http/https traffic problem

Started by robert.schuster, January 26, 2021, 09:09:39 AM

My OPNSense installation works without any problems - more or less...

The only issue I have is that I have no access to http/https targets after a certain uptime (from 4 - 24 hours). A reboot always solves the problem.

Environment:
OPNsense 20.7.7_1-amd64 on KVM virtualization (proxmox)
Multiqueue set to 8 (as recommended)
virtio or ne1000 virtual NICs (no difference)
2 GB ram
no proxy server active

Symptoms:

  • Access to http/https sites gets slow at first, then slower, and in the end you get a timeout
  • Other traffic like VPN, VoIP, SSH to other (outside) systems seems to be unaffected
  • I could not find anything in the logfiles

any ideas..?


Hi Robert,

Are you running a proxy?
Does ping work to 8.8.8.8 and google.com?
What browser error do you get?

Bart...

Hi Bart,

No proxy in charge - neither is OPNsense providing proxy services to the inside network, nor is OPNsense using a proxy behind it
Ping to the Google nameserver always works - there is also no name resolution problem
Browser: Firefox, Opera, Chrome, Safari - if http(s) is dead, it is the same situation everywhere

If I have some minutes I'll run a tcpdump on the outside interface from the Proxmox point of view...

regards
Robert

Quote from: robert.schuster on January 27, 2021, 08:37:27 AM
If I have some minutes I'll run a tcpdump on the outside interface from the Proxmox point of view...

That was my next suggestion ;) You can also capture packets within OPNsense.

Hi Bart,

It took some time to get a clearer view here...
As it looks, when the case happens I can see a lot of retransmissions and incomplete/timed-out requests in the tcpdump trace.

Even though the "state table size" and the "MBUF usage" are never > 5%, a "States Reset" with both options checked, instead of a reboot, always solves the problem - for the next couple of hours.

regards
Robert

Hi Robert,

Quote from: robert.schuster on February 06, 2021, 11:35:21 AM
As it looks, when the case happens I can see a lot of retransmissions and incomplete/timed-out requests in the tcpdump trace.

Interesting, do you have the same MTU along the path? Does the same issue happen with IPv6 sites?

Bart...

Hi Bart,

IPv6 I have at the moment only internally - no IPv6 routing to the outside (at least in my private network at home)

Unfortunately (of course) the MTU size is not the same on all interfaces...

A simple ping from a Windows workstation (ping -f -l 1432 8.8.8.8) showed me an MTU of 1432 for a non-fragmented packet. Therefore I switched the MTU to 1432 and the MSS to 1392 on the WAN interface.

Robert
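The thread ends with a manual "ping with DF set" probe and a hand-derived MSS. The script below is an added example, not code from the thread or from OPNsense: it automates that probe as a binary search over the ICMP payload size and turns the largest unfragmented payload into the implied path MTU and the TCP MSS to clamp. The arithmetic it encodes is standard: `ping -l` (Windows), `ping -s` (Linux/macOS) give the ICMP data size, so the IPv4 packet on the wire is data + 8 bytes ICMP header + 20 bytes IPv4 header, and the IPv4 MSS is MTU minus 20 (IP) minus 20 (TCP). The real `df_ping` probe needs a reachable host and shells out to the platform's `ping`; the search itself takes any probe callable, so it can be run offline with a simulated path (the constructed probe in `__main__` pretends the path MTU is 1460).

```python
"""Path-MTU probe by DF-bit ping and MSS-clamp calculation (added example)."""
import platform
import subprocess
from typing import Callable, Optional

IPV4_HEADER = 20   # bytes, no options
IPV6_HEADER = 40
ICMP_HEADER = 8    # echo request header
TCP_HEADER = 20    # no options


def ping_payload_to_mtu(payload: int, ipv6: bool = False) -> int:
    """Wire-level IP packet size produced by `ping -l/-s <payload>`."""
    return payload + ICMP_HEADER + (IPV6_HEADER if ipv6 else IPV4_HEADER)


def mss_for_mtu(mtu: int, ipv6: bool = False) -> int:
    """TCP MSS that fits the given MTU without fragmentation."""
    return mtu - TCP_HEADER - (IPV6_HEADER if ipv6 else IPV4_HEADER)


def df_ping(host: str, payload: int, timeout: int = 2) -> bool:
    """Send one echo request with Don't-Fragment set; True if a reply came back.

    Uses the platform's own ping flags: Windows `-f -l`, macOS `-D -s`,
    Linux (iputils) `-M do -s`. Needs network access and a reachable host.
    """
    system = platform.system()
    if system == "Windows":
        cmd = ["ping", "-n", "1", "-w", str(timeout * 1000), "-f", "-l", str(payload), host]
    elif system == "Darwin":
        cmd = ["ping", "-c", "1", "-t", str(timeout), "-D", "-s", str(payload), host]
    else:
        cmd = ["ping", "-c", "1", "-W", str(timeout), "-M", "do", "-s", str(payload), host]
    try:
        return subprocess.run(cmd, capture_output=True, timeout=timeout + 2).returncode == 0
    except (subprocess.TimeoutExpired, FileNotFoundError):
        return False


def find_max_payload(probe: Callable[[int], bool], lo: int = 0, hi: int = 1472) -> Optional[int]:
    """Binary-search the largest payload the probe accepts.

    Assumes the probe is monotonic (a size that passes implies every smaller
    size passes), which holds for a fixed path with a single bottleneck MTU.
    Returns None if even `lo` bytes do not get through (host down, ICMP filtered).
    """
    if not probe(lo):
        return None
    while lo < hi:
        mid = (lo + hi + 1) // 2
        if probe(mid):
            lo = mid
        else:
            hi = mid - 1
    return lo


def recommend_clamp(max_payload: int, ipv6: bool = False) -> dict:
    """Translate the largest unfragmented ping payload into MTU and MSS values."""
    mtu = ping_payload_to_mtu(max_payload, ipv6)
    return {"path_mtu": mtu, "mss": mss_for_mtu(mtu, ipv6)}


def simulated_probe(path_mtu: int) -> Callable[[int], bool]:
    """Constructed offline stand-in for df_ping: a path with one bottleneck MTU."""
    return lambda payload: ping_payload_to_mtu(payload) <= path_mtu


if __name__ == "__main__":
    # Offline run against a constructed path whose bottleneck MTU is 1460.
    best = find_max_payload(simulated_probe(1460))
    print("largest unfragmented payload:", best)          # 1432
    print("suggested WAN values:", recommend_clamp(best))  # MTU 1460, MSS 1420
    # Live run (assumed reachable host): find_max_payload(lambda p: df_ping("8.8.8.8", p))
```

Two practical notes: probe a host that answers large ICMP echoes (8.8.8.8 does), and interpret the result as the path MTU, not the size you typed into ping. For a PPPoE uplink the usual answer is 1492/1452; a value around 1460 points at a tunnel or some other encapsulation stripping 40 bytes.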