@kiokoman

Redmine issue created:
https://redmine.pfsense.org/issues/11878

For this particular issue it would be the same on both

@daplumber and now an official Comcast Advanced Gateway, and an Arris S33. I don't think it's the CM.

Props to @Beerman

I was having the same issue at a site where fortunately the VPN is not mission critical. Your post pointed me in the right direction and it's now resolved.

New CA, server cert, user cert applied to the existing OpenVPN setup, new client config exported and it all works like it should.

It can be fun if you are into such things. In my younger days I did this with embedded systems things. Many of those used Intel or Texas Instruments embedded microprocessors with the code in EPROM. Dump the EPROM using a reader, start at the power-on reset vector in the EPROM code for the CPU and start disassembling the binary. I often wrote my own disassemblers using the datasheets from the CPU manufacturers to get the binary opcodes and their assembler mnemonics so I could properly code the disassembler.

I did it to satisfy my curiosity and not for nefarious purposes. Mostly just to see if I could do it. My wife did question my sanity at times when she found me poring over a stack of paper from a dot-matrix printer composed of pages of assembly code. I would be writing in comments as I figured out what a section of code was likely doing.

Luckily I recovered ... 😀, and no longer suffer from that yearning.

@virgiliomi

I think multiple factors may cause the crash, I think it involves FRR and wireguard.

i have report to wireguard admin.

@kinch

Yes that is exactly what I observed. It was a mix of new defaults in line with best practices that come with FRR 7.5 vs the 7.3 you would have been running on pfSense 2.4.5 as well as some bugs that are now in redmine.

If you see your BGP session as "Established" but your prefixes are not being announced checklist here:

In your environment, are the prefixes to be announced in your local RIB or are they not ? If not, you need to set a flag no bgp network import-check

This is sort of exposed in the GUI but currently broken because if you uncheck it in the GUI the new FRR 7.5 default means it is inherently enabled anyway. Thus you need to work with RAW CONFIG for now.

Do you have any sort of filtering for your announcements ? A route map or prefix list ? Or do you just go Services -> FRR BGP and drop the prefixes in there. If so, you will need to enable a policy to satisfy the new default of bgp ebgp-requires-policy

You could, but probably should not disabled this check with

no bgp ebgp-requires-policy

This is exposed in the GUI and seems to work but it is not regarded best practice. Better you create a prefix list with the stuff you want to announce and then attach it to your neighbor(s).

Edit: Since this effects 2.5.0-release and we are no longer using a dev snapshot: There is more detail in this thread I have in the FRR sub-forum

sysctl dev.cpu dev.cpu.3.temperature: 59.1C dev.cpu.3.cx_method: C1/hlt dev.cpu.3.cx_usage_counters: 32910065 dev.cpu.3.cx_usage: 100.00% last 214us dev.cpu.3.cx_lowest: C1 dev.cpu.3.cx_supported: C1/1/0 dev.cpu.3.%parent: acpi0 dev.cpu.3.%pnpinfo: _HID=none _UID=0 dev.cpu.3.%location: handle=\_PR_.P003 dev.cpu.3.%driver: cpu dev.cpu.3.%desc: ACPI CPU dev.cpu.2.temperature: 59.1C dev.cpu.2.cx_method: C1/hlt dev.cpu.2.cx_usage_counters: 37679235 dev.cpu.2.cx_usage: 100.00% last 236us dev.cpu.2.cx_lowest: C1 dev.cpu.2.cx_supported: C1/1/0 dev.cpu.2.%parent: acpi0 dev.cpu.2.%pnpinfo: _HID=none _UID=0 dev.cpu.2.%location: handle=\_PR_.P002 dev.cpu.2.%driver: cpu dev.cpu.2.%desc: ACPI CPU dev.cpu.1.temperature: 59.1C dev.cpu.1.cx_method: C1/hlt dev.cpu.1.cx_usage_counters: 32443366 dev.cpu.1.cx_usage: 100.00% last 337us dev.cpu.1.cx_lowest: C1 dev.cpu.1.cx_supported: C1/1/0 dev.cpu.1.%parent: acpi0 dev.cpu.1.%pnpinfo: _HID=none _UID=0 dev.cpu.1.%location: handle=\_PR_.P001 dev.cpu.1.%driver: cpu dev.cpu.1.%desc: ACPI CPU dev.cpu.0.temperature: 59.1C dev.cpu.0.cx_method: C1/hlt dev.cpu.0.cx_usage_counters: 35826705 dev.cpu.0.cx_usage: 100.00% last 195us dev.cpu.0.cx_lowest: C1 dev.cpu.0.cx_supported: C1/1/0 dev.cpu.0.freq_levels: 3600/19240 3200/14577 2800/10578 2400/6951 1900/4162 1400/2887 dev.cpu.0.freq: 3600 dev.cpu.0.%parent: acpi0 dev.cpu.0.%pnpinfo: _HID=none _UID=0 dev.cpu.0.%location: handle=\_PR_.P000 dev.cpu.0.%driver: cpu dev.cpu.0.%desc: ACPI CPU dev.cpu.%parent:

@bcruze no worries. The images for official Netgate appliances are never available on the website. Those are CE images for use with amd64 devices. I could use one on my SG-5100 for example. However, for the official images you will always have to request them from Netgate via a support ticket. They are super quick to respond when you do. I tend to do a clean install every time a new version is released so I back up my configuration, send the request to Netgate, and then get down to business once they give me a link to the image.

@behemyth

"When it is ready" (tm)

@griffo said in Updated and not sure what state it's in:

I've always logged in as root.

I just tried 'root' : works also. had the menu etc.
That is : it works for 2.4.5-p1 - I just noticed that your using a newer version....

@mfld

i have reply it. I have been reporting this problem for several years, and Jim doesn't believe it. This problem has always existed in this 2.5 system.But it runs much better in the 2.4.x system.I’m not a programmer, so I don’t know what has changed in the system, only Jim knows what has changed in the system.