OPNsense Forum

English Forums => General Discussion => Topic started by: youngman on July 15, 2018, 11:16:41 am

Title: Update from gui/cli
Post by: youngman on July 15, 2018, 11:16:41 am
Kinda in the vein of the recent thread: https://forum.opnsense.org/index.php?topic=9096.0

I'm finding that my most recent updates were not possible from the gui (but were fine via cli & console command #12). Additionally, when the updates were completed, they did not show in the gui list of previous updates. Should they? Last update shown is 18.1.10, I am currently running 18.1.12

On the latest update I note the following error message (via console command #12):

Code:
Fetching change log information, please wait... fetch: transfer timed out
fetch: /tmp/changelog/changelog.txz.sig appears to be truncated: 0/1332 bytes

I am also getting the common gui update message "Firmware status check was aborted internally. Please try again." but this only started recently - could it be related?

Also out of interest:
Code:
root@OPNsense:~ # pkg info | wc -l
     144
root@OPNsense:~ # pkg update -f
Updating OPNsense repository catalogue...
Fetching meta.txz: 100%    1 KiB   1.5kB/s    00:01   
Fetching packagesite.txz: 100%  135 KiB 138.1kB/s    00:01   
Processing entries: 100%
OPNsense repository update completed. 506 packages processed.
All repositories are up to date.
root@OPNsense:~ # pkg upgrade -n
Updating OPNsense repository catalogue...
OPNsense repository is up to date.
All repositories are up to date.
Checking for upgrades (16 candidates): 100%
Processing candidates (16 candidates): 100%
Checking integrity... done (0 conflicting)
Your packages are up to date.

Following on from that previous thread https://forum.opnsense.org/index.php?topic=9096.0, this install is running on ESXi 6.5.0 Update 2 (Build 8294253). Franco's last comment on that thread was that their difficulties were to do with an ESXi 6.7 update. Anyone have the details of what was changed (LRO/TSO settings?) - it is possible that the same change was made to this recent 6.5 build...

Any insights appreciated!
Title: Re: Update from gui/cli
Post by: franco on July 18, 2018, 10:26:32 pm
Hi there,

Yes, try this:

# ping pkg.opnsense.org

(should be suspiciously ok)

# ping -s 1500 pkg.opnsense.org

(may break)

# ping -s 10000 pkg.opnsense.org

(will definitely break if host messes with packets)

LRO and TSO need to be disabled in the host config. Somehow VMware either enabled it on update or added a regression that makes it fail for the guest now.


Cheers,
Franco
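The size sweep from the post above, written as a script. This is an added example, not part of the thread and not OPNsense code; the function names and the rule that only 100% loss counts as "broken" are assumptions made here.

```shell
#!/bin/sh
# Added example (not from the thread): ping a host with growing payload
# sizes and report the first size at which replies stop completely.

# loss_pct: read ping output on stdin, print the packet-loss percentage
# from the summary line (works for FreeBSD and Linux ping formats).
loss_pct() {
    sed -n 's/.* \([0-9.]*\)% packet loss.*/\1/p' | head -n 1
}

# classify_sweep SIZE:LOSS ... (ordered from smallest to largest size)
#   unreachable    - even the smallest probe got no reply, no conclusion
#   breaks-at SIZE - small probes pass, probes of SIZE bytes never return
#   clean          - every size got at least some replies
# Assumption: partial loss is treated as a pass; only 100% is a break.
classify_sweep() {
    printf '%s\n' "$@" | awk -F: '
        NR == 1 && $2 >= 100 { print "unreachable"; hit = 1; exit }
        $2 >= 100            { print "breaks-at " $1; hit = 1; exit }
        END { if (!hit) print "clean" }'
}

# sweep HOST SIZE...: run three probes per size, then classify the results.
sweep() {
    host=$1; shift
    results=""
    for size in "$@"; do
        loss=$(ping -c 3 -s "$size" "$host" 2>/dev/null | loss_pct)
        # No summary line at all (e.g. name lookup failed) counts as 100%.
        results="$results $size:${loss:-100}"
    done
    # Word splitting is intended here: one SIZE:LOSS argument per probe size.
    classify_sweep $results
}

# Usage: sh sweep.sh pkg.opnsense.org [size ...]
# Default sizes are ping's standard 56 bytes plus the two from the post.
if [ $# -ge 1 ]; then
    host=$1; shift
    [ $# -eq 0 ] && set -- 56 1500 10000
    sweep "$host" "$@"
fi
```

A "breaks-at" result with a healthy small ping matches the pattern the post attributes to the host's LRO/TSO handling; "clean" points away from it.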
Title: Re: Update from gui/cli
Post by: youngman on July 19, 2018, 02:09:55 pm
Thanks Franco, ...maybe not my issue then...  :o

Code:
root@OPNsense:~ # ping pkg.opnsense.org
PING pkg.opnsense.org (212.32.245.132): 56 data bytes
64 bytes from 212.32.245.132: icmp_seq=0 ttl=50 time=335.045 ms
64 bytes from 212.32.245.132: icmp_seq=1 ttl=50 time=334.515 ms
64 bytes from 212.32.245.132: icmp_seq=2 ttl=50 time=336.218 ms
64 bytes from 212.32.245.132: icmp_seq=3 ttl=50 time=334.796 ms
^C
--- pkg.opnsense.org ping statistics ---
5 packets transmitted, 5 packets received, 0.0% packet loss
round-trip min/avg/max/stddev = 334.515/335.061/336.218/0.603 ms

root@OPNsense:~ # ping -s 1500 pkg.opnsense.org
PING pkg.opnsense.org (212.32.245.132): 1500 data bytes
1508 bytes from 212.32.245.132: icmp_seq=0 ttl=50 time=335.456 ms
1508 bytes from 212.32.245.132: icmp_seq=1 ttl=50 time=335.688 ms
1508 bytes from 212.32.245.132: icmp_seq=2 ttl=50 time=335.425 ms
1508 bytes from 212.32.245.132: icmp_seq=3 ttl=50 time=338.460 ms
^C
--- pkg.opnsense.org ping statistics ---
10 packets transmitted, 10 packets received, 0.0% packet loss
round-trip min/avg/max/stddev = 335.330/335.809/338.460/0.902 ms

root@OPNsense:~ # ping -s 10000 pkg.opnsense.org
PING pkg.opnsense.org (212.32.245.132): 10000 data bytes
10008 bytes from 212.32.245.132: icmp_seq=0 ttl=50 time=338.140 ms
10008 bytes from 212.32.245.132: icmp_seq=1 ttl=50 time=338.165 ms
^C
--- pkg.opnsense.org ping statistics ---
7 packets transmitted, 7 packets received, 0.0% packet loss
round-trip min/avg/max/stddev = 337.939/338.596/341.415/1.165 ms

root@OPNsense:~ # ping -s 65000 pkg.opnsense.org
PING pkg.opnsense.org (212.32.245.132): 65000 data bytes
65008 bytes from 212.32.245.132: icmp_seq=0 ttl=50 time=353.488 ms
65008 bytes from 212.32.245.132: icmp_seq=1 ttl=50 time=353.677 ms
65008 bytes from 212.32.245.132: icmp_seq=2 ttl=50 time=353.215 ms
^C
--- pkg.opnsense.org ping statistics ---
4 packets transmitted, 3 packets received, 25.0% packet loss
round-trip min/avg/max/stddev = 353.215/353.460/353.677/0.190 ms
Title: Re: Update from gui/cli
Post by: franco on July 19, 2018, 05:16:40 pm
So what about this then?

# pkg update -f
# pkg upgrade -n
Title: Re: Update from gui/cli
Post by: youngman on July 20, 2018, 01:04:24 pm
Thanks for the help Franco,

The output of those was provided in the first post but just for completeness:

Code:
root@OPNsense:~ # pkg update -f
Updating OPNsense repository catalogue...
Fetching meta.txz: 100%    1 KiB   1.5kB/s    00:01   
Fetching packagesite.txz: 100%  135 KiB 138.1kB/s    00:01   
Processing entries: 100%
OPNsense repository update completed. 506 packages processed.
All repositories are up to date.

root@OPNsense:~ # pkg upgrade -n
Updating OPNsense repository catalogue...
OPNsense repository is up to date.
All repositories are up to date.
Checking for upgrades (16 candidates): 100%
Processing candidates (16 candidates): 100%
Checking integrity... done (0 conflicting)
Your packages are up to date.

So no apparent issue with updating from the cli or from the console. Is there any difference in the way the gui performs the update? Would it for example use a different gateway to what is used by the cli?
Title: Re: Update from gui/cli
Post by: franco on July 20, 2018, 04:28:14 pm
Hmm, try different browsers, or a video of what works and what doesn't would be helpful.


Cheers,
Franco
Title: Re: Update from gui/cli
Post by: youngman on July 21, 2018, 04:25:15 am
No luck with Waterfox, Firefox or Chrome from OpenSUSE Linux desktops.

The main issue is that the gui fails to see any updates - and records no history of the updates done via cli or console. I.e.
Code:
System: Firmware
Firmware status check was aborted internally. Please try again.
Updates
Version Date
18.1.10 2018-06-21
18.1.9 2018-05-31
18.1.8 2018-05-17
18.1.7 2018-05-03

And yet the main dashboard correctly reports:
Code:
System Information
Name OPNsense.local.lan
Versions OPNsense 18.1.12-amd64
FreeBSD 11.1-RELEASE-p11
LibreSSL 2.6.5

The system continues to function, and I have no issue upgrading via cli but it would obviously be preferable if the gui functioned as expected!
Title: Re: Update from gui/cli
Post by: franco on July 23, 2018, 09:08:50 am
It still looks like something in your network is messing with the update info fetch:

Fetching change log information, please wait... fetch: transfer timed out
fetch: /tmp/changelog/changelog.txz.sig appears to be truncated: 0/1332 bytes

There is no difference in GUI and console except for an extra layer through the backend service which will time out if downloads are blocked.


Cheers,
Franco
Title: Re: Update from gui/cli
Post by: youngman on July 23, 2018, 03:41:33 pm
Interesting. Oh well... I guess I will continue to update via cli for the moment then!

Cheers!
Title: Re: Update from gui/cli
Post by: franco on July 24, 2018, 08:09:31 am
Or you could look into your network why it truncates downloads.

# fetch https://pkg.opnsense.org/FreeBSD:11:amd64/18.1/sets/changelog.txz.sig

The problem won't go away by expecting fixes from our side when we don't even know what's wrong.


Cheers,
Franco
Title: Re: Update from gui/cli
Post by: youngman on July 24, 2018, 01:40:13 pm
"The problem won't go away by expecting fixes from our side when we don't even know what's wrong."
Ha! Yes, no expectation that that would occur. Figured if this is the only thing that doesn't appear to work on my network but that I had a work-around, then it was simply easier to just perform the work-around!

Anyhow, it appears fetch is now working for me from the cli?!
Code:
root@OPNsense:~ # fetch https://pkg.opnsense.org/FreeBSD:11:amd64/18.1/sets/changelog.txz.sig
changelog.txz.sig                             100% of 1332  B 8498 kBps 00m00s

Meanwhile the gui reports:
Code:
Timeout while connecting to the selected mirror.

My network is firewalled such that all general traffic exits via a VPN gateway. Root cli traffic does not exit in this manner as proven with low pings to local websites i.e. it is exiting via clearnet wan. Are we confident that the gui fetch command is exiting via clearnet rather than the vpn gateway?
Title: Re: Update from gui/cli
Post by: youngman on July 24, 2018, 03:02:42 pm
I added a logging floating 'pass' 'both' rule applied to both the vpn & wan interfaces:
Code:
IPv4 * This Firewall * 212.32.245.132 * * ALLOW OPNsense Update

I can now see the passed traffic during an update check attempt e.g.
Code:
WAN Jul 24 20:48:13 61.xxx.xxx.xx:3118 212.32.245.132:80 tcp USER_RULE: ALLOW OPNsense Update
WAN Jul 24 20:48:10 61.xxx.xxx.xx:62638 212.32.245.132:443 tcp USER_RULE: ALLOW OPNsense Update

The update gui now sits for far longer prior to eventually either timing out or aborting internally. I may leave it this way and check the results when there is actually an update to do...