[SOLVED] Cannot update to latest patches

Started by santi.benejam, March 21, 2023, 08:41:54 AM

March 21, 2023, 08:41:54 AM Last Edit: March 21, 2023, 03:31:06 PM by santi.benejam
I upgraded to OPNsense 23.1 and I get these errors in the connectivity audit.
Suricata emerging rules not updating

***GOT REQUEST TO AUDIT CONNECTIVITY***
Currently running OPNsense 23.1_6 at Tue Mar 21 08:13:21 CET 2023
Checking connectivity for host: pkg.opnsense.org -> 89.149.211.205
PING 89.149.211.205 (89.149.211.205): 1500 data bytes
1508 bytes from 89.149.211.205: icmp_seq=0 ttl=50 time=59.467 ms
1508 bytes from 89.149.211.205: icmp_seq=1 ttl=50 time=62.226 ms
1508 bytes from 89.149.211.205: icmp_seq=2 ttl=50 time=59.678 ms
1508 bytes from 89.149.211.205: icmp_seq=3 ttl=50 time=59.301 ms

--- 89.149.211.205 ping statistics ---
4 packets transmitted, 4 packets received, 0.0% packet loss
round-trip min/avg/max/stddev = 59.301/60.168/62.226/1.196 ms
Checking connectivity for repository (IPv4): https://pkg.opnsense.org/FreeBSD:13:amd64/23.1
Updating OPNsense repository catalogue...
pkg: https://pkg.opnsense.org/FreeBSD:13:amd64/23.1/latest/meta.txz: Operation timed out
repository OPNsense has no meta file, using default settings
pkg: https://pkg.opnsense.org/FreeBSD:13:amd64/23.1/latest/packagesite.pkg: Operation timed out
pkg: https://pkg.opnsense.org/FreeBSD:13:amd64/23.1/latest/packagesite.txz: Operation timed out
Unable to update repository OPNsense
Error updating repositories!
Checking connectivity for host: pkg.opnsense.org -> 2001:1af8:4f00:a005:5::
ping: UDP connect: No route to host
Checking connectivity for repository (IPv6): https://pkg.opnsense.org/FreeBSD:13:amd64/23.1
Updating OPNsense repository catalogue...
pkg: https://pkg.opnsense.org/FreeBSD:13:amd64/23.1/latest/meta.txz: Non-recoverable resolver failure
repository OPNsense has no meta file, using default settings
pkg: https://pkg.opnsense.org/FreeBSD:13:amd64/23.1/latest/packagesite.pkg: Non-recoverable resolver failure
pkg: https://pkg.opnsense.org/FreeBSD:13:amd64/23.1/latest/packagesite.txz: Non-recoverable resolver failure
Unable to update repository OPNsense
Error updating repositories!
***DONE***

I can ping pkg.opnsense.org from the console.
ping pkg.opnsense.org
PING pkg.opnsense.org (89.149.211.205): 56 data bytes
64 bytes from 89.149.211.205: icmp_seq=0 ttl=50 time=58.724 ms
64 bytes from 89.149.211.205: icmp_seq=1 ttl=50 time=59.299 ms
64 bytes from 89.149.211.205: icmp_seq=2 ttl=50 time=59.112 ms
64 bytes from 89.149.211.205: icmp_seq=3 ttl=50 time=58.237 ms
64 bytes from 89.149.211.205: icmp_seq=4 ttl=50 time=58.720 ms
64 bytes from 89.149.211.205: icmp_seq=5 ttl=50 time=59.095 ms
64 bytes from 89.149.211.205: icmp_seq=6 ttl=50 time=58.481 ms
64 bytes from 89.149.211.205: icmp_seq=7 ttl=50 time=58.477 ms
64 bytes from 89.149.211.205: icmp_seq=8 ttl=50 time=59.455 ms
64 bytes from 89.149.211.205: icmp_seq=9 ttl=50 time=58.424 ms
64 bytes from 89.149.211.205: icmp_seq=10 ttl=50 time=58.432 ms
64 bytes from 89.149.211.205: icmp_seq=11 ttl=50 time=58.549 ms
64 bytes from 89.149.211.205: icmp_seq=12 ttl=50 time=65.933 ms
64 bytes from 89.149.211.205: icmp_seq=13 ttl=50 time=58.496 ms
64 bytes from 89.149.211.205: icmp_seq=14 ttl=50 time=58.185 ms
64 bytes from 89.149.211.205: icmp_seq=15 ttl=50 time=59.128 ms
64 bytes from 89.149.211.205: icmp_seq=16 ttl=50 time=59.122 ms
64 bytes from 89.149.211.205: icmp_seq=17 ttl=50 time=59.091 ms
64 bytes from 89.149.211.205: icmp_seq=18 ttl=50 time=58.743 ms
^C
--- pkg.opnsense.org ping statistics ---
19 packets transmitted, 19 packets received, 0.0% packet loss
round-trip min/avg/max/stddev = 58.185/59.142/65.933/1.641 ms

System: Firmware
Status
Settings
Changelog
Updates
Plugins
Packages
Type opnsense
Version 23.1_6
Architecture amd64
Flavour OpenSSL
Commit 6621e1999
Mirror https://pkg.opnsense.org/FreeBSD:13:amd64/23.1
Repositories OPNsense
Updated on Tue Mar 21 06:57:11 CET 2023
Checked on N/A

More info from Health Audit

***GOT REQUEST TO AUDIT HEALTH***
Currently running OPNsense 23.1_6 at Tue Mar 21 08:54:39 CET 2023
>>> Check installed kernel version
Version 23.1 is correct.
>>> Check for missing or altered kernel files
No problems detected.
>>> Check installed base version
Version 23.1 is correct.
>>> Check for missing or altered base files
No problems detected.
>>> Check installed repositories
OPNsense
>>> Check installed plugins
os-clamav 1.8
os-ddclient 1.9_2
os-dmidecode 1.1_1
os-dyndns 1.27_3
os-net-snmp 1.5_2
>>> Check locked packages
No locks found.
>>> Check for missing package dependencies
Checking all packages: .......... done
>>> Check for missing or altered package files
Checking all packages: .......... done
>>> Check for core packages consistency
Core package "opnsense" has 66 dependencies to check.
Checking packages: .
beep-1.0_1 has no upstream equivalent
Checking packages: .
ca_root_nss-3.87 has no upstream equivalent
Checking packages: .
choparp-20150613 has no upstream equivalent
Checking packages: .
cpustats-0.1 has no upstream equivalent
Checking packages: .
dhcp6c-20200512_1 has no upstream equivalent
Checking packages: .
dnsmasq-2.88_1,1 has no upstream equivalent
Checking packages: .
dpinger-3.2 has no upstream equivalent
Checking packages: .
expiretable-0.6_2 has no upstream equivalent
Checking packages: .
filterlog-0.6 has no upstream equivalent
Checking packages: .
flock-2.37.2 has no upstream equivalent
Checking packages: .
flowd-0.9.1_3 has no upstream equivalent
Checking packages: .
hostapd-2.10_5 has no upstream equivalent
Checking packages: .
ifinfo-13.0 has no upstream equivalent
Checking packages: .
iftop-1.0.p4 has no upstream equivalent
Checking packages: .
isc-dhcp44-relay-4.4.3P1 has no upstream equivalent
Checking packages: .
isc-dhcp44-server-4.4.3P1 has no upstream equivalent
Checking packages: .
lighttpd-1.4.67 has no upstream equivalent
Checking packages: .
monit-5.32.0 has no upstream equivalent
Checking packages: .
mpd5-5.9_13 has no upstream equivalent
Checking packages: .
ntp-4.2.8p15_5 has no upstream equivalent
Checking packages: .
openssh-portable-8.9.p1_4,1 has no upstream equivalent
Checking packages: .
openssl-1.1.1s,1 has no upstream equivalent
Checking packages: .
openvpn-2.5.8 has no upstream equivalent
Checking packages: .
opnsense-23.1_6 has no upstream equivalent
Checking packages: .
opnsense-installer-23.1 has no upstream equivalent
Checking packages: .
opnsense-lang-22.7.3 has no upstream equivalent
Checking packages: .
opnsense-update-23.1 has no upstream equivalent
Checking packages: .
pam_opnsense-19.1.3 has no upstream equivalent
Checking packages: .
pftop-0.8_2 has no upstream equivalent
Checking packages: .
php81-ctype-8.1.14 has no upstream equivalent
Checking packages: .
php81-curl-8.1.14 has no upstream equivalent
Checking packages: .
php81-dom-8.1.14 has no upstream equivalent
Checking packages: .
php81-filter-8.1.14 has no upstream equivalent
Checking packages: .
php81-gettext-8.1.14 has no upstream equivalent
Checking packages: .
php81-google-api-php-client-2.4.0 has no upstream equivalent
Checking packages: .
php81-ldap-8.1.14 has no upstream equivalent
Checking packages: .
php81-pdo-8.1.14 has no upstream equivalent
Checking packages: .
php81-pecl-radius-1.4.0b1_2 has no upstream equivalent
Checking packages: .
php81-phalcon-5.1.4 has no upstream equivalent
Checking packages: .
php81-phpseclib-3.0.18 has no upstream equivalent
Checking packages: .
php81-session-8.1.14 has no upstream equivalent
Checking packages: .
php81-simplexml-8.1.14 has no upstream equivalent
Checking packages: .
php81-sockets-8.1.14 has no upstream equivalent
Checking packages: .
php81-sqlite3-8.1.14 has no upstream equivalent
Checking packages: .
php81-xml-8.1.14 has no upstream equivalent
Checking packages: .
php81-zlib-8.1.14 has no upstream equivalent
Checking packages: .
pkg-1.19.1_1 has no upstream equivalent
Checking packages: .
py39-Jinja2-3.1.2 has no upstream equivalent
Checking packages: .
py39-dnspython-2.2.1_1,1 has no upstream equivalent
Checking packages: .
py39-duckdb-0.6.1 has no upstream equivalent
Checking packages: .
py39-netaddr-0.8.0 has no upstream equivalent
Checking packages: .
py39-numpy-1.23.5_1,1 has no upstream equivalent
Checking packages: .
py39-pandas-1.5.1,1 has no upstream equivalent
Checking packages: .
py39-requests-2.28.1_1 has no upstream equivalent
Checking packages: .
py39-sqlite3-3.9.16_7 has no upstream equivalent
Checking packages: .
py39-ujson-5.0.0 has no upstream equivalent
Checking packages: .
py39-vici-5.9.9 has no upstream equivalent
Checking packages: .
radvd-2.19_1 has no upstream equivalent
Checking packages: .
rrdtool-1.8.0_2 has no upstream equivalent
Checking packages: .
samplicator-1.3.8.r1_1 has no upstream equivalent
Checking packages: .
squid-5.7 has no upstream equivalent
Checking packages: .
strongswan-5.9.9_1 has no upstream equivalent
Checking packages: .
sudo-1.9.12p2 has no upstream equivalent
Checking packages: .
suricata-6.0.9_1 has no upstream equivalent
Checking packages: .
syslog-ng-3.38.1 has no upstream equivalent
Checking packages: .
unbound-1.17.1_1 has no upstream equivalent
Checking packages: .
wpa_supplicant-2.10_6 has no upstream equivalent
Checking packages: .
zip-3.0_1 has no upstream equivalent
***DONE***

The ping works but the fetch of the information fails? There is something wrong on your end for sure.

Might be firewall / network policy (ICMP is not TCP) / proxy screwup / etc.


Cheers,
Franco

March 21, 2023, 09:16:06 AM #5 Last Edit: March 21, 2023, 09:21:08 AM by santi.benejam
I stopped Intrusion Detection and updates seem to work now. Enabling Intrusion Detection with IPS mode disabled seems to work too.
I'll try to upgrade later.



I was missing this config as explained in this topic https://forum.opnsense.org/index.php?topic=32539.msg158377#msg158377

I had to disable the HW Offload checkboxes and re-enable IPS mode, and it now works. Tomorrow morning I'll do the pending updates.

Makes sense as some of these only affect TCP (and UDP) traffic and your ping is fine. :)


Cheers,
Franco

I just upgraded the OPNsense box to 23.1.4 and it seems that all is working as expected for now.

Many thanks, Franco
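
Added example, not from the thread or the OPNsense project: a console check that lists which interfaces still have checksum, TSO or LRO offload enabled, the settings the fix above turned off before re-enabling IPS mode. The sample `ifconfig` text, interface names and option values are constructed, and the set of capability flags treated as offload is an assumption.

```shell
#!/bin/sh
# Constructed sample in the layout of FreeBSD `ifconfig` output (not from the thread).
SAMPLE_IFCONFIG='igb0: flags=8863<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
    options=4e527bb<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,JUMBO_MTU,TSO4,TSO6,LRO,WOL_MAGIC,VLAN_HWFILTER,VLAN_HWTSO,RXCSUM_IPV6,TXCSUM_IPV6,NOMAP>
    ether 00:00:5e:00:53:01
igb1: flags=8863<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
    options=4a00028<VLAN_MTU,JUMBO_MTU,WOL_MAGIC,NOMAP>
    ether 00:00:5e:00:53:02'

# Read ifconfig output on stdin and print "<iface> <flag,flag,...>" for every
# interface that still has an offload capability enabled.
# Assumption: these capability names are the ones that matter for IPS mode.
offload_report() {
    awk '
    /^[A-Za-z0-9_.]+: flags=/ { iface = $1; sub(/:$/, "", iface) }
    /^[ \t]+options=/ {
        s = $0
        sub(/^[^<]*</, "", s)      # drop everything up to the opening "<"
        sub(/>.*$/, "", s)         # drop the closing ">" and anything after it
        n = split(s, caps, ",")
        hit = ""
        for (i = 1; i <= n; i++)
            if (caps[i] ~ /^(RXCSUM|TXCSUM|RXCSUM_IPV6|TXCSUM_IPV6|TSO4|TSO6|LRO|VLAN_HWTSO)$/)
                hit = hit (hit == "" ? "" : ",") caps[i]
        if (hit != "") print iface, hit
    }'
}

# Exit status 0 when the named interface still has offload enabled.
# usage: ifconfig | has_offload igb0
has_offload() {
    offload_report | awk -v want="$1" '$1 == want { found = 1 } END { exit !found }'
}

# Demo on the constructed sample; on the firewall console use: ifconfig | offload_report
printf '%s\n' "$SAMPLE_IFCONFIG" | offload_report
```

An interface that IPS mode is bound to and that still appears in this report matches the symptom in the thread: ICMP passes while TCP fetches time out.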