Hi, I was hoping someone may be able to help make heads or tails of this 
frustrating issue I'm having.

Background
I use a VPN configured as per the Qubes recommended config for VPNs 
(https://www.qubes-os.org/doc/vpn/).
I have used this configuration with the following VM hierarchy for some months 
without a problem: sys-net -> sys-firewall -> vpn -> vpn-firewall -> *
[where "vpn-firewall" runs the qubes-yum-proxy service (verified TCP listener 
is showing up in netstat on 0.0.0.0:8082)]

Problem
Recently I have encountered a problem where whenever I go to update a 
TemplateVM, or dom0 - any VM that is configured to use the qubes update proxy - 
the dnf update times out. The following is the output of "sudo dnf -vvv 
--refresh update" on a Fedora 26 TemplateVM:

Cannot download 
'https://mirrors.fedoraproject.org/metalink?repo=updates-released-f26&arch=x86_64':
 Cannot prepare internal mirrorlist: Curl error (28): Timeout was reached for 
https://mirrors.fedoraproject.org/metalink?repo=updates-released-f26&arch=x86_64
 [Connection timed out after 30003 milliseconds].
Error: Failed to synchronize cache for repo 'updates'

If we watch netstat during this attempted update, we see that a SYN is sent to 
the correct update proxy address of 10.137.255.254:8082, but no SYN-ACK is 
received:
tcp        0   1 10.137.5.14:57914       10.137.255.254:8082     SYN_SENT

Leaving this running, no TCP connection is ever established with the 
qubes-updates-proxy service at "vpn-firewall". Similarly, watching for inbound 
connections on "vpn-firewall" yields no results for an incoming connection from 
the TemplateVM. During this time, all AppVMs continue to have full network 
connectivity via the vpn-firewall gateway.

Now here's the weird bit... The problem is sporadic. Sometimes I can reboot my 
host machine and the updates proxy is broken, other times it works fine.

To my untrained eye, this appears to be a routing issue internal to Xen. Does 
anyone have some advice on how I can investigate further?

Many thanks in advance,
Alex
