The process fcgicli is CPU killer

Ivan Nosko

Hello Team! We use pfSense as an openvpn RA server, it is a virtual machine on VmWare. Everything was fine, but after updating to version 2.7.2 we had a problem with the fcgicli process, which was consuming all the CPU time and pfSense was freezing. We need help! This is the very important service.

Gertjan

@Ivan-Nosko

Which one :

[23.09.1-RELEASE][root@pfSense.bhf.tld]/root: ps ax | grep 'fcgicli'
59977  -  Is       0:00.00 /usr/local/bin/minicron 3600 /var/run/expire_accounts.pid /usr/local/sbin/fcgicli -f /etc/rc.expireaccounts
60588  -  I        0:00.02 minicron: helper /usr/local/sbin/fcgicli -f /etc/rc.expireaccounts  (minicron)
60645  -  Is       0:00.00 /usr/local/bin/minicron 86400 /var/run/update_alias_url_data.pid /usr/local/sbin/fcgicli -f /etc/rc.update_alias_url_data
61399  -  I        0:00.00 minicron: helper /usr/local/sbin/fcgicli -f /etc/rc.update_alias_url_data  (minicron)

The "rc.expireaccounts" runs ones every hour.
Not much to do, or do you really have a zillion accounts ?

The "rc.update_alias_url_data" :
A problem with one of your aliases ?
Do you use any "aliasurl" type ? If so, double check the URL : can you download it with a browser ? DNS works ? I can image : if the URL can't be reached, the file can't be loaded, you get the classic BS in - BS out.
I can't be sure, as I don't use "aliasurl" myself.

stephenw10

Yes if you run ps -auxwwd you may be able to see the full command that is triggering it.

Ivan Nosko

@Gertjan
After we used the #killall fcgicli command, PfSense works well, but I think it is not a solution to the problem. Now the server has many connections, I will try to see the output of the ps command later after reboot.

dem

I've seen fcgicli spinning immediately after an upgrade once or twice in the past. In my case I think it was running rc.newwanipv6. I think #14386 might be related.

Ivan Nosko

Hi guys! I solved the problem with CPU leak and load of many "fcgicli" processes. As far as I understand, the problem is related to the certificate chain. In our company's certificate chain, we use [one ROOT srv]<>[two INTERMEDIATE srv]<>[four ISSUE srv]<>[openvpn server certificate]. Previously, I added all the certificates from the chain (7), but this time I added only four of them (ROOT<>INTEERMEDIATE_1<>ISSUE_3<>openvpn server certificate, three in the chain and one of the server itself). I thought this was enough and I had this problem. Now I have added all the certificates and everything is working correctly. I'll watch for a while and post baack later.

Ivan Nosko

There was the same issue
https://forum.netgate.com/topic/153940/openvpn-not-working-with-certificates-after-updating-from-earlier-pfsense-to-latest