Strange Firewall/ipsec behaviour after upgrading to 6.2-11


Feb 27, 2019
I have recently updated a cluster with a few nodes having a pretty similar network setup. Each node is connected to a few external networks over ipsec.

And just one node behaves crazy (this is really strange). I can't ping any of the networks that are tunneled through the ipsec. Tunnels are created successfully, routes are being added. Additional research with tcpdump showed that indeed ICMP replies are coming back through the tunnel, but are getting dropped! Disabling the firewall completely on the node makes it work...

Attached is the pve-firewall compile.

What is even stranger is that it worked perfectly fine before the upgrade, and I did nothing besides upgrade and reboot...

I can easily imagine how difficult it is to diagnose such a thing, so just a pointer in the right direction on what I can dig into/research would be appreciated too...

