OPNsense Forum
Archive => 19.1 Legacy Series => Topic started by: jmeyer on February 25, 2019, 11:26:14 am
-
Hi,
I am trying to set up two new VMs with OPNsense 19.1.1. There are two networks, WAN and LAN. The two firewall hosts can communicate with each other over both interfaces (ping). CARP (via multicast) and pfsync with direct IPs (not multicast) are also working on the LAN interface.
Setting up the configuration sync is not working. The TLS connection is not working and I don't know why. I can establish an HTTP connection and get the redirect. I can reach the HTTPS interface from a third device without any issues. I tried with the default self-signed certificate and a certificate from my private CA; nothing worked.
The TCP connect is working, but the setup of the TLS connection does not work...
root@fw-os-01:~ # echo | openssl s_client -connect 10.4.0.12:443 -debug
CONNECTED(00000003)
write to 0x4f5e5e1c0e0 [0x4f5e5f64000] (307 bytes => 307 (0x133))
0000 - 16 03 01 01 2e 01 00 01-2a 03 03 85 30 40 b0 d8 ........*...0@..
0010 - ed da d4 6b 01 bb a5 9e-56 24 df 13 76 7b 55 01 ...k....V$..v{U.
0020 - c6 13 5e f0 51 c2 c1 ae-10 ff 35 00 00 ac c0 30 ..^.Q.....5....0
0030 - c0 2c c0 28 c0 24 c0 14-c0 0a 00 a5 00 a3 00 a1 .,.(.$..........
0040 - 00 9f 00 6b 00 6a 00 69-00 68 00 39 00 38 00 37 ...k.j.i.h.9.8.7
0050 - 00 36 00 88 00 87 00 86-00 85 c0 32 c0 2e c0 2a .6.........2...*
0060 - c0 26 c0 0f c0 05 00 9d-00 3d 00 35 00 84 c0 2f .&.......=.5.../
0070 - c0 2b c0 27 c0 23 c0 13-c0 09 00 a4 00 a2 00 a0 .+.'.#..........
0080 - 00 9e 00 67 00 40 00 3f-00 3e 00 33 00 32 00 31 ...g.@.?.>.3.2.1
0090 - 00 30 00 9a 00 99 00 98-00 97 00 45 00 44 00 43 .0.........E.D.C
00a0 - 00 42 c0 31 c0 2d c0 29-c0 25 c0 0e c0 04 00 9c .B.1.-.).%......
00b0 - 00 3c 00 2f 00 96 00 41-00 07 c0 11 c0 07 c0 0c .<./...A........
00c0 - c0 02 00 05 00 04 c0 12-c0 08 00 16 00 13 00 10 ................
00d0 - 00 0d c0 0d c0 03 00 0a-00 ff 01 00 00 55 00 0b .............U..
00e0 - 00 04 03 00 01 02 00 0a-00 1c 00 1a 00 17 00 19 ................
00f0 - 00 1c 00 1b 00 18 00 1a-00 16 00 0e 00 0d 00 0b ................
0100 - 00 0c 00 09 00 0a 00 23-00 00 00 0d 00 20 00 1e .......#..... ..
0110 - 06 01 06 02 06 03 05 01-05 02 05 03 04 01 04 02 ................
0120 - 04 03 03 01 03 02 03 03-02 01 02 02 02 03 00 0f ................
0130 - 00 01 01 ...
read from 0x4f5e5e1c0e0 [0x4f5e5f6b540] (7 bytes => -1 (0xFFFFFFFFFFFFFFFF))
write:errno=54
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 0 bytes and written 307 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : TLSv1.2
Cipher : 0000
Session-ID:
Session-ID-ctx:
Master-Key:
Key-Arg : None
PSK identity: None
PSK identity hint: None
SRP username: None
Start Time: 1550850935
Timeout : 300 (sec)
Verify return code: 0 (ok)
---
Does anyone have an idea what could cause this issue?
Regards
Julian
-
I'm not 100% sure what you were trying to achieve with TLS, but the errors you posted clearly show that the trust was incomplete to begin with:
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 0 bytes and written 307 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
-
The web interface of OPNsense runs on TLS, and the XMLRPC sync uses it.
The error says that no bytes were received.
Interesting fact: if I enable the sync on the WAN interface, it works. This is confusing!
-
I found the issue. The problem was a wrong MTU size on the LAN interface. The LAN interface was in a virtual VXLAN and the overhead dropped the packets. Fixing the MTU fixed the sync issue.
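The root cause reported above is the classic MTU black hole: small packets such as ping and the 307-byte ClientHello from the first post cross the path, while TCP segments sized from the interface MTU exceed what the VXLAN underlay can carry and are silently dropped, so the server's certificate flight never arrives. The script below is an added example for checking this from one firewall against the other; it is not code from the thread or from OPNsense. It assumes VXLAN over IPv4/UDP with 50 bytes of overhead per frame (14 Ethernet + 20 IPv4 + 8 UDP + 8 VXLAN), a 28-byte IPv4+ICMP header and a 40-byte IPv4+TCP header without options, FreeBSD ping syntax (-D sets DF, -s sets the payload size, -t a timeout), 576 bytes as a size that is known to pass, and a hypothetical 3000-byte server flight as the large record to compare against. The peer address 10.4.0.12 is the one from the post.

```shell
#!/bin/sh
# Added example, not code from the thread: probe the path MTU between the two
# firewalls and show which TLS records would cross it.
# Usage on one OPNsense host:  sh pmtu-check.sh 10.4.0.12 1500

# Assumption: VXLAN over IPv4/UDP adds 50 bytes to each inner frame
# (14 outer Ethernet + 20 IPv4 + 8 UDP + 8 VXLAN).
VXLAN_IPV4_OVERHEAD=50
IP_ICMP_HDR=28    # 20-byte IPv4 header + 8-byte ICMP echo header
IP_TCP_HDR=40     # 20-byte IPv4 header + 20-byte TCP header, no options

# Largest MTU the inner (LAN) interface may use when the underlay MTU is $1.
vxlan_inner_mtu() {
    echo $(( $1 - VXLAN_IPV4_OVERHEAD ))
}

# Send one echo request of total IP size $1 with DF set to host $2.
# FreeBSD/OPNsense ping syntax; on Linux use: ping -c 1 -W 1 -M do -s SIZE HOST
probe_df() {
    ping -c 1 -t 1 -D -s $(( $1 - IP_ICMP_HDR )) "$2" >/dev/null 2>&1
}

# Binary search for the largest IP packet size that crosses the path.
# $1 = size known to pass, $2 = upper bound (interface MTU),
# $3 = probe function taking (size, host), $4 = host.
pmtu_search() {
    lo=$1; hi=$2; probe=$3; host=$4
    if "$probe" "$hi" "$host"; then echo "$hi"; return 0; fi
    while [ $(( hi - lo )) -gt 1 ]; do
        mid=$(( (lo + hi) / 2 ))
        if "$probe" "$mid" "$host"; then lo=$mid; else hi=$mid; fi
    done
    echo "$lo"
}

# Does a TLS record of $1 bytes reach the peer when the sender's interface
# MTU is $2 and the real path MTU is $3? TCP sizes its segments from the
# interface MTU and sets DF, so a segment larger than the path MTU is dropped.
segment_crosses() {
    seg=$(( $1 + IP_TCP_HDR ))
    if [ "$seg" -gt "$2" ]; then seg=$2; fi
    [ "$seg" -le "$3" ]
}

main() {
    target=$1; if_mtu=$2
    path_mtu=$(pmtu_search 576 "$if_mtu" probe_df "$target")
    echo "interface MTU $if_mtu, path MTU to $target: $path_mtu"
    if [ "$path_mtu" -lt "$if_mtu" ]; then
        echo "MTU black hole: lower the interface MTU to $path_mtu"
        echo "  (a 1500-byte VXLAN underlay carries at most $(vxlan_inner_mtu 1500))"
    fi
    # 307 bytes is the ClientHello from the post; 3000 is an assumed server flight.
    for rec in 307 3000; do
        if segment_crosses "$rec" "$if_mtu" "$path_mtu"; then r=passes; else r="is dropped"; fi
        echo "TLS record of $rec bytes $r"
    done
}

if [ $# -eq 2 ]; then main "$@"; fi
```

With a 1500-byte interface MTU over a 1500-byte VXLAN underlay the probe settles at 1450: the ClientHello crosses, the full-size segments carrying the server's response do not, which matches the symptom of a TCP connect that works and a handshake that reads zero bytes. Setting the LAN MTU to the value the probe reports, or raising the underlay MTU by the encapsulation overhead, removes the black hole.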