Messages - Kets_One

#1
Please let me clarify my earlier statements.
When running the 25.1.1/25.1.2 versions I do not immediately lose the connection with GlobalProtect, but connecting gets MUCH harder. It takes a long time to connect, and when it does it connects to Beijing, China... After the SSL tunnel is established this is a very slow (unworkable) connection. I guess due to the distance/delays.

OK, so the next step is to try 25.1.x-nd as well as the 1508-byte MTU PPPoE connection setting.
Update: I've installed 25.1.2-nd and I'm testing it. Looks good so far, with easy GP connections to local GP gateways.
#2
@meyergru
Did some further testing under 25.1 and 25.1.2.
As said previously, major issues with GlobalProtect under 25.1.1/25.1.2, but no issues at all under 25.1.

- ifconfig from the OPNsense CLI shows exactly the same output for both 25.1 and 25.1.1/25.1.2. No change in the MTU values reported. Please see the dump below for reference.
- Ping to the Quad9 servers from the non-GlobalProtect laptop maxes out at 1472 (as expected), which translates to an MTU of 1500 on PPPoE. Same for both versions.
- Ping to the Quad9 servers from the GlobalProtect laptop maxes out at 1372, which translates to an MTU of 1400 set for the SSL tunnel. Same for both versions.

So, I guess back to square one. No discernible differences in settings/attained MTU for all interfaces between the two software versions.
The only thing it could be is that these set values are treated differently between 25.1 and 25.1.2 and the settings need to be changed.

You mentioned earlier: "Does your ifconfig show the correct sizes (after a reboot) - i.e. my values, not asychev's? I mean 1508 bytes on pppoe0."
As you can see below, ifconfig reports my MTU on the pppoe (WAN) connection to be 1500 bytes. Should I increase this to 1508?

Unfortunately I cannot try to lower the SSL tunnel MTU on the GlobalProtect laptop since this requires admin privileges (which I don't have).
Any other ideas on what can bring improvement?
Are the ifconfig settings below correct?

igb0: flags=1008843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST,LOWER_UP> metric 0 mtu 1500
        description: LAN (lan)
        options=4e507bb<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,JUMBO_MTU,VLAN_HWCSUM,TSO4,TSO6,LRO,VLAN_HWFILTER,VLAN_HWTSO,RXCSUM_IPV6,TXCSUM_IPV6,HWSTATS,MEXTPG>
        ether f4:90:ea:00:84:0e
        inet 192.168.1.1 netmask 0xffffff00 broadcast 192.168.1.255
        inet6 fe80::f690:eaff:fe00:840e%igb0 prefixlen 64 scopeid 0x1
        inet6 [redacted] prefixlen 64
        media: Ethernet autoselect (1000baseT <full-duplex>)
        status: active
        nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>

igb1: flags=1008843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST,LOWER_UP> metric 0 mtu 1512
        description: Phys_WAN (opt1)
        options=4e507bb<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,JUMBO_MTU,VLAN_HWCSUM,TSO4,TSO6,LRO,VLAN_HWFILTER,VLAN_HWTSO,RXCSUM_IPV6,TXCSUM_IPV6,HWSTATS,MEXTPG>
        ether f4:90:ea:00:84:0f
        inet6 fe80::f690:eaff:fe00:840f%igb1 prefixlen 64 scopeid 0x2
        media: Ethernet autoselect (1000baseT <full-duplex>)
        status: active
        nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>

lo0: flags=1008049<UP,LOOPBACK,RUNNING,MULTICAST,LOWER_UP> metric 0 mtu 16384
        options=680003<RXCSUM,TXCSUM,LINKSTATE,RXCSUM_IPV6,TXCSUM_IPV6>
        inet 127.0.0.1 netmask 0xff000000
        inet6 ::1 prefixlen 128
        inet6 fe80::1%lo0 prefixlen 64 scopeid 0x7
        groups: lo
        nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>

enc0: flags=0 metric 0 mtu 1536
        options=0
        groups: enc
        nd6 options=23<PERFORMNUD,ACCEPT_RTADV,AUTO_LINKLOCAL>

pfsync0: flags=0 metric 0 mtu 1500
        options=0
        maxupd: 128 defer: off version: 1400
        syncok: 1
        groups: pfsync

pflog0: flags=20100<PROMISC,PPROMISC> metric 0 mtu 33152
        options=0
        groups: pflog

igb1_vlan6: flags=1008843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST,LOWER_UP> metric 0 mtu 1508
        description: vlan (opt2)
        options=4600703<RXCSUM,TXCSUM,TSO4,TSO6,LRO,RXCSUM_IPV6,TXCSUM_IPV6,MEXTPG>
        ether f4:90:ea:00:84:0f
        inet6 fe80::f690:eaff:fe00:840f%igb1_vlan6 prefixlen 64 scopeid 0xb
        groups: vlan
        vlan: 6 vlanproto: 802.1q vlanpcp: 0 parent interface: igb1
        media: Ethernet autoselect (1000baseT <full-duplex>)
        status: active
        nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>

pppoe0: flags=10088d1<UP,POINTOPOINT,RUNNING,NOARP,SIMPLEX,MULTICAST,LOWER_UP> metric 0 mtu 1500
        description: WAN_pppoe (wan)
        options=0
        inet [redacted] --> 195.190.228.6 netmask 0xffffffff
        inet6 [redacted]%pppoe0 prefixlen 64 scopeid 0xc
        nd6 options=23<PERFORMNUD,ACCEPT_RTADV,AUTO_LINKLOCAL>
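The two ping measurements in the post above (largest unfragmented payload 1472 on the plain PPPoE path, 1372 through the GP tunnel, each plus 28 bytes of IPv4+ICMP header to get the MTU) can be reproduced as a script instead of by hand. The following is an added example, not code from the thread or from OPNsense/Deciso; it binary-searches the largest ICMP payload that survives a DF (don't fragment) ping and converts it the way the post does. Assumptions that are mine, not the poster's: the Quad9 target address, the FreeBSD `ping -D` and Linux `ping -M do` flags for setting DF, and a `PROBE_FAKE_MTU` variable that simulates a link of a given MTU so the logic can be exercised offline.

```shell
#!/bin/sh
# Added example (not from the forum thread): automate the "ping maxes out at
# 1472 / 1372" measurement. It binary-searches the largest ICMP payload that
# passes with the DF bit set and converts it to the link MTU the way the post
# does: payload + 8 (ICMP header) + 20 (IPv4 header).
#
# Assumptions (mine): TARGET defaults to a Quad9 resolver; `ping -D` is the
# FreeBSD/OPNsense DF flag, `ping -M do` the Linux one. Setting
# PROBE_FAKE_MTU=<n> simulates a link with MTU n instead of sending packets.

TARGET="${TARGET:-9.9.9.9}"
IP_ICMP_OVERHEAD=28            # 20-byte IPv4 header + 8-byte ICMP header

payload_to_mtu() { echo $(( $1 + IP_ICMP_OVERHEAD )); }   # 1472 -> 1500
mtu_to_payload() { echo $(( $1 - IP_ICMP_OVERHEAD )); }   # 1400 -> 1372

# probe PAYLOAD: exit 0 if one PAYLOAD-byte DF ping is answered.
probe() {
    payload=$1
    if [ -n "${PROBE_FAKE_MTU:-}" ]; then
        # offline simulation: the packet fits iff payload + 28 <= simulated MTU
        if [ $(( payload + IP_ICMP_OVERHEAD )) -le "$PROBE_FAKE_MTU" ]; then
            return 0
        fi
        return 1
    fi
    case "$(uname -s)" in
        FreeBSD) ping -D -c 1 -W 1000 -s "$payload" "$TARGET" >/dev/null 2>&1 ;;
        Linux)   ping -M do -c 1 -W 1 -s "$payload" "$TARGET" >/dev/null 2>&1 ;;
        *)       echo "unsupported OS: $(uname -s)" >&2; return 2 ;;
    esac
}

# max_payload LOW HIGH: largest payload in [LOW, HIGH] that probe accepts, or 0.
# Binary search; relies on the path being monotone (if N bytes pass, N-1 pass).
max_payload() {
    lo=$1; hi=$2; best=0
    while [ "$lo" -le "$hi" ]; do
        mid=$(( (lo + hi) / 2 ))
        if probe "$mid"; then
            best=$mid; lo=$(( mid + 1 ))
        else
            hi=$(( mid - 1 ))
        fi
    done
    echo "$best"
}

# discover_mtu: path MTU in bytes towards TARGET; prints 0 and fails if even
# a 100-byte payload is dropped (wrong target, ICMP blocked, ...).
discover_mtu() {
    p=$(max_payload 100 1500)
    if [ "$p" -eq 0 ]; then echo 0; return 1; fi
    payload_to_mtu "$p"
}

# tunnel_overhead OUTER INNER: bytes the tunnel costs, e.g. 1500 vs 1400 = 100.
tunnel_overhead() { echo $(( $1 - $2 )); }

# Run from the LAN PC once with the VPN down and once with it up, then compare:
#   sh pmtu.sh run      -> e.g. "path MTU to 9.9.9.9: 1500 bytes (largest payload 1472)"
if [ "${1:-}" = "run" ]; then
    if mtu=$(discover_mtu); then
        echo "path MTU to $TARGET: $mtu bytes (largest payload $(mtu_to_payload "$mtu"))"
    else
        echo "no DF ping to $TARGET got through" >&2
        exit 1
    fi
fi
```

Running it twice from the same laptop, with and without the GP tunnel up, gives the two numbers directly; the difference between them is what the tunnel actually costs on that path, which is the figure the rest of the thread is arguing about. A result of 0 means no DF probe got through at all, which points at ICMP filtering rather than at an MTU problem.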
#3
@Meyergru
Thanks for your assistance! Let me try to answer some of your questions:
- No, I did not check the maximum MTU with each setup. I assumed that your settings (once they worked for 25.1) would be the same and work for 25.1.1/25.1.2 as well...
- The Baeldung tool I have not used. Honestly I am unsure how to run that from the CLI, but will look into it.
- Manual ping: see my first response above. Didn't think it would be necessary after the upgrade.
- Please find my current (working) values below under 25.1 (from OPNsense -> System -> Routes -> Status):
WAN_physical: 1512
WAN_VLAN: 1508
WAN_PPPoE: 1500 (filled in 1508 in the GUI)
LAN: 1500

- Hardware NICs are all Intel i210 (it is a DEC3840 Deciso box)
- VPN/GlobalProtect is using MTU 1400 (standard setting). The question I have is: is this low enough? According to this GlobalProtect (GP) support page the IPsec/SSL tunnel overhead can be 125 bytes. Do I need to subtract 125 bytes from 1500 on the WAN_PPPoE, or does GP subtract 125 bytes from 1400 and work with a payload of 1275 bytes? Unclear to me.
Please note that I don't have access to the GlobalProtect gateway support environment, so I cannot check all the settings over there.

Hope you can help, getting desperate over here ;)
#4
I've tried your settings @meyergru, and they work great on 25.1, but they do not work for me on kernels 25.1.1 / 25.1.2.
I feel there is still a problem with 25.1.1 / 25.1.2. Especially VPN connections (GlobalProtect) fail to establish.
Reverting back to 25.1 solves all issues.

Same situation here as asychev (PPPoE over VLAN at KPN in the Netherlands), but I'm running directly on physical hardware (no VM).
What are settings that will work?
#5
Thanks @newsense
Indeed we need more data. Since I've been struggling to get the firewall live view to provide me the logs I need for troubleshooting, I reverted to trying MTU settings instead.

Initially I was sceptical of the suggestions in this message: link. I decided to try them out and so far the connection problem has gone away.

Was it an MTU problem after all?
#6
Thanks for looking into this!
Yes, I operate a few NTP time servers, so these have NAT port forwarding as well as WAN rules.

Floating rules: none
LAN rules: none (only the default allow LAN -> any rule)
WAN rules: two rules to allow incoming NTP (UDP) traffic to the time servers to be GeoIP filtered and routed to them from WAN to LAN.
IPv6 UDP   ! GeoIP    *   Timeserver 123 (NTP)   *   *      NTP Traffic Timeserver

In the properties of these rules all is default except "State Type", which I have set to "none" to avoid OPNsense tracking connection states for the stateless protocol UDP.

Are there special settings I need to make to facilitate OPNsense tracking large-volume UDP (NTP) traffic better?

#7
Hi everyone,

Hope someone can help me.
I've been busy for a few days already trying to find the solution for a GlobalProtect connection issue I cannot seem to be able to fix.
The symptom is that a PC on the LAN interface usually has a hard time connecting to the corporate GlobalProtect VPN.
Only just after bootup of the OPNsense firewall does it succeed; subsequent tries get harder and harder (sometimes it only wants to connect to the company's Chinese GlobalProtect gateway).

The live view of firewall actions yielded the following default deny by rule no. 10, part of the automatically generated firewall rules.
Rule 10 reads: @10 block drop in log inet all label "02f4bab031b57d1e30553ce08e0ec131"

Initially I thought that it might have something to do with the MTU setting, but now I lean more towards stateful connection tracking or a SYN issue.
None of the stateful settings or SYN cookie settings help.
Since it is an automatically generated rule I cannot remove or change its parameters.
I'll try to get more information.

Thanks,