OPNsense Forum

Archive => 16.7 Legacy Series => Topic started by: joer on September 27, 2016, 10:10:19 am

Title: Sticky Connections Broken
Post by: joer on September 27, 2016, 10:10:19 am
Currently running 16.7.4 - prior to this sticky connections worked fine but now it seems to be broken - users logging in to websites keep getting logged out, which is the behaviour we experienced before turning on sticky connections. To try and get around it I have a firewall rule for LAN set to route all 443 traffic through WAN1, which works for some websites but not others.
Title: Re: Sticky Connections Broken
Post by: franco on September 29, 2016, 08:06:09 am
Hi joer,

We need to know two things here:

(a) Narrow down "prior". Was it 16.7.3 or another version?

(b) Check if "sticky-address" is in the /tmp/rules.debug file -- if it is not the firmware disabled it due to a gateway condition.


Cheers,
Franco
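A small script for the check Franco describes in (b): it reports whether a pf rules file contains any route-to pools and whether "sticky-address" is set on them. This is an added example, not code from the thread or from OPNsense; the two sample rule files are constructed here to resemble the generated /tmp/rules.debug, and the interface names, addresses and label are placeholders.

```shell
# check_sticky FILE
#   Prints how many route-to (multi-WAN) rules the file holds and how many
#   of them carry sticky-address. Returns 0 if sticky-address is present,
#   1 if it is absent (the "disabled due to a gateway condition" case),
#   2 if the file cannot be read.
check_sticky() {
    f="$1"
    [ -r "$f" ] || { echo "cannot read $f" >&2; return 2; }
    # "|| true" keeps grep -c from failing the assignment when there is no match
    pools=$(grep -c 'route-to' "$f" || true)
    sticky=$(grep -c 'sticky-address' "$f" || true)
    echo "$f: route-to rules=$pools sticky-address=$sticky"
    [ "$sticky" -gt 0 ]
}

# Constructed sample 1: sticky-address present on the gateway-group pool
SAMPLE_STICKY=$(mktemp)
cat > "$SAMPLE_STICKY" <<'EOF'
# constructed stand-in for /tmp/rules.debug (not real OPNsense output)
set skip on lo0
pass in quick on em0 route-to { (em1 192.0.2.1), (em2 198.51.100.1) } round-robin sticky-address from 192.168.1.0/24 to any keep state label "PLACEHOLDER_LAN_RULE"
EOF

# Constructed sample 2: same rule, but sticky-address missing
SAMPLE_NOSTICKY=$(mktemp)
cat > "$SAMPLE_NOSTICKY" <<'EOF'
# constructed stand-in for /tmp/rules.debug (not real OPNsense output)
set skip on lo0
pass in quick on em0 route-to { (em1 192.0.2.1), (em2 198.51.100.1) } round-robin from 192.168.1.0/24 to any keep state label "PLACEHOLDER_LAN_RULE"
EOF

check_sticky "$SAMPLE_STICKY"     # sticky-address=1, returns 0
check_sticky "$SAMPLE_NOSTICKY"   # sticky-address=0, returns 1
```

On the firewall itself you would run `check_sticky /tmp/rules.debug`; a non-zero result with route-to rules present means the generated ruleset dropped sticky-address, which is exactly the condition Franco asks about.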
Title: Re: Sticky Connections Broken
Post by: joer on October 18, 2016, 05:27:58 pm
Sorry for the late reply - turned out to be something else entirely.

We do seem to have some other weird problems with gateways though.

If a gateway's status is shown as 'Unknown' (like after first boot), I have to manually restart the apinger service to get a proper status to show (it's been an issue over several versions of opnsense and on several pieces of hardware). The behaviour we've noticed is that on a multi-wan setup this makes the connection with 'Unknown' status get ignored within a gateway group until the next restart of the apinger service. This doesn't allow our box to run autonomously, i.e. if we have a power or intermittent line failure someone has to log into opnsense and keep restarting the apinger service to make sure we have 'online' status at all times, effectively making it a manual failover.

Also, when we started investigating the problem further we discovered that if we disable all gateways and reboot opnsense, the gateways show as disabled but they remain enabled (i.e. traffic still flows as if we hadn't disabled them); this can't be right. It's as though the gateway group feature undermines the individual gateway's 'disabled' status. If this is intentional behaviour, is it possible to have an option to disable the group?

Are these known issues?