My OPNsense got borked

Started by securid, January 21, 2024, 02:33:16 PM

January 21, 2024, 02:33:16 PM Last Edit: January 21, 2024, 02:36:15 PM by securid
Last changes I made are with regards to HA Proxy. Last night I left everything in a working state, this morning everything worked fine. During the day I noticed these lines in the logs on the dashboard:
pf_map_addr: selected address 10.26.14.1
pf: stack key attach failed on all: UDP in wire: 10.0.0.10 185.51.192.61:123 etc (see screenshot).

This didn't seem to matter much and I'm pretty sure it can be ignored? I think it has to do with a NAT rule redirecting NTP to my firewall but it doesn't work right with the WireGuard interface.

Then I made changes to HA Proxy today, added home assistant which isn't working. I tried some random things and left it to walk the dog. When I came back, OPNsense was down. It still responded to the ACPI shutdown via the power button so it wasn't really dead, just unreachable. It came back up with the second screenshot:
pf: state ID collision: id: 000000blablabla creator id: 884dcb1b

I searched for it, I have no idea what it is or what it means.

Also, I have no idea if these two messages are related, and I also don't know whether they are the cause for the outage, and I also don't know if it's related to HAproxy. Turns out, I don't know much of anything  ::).

So, I reverted the HA proxy changes I made today manually. It made no difference.
I turned off HAproxy, no difference.
I restored the config from last night. No difference.

I am at a loss and my internet is down  :o.

I can restore from 2 days ago (before HAproxy) but at this point I doubt that matters?

If anyone has an idea what might be going on I'd love to hear about it.

Thanks!


Got it working again.

I have no idea what is / was going on but as Murphy is always around the corner, there was another issue. At one point I was able to log in to the console and between all the blurp of messages I noticed igc1 (LAN) "no carrier" .... you gotta be kidding me ...  :-X

I checked and it was plugged in properly, it fits so well there's not even any play. I use good quality cables. I took it out, plugged it back in and it came up. Lo and behold ... ping replies!

I disabled the NTP and DNS NAT rules, I think they were part of the problem.

I also reverted HAproxy config to last night and the messages seem to have disappeared.

I still don't know what is / was the problem with that in the images.

It's only a notice:

Notice   kernel   pf: state ID collision: id: 0300000065ad36a5 creatorid: 2511b8bc

but they still appear. Aren't state IDs supposed to be unique? What is causing that, any ideas?

Gotta be honest this entire post is all over the place so it's a bit difficult to home in on the actual issue. I'm not familiar with that particular error and a Google search doesn't reveal anything meaningful.

Silly question, but you're only using HA proxy for reverse proxy capabilities and not load balancing, correct? What is your network configuration? Is OPNsense on bare metal? Do you have it virtualized?
OPNsense 25.7.6 running on:
Dell Optiplex 3050
Intel I5-7600 @ 3.5Ghz (4 Cores)
Intel I350-T4 Nic
8G DDR4
256G SSD

The solution for "pf_map_addr: selected address" was to delete a reverse entry with this address.