Errors in status interfaces
I have two boxes running the 1.2.3 release (built on Sun Dec 6 23:38:21 EST 2009), with 15 virtual IPs (CARP) and about 10 IPsec tunnels (DES, SHA1, group2).
The WAN is split into 4 VLANs (vlan1 10mbit hdsl, vlan2 20mbit adsl, vlan3 20mbit adsl, vlan4 100mbit wifi).
From Status/Interfaces I have this situation:
Media 100baseTX <full-duplex>
In/out packets 22294161/19292992 (3.86 GB/1.47 GB)
In/out errors 0/55210
WAN2 interface (vlan1)
Media 100baseTX <full-duplex>
In/out packets 82393/345183 (13.77 MB/75.93 MB)
In/out errors 0/2095
WAN3 interface (vlan2)
Media 100baseTX <full-duplex>
In/out packets 24892508/21675838 (1.20 GB/76.62 MB)
In/out errors 0/63224
WIFI interface (vlan3)
Media 100baseTX <full-duplex>
In/out packets 5507840/3261755 (3.57 GB/1.35 GB)
In/out errors 0/10363
In/out packets 105693896/164395537 (1008.87 MB/1.08 GB)
In/out errors 766966/0
When I try to ping everything behind the firewall, I have a lot of packet loss; the same thing happens when I try to ping from the firewalls.
How can I debug this situation?
I would start with the most likely suspects first:
Change the network cable(s) first, and if possible, the switch.
I also noticed a strange routing thing:
On the wifi dedicated VLAN (vlan3) I have many IPsec tunnels; when I touch something in the IPsec configuration or reboot the firewall, routes to remote peers go to hell.
From netstat I can see that routes to those remote peers are in the wrong VLAN (vlan0, which is the VLAN of the principal WAN).
After doing a "route delete ip.of.the.peers", the routes come back to the right VLAN, and I am happy again.
At the moment I have semi-solved it with a route delete host every 3 min in the crontab.