pfsense 2.6.0 sshguard @ web gui bug/crash

VioletDragon

@stephenw10 Okay cool nothing to worry about then, Do you think i should do a fresh install of pfSense on a hypervisor moving the same configuration over just changing the interfaces ? would this be a problem?

stephenw10

It would be a good test to prove if it's a config or an install issue.

Gertjan

@violetdragon said in pfsense 2.6.0 sshguard @ web gui bug/crash:

pfSense on a hypervisor moving the same configuration

Try also : not the same config.

Keep in mind : you and me are using the same, identical code == pfSense. It works well for me
Only our config is different.
And, of course, the hardware.

The default config with just interface set up so networking works.
Packages like snort or pfBlockerNG are not mission critical.
acme settings (and certs) are imported back in and do not demand any resources.

I'll look up if there is a way to make PHP logs what it is doing. This will strain the the system even more, but, while "tailing" the PHP log, and then opening the GUI using a browser, you can see where it stops / waits executing.

Do you have many :

in the Status > System Logs > System > General ?

VioletDragon

@stephenw10 Hi, This problem has got worst. I can't access the Gui completely now I keep getting a ERR_CONNECTION_CLOSED. Nothing seems to have fixed this problem.

Update,

It's got to be one of these widgets removed them all has fixed it as we speak

Gertjan

@violetdragon

Add one widget, use pfSense as normal, do reboot, be patient and test + test.
Then add one other widget, and repeat the process.
As soon as the issue comes back, you have found the widget.
Easy to do, all you need is some time.

Or use other hardware / use another file system, and call it a day.

VioletDragon

@gertjan I have done a fresh install on a VM but the problem is still there,

I think i am going to roll back to 2.5.2 because this issue is only on 2.6.0.

VioletDragon

@gertjan I am seeing this in the System Logs now,

Apr 27 10:36:27	check_reload_status	435	Syncing firewall
Apr 27 10:36:23	check_reload_status	435	Syncing firewall
Apr 27 10:36:22	check_reload_status	435	Syncing firewall
Apr 27 10:36:20	check_reload_status	435	Syncing firewall

Gertjan

@violetdragon

You think the other 95000+** "2.6.0" users have the same problem ?
I can assure you, they use the same - byte by byte code.
So, it boils down to : 2.6.0 in combination with what you have/use/do with it.

I'm just making this up. The number is probably way bigger.

edit : I'm just trying to motivate you to find the issue ;)

VioletDragon

@gertjan Then why is the problem still there after a fresh install? this problem has started when installing 2.6.0 there has to be a problem somewhere because on a base install the gui crashes. The logs are fulled up with,

Apr 27 10:36:27	check_reload_status	435	Syncing firewall
Apr 27 10:36:23	check_reload_status	435	Syncing firewall
Apr 27 10:36:22	check_reload_status	435	Syncing firewall
Apr 27 10:36:20	check_reload_status	435	Syncing firewall

VioletDragon

@gertjan deleting everything on the homepage except for System Information seems to fix it but when adding other widgets is causing the problem, time to revert back to 2.5.2!

Gertjan

@violetdragon said in pfsense 2.6.0 sshguard @ web gui bug/crash:

after a fresh install?

??
You put gasoline in your car : it won't start.
You put better gasoline in your car : it still doesn't start.
You develop "just made for you" gasoline in your car : still a no go.
Because the motor is/was dead.

Look for the common factors.
Use a bare metal system, any ancient desktop device with a double NIC will do.
VM's are great, but add another boatload of possible issues.

VioletDragon

@gertjan That is what I have done, I have tested on a Xen Hypervisor and a Dell T3600 and the problem is still there. I am going to revert back to 2.5.2 because 2.6.0 seems to be unreliable with the Gui Crashing left right and center!

stephenw10

@violetdragon said in pfsense 2.6.0 sshguard @ web gui bug/crash:

The logs are fulled up with,

Apr 27 10:36:27	check_reload_status	435	Syncing firewall
Apr 27 10:36:23	check_reload_status	435	Syncing firewall
Apr 27 10:36:22	check_reload_status	435	Syncing firewall
Apr 27 10:36:20	check_reload_status	435	Syncing firewall

Ok, this is good. That's the first evidence we've seen of some process misbehaving. Something is continually reloading the firewall. Did you apply the keep-counters patch?
It's one of the recommended patches in the System Patches package. If your system is reloading that frequently it will be affected by that.
It's fixed in 2.7 if you're able to test a snapshot.
Now that may be a symptom and not the cause of course.

Any config that works in 2.5.2 should work in 2.6 but clearly there are edge cases and you seem to have found one. Since most users are not hitting it though we have no way to replicate it to try to fix it without your input. Something in your config is unique.

Steve

VioletDragon

@stephenw10 hi, what is the patched? Do you have any documentation of it? I have removed all widgets leaving system information and it is behaving itself. It's a strange one but I think it's one of the widgets.

stephenw10

Sure it's this: https://redmine.pfsense.org/issues/12827

I suspect the problem showing the dashboard is showing up because one of the widgets id trying to access some data that isn't available during a filter reload and it's apparently reloading all the time. That bug might mean that there is no access when that happens but it should not cause it. Unless it's stuck in a race condition for some reason.

Steve

VioletDragon

@stephenw10 Hi sorry for such a slow reply been a bit busy. However it seems that the problem has gone away by removing the widget then putting them back again however my suspicion is it's either that NTP Widget which is broken or its pfblockerng widget. I have all the other widgets and it seems fine.

Thanks.

Jack.

stephenw10

Of the two I would suspect the ntp widget more since it pulls in real-time data whereas the pfBlocker widget shows only counts which I believe is cached. Though I've never really dug into it that deep!
I assume it was not immediately obvious which it is from enabling them?

VioletDragon

@stephenw10 I have not determined which it is but I have removed both widget and seems to be behaving itself right now, I need NTP to be functional because I use Time Based security for the Yubikey's i have.

stephenw10

Well you obvuoiusly don't actually need the widget for NTP to work but it's nice to check it that way. I have the NTP widget up here, complete with GPS info, and it's never given trouble.

Try querying ntp at the command line, is there a delay?

[2.6.0-RELEASE][admin@pfsensemirror.stevew.lan]/root: ntpq -p
     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
 2.pfsense.pool. .POOL.          16 p    -   64    0    0.000   +0.000   0.000
+time.cloudflare 10.20.14.167     3 u  142  512  377   12.333   -0.083   0.149
-ns1.do.steersne 114.199.6.79     2 u   72  512  377    7.008   -0.542   0.375
*103.219.22.112  193.67.79.202    2 u  193  512  377    6.833   +0.117   1.862
+1fv-x-e0001-e7a 193.150.34.2     3 u  175  512  377    8.463   +0.730   2.103

It tries to use reverse dns on those which can take a second or two.

Steve

VioletDragon

@stephenw10 Yeah that is why I use the Widget can just log into the home page and it's there but it is no biggie, I can always check it via CLI. I have actually been looking at GPS modules that plug into the Serial on the Firewall but not sure what is recommended and what isn't.

Only 3 Widgets that are not on the home page now is Services, pfBlockerng & NTP it is behaving itself as we speak.