Why is my pfSense Firewall Lagging and Giving 504 Gateway Timeout Errors?
-
Hello, I have multiple IPsec tunnels set up on my pfSense firewall. Recently, while adding a new tunnel, pfSense started to hang and continuously load, eventually giving me a 504 Gateway Timeout error. After that, the web interface was completely inaccessible for about 10-15 minutes. Eventually, I was able to access the web GUI again.
As a temporary fix, I disabled the dpinger service, and for some reason, this made pfSense run faster. However, the issue persists because dpinger still starts automatically, and the process repeats itself. I’m not sure why disabling dpinger works, but it does seem to help.
I’ll also be attaching the crash report to this post for further analysis. Does anyone have any insights into why this is happening or how I can resolve it permanently?
-
anybody ?
-
Any errors logged?
If not errors then what is logged? It's clearly doing something that's using a lot of resources.
-
@stephenw10
Hey, sorry for late response... Here is a new crash, I've captured logs too, so the problem started at 18:12:26, and somewhere at 18:18 i was able to get in GUI again, before that it was constantly loading and giving 504 gateway timeout error.
-
What happened 900s (15m) before that error though? Something triggered a script that stalled.
-
@stephenw10 before 18:12:26, what I see is mostly /rc.newipsecdns: Gateway, none 'available' for inet6, use the first one configured. 'OPT87_VPNV6' and sshguard Exiting on signal and Now monitoring attacks. messages repeating from 18:03:09 to 18:12:26, but, on 18:02:53 and 18:03:06 I have the following errors
-
@stephenw10 here are logs at the time of around 15m mark
-
What was the interface you added there at 17:58:48?
If you manually run a Filter Reload from Status > Filter Reload do you see any errors? Do you get another php crash 900s after the reload?
-
@stephenw10 after 17:58:55, i have many 60676 /rc.filter_configure_sync: dpinger: No dpinger session running for gateway and /vpn_ipsec.php: dpinger: No dpinger session running for gateway messages, starting from 17:58:58 and finishing at the same second. after that at 17:59:00 gateway alarm 100% loses of tunnel VTI, the only different things i've seen that are not usual are these, at time 17:59:22 and 17:59:43.
-
@stephenw10 the interfaces I'm adding are mostly IPsec VTI tunnels that i've created and then giving those interfaces a gateway and static route
-
@stephenw10 i've did a filter reload and no errors in system logs and it was completed successfully.
-
Hmm. The log entry that looks closest to it is for rc.openvpn. Do you have any openvpn incidences defined? Do they have dynamic gateways set?
-
@stephenw10 I have checked my OpenVPN configuration, and it is set to use the WAN interface, which has a static IPv4 address and a static upstream gateway.
-
How many tunnels/gateways do you have?
-
@stephenw10 one default WANGW and 69 for tunnels
-
But are those all VTI tunnels with assigned interfaces that create gateways?
Because if so that is lot of gateways for anything that triggers a script when it bounces.
-
@stephenw10 sorry again for late response, yeah, they all have assigned interfaces. What script is being triggered ?
-
They are seen by pfSense as a WAN interface because they have a gateway. So you get the gateway and WAN IP scripts run for each one.
You might try disabling the gateway monitoring action for those gateways to reduce the churn.
-
@stephenw10 Ah, so that's why disabling dpinger helps. But should pinging 60 interfaces really be this difficult for pfSense?
-
It's not the pinging that causes the issue it's the scripts that get run when it sees the gateway as changing state. You can disable dpinger entirely or you can just disable the 'monitor action' in the gateway settings. Disabling the action keeps the ping data logging but stops it running scripts if/when the gateway goes down. Does that is usually preferable to disabling it entirely.
