OPNsense Forum
Archive => 18.1 Legacy Series => Topic started by: PCServices on March 04, 2018, 01:19:10 am
-
Hi,
I am hoping that someone can suggest how to fix this error.
Ever since updating to v18.x I have been unable to access Windows Update for Windows 10. I get the error:
"There were some problems installing updates, but we’ll try again later. If you keep seeing this and want to search the web or contact support for information, this may help: (0x801901f7)"
I have tried adding the various WU server addresses to the SSL 'No Bump' list, I have tried turning off IPS (that seems to crash the system and requires that I reload services from the console or reboot the system).
I am running Squid, IPS and ClamAV, all with the latest OPNsense versions. I have also done a full, clean, install of OPNsense, regenerated certs and installed them on the PC. I still get the same error.
I have read various posts on here regarding similar problems but have not found any solutions that work for me.
Hoping someone can suggest something that I have not tried???
Thanks
-
Oh, forgot to mention that I can't get updates from the Windows App Store either.
-
Had some issues with IPS/IDS enabled. There was a rule (or two) blocking wu. I would start there. Also try disabling IPS/IDS, see if this helps and to rule out IDS if it's not the case.
-
True, there are a few IDS rules that stop Windows Updates. You should be able to track them down from the logs, then disable those rules.
Personally I use very few ET rules. I have my own custom rules which are much more effective for my configurations.
-
> Had some issues with IPS/IDS enabled. There was a rule (or two) blocking wu. I would start there. Also try disabling IPS/IDS, see if this helps and to rule out IDS if it's not the case.
People are quick to jump on the IDS bandwagon when someone complains of routing problems in 18.1 because they assume everyone uses it, which is very wrong, not to mention that rules should not behave any differently on PFSense versus OPNsense, much less 17.7 to 18.1, so put that to rest.
-
> People are quick to jump on the IDS bandwagon when someone complains of routing problems in 18.1 because they assume everyone uses it, which is very wrong, not to mention that rules should not behave any differently on PFSense versus OPNsense, much less 17.7 to 18.1, so put that to rest.
There are several things wrong with your comment:
1. The topic author did not report a routing problem
2. There is proof that some IPS rules set to drop break WU: https://forum.opnsense.org/index.php?topic=6840
3. There are several major differences between the Suricata implementation of pfSense vs OPNsense. One being that in OPNsense, it actually works all the time (when all requirements are met). Another one is that it actually works very well.
4. There is a major difference between 17.7 and 18.1 regarding dropped alerts. 17.7 did not report the dropped packets/rules that broke wu, 18.1 does (and others as well).
What else do I need to put to rest?
-
Thanks, elektroinside.
Really the only service that has explicit rules for Windows Update is in IDS. If the internet is working, then only an IP specific or GeoIP firewall rule can block Windows Update. So that is why we went there.
-
So, did you find blocked traffic in IPS? Or the firewall?
Sure thing, happy to help (if I can).
-
Had the same issue. On my firewall the problem was the edrop blocking:
https://docs.opnsense.org/manual/how-tos/edrop.html
-
Whenever something is not working (connection wise), I usually follow these steps:
1. If you have IDS+IPS, retry and check the alerts; if there are none and the connection is not working, proceed
2. Go to the live view of the firewall logs and retry the connection; retry more times while paying attention to what is blocked; if there is nothing blocked regarding your connection, proceed
3. Disable IPS and retry; if it still doesn't work, disable IPS entirely and retry; if still no success, proceed
4. Check again the live view and retry; if still nothing is logged as blocked regarding your connection, proceed
5. Verify all your firewall rules (even the "allowed" ones) and make sure logging is enabled for each of them; if it is not, enable logging for each individual rule (where this is available), save the settings, wait a bit and retry the connection; if it still doesn't work, proceed
6. Make sure (somehow) the other end of the connection works; try connecting from another network with another ISP if possible; if all good, proceed
7. Replace OPNsense with something else and check again; if it works... well, you need to dig deeper :)
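-
Added example, not part of the original thread: one way to do the "track them down from the logs" step is to scan Suricata's EVE JSON log for alerts with action "blocked" that involve the affected PC and list the rule SIDs to review. The Windows Update domain suffixes, the client IP and the sample log lines are assumptions constructed for illustration.

```python
import json

# Assumed Windows Update domain suffixes; extend to match what your clients contact.
WU_DOMAINS = ("windowsupdate.com", "update.microsoft.com")

# Constructed EVE JSON sample (not from the thread): IPs, SIDs and rule names are invented.
SAMPLE_EVE = r'''
{"event_type":"alert","src_ip":"192.168.1.50","dest_ip":"203.0.113.10","alert":{"action":"blocked","signature_id":9000001,"signature":"EXAMPLE rule A"},"tls":{"sni":"fe2.update.microsoft.com"}}
{"event_type":"alert","src_ip":"192.168.1.50","dest_ip":"203.0.113.11","alert":{"action":"allowed","signature_id":9000002,"signature":"EXAMPLE rule B"},"http":{"hostname":"download.windowsupdate.com"}}
{"event_type":"alert","src_ip":"203.0.113.11","dest_ip":"192.168.1.50","alert":{"action":"blocked","signature_id":9000001,"signature":"EXAMPLE rule A"},"http":{"hostname":"download.windowsupdate.com"}}
{"event_type":"alert","src_ip":"192.168.1.77","dest_ip":"203.0.113.10","alert":{"action":"blocked","signature_id":9000003,"signature":"EXAMPLE rule C"},"tls":{"sni":"fe2.update.microsoft.com"}}
{"event_type":"alert","src_ip":"192.168.1.50","dest_ip":"198.51.100.7","alert":{"action":"blocked","signature_id":9000004,"signature":"EXAMPLE rule D"},"tls":{"sni":"example.org"}}
{"event_type":"alert","src_ip":"192.168.1.50","dest_ip":"203.0.113.12","alert":{"action":"blocked","signature_id":9000005,"signature":"EXAMPLE rule E"}}
{"event_type":"alert","src_ip":"192.168.1.50","alert":{"action":"blo
'''

def host_of(ev):
    """Hostname from TLS SNI or HTTP metadata, empty string if the event has neither."""
    return (ev.get("tls", {}).get("sni") or ev.get("http", {}).get("hostname") or "").lower()

def blocked_rules(lines, client_ip, domains=WU_DOMAINS):
    """Map SID -> signature, hit count and hostnames for drops affecting client_ip."""
    found = {}
    for line in lines:
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue  # blank or partially written line
        if not isinstance(ev, dict) or ev.get("event_type") != "alert":
            continue
        alert = ev.get("alert") or {}
        if alert.get("action") != "blocked":
            continue  # alert-only rules do not break the connection
        if client_ip not in (ev.get("src_ip"), ev.get("dest_ip")):
            continue
        host = host_of(ev)
        # Drop events for clearly unrelated hosts; keep ones with no hostname for manual review.
        if host and not any(host == d or host.endswith("." + d) for d in domains):
            continue
        entry = found.setdefault(alert.get("signature_id"),
                                 {"signature": alert.get("signature"), "hits": 0, "hosts": set()})
        entry["hits"] += 1
        entry["hosts"].add(host or "(no hostname)")
    return found

if __name__ == "__main__":
    for sid, info in sorted(blocked_rules(SAMPLE_EVE.splitlines(), "192.168.1.50").items()):
        print(sid, info["hits"], info["signature"], sorted(info["hosts"]))
```

Run it against the real log by passing an open file handle instead of the sample lines; the SIDs it lists are the candidates to review and, if appropriate, disable or switch from drop to alert.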