Web GUI crashes after upgrade from 22.05 to 23.01
-
@jimp any way to disable from the cli so I don't have to go back to 22.05, change and re-update?
-
Not easily, though you could use
viconfig
and find theaesni
line and remove it.It would look like one of the following:
<crypto_hardware>aesni</crypto_hardware>
or
<crypto_hardware>aesni_cryptodev</crypto_hardware>
If you delete that and reboot it will not load the aesni module.
-
@jimp Disabled AES-NI,
AES-NI module is not loaded anymore:
/root: kldstat
Id Refs Address Size Name
1 21 0xffffffff80200000 39a4240 kernel
2 1 0xffffffff83ba6000 5b2878 zfs.ko
3 1 0xffffffff84159000 aab0 opensolaris.ko
4 1 0xffffffff84720000 2220 cpuctl.ko
5 1 0xffffffff84723000 3248 ichsmb.ko
6 1 0xffffffff84727000 2178 smbus.ko
7 1 0xffffffff8472a000 20e8 coretemp.koStill same crash.
-
Can we assume this only happens when you try to access the GUI over IPSec? Or is that the only way you can test it?
-
Assuming it's policy based IPSec do you have static route via LAN in place to allow that access on the remote pfSense?
-
@stephenw10 this is the only way I can test it. At the moment I don't have local access to this firewall. Once I do have local access I want to try a default config and if it works add ipsec and then packages. It will be a few weeks before I can go to the other house.
-
Do you have something behind it you could try accessing it via? Something you could remote desktop to maybe?
-
@stephenw10 Not at the moment. maybe tomorrow I can remote to my son Macbook and try local access.
Don't know if it does matter but the problem firewall is running both ipv4 and ipv6
-
The IPSec tunnel is IPv4 only though?
-
@stephenw10 yes
-
@stephenw10 Ok, local login to the firewall works without crashes. So it is the combination of logging in to the GUI through the ipsec vpn that is causing the problem.
Weird enough I can access webcams, ssh without issues.
The configuration is the same I was using on 22.05 without issues.
-
Ok, that's good info. Our devs are looking into this I'll try to replicate it...
-
@stephenw10 Were you guys able to replicate the issue?
I may be able to go to the other house this weekend. Should I try a fresh reinstall? -
I haven't replicated it yet.
Do you have SWAP enabled on that device? What size if so? Getting a full core dump from that would be useful.Steve
-
@stephenw10
/root: swapinfo
Device 1K-blocks Used Avail Capacity
/dev/ada0p3 1048576 0 1048576 0%How do I get you a full core dump?
-
If you install the debug kernel with:
[23.01-RC][root@6100.stevew.lan]/root: pkg install pfSense-kernel-debug-pfSense Updating pfSense-core repository catalogue... pfSense-core repository is up to date. Updating pfSense repository catalogue... pfSense repository is up to date. All repositories are up to date. The following 1 package(s) will be affected (of 0 checked): New packages to be INSTALLED: pfSense-kernel-debug-pfSense: 23.01.b.20230106.0600 [pfSense-core] Number of packages to be installed: 1 The process will require 709 MiB more space. 145 MiB to be downloaded. Proceed with this action? [y/N]: y [1/1] Fetching pfSense-kernel-debug-pfSense-23.01.b.20230106.0600.pkg: 100% 145 MiB 5.2MB/s 00:29 Checking integrity... done (0 conflicting) [1/1] Installing pfSense-kernel-debug-pfSense-23.01.b.20230106.0600... [1/1] Extracting pfSense-kernel-debug-pfSense-23.01.b.20230106.0600: 100%
Then when you reboot you can select that by hitting option 6 at the boot loader menu. However if you only have remote access that could be a problem.
Steve
-
Still failing to replicate this.
What IPSec config are you using?
What firewall rules do you have?
-
@stephenw10 I will be at the other house this weekend and I am going to try to get core dumps with the debug kernel.
As far as ipsec config, it is a tunnel between the two firewall.
Phase1: Key exchange is IKEv2, protocol is ipv4 only, auth is Mutual PSK, identifiers are the ip addresses. auth is AES 256 SHA256 DH 14, life time 31680 sec, rekey time at default 90% of lifetime.
Phase2: mode is Tunnel ipv4, Local network is my lan subnet, remote network is set to the remote network ip/24, no nat. Key exchange/SA mode is ESP, encryption is AES256-GCM 128bits PFS key group 14, life time 5400, rekey time 4860 sec.Once I get to the other house (the remote pfsense), the first thing I want to try is to access the firewall GUI of my primary pfsense through the ipsec vpn and see if it crashes or not. The two firewalls run on different hardware with different packages installed.
I will then try to get you core dumps. I will try to see if going back to a default config with just the ipsec configuration makes any difference.
Anything else I should try?
-
Do you have any special gateways/route table entries setup which refer to the IPsec network(s)? Or any other config in other areas of the firewall itself that relates to the tunnel outside of the IPsec config you described?
Things like this sort of setup:
https://docs.netgate.com/pfsense/en/latest/vpn/ipsec/access-firewall-over-ipsec.html -
@jimp yes I had to add gateways and static routes on both end points