FRR ACLs not working after upgrade to 2.7.0 (ospfd also fails unless wiped)
-
I upgraded pfsense to 2.7.0 last night and realized that ospfd was not working. Looking through the logs I found:
routing.log:Aug 1 21:30:53 pfsense watchfrr[64924]: watchfrr 7.5.1 starting: vty@0
Aug 1 21:30:53 pfsense watchfrr[64924]: zebra state -> up : connect succeeded
Aug 1 21:30:53 pfsense watchfrr[64924]: staticd state -> up : connect succeeded
Aug 1 21:30:53 pfsense watchfrr[64924]: ospfd state -> down : initial connection attempt failed
Aug 1 21:30:53 pfsense watchfrr[64924]: Forked background command [pid 65100]: /usr/local/etc/rc.d/frr restart ospfd
Aug 1 21:30:53 pfsense watchfrr[64924]: restart ospfd process 65100 exited with non-zero status 1
Aug 1 21:31:08 pfsense watchfrr[64924]: [EC 268435457] staticd state -> down : read returned EOF
Aug 1 21:31:08 pfsense watchfrr[64924]: [EC 268435457] zebra state -> down : read returned EOF
Aug 1 21:31:08 pfsense watchfrr[64924]: Terminating on signal
and in system.log:
Aug 1 21:29:58 pfsense root[66088]: /usr/local/etc/rc.d/frr: WARNING: failed to start ospfd
Aug 1 21:30:52 pfsense php-fpm[379]: FRR Package: FRR: Daemon state: zebra: running | staticd: running | ospfd: stopped
Aug 1 21:30:53 pfsense root[63956]: /usr/local/etc/rc.d/frr: WARNING: failed to start ospfd
Aug 1 21:30:53 pfsense root[68098]: /usr/local/etc/rc.d/frr: WARNING: failed to start ospfd
Aug 1 21:31:08 pfsense php-fpm[84679]: FRR Package: FRR: Daemon state: zebra: running | staticd: running | ospfd: stopped
Aug 1 21:31:08 pfsense root[93815]: /usr/local/etc/rc.d/frr: WARNING: failed to start ospfd
Aug 1 21:31:09 pfsense root[97519]: /usr/local/etc/rc.d/frr: WARNING: failed to start ospfd
Aug 1 21:31:40 pfsense php-fpm[379]: FRR Package: FRR: Daemon state: zebra: running | staticd: running | ospfd: stopped
I tried reinstalling FRR and ospfd still failed to start. I ended up wiping the config and ospf started properly with no config, and then I re-added the same config back bit by bit and everything seemed to be working well. However when I was re-adding my access lists in, I tried to save a standard acl with seq #'s 10,20,30,... I got an error saying:
Standard type ACLs must have a numeric name in the range 1-99 or 1300-1999.
The sequence numbers were within 1-99. Please see screenshot:
Can someone help explain if I'm doing something wrong here? Is this a bug?
Thanks
-
The Name on your ACL is "test" which isn't valid for a standard ACL, it has to be a number in the given ranges (e.g. 50).
I can't reproduce any problems with the input in the fields below either, though I suggest you maybe make sure there isn't any leading or trailing whitespace in the fields.
Make sure the source is a network (e.g. x.x.x.x/yy), without the CIDR mask it's not a "network" so it would fail validation.
-
@jimp oh. ok, the Name needs to be numeric. I thought it was an issue with the sequence numbers. In my previous config I had a name of "Block_Ext" to prevent my external routes from being distributed internally, so it should be a "Zebra ACL" rather than a "Standard ACL".
Did you get a chance to look into why an upgrade broke my FRR routing config? I can upload a sanitized routing config if you need.
thanks.
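
The three checks raised in the reply above (numeric name in the quoted ranges, no stray whitespace, source written with a CIDR mask) can be run against an ACL before saving it. This is an added example, not code from the thread or from the pfSense FRR package; the function name `check_standard_acl`, the tolerance for host bits, and the sample addresses are assumptions.

```python
import ipaddress

# Name ranges quoted in the error message on this page.
STANDARD_NAME_RANGES = ((1, 99), (1300, 1999))

def check_standard_acl(name, entries):
    """Return a list of problems for a Standard ACL; an empty list means it passes.

    entries is a list of (sequence, source) pairs as typed into the form.
    """
    problems = []
    if name != name.strip():
        problems.append("name has leading or trailing whitespace")
    n = name.strip()
    numeric = n.isascii() and n.isdigit()
    if not (numeric and any(lo <= int(n) <= hi for lo, hi in STANDARD_NAME_RANGES)):
        problems.append(f"name {n!r} is not a number in 1-99 or 1300-1999")
    for seq, source in entries:
        if source != source.strip():
            problems.append(f"seq {seq}: source has leading or trailing whitespace")
        s = source.strip()
        if "/" not in s:
            # ip_network() would silently treat a bare address as a /32 host,
            # so the missing mask has to be caught explicitly.
            problems.append(f"seq {seq}: source {s!r} has no CIDR mask")
            continue
        try:
            # Assumption: host bits set below the mask are tolerated here.
            ipaddress.ip_network(s, strict=False)
        except ValueError:
            problems.append(f"seq {seq}: source {s!r} is not a valid network")
    return problems

if __name__ == "__main__":
    # Constructed input: the name from the thread with documentation-range sources.
    for line in check_standard_acl("test", [(10, "192.0.2.0/24"), (20, "198.51.100.0")]):
        print(line)
```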