After 22.7.5 update, can't get updates, RSS is not working & errors in X540-t2.

Started by h4ck3r, October 17, 2022, 11:46:34 PM

**GOT REQUEST TO AUDIT CONNECTIVITY**
Currently running OPNsense 22.7.5 (amd64/OpenSSL) at Tue Oct 18 00:26:55 +03 2022
Checking connectivity for host: pkg.opnsense.org -> 89.149.211.205
PING 89.149.211.205 (89.149.211.205): 1500 data bytes
1508 bytes from 89.149.211.205: icmp_seq=0 ttl=54 time=51.545 ms
1508 bytes from 89.149.211.205: icmp_seq=1 ttl=54 time=51.555 ms
1508 bytes from 89.149.211.205: icmp_seq=2 ttl=54 time=51.585 ms
1508 bytes from 89.149.211.205: icmp_seq=3 ttl=54 time=51.504 ms

--- 89.149.211.205 ping statistics ---
4 packets transmitted, 4 packets received, 0.0% packet loss
round-trip min/avg/max/stddev = 51.504/51.547/51.585/0.029 ms
Checking connectivity for repository (IPv4): https://pkg.opnsense.org/FreeBSD:13:amd64/22.7
Updating OPNsense repository catalogue...
Fetching meta.conf: . done
Fetching packagesite.pkg: .......... done
Processing entries: .......... done
OPNsense repository update completed. 808 packages processed.
All repositories are up to date.
Checking connectivity for host: pkg.opnsense.org -> 2001:1af8:4f00:a005:5::
ping: UDP connect: No route to host
Checking connectivity for repository (IPv6): https://pkg.opnsense.org/FreeBSD:13:amd64/22.7
Updating OPNsense repository catalogue...
pkg: https://pkg.opnsense.org/FreeBSD:13:amd64/22.7/latest/meta.txz: Non-recoverable resolver failure
repository OPNsense has no meta file, using default settings
pkg: https://pkg.opnsense.org/FreeBSD:13:amd64/22.7/latest/packagesite.pkg: Non-recoverable resolver failure
pkg: https://pkg.opnsense.org/FreeBSD:13:amd64/22.7/latest/packagesite.txz: Non-recoverable resolver failure
Unable to update repository OPNsense
Error updating repositories!
**DONE**



root@OPNsense:~ # sysctl -a | grep rss
net.inet.rss.bucket_mapping: 0:0 1:1 2:2 3:3 4:4 5:5 6:6 7:7 8:8 9:9 10:10 11:11 12:12 13:13 14:14 15:15
net.inet.rss.enabled: 1
net.inet.rss.debug: 0
net.inet.rss.basecpu: 0
net.inet.rss.buckets: 16
net.inet.rss.maxcpus: 64
net.inet.rss.ncpus: 16
net.inet.rss.maxbits: 7
net.inet.rss.mask: 15
net.inet.rss.bits: 4
net.inet.rss.hashalgo: 2
hw.bxe.udp_rss: 0
hw.ix.enable_rss: 1


root@OPNsense:~ # sysctl -a | grep isr
net.route.netisr_maxqlen: 256
net.isr.numthreads: 16
net.isr.maxprot: 16
net.isr.defaultqlimit: 256
net.isr.maxqlimit: 10240
net.isr.bindthreads: 1
net.isr.maxthreads: 16
net.isr.dispatch: hybrid

before update:
root@OPNsense:/home # dmesg | grep vectors
igb0: Using MSI-X interrupts with 9 vectors
igb1: Using MSI-X interrupts with 9 vectors
igb2: Using MSI-X interrupts with 9 vectors
igb3: Using MSI-X interrupts with 9 vectors
ix0: Using MSI-X interrupts with 9 vectors
ix1: Using MSI-X interrupts with 9 vectors
ix2: Using MSI-X interrupts with 9 vectors
ix3: Using MSI-X interrupts with 9 vectors
after update:
root@OPNsense:/home # dmesg | grep vectors
anything????

ix0    1500 <Link#5>      a0:36:9f:54:2d:94  2106555    22     0  1253860     0     0
ix0       - 193.X.X.36/ 193.X.X.38          2354     -     -     2029     -     -
ix0       - 79.123.X.X 79.123.X.X           0     -     -        0     -     -
ix1    1500 <Link#6>      a0:36:9f:54:2d:96  1015755     0     0  1045083     0     0



***GOT REQUEST TO AUDIT CONNECTIVITY***
Currently running OPNsense 22.7.5 (amd64/OpenSSL) at Tue Oct 18 08:22:03 +03 2022
Checking connectivity for host: pkg.opnsense.org -> 89.149.211.205
PING 89.149.211.205 (89.149.211.205): 1500 data bytes
1508 bytes from 89.149.211.205: icmp_seq=0 ttl=54 time=51.213 ms
1508 bytes from 89.149.211.205: icmp_seq=1 ttl=54 time=51.172 ms
1508 bytes from 89.149.211.205: icmp_seq=2 ttl=54 time=51.122 ms
1508 bytes from 89.149.211.205: icmp_seq=3 ttl=54 time=51.168 ms

--- 89.149.211.205 ping statistics ---
4 packets transmitted, 4 packets received, 0.0% packet loss
round-trip min/avg/max/stddev = 51.122/51.169/51.213/0.032 ms
Checking connectivity for repository (IPv4): https://pkg.opnsense.org/FreeBSD:13:amd64/22.7
Updating OPNsense repository catalogue...
Fetching meta.txz: . done
pkg: https://pkg.opnsense.org/FreeBSD:13:amd64/22.7/latest/packagesite.pkg: Operation timed out
pkg: https://pkg.opnsense.org/FreeBSD:13:amd64/22.7/latest/packagesite.txz: Operation timed out
Unable to update repository OPNsense
Error updating repositories!
Checking connectivity for host: pkg.opnsense.org -> 2001:1af8:4f00:a005:5::
ping: UDP connect: No route to host
Checking connectivity for repository (IPv6): https://pkg.opnsense.org/FreeBSD:13:amd64/22.7
Updating OPNsense repository catalogue...
pkg: https://pkg.opnsense.org/FreeBSD:13:amd64/22.7/latest/meta.txz: Non-recoverable resolver failure
repository OPNsense has no meta file, using default settings
pkg: https://pkg.opnsense.org/FreeBSD:13:amd64/22.7/latest/packagesite.pkg: Non-recoverable resolver failure
pkg: https://pkg.opnsense.org/FreeBSD:13:amd64/22.7/latest/packagesite.txz: Non-recoverable resolver failure
Unable to update repository OPNsense
Error updating repositories!
***DONE***



Seems like it can't resolve it in DNS with "fetch".

root@OPNsense:~ # sh -x /usr/local/opnsense/scripts/firmware/changelog.sh fetch
+ set -e
+ DESTDIR=/usr/local/opnsense/changelog
+ FETCH='fetch -qT 5'
+ COMMAND=fetch
+ VERSION=''
+ [ fetch '=' fetch ]
+ changelog_fetch
+ mkdir -p /usr/local/opnsense/changelog
+ changelog_checksum /usr/local/opnsense/changelog/changelog.txz
+ sha256 -q /usr/local/opnsense/changelog/changelog.txz
+ echo 6cdecc6510a5e297cfc7cb537996eca3f1ad8674710cec75b6f338369c5d3ed5
+ CHECKSUM=6cdecc6510a5e297cfc7cb537996eca3f1ad8674710cec75b6f338369c5d3ed5
+ changelog_url
+ opnsense-version -a
+ CORE_ABI=22.7
+ opnsense-verify -a
+ SYS_ABI=FreeBSD:13:amd64
+ URLPREFIX=https://pkg.opnsense.org/FreeBSD:13:amd64/22.7
+ opnsense-update -M
+ egrep -iq '\/[a-z0-9]{8}(-[a-z0-9]{4}){3}-[a-z0-9]{12}\/'
+ echo https://pkg.opnsense.org/FreeBSD:13:amd64/22.7/sets/changelog.txz
+ URL=https://pkg.opnsense.org/FreeBSD:13:amd64/22.7/sets/changelog.txz
+ fetch -qT 5 -mo /usr/local/opnsense/changelog/changelog.txz https://pkg.opnsense.org/FreeBSD:13:amd64/22.7/sets/changelog.txz
+ changelog_checksum /usr/local/opnsense/changelog/changelog.txz
+ sha256 -q /usr/local/opnsense/changelog/changelog.txz
+ echo 0460d8ba23dc3cfb55db904b9d45dcf7755ff1d8bee2ea513a6a02ac0359e454
+ [ 6cdecc6510a5e297cfc7cb537996eca3f1ad8674710cec75b6f338369c5d3ed5 '!=' 0460d8ba23dc3cfb55db904b9d45dcf7755ff1d8bee2ea513a6a02ac0359e454 ]
+ fetch -qT 5 -o /usr/local/opnsense/changelog/changelog.txz.sig https://pkg.opnsense.org/FreeBSD:13:amd64/22.7/sets/changelog.txz.sig
fetch: transfer timed out

root@OPNsense:~ # curl -v google.com
*   Trying 172.217.17.142:80...
*   Trying 2a00:1450:4017:811::200e:80...
* Immediate connect fail for 2a00:1450:4017:811::200e: No route to host


^C
root@OPNsense:~ # curl -v -4 google.com
*   Trying 172.217.17.142:80...
* Connected to google.com (172.217.17.142) port 80 (#0)
> GET / HTTP/1.1
> Host: google.com
> User-Agent: curl/7.85.0
> Accept: */*
>


root@OPNsense:~ # fetch -v -4 -o speedtest.py http://raw.githubusercontent.com/sivel/speedtest-cli/master/speedtest.py
resolving server address: raw.githubusercontent.com:80


failed to connect to raw.githubusercontent.com:80
fetch: transfer timed out


Could the update problem have a dependency on these packages?

SYSTEM: FIRMWARE: LOG FILE

2022-10-06T15:41:24   Notice   pkg   pkgconf-1.8.0_1,1 deinstalled   
2022-10-06T15:41:24   Notice   pkg   libuv-1.44.2 deinstalled   
2022-10-06T15:41:24   Notice   pkg   bash-5.1.16 deinstalled   
2022-10-06T15:41:24   Notice   pkg   netdata-1.36.1_1 deinstalled   
2022-10-06T15:41:23   Notice   pkg   os-netdata-1.2 deinstalled

Can you structure this a little better... from the firmware audit it would seem your local box cannot connect to the Internet using TCP packets, although ICMP seems to be fine... could be any sort of local misconfiguration (NAT or web proxy or who knows) or external network change.


Cheers,
Franco
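
The reading of the audit output given in the reply above (ICMP answers, the repository fetch over TCP does not), as an added example that is not part of the thread or of OPNsense: a small parser that classifies each address family by layer. The function names are hypothetical and the sample is abridged from the second audit output posted above.

```python
import re

# Constructed sample: lines abridged from the second audit output in this thread.
SAMPLE_AUDIT = """\
Checking connectivity for host: pkg.opnsense.org -> 89.149.211.205
4 packets transmitted, 4 packets received, 0.0% packet loss
Checking connectivity for repository (IPv4): https://pkg.opnsense.org/FreeBSD:13:amd64/22.7
Fetching meta.txz: . done
pkg: https://pkg.opnsense.org/FreeBSD:13:amd64/22.7/latest/packagesite.pkg: Operation timed out
Unable to update repository OPNsense
Checking connectivity for host: pkg.opnsense.org -> 2001:1af8:4f00:a005:5::
ping: UDP connect: No route to host
Checking connectivity for repository (IPv6): https://pkg.opnsense.org/FreeBSD:13:amd64/22.7
pkg: https://pkg.opnsense.org/FreeBSD:13:amd64/22.7/latest/meta.txz: Non-recoverable resolver failure
Unable to update repository OPNsense
"""

HOST = re.compile(r"^Checking connectivity for host: \S+ -> (\S+)")
REPO = re.compile(r"^Checking connectivity for repository \((IPv[46])\)")
PING_OK = re.compile(r"(\d+) packets transmitted, (\d+) packets received")
# "ping: <reason>" or "pkg: <url>: <reason>"; the URL part is optional.
ERROR = re.compile(r"^(?:ping|pkg): (?:\S+: )?(.+)$")


def classify_audit(text):
    """Return {family: {"icmp": status, "repo": status}} from audit output."""
    result, family, layer = {}, None, None
    for line in text.splitlines():
        if m := HOST.match(line):
            family, layer = ("IPv6" if ":" in m.group(1) else "IPv4"), "icmp"
        elif m := REPO.match(line):
            family, layer = m.group(1), "repo"
        if family is None:
            continue
        entry = result.setdefault(family, {"icmp": "unknown", "repo": "unknown"})
        if m := PING_OK.search(line):
            status = "ok" if int(m.group(2)) > 0 else "no replies"
        elif "repository update completed" in line:
            status = "ok"
        elif m := ERROR.match(line):
            status = m.group(1)
        else:
            continue
        if entry[layer] == "unknown":  # first result for a layer wins
            entry[layer] = status
    return result


def tcp_only_failures(result):
    """Families where ICMP answered but the repository fetch did not."""
    return [f for f, r in result.items() if r["icmp"] == "ok" and r["repo"] != "ok"]
```

On the sample, only IPv4 is returned by `tcp_only_failures`; IPv6 fails at both layers because the box has no IPv6 route at all.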

Thank you Franco, I will check it, but the same configuration is a hardware and we don't have these errors in OPNsense 21.7 version. I am saying this for informational purposes.

I try to update from time to time. There is another log today :/

***GOT REQUEST TO CHECK FOR UPDATES***
Currently running OPNsense 22.7.5 (amd64/OpenSSL) at Thu Oct 20 08:54:41 +03 2022
Fetching changelog information, please wait... opnsense-verify: error:04091068:rsa routines:int_rsa_verify:bad signature
Signature is not valid
Updating OPNsense repository catalogue...
Fetching meta.conf: . done
Fetching packagesite.pkg: .......... done
Processing entries: .......... done
OPNsense repository update completed. 808 packages processed.
All repositories are up to date.
Checking integrity... done (0 conflicting)
Your packages are up to date.
Checking for upgrades (28 candidates): .......... done
Processing candidates (28 candidates): .......... done
The following 28 package(s) will be affected (of 0 checked):

Installed packages to be UPGRADED:
   e2fsprogs-libuuid: 1.46.5 -> 1.46.5_1
   git: 2.37.3 -> 2.38.0
   isc-dhcp44-relay: 4.4.2P1 -> 4.4.3P1
   isc-dhcp44-server: 4.4.2P1_1 -> 4.4.3P1
   libffi: 3.4.2 -> 3.4.3
   libfido2: 1.11.0 -> 1.12.0
   mpd5: 5.9_10 -> 5.9_11
   opnsense: 22.7.5 -> 22.7.6
   php80: 8.0.23 -> 8.0.24
   php80-ctype: 8.0.23 -> 8.0.24
   php80-curl: 8.0.23 -> 8.0.24
   php80-dom: 8.0.23 -> 8.0.24
   php80-filter: 8.0.23 -> 8.0.24
   php80-gettext: 8.0.23 -> 8.0.24
   php80-ldap: 8.0.23 -> 8.0.24
   php80-mbstring: 8.0.23 -> 8.0.24
   php80-pdo: 8.0.23 -> 8.0.24
   php80-phalcon: 5.0.2 -> 5.0.3
   php80-session: 8.0.23 -> 8.0.24
   php80-simplexml: 8.0.23 -> 8.0.24
   php80-sockets: 8.0.23 -> 8.0.24
   php80-sqlite3: 8.0.23 -> 8.0.24
   php80-xml: 8.0.23 -> 8.0.24
   php80-zlib: 8.0.23 -> 8.0.24
   py39-certifi: 2022.6.15 -> 2022.9.24
   py39-idna: 3.3 -> 3.4
   strongswan: 5.9.6_2 -> 5.9.8

Installed packages to be REINSTALLED:
   squid-5.7 (options changed)

Number of packages to be upgraded: 27
Number of packages to be reinstalled: 1

The process will require 3 MiB more space.
22 MiB to be downloaded.
self: No packages available to install matching 'opnsense'

To me it seems that there is a connectivity error, proxy or otherwise:

opnsense-verify: error:04091068:rsa routines:int_rsa_verify:bad signature

I get that 21.7 worked, but consider that the operating system major version changed and this brought in a lot of changes that could trigger the issue you are seeing now.

To add to the point, the behaviour seems erratic, which usually points to the reason NOT being the software, but either hardware or network equipment or ISP or or or.


Cheers,
Franco