general connections were working fine, but certain files failed to be transferred over http (wget or netcat) from one office to another. Other files can transfer fine, and the same files can be transferred over ssh fine. The specific files each freeze the transfer at a specific packet. eg File A (340M) always fails at 22%, File B (10M) always fails at 14%, and File C (61M) always fails at 61%. This behavior happens if the source file is being sent through either of the Netgate SG-2100 boxes, or if it's coming from either of the Netgate SG-2100 boxes themselves to devices on the LAN networks. Sending from the Netgate 2100 in the remote offices to the primary office through the WAN connection works fine.

From a network perspective, the Netgate box believes it sent the problematic packet, but the peer never sees and, and re-requests it by ack-ing the previous packet. The Netgate box keeps reportedly sending it, but it is never seen on the peer side. This behavior is reproducible on a number of machines, so it's not an issue with one specific peer.

Switching back to the old SG-1100 Gateway resolves the issue, and switching to a PC based PFSense also seems to resolve the issue. That leads us to believe that this is somehow an issue with the SG-2100 box. Does anyone know what the underlying issue might be, or a resolution so that we can use the new hardware without running into this problem?

The firmware on the SG-2100's is 21.05-RELEASE (arm64)

I've linked an aggressively truncated file (1.5K) that fails to transfer at 70% over http.

https://github.com/a9jg83/Untransferrable/blob/main/clipped_poison.bin

stephenw10

Hmm, that's a curious error. The code path in the 2100 is almost identical to the 1100, especially to the LAN side where both go through a switch.

If you run a packet capture on the LAN do you see the packet in question being sent?

How were you arranging an http transfer from the 2100 to a LAN side client?

Steve

SteveITS

@a9jg83 Any sort of IDS or other packages installed? Have not had such issues with anyone using a 2100, and I can download that file from behind a 2100. Can you reproduce with a default/plain config?

a9jg83

@stephenw10 A packet capture from the 2100 shows it being sent, but a packet capture on the peer does not show it being received. The ACK of the previous packet is shown being sent by the peer and is seen being received by the 2100, which causes a resend of the broken packet.

The http transfer from the 2100 to LAN was done from the command line with netcat.

a9jg83

@steveits The only two packages installed are aws-wizard Version 0.10 and ipsec-profile-wizard Version 1.0_3 .

If you were downloading the file directly from github, it may have been wrapped in a TLS layer. Please try downloading it and then transferring it directly with netcat or wget (or some other plain http transfer method)

stephenw10

@a9jg83 said in Netgate SG-2100 http file transfers hang:

The http transfer from the 2100 to LAN was done from the command line with netcat.

You mean 'putting' it from pfSense to something on the LAN?

Or you set the gui to http and just hosted the file on the 2100 directly?

Just trying to replicate it as closely as possible.

Steve

a9jg83

@stephenw10 , Yes, I was 'putting' it from pfSense to something on the LAN.

The other method I was using was hosting something on a fileserver outside of that network and wget'ing it from within the LAN.