Troubleshooting Playbooks

Synopsis #

This chapter provides deterministic troubleshooting playbooks for common production faults: High Availability (HA) role flaps, asymmetric paths at multi-WAN edges, tunnel MTU black holes, IPv6 Neighbor Discovery (ND) and Router Advertisement (RA) problems, and practical Quality-of-Service (QoS) verification. Each playbook uses base tools only: packet filter policy in pf.conf(5) inspected with pfctl(8), interfaces via ifconfig(8), live captures with tcpdump(8), system controls with sysctl(8), reachability tests with ping(8) and ping6(8), path inspection with traceroute(8), IPv6 neighbor tools in ndp(8), and service-specific helpers such as ikectl(8) for IPsec or relayctl(8) for relayd when relevant. Device-level features include carp(4), pfsync(4), wg(4), gif(4), and gre(4).

Design Considerations #

• Reproduce, then narrow. Reproduce the failure, capture once near the fault, and use counters and states to avoid guessing.
• Prefer egress perspective. At policy edges, states and NAT pin flows to egress. Inspect states before changing routes.
• One change at a time. Introduce a reversible change, observe, revert if inconclusive.
• Clocks and logs. Ensure accurate time (see ntpd(8)). Use /var/log/messages and PF rule counters to align observations.
• Safety. During production incidents, demote a node or isolate a path rather than wholesale restarts. Keep a failsafe PF anchor for management access (see the Hardening chapter).

Configuration (Operator Toolbox) #

Prepare a minimal, reusable toolbox on each device.

# rcctl enable pflogd ; rcctl start pflogd
  # Persist and start PF log capture to /var/log/pflog

# pfctl -sr | sed -n '1,40p'
  # Snapshot of the active rule order for later correlation

# sysctl net.inet.carp
  # Baseline CARP preempt/log/demotion values (on HA nodes)

# install -d -m 700 /root/ts ; date > /root/ts/incident.start
  # Create a working scratch area with a start timestamp

Playbook 1 — HA Role Flaps (CARP/pfsync) #

Symptoms. Frequent MASTER↔BACKUP flips, brief outages, or state desynchronization.

Likely causes. Unstable SYNC link, VHID/password mismatch, asymmetric upstream reachability, or aggressive preemption.

Steps #

1. Observe CARP status and demotion.

$ ifconfig carp0 carp1
  # Expect one MASTER and one BACKUP per VIP
$ sysctl net.inet.carp.demotion
  # Non-zero indicates a fault (e.g., interface down, pfsync issues)
$ tail -n 100 /var/log/messages | egrep -i 'carp|pfsync'
  # Timeline of role changes and reasons

2. Verify the SYNC domain and state replication.

$ ifconfig pfsync0
  # Confirm syncdev and UP status
# tcpdump -ni pfsync0
  # Observe steady updates under load; bursts during new flows/failover
$ pfctl -vvss | head
  # States present with creators and counters on both nodes

3. Check HA control-plane allowances and VHID/secret.

$ pfctl -sr | egrep 'proto (carp|pfsync)'
  # Rules allowing carp and pfsync
$ grep -H carpdev /etc/hostname.carp*
  # Same VHIDs and sharedsecret on both nodes?

4. Stabilize now, investigate next.

# ifconfig carp0 advskew 240 ; ifconfig carp1 advskew 240
  # Demote this node (prefer peer as MASTER)
# sysctl net.inet.carp.preempt=0
  # Temporarily disable preemption to avoid ping-pong

5. Common fixes. Replace or isolate the SYNC cable/VLAN, ensure set skip on pfsync0 in PF, align rulesets and NAT, and only then re-enable preemption and restore advskew.

Playbook 2 — Asymmetric Paths and Broken Inbound NAT #

Symptoms. Some destinations work; others time out. Inbound services connect but replies exit via the wrong WAN. Outbound policies appear ignored.

Likely causes. Missing reply-to on WAN pass rules for NAT’d services, stale states, or rule ordering issues for route-to.

Steps #

1. Confirm rule matches and state egress.

$ pfctl -vvsr | egrep 'route-to|reply-to'
  # Ensure per-WAN pinning rules exist and are ordered correctly
$ pfctl -vvss | egrep 'em0|em3|Gateway'
  # Inspect states for selected egress interface/gateway

2. Capture on both WANs while reproducing.

# tcpdump -ni em0 host <client-or-server> and port 443
# tcpdump -ni em3 host <client-or-server> and port 443
  # Verify which interface carries SYN/ACK or replies

3. Apply corrective actions.

# pfctl -K 10.10.10.50
  # Kill states for a published server so new states pick up corrected policy
# pfctl -f /etc/pf.conf
  # Reload after adding missing reply-to/route-to
$ route -n show -inet | head
  # Remember: system default route affects firewall-originated traffic only

Playbook 3 — Tunnel MTU / Black-Hole Detection (IPsec, WireGuard, gif/gre) #

Symptoms. Small packets succeed; large transfers stall. TLS handshakes complete but large responses hang. ICMP “Too Big” not seen.

Likely causes. Encapsulation overhead exceeding underlay MTU; PMTUD blocked; excessive MSS.

Steps #

1. Probe with increasing payload sizes.

$ ping -n -c 3 -s 1400 <remote-ipv4>
  # Try large payload; decrease (e.g., 1380, 1360) until it works
$ ping6 -n -c 3 -s 1400 <remote-ipv6>
  # IPv6 is more sensitive; adjust until success

2. Inspect the tunnel and adjust MTU/MSS.

• IPsec (IKEv2):

$ ikectl show sa ; ikectl show flows
  # Confirm SAs/flows up
# tcpdump -ni enc0 host <peer-inside>
  # Plaintext post-decrypt traffic

Add a conservative scrub during mitigation, then refine:

## pf.conf excerpt — temporary MSS clamp
scrub in on egress max-mss 1452

• WireGuard:

$ ifconfig wg0
  # Review wgpeer stats; note current MTU
# ifconfig wg0 mtu 1380
  # Lower MTU to accommodate overhead

• gif/gre:

$ ifconfig gif0 ; ifconfig gre0
  # Check configured MTU
# ifconfig gif0 mtu 1400
  # Lower and re-test; adjust per path measurements

3. Confirm ICMP visibility.

# tcpdump -ni egress icmp or icmp6
  # Look for “Fragmentation needed” (v4) or “Packet Too Big” (v6)

Playbook 4 — IPv6 ND and RA Failures (Hosts Not Getting IPv6) #

Symptoms. Clients lack global IPv6, show only link-local, or lose default route. Duplicate Address Detection (DAD) failures appear.

Likely causes. RA not sent on the right interface, ICMPv6 blocked, multiple routers advertising, or stale ND cache.

Steps #

1. Check the router side (RA sender).

# rcctl check rad
  # RA daemon running?
$ ifconfig em1 | grep inet6
  # Router has an on-link address for the /64
# tcpdump -ni em1 icmp6
  # Observe Router Advertisements on the segment

2. Allow mandatory ICMPv6 in PF and reload.

## pf.conf excerpt — ensure ICMPv6 is permitted
pass inet6 proto icmp6 keep state

# pfctl -f /etc/pf.conf

3. Inspect from a host (client side).

$ ndp -an | head
  # Router entries should appear with reachable MAC
# rcctl check slaacd
  # Autoconf client running?
$ route -n show -inet6 | egrep '::/0|2001:'
  # Default route via router; global address present

4. Resolve duplicates or rogue RAs.

$ ndp -an | egrep -i 'incomplete|failed'
  # Identify anomalies
# ndp -d <IPv6-or-mac>
  # Clear a problematic cache entry (repopulates via ND)

If two routers advertise the same /64 unintentionally, disable RA on the retiring router first, then withdraw addresses.

Playbook 5 — QoS Verification (PF Queues) #

Symptoms. Interactive traffic suffers under load; queue counters do not move as expected.

Likely causes. Classification direction mismatch, incorrect queue names, or parents allowing unlimited borrowing.

Steps #

1. Confirm the queue tree and counters.

$ pfctl -vvsq
  # Tree, bandwidth/min/max, packets/bytes per queue

2. Validate classification rules and hits.

$ pfctl -vvsr | egrep 'set queue|set prio'
  # Verify intended rules exist and order is correct
# tcpdump -ni egress port 22 or port 443
  # Generate traffic and correlate with queue counters

3. Exercise under load and observe.

$ scp largefile user@remote:/dev/null &
  # Create bulk load
$ ssh user@remote
  # Verify keystroke latency while watching 'pfctl -vvsq'

4. Adjust and re-test.

• Lower bandwidth or set max on default/bulk queues.
• Use two-queue assignment, for example set queue (web_bulk, web_prio), to prioritize ACKs.

Verification #

• Repeatable tests. Keep a short script that pings, curls a known endpoint, and emits a syslog marker before and after changes.
• Counters before/after. Record pfctl -vvsr, pfctl -vvsq, and pfctl -s state | wc -l before and after each step.
• Packet captures. Save tcpdump traces with timestamps during failures; retain them alongside the PF snapshot for later analysis.

$ date && pfctl -vvsr | wc -l && pfctl -vvsq | wc -l
  # Quick sanity of rule/queue counts with a timestamp
# tcpdump -ni egress -w /root/ts/egress.pcap host <peer> and port <svc>
  # Capture for offline review

Troubleshooting #

• Changes did not take effect. Ensure you reloaded PF (pfctl -f) and killed stale states where path selection must change.
• Data path differs from captures. Verify you are capturing on the correct interface (physical vs. VLAN vs. tunnel) and that set skip on is not hiding traffic from PF.
• HA “works” but drops occur. Confirm identical rulesets and NAT on both nodes; states replicate, rules do not.
• MTU still inconsistent. Check intermediate links (PPPoE, VPNs, or VLAN stacks). If ICMP control is filtered upstream, keep MSS clamping in place.

See Also #

• Networking
• OpenBGBD
• Related: High Availability and State Replication
• Related: Multi-WAN and Policy-Based Routing
• Related: VPN and Cryptographic Tunneling
• Related: IPv6 at Scale
• Related: QoS and Traffic Shaping