Connectivity Check: Non-recoverable resolver failure

Started by GadgetAngel, July 31, 2025, 06:59:11 AM

Previous topic - Next topic
Hi,

I found that my Firmware -> Status -> Run an audit -> Connectivity check gets errors and I can not figure out why?

Output from Firmware -> Status -> Run an audit -> Connectivity:
***GOT REQUEST TO AUDIT CONNECTIVITY***
Currently running OPNsense 25.7 (amd64) at Wed Jul 30 23:57:03 EDT 2025
Checking connectivity for host: pkg.opnsense.org -> 89.149.222.99
PING 89.149.222.99 (89.149.222.99): 1500 data bytes

--- 89.149.222.99 ping statistics ---
4 packets transmitted, 0 packets received, 100.0% packet loss
Checking connectivity for repository (IPv4): https://pkg.opnsense.org/FreeBSD:14:amd64/25.7
Updating OPNsense repository catalogue...
Fetching meta.conf: . done
Fetching packagesite.pkg: .......... done
Processing entries: .......... done
OPNsense repository update completed. 898 packages processed.
All repositories are up to date.
Checking connectivity for host: pkg.opnsense.org -> 2001:1af8:5300:a010:1::1
ping: UDP connect: No route to host
Checking connectivity for repository (IPv6): https://pkg.opnsense.org/FreeBSD:14:amd64/25.7
Updating OPNsense repository catalogue...
pkg: https://pkg.opnsense.org/FreeBSD:14:amd64/25.7/latest/meta.txz: Non-recoverable resolver failure
repository OPNsense has no meta file, using default settings
pkg: https://pkg.opnsense.org/FreeBSD:14:amd64/25.7/latest/packagesite.pkg: Non-recoverable resolver failure
pkg: https://pkg.opnsense.org/FreeBSD:14:amd64/25.7/latest/packagesite.txz: Non-recoverable resolver failure
Unable to update repository OPNsense
Error updating repositories!
Checking server certificate for host: pkg.opnsense.org
depth=2 C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert Global Root G2
verify return:1
depth=1 C = US, O = DigiCert Inc, OU = www.digicert.com, CN = RapidSSL TLS RSA CA G1
verify return:1
depth=0 CN = pkg.opnsense.org
verify return:1
DONE
***DONE***

Put when ssh into the opnsense VM and perform a ping command I get the following output, which indicates I should not have any issues:

root@OPNsense:~ # ping 89.149.222.99
PING 89.149.222.99 (89.149.222.99): 56 data bytes
64 bytes from 89.149.222.99: icmp_seq=0 ttl=53 time=111.818 ms
64 bytes from 89.149.222.99: icmp_seq=1 ttl=53 time=110.708 ms
64 bytes from 89.149.222.99: icmp_seq=2 ttl=53 time=110.376 ms
64 bytes from 89.149.222.99: icmp_seq=3 ttl=53 time=109.883 ms
64 bytes from 89.149.222.99: icmp_seq=4 ttl=53 time=110.124 ms
64 bytes from 89.149.222.99: icmp_seq=5 ttl=53 time=111.180 ms
64 bytes from 89.149.222.99: icmp_seq=6 ttl=53 time=111.086 ms
64 bytes from 89.149.222.99: icmp_seq=7 ttl=53 time=111.339 ms
64 bytes from 89.149.222.99: icmp_seq=8 ttl=53 time=110.235 ms
64 bytes from 89.149.222.99: icmp_seq=9 ttl=53 time=110.006 ms
64 bytes from 89.149.222.99: icmp_seq=10 ttl=53 time=109.695 ms
^C
--- 89.149.222.99 ping statistics ---
11 packets transmitted, 11 packets received, 0.0% packet loss
round-trip min/avg/max/stddev = 109.695/110.586/111.818/0.654 ms
root@OPNsense:~ # ping pkg.opnsense.org
PING pkg.opnsense.org (89.149.222.99): 56 data bytes
64 bytes from 89.149.222.99: icmp_seq=0 ttl=53 time=112.371 ms
64 bytes from 89.149.222.99: icmp_seq=1 ttl=53 time=110.125 ms
64 bytes from 89.149.222.99: icmp_seq=2 ttl=53 time=110.330 ms
64 bytes from 89.149.222.99: icmp_seq=3 ttl=53 time=113.922 ms
64 bytes from 89.149.222.99: icmp_seq=4 ttl=53 time=112.484 ms
64 bytes from 89.149.222.99: icmp_seq=5 ttl=53 time=112.212 ms
64 bytes from 89.149.222.99: icmp_seq=6 ttl=53 time=111.215 ms
^C
--- pkg.opnsense.org ping statistics ---
7 packets transmitted, 7 packets received, 0.0% packet loss
round-trip min/avg/max/stddev = 110.125/111.808/113.922/1.241 ms
root@OPNsense:~ #

root@OPNsense:~ # ping 192.168.1.254
PING 192.168.1.254 (192.168.1.254): 56 data bytes
64 bytes from 192.168.1.254: icmp_seq=0 ttl=64 time=1.165 ms
64 bytes from 192.168.1.254: icmp_seq=1 ttl=64 time=1.123 ms
64 bytes from 192.168.1.254: icmp_seq=2 ttl=64 time=4.164 ms
64 bytes from 192.168.1.254: icmp_seq=3 ttl=64 time=0.808 ms
64 bytes from 192.168.1.254: icmp_seq=4 ttl=64 time=1.479 ms
^C
--- 192.168.1.254 ping statistics ---
5 packets transmitted, 5 packets received, 0.0% packet loss

Can someone help me figure out why the connectivity check is showing 100.0% packet loss when it pings 89.149.22.99 and why I am getting an "Error updating repositories!"? The IPv6 repo error can be ignored since I only use IPv4 addresses.

Thanks for any help you can provide.  GadgetAngel

Fragmentation doesn't work on your end. It may cause large packets to be dropped and make your firmware updates fail for hard to debug reasons otherwise. That's why the ping is oversized at 1500 bytes in the connectivity check but you are using a short ping packet.


Cheers,
Franco

July 31, 2025, 06:06:25 PM #2 Last Edit: July 31, 2025, 06:59:32 PM by GadgetAngel
Quote from: franco on July 31, 2025, 11:13:23 AMFragmentation doesn't work on your end. It may cause large packets to be dropped and make your firmware updates fail for hard to debug reasons otherwise. That's why the ping is oversized at 1500 bytes in the connectivity check but you are using a short ping packet.


Cheers,
Franco

It has been a while since I got my education on networking. I googled Opnsense fragmentation, and I get results that talk about the packet size via IPsec Tunnels. I have not made any setting changes in Opnsense that I am aware of that affect the packet size. Is there a setting in Opnsense I am not aware of? 

Could this be due to the managed switches I am using on my LAN? All my switches support jumbo frames. What size should I use for the TCPIP frames? The following are my choices: 1522, 1536, 1552, 9216, 16383. It looks like I have it set to 16383. Should I go to 1522?



Thanks, GadgetAngel

EDIT: I changed the jumbo Frame setting to the two switches involved in my network setup, and I get the same result. I first used a jumbo frame of 9216 and reran the Firmware -> Status -> Run an audit -> Connectivity command, and still ended up with the same result. I then changed the jumbo frame size to 1522 (the lowest setting) and reran the firmware -> Status -> Run an audit -> Connectivity command, and still ended up with the same "Non-recoverable resolver failure" error. 

I just received the latest update to 25.7.1, and it downloaded without error. So now I am worried, are my updates getting corrupted? Is my Opnsense software 25.7.1 corrupted?

Here is the output of the latest update:
Update to 25.7.1

Ouput:
***GOT REQUEST TO UPDATE***
Currently running OPNsense 25.7 (amd64) at Thu Jul 31 12:29:40 EDT 2025
Updating OPNsense repository catalogue...
OPNsense repository is up to date.
All repositories are up to date.
Updating OPNsense repository catalogue...
OPNsense repository is up to date.
All repositories are up to date.
Checking for upgrades (17 candidates): .......... done
Processing candidates (17 candidates): .......... done
The following 17 package(s) will be affected (of 0 checked):

Installed packages to be UPGRADED:
    abseil: 20250127.0 -> 20250127.1
    boost-libs: 1.88.0_1 -> 1.88.0_2
    crowdsec: 1.6.9 -> 1.6.10
    crowdsec-firewall-bouncer: 0.0.32_2 -> 0.0.32_3
    curl: 8.14.1 -> 8.15.0
    ivykis: 0.43.2 -> 0.43.2_1
    jq: 1.8.0 -> 1.8.1
    libucl: 0.9.2_1 -> 0.9.2_2
    nspr: 4.36 -> 4.37
    nss: 3.113.1_1 -> 3.114
    opnsense: 25.7 -> 25.7.1
    os-crowdsec: 1.0.11 -> 1.0.11_1
    py311-certifi: 2025.6.15 -> 2025.7.14
    py311-duckdb: 1.3.1_1 -> 1.3.2
    py311-typing-extensions: 4.14.0 -> 4.14.1
    re2: 20250626b -> 20250722
    sudo: 1.9.17p1 -> 1.9.17p2

Number of packages to be upgraded: 17

The operation will free 62 MiB.
88 MiB to be downloaded.
[1/17] Fetching re2-20250722.pkg: .......... done
[2/17] Fetching boost-libs-1.88.0_2.pkg: .......... done
[3/17] Fetching os-crowdsec-1.0.11_1.pkg: ... done
[4/17] Fetching nss-3.114.pkg: .......... done
[5/17] Fetching crowdsec-1.6.10.pkg: .......... done
[6/17] Fetching jq-1.8.1.pkg: .......... done
[7/17] Fetching crowdsec-firewall-bouncer-0.0.32_3.pkg: .......... done
[8/17] Fetching abseil-20250127.1.pkg: .......... done
[9/17] Fetching ivykis-0.43.2_1.pkg: .......... done
[10/17] Fetching py311-certifi-2025.7.14.pkg: .......... done
[11/17] Fetching curl-8.15.0.pkg: .......... done
[12/17] Fetching nspr-4.37.pkg: .......... done
[13/17] Fetching libucl-0.9.2_2.pkg: .......... done
[14/17] Fetching opnsense-25.7.1.pkg: .......... done
[15/17] Fetching py311-duckdb-1.3.2.pkg: .......... done
[16/17] Fetching py311-typing-extensions-4.14.1.pkg: .......... done
[17/17] Fetching sudo-1.9.17p2.pkg: .......... done
Checking integrity... done (0 conflicting)
[1/17] Upgrading py311-typing-extensions from 4.14.0 to 4.14.1...
[1/17] Extracting py311-typing-extensions-4.14.1: .......... done
[2/17] Upgrading py311-certifi from 2025.6.15 to 2025.7.14...
[2/17] Extracting py311-certifi-2025.7.14: .......... done
[3/17] Upgrading abseil from 20250127.0 to 20250127.1...
[3/17] Extracting abseil-20250127.1: .......... done
[4/17] Upgrading nspr from 4.36 to 4.37...
[4/17] Extracting nspr-4.37: .......... done
[5/17] Upgrading re2 from 20250626b to 20250722...
[5/17] Extracting re2-20250722: .......... done
[6/17] Upgrading boost-libs from 1.88.0_1 to 1.88.0_2...
[6/17] Extracting boost-libs-1.88.0_2: .......... done
[7/17] Upgrading nss from 3.113.1_1 to 3.114...
[7/17] Extracting nss-3.114: .......... done
[8/17] Upgrading jq from 1.8.0 to 1.8.1...
[8/17] Extracting jq-1.8.1: .......... done
[9/17] Upgrading crowdsec-firewall-bouncer from 0.0.32_2 to 0.0.32_3...
[9/17] Extracting crowdsec-firewall-bouncer-0.0.32_3: ...... done
crowdsec_firewall is running as pid 43874.
Stopping crowdsec_firewall.
[10/17] Upgrading ivykis from 0.43.2 to 0.43.2_1...
[10/17] Extracting ivykis-0.43.2_1: .......... done
[11/17] Upgrading curl from 8.14.1 to 8.15.0...
[11/17] Extracting curl-8.15.0: .......... done
[12/17] Upgrading libucl from 0.9.2_1 to 0.9.2_2...
[12/17] Extracting libucl-0.9.2_2: .......... done
[13/17] Upgrading crowdsec from 1.6.9 to 1.6.10...
[13/17] Extracting crowdsec-1.6.10: .......... done
crowdsec is running as pid 38019.
Stopping crowdsec.
Waiting for PIDS: 38019.
Updating crowdsec hub data
Downloading /usr/local/etc/crowdsec/hub/.index.json
Loaded: 144 parsers, 10 postoverflows, 764 scenarios, 8 contexts, 4 appsec-configs, 118 appsec-rules, 139 collections
Starting crowdsec.
[14/17] Upgrading py311-duckdb from 1.3.1_1 to 1.3.2...
[14/17] Extracting py311-duckdb-1.3.2: .......... done
[15/17] Upgrading sudo from 1.9.17p1 to 1.9.17p2...
[15/17] Extracting sudo-1.9.17p2: .......... done
[16/17] Upgrading os-crowdsec from 1.0.11 to 1.0.11_1...
[16/17] Extracting os-crowdsec-1.0.11_1: .......... done
Stopping configd...done
Starting configd.
Reloading plugin configuration
Flushing all caches...done.
Configuring system logging...done.
Reloading template OPNsense/CrowdSec: OK
OK
[17/17] Upgrading opnsense from 25.7 to 25.7.1...
[17/17] Extracting opnsense-25.7.1: .......... done
Stopping configd...done
Resetting root shell
Updating /etc/shells
Unhooking from /etc/rc
Unhooking from /etc/rc.shutdown
Creating group 'wwwonly' with gid '789'
Creating user 'wwwonly' with uid '789'
Updating /etc/shells
Registering root shell
Hooking into /etc/rc
Hooking into /etc/rc.shutdown
Starting configd.
>>> Invoking update script 'refresh.sh'
Flushing all caches...done.
Writing firmware settings: FreeBSD OPNsense
Writing trust files...done.
Scanning /usr/share/certs/untrusted for certificates...
Scanning /usr/share/certs/trusted for certificates...
Scanning /usr/local/share/certs for certificates...
certctl: No changes to trust store were made.
Writing trust bundles...done.
Configuring login behaviour...done.
Configuring cron...done.
Configuring system logging...done.
You may need to manually remove /usr/local/etc/crowdsec/bouncers/crowdsec-firewall-bouncer.yaml if it is no longer needed.
You may need to manually remove /usr/local/etc/crowdsec/config.yaml if it is no longer needed.
You may need to manually remove /usr/local/etc/crowdsec/local_api_credentials.yaml if it is no longer needed.
You may need to manually remove /usr/local/etc/crowdsec/online_api_credentials.yaml if it is no longer needed.
You may need to manually remove /usr/local/etc/crowdsec/console.yaml if it is no longer needed.
=====
Message from opnsense-25.7.1:

--
Some will win, some will lose, some are born to sing the blues
Checking integrity... done (0 conflicting)
Nothing to do.
Checking all packages: .......... done
The following package files will be deleted:
    /var/cache/pkg/re2-20250722~807cc5b2ff.pkg
    /var/cache/pkg/boost-libs-1.88.0_2.pkg
    /var/cache/pkg/re2-20250722.pkg
    /var/cache/pkg/boost-libs-1.88.0_2~84617ed6cb.pkg
    /var/cache/pkg/os-crowdsec-1.0.11_1~e147a5ce92.pkg
    /var/cache/pkg/nss-3.114~812be4dfd0.pkg
    /var/cache/pkg/os-crowdsec-1.0.11_1.pkg
    /var/cache/pkg/crowdsec-1.6.10.pkg
    /var/cache/pkg/nss-3.114.pkg
    /var/cache/pkg/crowdsec-1.6.10~4045a53d44.pkg
    /var/cache/pkg/jq-1.8.1~e0b39fe77a.pkg
    /var/cache/pkg/jq-1.8.1.pkg
    /var/cache/pkg/crowdsec-firewall-bouncer-0.0.32_3~1284af5676.pkg
    /var/cache/pkg/curl-8.15.0.pkg
    /var/cache/pkg/abseil-20250127.1~005dabc6d3.pkg
    /var/cache/pkg/crowdsec-firewall-bouncer-0.0.32_3.pkg
    /var/cache/pkg/py311-certifi-2025.7.14.pkg
    /var/cache/pkg/abseil-20250127.1.pkg
    /var/cache/pkg/ivykis-0.43.2_1~4da3330166.pkg
    /var/cache/pkg/ivykis-0.43.2_1.pkg
    /var/cache/pkg/py311-certifi-2025.7.14~73c57b1c68.pkg
    /var/cache/pkg/curl-8.15.0~7af54c810b.pkg
    /var/cache/pkg/nspr-4.37~20f3aef2fd.pkg
    /var/cache/pkg/libucl-0.9.2_2.pkg
    /var/cache/pkg/nspr-4.37.pkg
    /var/cache/pkg/libucl-0.9.2_2~f9e1ab6893.pkg
    /var/cache/pkg/opnsense-25.7.1~0101b30d6c.pkg
    /var/cache/pkg/py311-duckdb-1.3.2.pkg
    /var/cache/pkg/opnsense-25.7.1.pkg
    /var/cache/pkg/py311-duckdb-1.3.2~de5609ff62.pkg
    /var/cache/pkg/py311-typing-extensions-4.14.1~2889561de3.pkg
    /var/cache/pkg/sudo-1.9.17p2~f6409351aa.pkg
    /var/cache/pkg/py311-typing-extensions-4.14.1.pkg
    /var/cache/pkg/sudo-1.9.17p2.pkg
The cleanup will free 88 MiB
Deleting files: .......... done
All done
Nothing to do.
Starting web GUI...done.
***DONE***

Here is the output (with jumbo frame size of 1522 on both the managed switches) from the firmware -> Status -> Run an audit -> Connectivity command after I did the update to Opnsense 25.7.1:

***GOT REQUEST TO AUDIT CONNECTIVITY***
Currently running OPNsense 25.7.1 (amd64) at Thu Jul 31 12:33:07 EDT 2025
Checking connectivity for host: pkg.opnsense.org -> 89.149.222.99
PING 89.149.222.99 (89.149.222.99): 1500 data bytes

--- 89.149.222.99 ping statistics ---
4 packets transmitted, 0 packets received, 100.0% packet loss
Checking connectivity for repository (IPv4): https://pkg.opnsense.org/FreeBSD:14:amd64/25.7
Updating OPNsense repository catalogue...
Fetching meta.conf: . done
Fetching packagesite.pkg: .......... done
Processing entries: .......... done
OPNsense repository update completed. 898 packages processed.
All repositories are up to date.
Checking connectivity for host: pkg.opnsense.org -> 2001:1af8:5300:a010:1::1
ping: UDP connect: No route to host
Checking connectivity for repository (IPv6): https://pkg.opnsense.org/FreeBSD:14:amd64/25.7
Updating OPNsense repository catalogue...
pkg: https://pkg.opnsense.org/FreeBSD:14:amd64/25.7/latest/meta.txz: Non-recoverable resolver failure
repository OPNsense has no meta file, using default settings
pkg: https://pkg.opnsense.org/FreeBSD:14:amd64/25.7/latest/packagesite.pkg: Non-recoverable resolver failure
pkg: https://pkg.opnsense.org/FreeBSD:14:amd64/25.7/latest/packagesite.txz: Non-recoverable resolver failure
Unable to update repository OPNsense
Error updating repositories!
Checking server certificate for host: pkg.opnsense.org
depth=2 C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert Global Root G2
verify return:1
depth=1 C = US, O = DigiCert Inc, OU = www.digicert.com, CN = RapidSSL TLS RSA CA G1
verify return:1
depth=0 CN = pkg.opnsense.org
verify return:1
DONE
***DONE***

Is my Opnsense 25.7.1 software corrupted or is it OK.  From the output of the update everything appears to be ok but I can not figure out why I get this "Non-recoverable resolver failure" error from the firmware -> Status -> Run an audit -> Connectivity command.  If someone could point me to information on a setting in Opnsense to fix this issue I would appreciate it.  I have set the jumbo frame size on all the switch in my network to the lowest jumbo size I could. I can not turn the jumbo frame feature off on these managed switches.  Please any help that can point me in the correct direction would be very much appreciated. My worry is that my Opnsense Software is corrupted and the system does not know it.

BTW, I am NOT using any VPN on this system.  The only tunnel I am aware of: I "Enable DNSSEC Support" for Unbound.  Is there some OPNsense system settings tunables I need to adjust? If so which tuneables should I be looking at?

Franco is telling you that Path MTU Discovery (RFC 1191) is not working in your case.

Reasons usually are that one of the upstream router is not able to forward the packet in its original size (e.g. the 1500 bytes payload of the ping from the check, the sent packet is even bigger) and then should send back an ICMP messages to the source (your OPNsense system) and telling it that smaller packets need to be sent. Unfortunately some admins of routers / firewalls decide to block all ICMP messages (and even in both directions) and so are preventing that Path MTU Discovery can work.

If this is on your own systems, then adjust this and let at least this type of ICMP messages through. If it is out of your control, then you should force the WAN interface on your OPNsense to a lower MTU like 1500 (default), if you are behind ADSL / VDSL then 1492 would be a good value.

October 23, 2025, 05:16:02 PM #4 Last Edit: October 23, 2025, 05:19:33 PM by dbehrens Reason: added more system messages
I'm having a similar issue.  I'm running OPNsense 25.7.3_7-amd64 and running on an Intel(R) Core(TM) i5-7500 CPU @ 3.40GHz.  DNS appears to work fine as it resolves pkg.opnsense.org just fine, and I've also forced my MTU to 1500 even though it had auto-selected that before I forced it.

root@repulse:~ # ping -s 1499 pkg.opnsense.org
PING pkg.opnsense.org (89.149.222.99): 1499 data bytes
1507 bytes from 89.149.222.99: icmp_seq=0 ttl=50 time=118.490 ms
1507 bytes from 89.149.222.99: icmp_seq=1 ttl=50 time=118.232 ms
1507 bytes from 89.149.222.99: icmp_seq=2 ttl=50 time=118.205 ms
1507 bytes from 89.149.222.99: icmp_seq=3 ttl=50 time=119.084 ms
1507 bytes from 89.149.222.99: icmp_seq=4 ttl=50 time=119.107 ms
1507 bytes from 89.149.222.99: icmp_seq=5 ttl=50 time=119.041 ms
1507 bytes from 89.149.222.99: icmp_seq=6 ttl=50 time=119.053 ms
1507 bytes from 89.149.222.99: icmp_seq=7 ttl=50 time=117.933 ms
1507 bytes from 89.149.222.99: icmp_seq=8 ttl=50 time=118.468 ms
1507 bytes from 89.149.222.99: icmp_seq=9 ttl=50 time=118.592 ms
^C
--- pkg.opnsense.org ping statistics ---
10 packets transmitted, 10 packets received, 0.0% packet loss
round-trip min/avg/max/stddev = 117.933/118.621/119.107/0.406 ms

root@repulse:~ # pkg update
Updating OPNsense repository catalogue...
pkg: https://pkg.opnsense.org/FreeBSD:14:amd64/25.7/latest/meta.txz: Operation timed out
repository OPNsense has no meta file, using default settings
pkg: https://pkg.opnsense.org/FreeBSD:14:amd64/25.7/latest/packagesite.pkg: Operation timed out
pkg: https://pkg.opnsense.org/FreeBSD:14:amd64/25.7/latest/packagesite.txz: Operation timed out
Unable to update repository OPNsense
Error updating repositories!
root@repulse:~ #

Looks like running pkg update in debug mode helps it to not fail as often...


root@repulse:~ # pkg -d -4 update
DBG(1)[75326]> pkg initialized
Updating OPNsense repository catalogue...
DBG(1)[75326]> PkgRepo: verifying update for OPNsense
DBG(1)[75326]> Pkgrepo, begin update of '/var/db/pkg/repo-OPNsense.sqlite'
DBG(1)[75326]> Request to fetch https://pkg.opnsense.org/FreeBSD:14:amd64/25.7/latest/meta.conf
DBG(1)[75326]> opening libfetch fetcher
DBG(1)[75326]> Fetch > libfetch: connecting
DBG(1)[75326]> Fetch: fetching from: https://pkg.opnsense.org/FreeBSD:14:amd64/25.7/latest/meta.conf with opts "i4"
DBG(1)[75326]> Fetch: fetching from: https://pkg.opnsense.org/FreeBSD:14:amd64/25.7/latest/meta.conf with opts "i4"
DBG(1)[75326]> Fetch: fetching from: https://pkg.opnsense.org/FreeBSD:14:amd64/25.7/latest/meta.conf with opts "i4"
DBG(1)[75326]> Request to fetch https://pkg.opnsense.org/FreeBSD:14:amd64/25.7/latest/meta.txz
DBG(1)[75326]> opening libfetch fetcher
DBG(1)[75326]> Fetch > libfetch: connecting
DBG(1)[75326]> Fetch: fetching from: https://pkg.opnsense.org/FreeBSD:14:amd64/25.7/latest/meta.txz with opts "i4"
DBG(1)[75326]> Fetch: fetching from: https://pkg.opnsense.org/FreeBSD:14:amd64/25.7/latest/meta.txz with opts "i4"
DBG(1)[75326]> Fetch: fetching from: https://pkg.opnsense.org/FreeBSD:14:amd64/25.7/latest/meta.txz with opts "i4"
pkg: https://pkg.opnsense.org/FreeBSD:14:amd64/25.7/latest/meta.txz: Operation timed out
repository OPNsense has no meta file, using default settings
DBG(1)[75326]> Request to fetch https://pkg.opnsense.org/FreeBSD:14:amd64/25.7/latest/packagesite.pkg
DBG(1)[75326]> opening libfetch fetcher
DBG(1)[75326]> Fetch > libfetch: connecting
DBG(1)[75326]> Fetch: fetching from: https://pkg.opnsense.org/FreeBSD:14:amd64/25.7/latest/packagesite.pkg with opts "i4"
DBG(1)[75326]> Fetch: fetching from: https://pkg.opnsense.org/FreeBSD:14:amd64/25.7/latest/packagesite.pkg with opts "i4"
DBG(1)[75326]> Fetch: fetching from: https://pkg.opnsense.org/FreeBSD:14:amd64/25.7/latest/packagesite.pkg with opts "i4"
pkg: https://pkg.opnsense.org/FreeBSD:14:amd64/25.7/latest/packagesite.pkg: Operation timed out
DBG(1)[75326]> Request to fetch https://pkg.opnsense.org/FreeBSD:14:amd64/25.7/latest/packagesite.txz
DBG(1)[75326]> opening libfetch fetcher
DBG(1)[75326]> Fetch > libfetch: connecting
DBG(1)[75326]> Fetch: fetching from: https://pkg.opnsense.org/FreeBSD:14:amd64/25.7/latest/packagesite.txz with opts "i4"
DBG(1)[75326]> Fetch: fetching from: https://pkg.opnsense.org/FreeBSD:14:amd64/25.7/latest/packagesite.txz with opts "i4"
DBG(1)[75326]> Fetch: fetching from: https://pkg.opnsense.org/FreeBSD:14:amd64/25.7/latest/packagesite.txz with opts "i4"
pkg: https://pkg.opnsense.org/FreeBSD:14:amd64/25.7/latest/packagesite.txz: Operation timed out
Unable to update repository OPNsense
Error updating repositories!
root@repulse:~ #

You still don't know if it's trying to connect via IPv4 or IPv6 and disabling non-working IPv6 or preferring IPv4 via setting have always been good options.


Cheers,
Franco

Quote from: franco on October 24, 2025, 08:58:46 AMYou still don't know if it's trying to connect via IPv4 or IPv6 and disabling non-working IPv6 or preferring IPv4 via setting have always been good options.


Cheers,
Franco

True, I failed to mention that I disabled dhcp6 on my wan interface and even clicked to disable ipv6 to try to narrow things down.  My thoughts on that was when I set this instance up, I had it on my lan (ipv4 only) behind an older opnsense (21) instance and it updated just fine.  It stopped updating once I replaced the 21 instance with this one.  And the obvious difference was the ipv6 interface.  So that's where I began troubleshooting the update errors.

In troubleshooting mbuf errors that were showing up in dmesg, I disabled the following.
* hardware checksum offload
* hardware TCP segmentation offload
* hardware large receive offload

Once disabling those I didn't get any further messages appearing in dmesg or on the console.  Plus an added bonus that updates work again... :). Kinda weird that would be enough to do it.

root@repulse:~ # pkg update
Updating OPNsense repository catalogue...
OPNsense repository is up to date.
All repositories are up to date.
root@repulse:~ #

After all of thie I've re-enabled ipv6, and I don't get errors when trying to update.