[SOLVED] 21.1.6 possibly broke ipsec

Started by Jiffy, May 27, 2021, 09:08:38 PM

I've reverted to the 21.1.5 snapshot, rebooted, upgraded to 21.1.6, rebooted and no errors during the health audit.

***GOT REQUEST TO AUDIT HEALTH***
Currently running OPNsense 21.1.6 (amd64/OpenSSL) at Fri May 28 12:13:38 EDT 2021
>>> Check installed kernel version
Version 21.1.6 is correct.
>>> Check for missing or altered kernel files
No problems detected.
>>> Check installed base version
Version 21.1.6 is correct.
>>> Check for missing or altered base files
No problems detected.
>>> Check for missing package dependencies
Checking all packages: .......... done
>>> Check for missing or altered package files
Checking all packages: .......... done
>>> Check for core packages consistency
Core package "opnsense" has 67 dependencies to check.
Checking packages: ..................................................................... done
***DONE***

Same here without the revert:

***GOT REQUEST TO AUDIT HEALTH***
Currently running OPNsense 21.1.6 (amd64/OpenSSL) at Fri May 28 18:24:26 CEST 2021
>>> Check installed kernel version
Version 21.1.6 is correct.
>>> Check for missing or altered kernel files
No problems detected.
>>> Check installed base version
Version 21.1.6 is correct.
>>> Check for missing or altered base files
No problems detected.
>>> Check for missing package dependencies
Checking all packages: .......... done
>>> Check for missing or altered package files
Checking all packages: .......... done
>>> Check for core packages consistency
Core package "opnsense" has 67 dependencies to check.
Checking packages: ..................................................................... done
***DONE***

Frankly, I'm out of ideas what this could be. Not saying there isn't a problem, but it is hiding really well.


Cheers,
Franco

May 28, 2021, 08:26:37 PM #18 Last Edit: May 28, 2021, 08:35:38 PM by Jiffy
I've added static routes to System->Routes->Configuration.
Now I can get to things on the other side of the tunnel.
These were normally accessible via OSPF.

They (remote IP addresses) are also showing up under Routing->Diagnostics->General and Routing->Diagnostics->OSPF,
but when I disable the statics, they are no longer reachable.

Jiffy



Last guess of the day:

# opnsense-revert -r 21.1.5 frr7

Someone proposed a patch fixing an issue but apparently neither the reporter nor the patch lived up to the expectations and the patch was forgotten ;(


Cheers,
Franco

# opnsense-revert -r 21.1.5 frr7

That fixed it.

Thank you,
Jiffy

My issue was chained to the os-dyndns failure...

Ok, we will replace the FRR package in 21.1.6 to avoid more people running into this issue.


Cheers,
Franco

Great, thank you for all your help, Franco.

Jiffy

We also ran into this issue on one of our OPNsense instances.

Can the opnsense-revert -r 21.1.5 frr7 be run after a complete update to 21.1.6 or do we first have to downgrade the "base-system" to 21.1.5?

Yes, revert is a targeted revert of a particular package for such situations, so you would revert only the FRR package and leave the rest at 21.1.6 since it doesn't pose any issues.

In any case, check for updates now. It should already advertise the fixed package as a separate update (along with a security fix for the expat library).


Cheers,
Franco

Hi,
I took the latest update and can confirm it is still working.

Thank you again,
Jiffy


Same here, did the update and everything started working again. Thanks for the quick solution.

Just saw this thread on the back of the FRR patch that apparently broke things for this user. I am on the other side of the fence, where this patch actually fixes things for me.

Can the original poster please describe how the tunnels running OSPF were configured? Was this IPSec + GRE or VTI? And specifically, what netmasks were configured on both ends of the tunnel?