Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    Now Available: pfSense® Plus 25.07-RELEASE

    Scheduled Pinned Locked Moved Messages from the pfSense Team
    81 Posts 30 Posters 9.9k Views 23 Watching
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • J Offline
      johan333
      last edited by

      Unsuccessful upgrade from 24.11 => 25.07.1 on an SG2100.

      Things to Note:

      • Performed upgrade from console using option 13
      • All went smooth with packages updated, boot code updated, and rebooted into 25.07
      • Got to Updating Configuration and abruptly stated "Shutdown Now!"
      • Rebooted itself into 24.11

      Sincerely welcome any ideas on what might be causing this and/or any diagnostic steps I should take.

      Thanks!

      Relevant Console Log Output:

      Welcome to Netgate pfSense Plus 25.07.1-RELEASE...
      
      ...ELF ldconfig path: /lib /usr/lib /usr/lib/compat /usr/local/lib /usr/local/lib/compat/pkg /usr/local/lib/compat/pkg /usr/local/lib/ipsec /usr/local/lib/mysql /usr/local/lib/perl5/5.36/mach/CORE
      32-bit compatibility ldconfig path:
      done.
      External config loader 1.0 is now starting... mmcsd0s1 mmcsd0s2 mmcsd0s3 mmcsd0s3a
      Launching the init system... done.
      Initializing.................... done.
      Starting device manager (devd)...done.
      Loading configuration...done.
      Updating configuration...2025-09-23T23:33:14.237019-07:00 - php-fpm 597 - - /rc.linkup: Ignoring link event during boot sequence.
      ....2025-09-23T23:33:14.562014-07:00 - php-fpm 597 - - /rc.linkup: Ignoring link event during boot sequence.
      2025-09-23T23:33:14.754643-07:00 - php-fpm 598 - - /rc.linkup: Ignoring link event during boot sequence.
      2025-09-23T23:33:14.755108-07:00 - php-fpm 1206 - - /rc.linkup: Ignoring link event during boot sequence.
      2025-09-23T23:33:14.888755-07:00 - php-fpm 597 - - /rc.linkup: Ignoring link event during boot sequence.
      2025-09-23T23:33:14.931626-07:00 - php-fpm 1203 - - /rc.linkup: Ignoring link event during boot sequence.
      2025-09-23T23:33:15.026406-07:00 - php-fpm 598 - - /rc.linkup: Ignoring link event during boot sequence.
      Shutdown NOW!
      shutdown: [pid 2086]
      2025-09-23T23:48:09.690216-07:00Waiting (max 60 seconds) for system process `vnlru' to stop... done
      Waiting (max 60 seconds) for system process `syncer' to stop... 
      Syncing disks, vnodes remaining... 0 done
      All buffers synced.
      

      Full Console Output: pfsense-console.zip

      GertjanG S 2 Replies Last reply Reply Quote 0
      • GertjanG Offline
        Gertjan @johan333
        last edited by

        @johan333 said in Now Available: pfSense® Plus 25.07-RELEASE:

        Performed upgrade from console using option 13

        ... and you've logged the console output.
        That's just 👍
        At least, you've put all changes on your side. If the upgrade goes well, you have the details, and you can forget about them.
        If it didn't, something went wrong, changes are high you know what happened, and why.

        Now for the bad news : about the shutdown.
        It happens in the very early boot sequence of the kernel.
        It's the kernel itself that bails out - or the kernel calls /sbin/shutdown - as this executable contains this exact text string "Shutdown NOW!" but afaik, the file system isn't even mounted yet, so the kernel can't even use "/sbin/shutdown" at that moment.
        The thing is, nothing, the why part, was logged.
        A work around could be : intercept the boot sequence, and activate verbose kernel logging ?

        There is a solution, and keep in mind : your pfSense works. So you have a backup of your pfSense config.
        Worse case situation : get the installer, and wipe clean / reinstall completely from scratch.
        This will take 10 minutes of your time. Success is guaranteed.
        ... and it will take the 'why this this happened' with it :(

        I hope you'll receive more helpful info from other forum readers.

        No "help me" PM's please. Use the forum, the community will thank you.
        Edit : and where are the logs ??

        1 Reply Last reply Reply Quote 0
        • stephenw10S Offline
          stephenw10 Netgate Administrator
          last edited by

          Hmm, nothing obviously wrong there. Do you see an alert after it reboots into 24.11?

          Check System > Boot Environments. Do you see the new 25.07.1 BE marked as failed?

          1 Reply Last reply Reply Quote 0
          • S Offline
            SteveITS Galactic Empire @johan333
            last edited by

            @johan333 Based on other posts…

            see if /cf/conf/backup is full. If so delete files or visit Diagnostics >Backup> Configuration history until it doesn’t time out. There was a bug where they weren’t automatically deleted.

            Delete old/unnecessary boot environments. (Ignore the “size” shown)

            Only install packages for your version, or risk breaking it. Select your branch in System/Update/Update Settings.
            When upgrading, allow 10-15 minutes to reboot, or more depending on packages, CPU, and/or disk speed.
            Upvote 👍 helpful posts!

            1 Reply Last reply Reply Quote 1
            • stephenw10S Offline
              stephenw10 Netgate Administrator
              last edited by

              Yup, very good point. Since it appears to be failing at 'updating configuration' check for far too many backups.

              1 Reply Last reply Reply Quote 0
              • J Offline
                johan333
                last edited by

                Thank you for the help.

                @stephenw10 - I would've expected to see some type of kernel panic notice based on this behavior, but no alerts whatsoever. I have the SG2100 console port connected via USB to a RaspberryPi device and logging the console output via screen. Yes, as per the screenshots, it states the BE failed to verify.

                675af835-8b12-4dc1-b9b9-19d63d69f1c8-image.png

                5b0c24d1-c9bc-46c5-ad5e-3e92bec5ed8e-image.png

                @SteveITS - Interesting...I'll give the GUI diagnostic screen a try. Here's what /cf/conf/backup has:

                [24.11-RELEASE][root@pfSense.home.lan]/: du -sh /cf/conf/backup
                2.0G    /cf/conf/backup
                [24.11-RELEASE][root@pfSense.home.lan]/: ls -l /cf/conf/backup | wc -l
                   12318
                
                
                S 1 Reply Last reply Reply Quote 0
                • S Offline
                  SteveITS Galactic Empire @johan333
                  last edited by

                  @johan333 said in Now Available: pfSense® Plus 25.07-RELEASE:

                  12318

                  That's it, then. Should be ~30 files by default.

                  There were a couple bugs at play, pfBlocker updates a timestamp in the file every cron run, and the backups were not being pruned automatically. So every hour for a year or more... I've seen a few posts here and on Reddit with similar update failure.

                  Only install packages for your version, or risk breaking it. Select your branch in System/Update/Update Settings.
                  When upgrading, allow 10-15 minutes to reboot, or more depending on packages, CPU, and/or disk speed.
                  Upvote 👍 helpful posts!

                  M J 2 Replies Last reply Reply Quote 3
                  • M Offline
                    mcury Rebel Alliance @SteveITS
                    last edited by

                    @SteveITS said in Now Available: pfSense® Plus 25.07-RELEASE:

                    There were a couple bugs at play, pfBlocker updates a timestamp in the file every cron run,

                    25.07.1 has this issue with pfBlockerNG.
                    4e86827d-290d-42a9-9c35-7713ea20dd43-image.png

                    But Maximum Backups option is working.

                    dead on arrival, nowhere to be found.

                    S 1 Reply Last reply Reply Quote 0
                    • J Offline
                      johan333 @SteveITS
                      last edited by

                      @SteveITS Wow, very interesting and great insight. Based on the evidence, I would've never come to this discovery/conclusion. The diag page does time out BTW, so I'll just manually prune it and try the update again. Know if the bug was fixed in 25.07 and if not what is the work-around people are using (e.g. CRON job)?

                      1 Reply Last reply Reply Quote 0
                      • S Offline
                        SteveITS Galactic Empire @mcury
                        last edited by

                        @mcury said in Now Available: pfSense® Plus 25.07-RELEASE:

                        25.07.1 has this issue with pfBlockerNG

                        I don't have a link handy but I'm pretty sure Netgate posted that's been fixed in a later version? Or there was a patch in that forum somewhere. It's worse if using pfB in HA because the secondary was getting multiple config files because of its cron plus the sync at cron time.

                        I have a note to check config history before starting an update.

                        diag page does time out

                        It will but if you keep reloading after that, and be patient it should eventually load. I think mine timed out after 10 minutes and had deleted most of the files.

                        25.7 fixed the history retention.

                        Only install packages for your version, or risk breaking it. Select your branch in System/Update/Update Settings.
                        When upgrading, allow 10-15 minutes to reboot, or more depending on packages, CPU, and/or disk speed.
                        Upvote 👍 helpful posts!

                        M 1 Reply Last reply Reply Quote 1
                        • M Offline
                          mcury Rebel Alliance @SteveITS
                          last edited by

                          @SteveITS said in Now Available: pfSense® Plus 25.07-RELEASE:

                          I don't have a link handy but I'm pretty sure Netgate posted that's been fixed in a later version?

                          Redmine #14409
                          DNSBL is also disabled here, so it seems that 25.07.1 didn't bring that fix?

                          dead on arrival, nowhere to be found.

                          M 1 Reply Last reply Reply Quote 1
                          • M Offline
                            mcury Rebel Alliance @mcury
                            last edited by

                            I'm opening a new thread about the pfBlockerNG and configuration history.

                            dead on arrival, nowhere to be found.

                            1 Reply Last reply Reply Quote 1
                            • stephenw10S Offline
                              stephenw10 Netgate Administrator
                              last edited by

                              Yeah the backup config trimming is fixed now.

                              Yes if you visit the backups page it will prune them. Eventually. And if you ever visited that page previously it would have done so many users never saw it.

                              1 Reply Last reply Reply Quote 1
                              • M Offline
                                mvikman
                                last edited by

                                btw does the link to the installer sent after the order (non-netgate device) always provide the latest version of the installer?
                                i.e. I can use the same link and not need to re-order to get the latest installer version?

                                pfSense Plus 25.07.1-RELEASE (amd64)
                                Dell Optiplex 7040 SFF
                                Core i5-6500, 24GB RAM, 2x 240GB SSD (ZFS Mirror)
                                HPE 561T (X540-AT2), 2-port 10Gb RJ45
                                HPE 562SFP+ (X710-DA2), 2-port 10Gb SFP+

                                1 Reply Last reply Reply Quote 0
                                • stephenw10S Offline
                                  stephenw10 Netgate Administrator
                                  last edited by

                                  Hmm, good question. But I believe it's a link to a single fixed file. And it expires after some time anyway so you would need to 'order' again.

                                  However the installer can install any number of pfSense versions so it's generally not necessary to update it for each pfSense release.

                                  That said the new installer version should be available soon with a number or fixes and additional features.

                                  M 1 Reply Last reply Reply Quote 0
                                  • M Offline
                                    mvikman @stephenw10
                                    last edited by

                                    @stephenw10 Yeah, I just like to have the latest version as you said, it fixes possible problems and might have additional features added :)
                                    Just tested with a link provided a bit over 2 moths ago and it still worked (it was1.0-RC-amd64-20240919-1435.img).
                                    Also if one has an active subscription, why not just provide the installer download under the My Account or something, would remove unnecessary $0 orders if needed to re-download for some reason.

                                    pfSense Plus 25.07.1-RELEASE (amd64)
                                    Dell Optiplex 7040 SFF
                                    Core i5-6500, 24GB RAM, 2x 240GB SSD (ZFS Mirror)
                                    HPE 561T (X540-AT2), 2-port 10Gb RJ45
                                    HPE 562SFP+ (X710-DA2), 2-port 10Gb SFP+

                                    1 Reply Last reply Reply Quote 0
                                    • stephenw10S Offline
                                      stephenw10 Netgate Administrator
                                      last edited by

                                      I believe there's a backend limitation because I know that has been discussed internally previously. Hopefully something we can work past at some point.

                                      johnpozJ 1 Reply Last reply Reply Quote 0
                                      • johnpozJ Offline
                                        johnpoz LAYER 8 Global Moderator @stephenw10
                                        last edited by

                                        @stephenw10 I recall back in the day you use to be able to grab your image from your account - or am I misremembering? This is going back many years.

                                        An intelligent man is sometimes forced to be drunk to spend time with his fools
                                        If you get confused: Listen to the Music Play
                                        Please don't Chat/PM me for help, unless mod related
                                        SG-4860 25.07.1 | Lab VMs 2.8.1, 25.07.1

                                        1 Reply Last reply Reply Quote 0
                                        • stephenw10S Offline
                                          stephenw10 Netgate Administrator
                                          last edited by

                                          Mmm, there have been many changes over the years. As far as I know though there is no way to re-download images after the link expires currently.

                                          1 Reply Last reply Reply Quote 0
                                          • P Offline
                                            phreed
                                            last edited by

                                            I notice that XML backups begin with the following:

                                            <?xml version="1.0"?>
                                            <pfsense>
                                            	<version>24.0</version>
                                            	<lastchange></lastchange>
                                            	...
                                            </pfsense>
                                            

                                            I expected the version to be 25.07.1 or something similar.
                                            Is this intended or is it a minor bug?

                                            S 1 Reply Last reply Reply Quote 0
                                            • First post
                                              Last post
                                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.