frozen pfsense, administration interface, openvpn...

rds25

Hello,

After 24 hours or more of operation, I find that I can no longer log in to the administration interface,

OpenVPN is also unresponsive.

For the moment my only issue is to restart by stop signal.

Can you tell me the procedure to know the reason?
Waiting for your response,
Rémi

Gertjan

@rds25 said in frozen pfsense, administration interface, openvpn...:

Can you tell me the procedure to know the reason?

At a distance with no connection ?
Not that I know.

If you can access the device, console/SSH into it and check the logs. That why they are there.
Still, a hardware failure, or some power spike failure doesn't produce any logs, the machine just locks up.
Use option 11 to restart the webConfigurator - and check the logs for good startup.
Re try the GUI.

rds25

@gertjan
Hello,

Nslookup revolver - OK
ping - OK
Access internet - OK
access to webconfigurator on LAN - KO
Access to OpenVPN on WAN and LAN - KO

I have not enabled SSH access and I have no screen
I will have to reboot in any case, I have a 502 Bad Gateway nginx. on IP PFsense.

However, I don't think it's just the web configuration service, because I can't connect to the OpenVPN either, or is it related to the webconfigurator?

I saw the logs, but I'm not sure where. in any case hardware side everything is OK.

edit:
In the log I have 6 files system.log Gz :
example:
Dec 26 17:15:16 check_reload_status 404 Could not connect to /var/run/php-fpm.socket

Do you have a command to extract from the logs the critical errors related to the webgui and OpenVPN which falls?

The oldest system log I have dates back not even an hour:

Impossible to have the logs of the day...

helpme :'(

Gertjan

@rds25 said in frozen pfsense, administration interface, openvpn...:

I have not enabled SSH access and I have no screen

For later : "never leave home without it". But a console access is also good.

@rds25 said in frozen pfsense, administration interface, openvpn...:

The oldest system log I have dates back not even an hour:

Look at your first image.
During the same second '40' you have many identical lines telling that PHP isn't running.
pfSense panics because it needs PHP to do some maintenance tasks, and of course, PHP is used together with nginx, the web server, to handle the GUI.
So log files are filled up very fast, and rotated as soon as they are 'full'. Which happens very fast right now.

Btw : what happens here :

Is this just an isolated case ? Did you attached the LAN cable ?

@rds25 said in frozen pfsense, administration interface, openvpn...:

Do you have a command to extract from the logs

Also : the gateway 502 error means to me : nginx, the web server is running, but not the PHP part.

Normally, you would run
tail -f /var/log/system.log
in SSH sessions,
and you use option 11 in the other to retestart PHP + nginx.

Now, use option 11, and then go to 8, and paste
ee /var/log/system.log
(ee is an text editr never used ee myself, prefer nano, but that editor has to be installed as a manually as a freebsd/pfSense using "pkg ..." )

OpenVPN is start by the same web server + PHP. So, when the GUI is back online, OpenVPN will most probably also start working again.

rds25

Is this just an isolated case ? Did you attached the LAN cable ?

Unfortunately no, this is not an isolated case, I have to restart the router almost every day.

For the cable, I'm not at home and the only PC connected to the lan interface is off.

I activated SSH like that when I come back if PHP is dead without explanation I paste the logs to you.

Cool_Corona

Can you pls. check if you have any kind of power management on the pfsense machine?

It could be a NIC going into hybernation.

Gertjan

@rds25 said in frozen pfsense, administration interface, openvpn...:

the only PC connected to the lan interface is off.

Poor router firewall. It needs two interfaces to exist, and you disable one ?
Maybe it works just fine, but I'm not a member of the club that tries to run a router with one or even less interfaces. As it makes no sense.
What about adding a switch between that one PC and pfSense ?
At least pfsense will have its two NIC up all the time.

Btw : this is just me thinking out loud. Dono what happens when LAN goes away. Never tried that. If LAN goes away, might as well shut down pfSense all together.

rds25

@cool_corona
indeed if PFsense attach services on an int which goes into hibernation, this is a problem.

rds25

@gertjan

Indeed, Pfsense needs two interfaces.
I have a Wan a Lan and two other interfaces used for servers.
The Lan interface is only used to manage the firewall in my case.
So, if the interface has a hibernation option, I will not add a switch which is not very ecological, just to have a UP port to look pretty.

In the case of figure, if the Lan Switch is down that to crash the firewall by domino effect?
Why not link Pfsense’s vital services to a virtual interface??

Gertjan

@rds25 said in frozen pfsense, administration interface, openvpn...:

which is not very ecological

I fully agree.
Your pfSense also agrees : a frozen pfSense .... what about removing the power cord ?
With just the WAN active, pfSense will check every 12 hours if there is a package update.
It will sync NTP.
And according to the resolver settings, keep the DNS cache up to date.
I mean : what's that good for ?

Still, now serious : it should work with LAN going down = no carrier.
If it works well if the NIC device goes into sleep mode : that's more a hardware question, like : does the driver support that ? The OS ? pfSense ?
It's not a common scenario.

rds25

@gertjan

now that the cause is identified.
solution 1: connect a switch to the port called LAN which I only use to configure the fw.

solution 2: does pfsense offer a function to deactivate hibernation.

ps: I have 2.5gbps ports that only work with unstable 2.7.0.

fireodo

@rds25 said in frozen pfsense, administration interface, openvpn...:

solution 2: does pfsense offer a function to deactivate hibernation.

In my knowledge hibernation should be turned off in the BIOS of the machine ...

rds25

@fireodo

I only "disabled HCPI hibernation" but if I'm not mistaken, it's for the general sleep mode of the machine and not of one or more interfaces?

fireodo

@rds25 said in frozen pfsense, administration interface, openvpn...:

@fireodo

I only "disabled HCPI hibernation" but if I'm not mistaken, it's for the general sleep mode of the machine and not of one or more interfaces?

Power management for individual interfaces is specifically to the interface hardware - you have to dig deep if you want to manipulate that (AFAIK)

rds25

@fireodo

So to summarize I will plug a switch on the port to force the lifeline.
And I’ll tell you again if the workaround works.

fireodo

@rds25 said in frozen pfsense, administration interface, openvpn...:

So to summarize I will plug a switch on the port to force the lifeline.

That could be a workaround. If you dont mind - what hardware (machine) are we talking about?

rds25

@fireodo
Good morning,
Don’t worry, it’s a prototype from the future.
All I can say is that the interfaces are "intel i226-v"
Or the norm is hibernating non-active interfaces.

fireodo

@rds25 said in frozen pfsense, administration interface, openvpn...:

Don’t worry, it’s a prototype from the future.

... then I hope the Flux capacitor is still OK!

rds25

@fireodo said in frozen pfsense, administration interface, openvpn...:

Flux capacitor

Yeah, doc, but we gotta cool it!
Thank you all for your intelligence of mind, and your responsiveness, long life to pfSense community.