Now Available: pfSense® Plus 25.07-RELEASE
-
Unsuccessful upgrade from 24.11 => 25.07.1 on an SG2100.
Things to Note:
- Performed upgrade from console using option 13
- All went smooth with packages updated, boot code updated, and rebooted into 25.07
- Got to Updating Configuration and abruptly stated "Shutdown Now!"
- Rebooted itself into 24.11
Sincerely welcome any ideas on what might be causing this and/or any diagnostic steps I should take.
Thanks!
Relevant Console Log Output:
Welcome to Netgate pfSense Plus 25.07.1-RELEASE... ...ELF ldconfig path: /lib /usr/lib /usr/lib/compat /usr/local/lib /usr/local/lib/compat/pkg /usr/local/lib/compat/pkg /usr/local/lib/ipsec /usr/local/lib/mysql /usr/local/lib/perl5/5.36/mach/CORE 32-bit compatibility ldconfig path: done. External config loader 1.0 is now starting... mmcsd0s1 mmcsd0s2 mmcsd0s3 mmcsd0s3a Launching the init system... done. Initializing.................... done. Starting device manager (devd)...done. Loading configuration...done. Updating configuration...2025-09-23T23:33:14.237019-07:00 - php-fpm 597 - - /rc.linkup: Ignoring link event during boot sequence. ....2025-09-23T23:33:14.562014-07:00 - php-fpm 597 - - /rc.linkup: Ignoring link event during boot sequence. 2025-09-23T23:33:14.754643-07:00 - php-fpm 598 - - /rc.linkup: Ignoring link event during boot sequence. 2025-09-23T23:33:14.755108-07:00 - php-fpm 1206 - - /rc.linkup: Ignoring link event during boot sequence. 2025-09-23T23:33:14.888755-07:00 - php-fpm 597 - - /rc.linkup: Ignoring link event during boot sequence. 2025-09-23T23:33:14.931626-07:00 - php-fpm 1203 - - /rc.linkup: Ignoring link event during boot sequence. 2025-09-23T23:33:15.026406-07:00 - php-fpm 598 - - /rc.linkup: Ignoring link event during boot sequence. Shutdown NOW! shutdown: [pid 2086] 2025-09-23T23:48:09.690216-07:00Waiting (max 60 seconds) for system process `vnlru' to stop... done Waiting (max 60 seconds) for system process `syncer' to stop... Syncing disks, vnodes remaining... 0 done All buffers synced.Full Console Output: pfsense-console.zip
-
@johan333 said in Now Available: pfSense
Plus 25.07-RELEASE:Performed upgrade from console using option 13
... and you've logged the console output.
That's just
At least, you've put all changes on your side. If the upgrade goes well, you have the details, and you can forget about them.
If it didn't, something went wrong, changes are high you know what happened, and why.Now for the bad news : about the shutdown.
It happens in the very early boot sequence of the kernel.
It's the kernel itself that bails out - or the kernel calls /sbin/shutdown - as this executable contains this exact text string "Shutdown NOW!" but afaik, the file system isn't even mounted yet, so the kernel can't even use "/sbin/shutdown" at that moment.
The thing is, nothing, the why part, was logged.
A work around could be : intercept the boot sequence, and activate verbose kernel logging ?There is a solution, and keep in mind : your pfSense works. So you have a backup of your pfSense config.
Worse case situation : get the installer, and wipe clean / reinstall completely from scratch.
This will take 10 minutes of your time. Success is guaranteed.
... and it will take the 'why this this happened' with it :(I hope you'll receive more helpful info from other forum readers.
-
Hmm, nothing obviously wrong there. Do you see an alert after it reboots into 24.11?
Check System > Boot Environments. Do you see the new 25.07.1 BE marked as failed?
-
@johan333 Based on other posts…
see if /cf/conf/backup is full. If so delete files or visit Diagnostics >Backup> Configuration history until it doesn’t time out. There was a bug where they weren’t automatically deleted.
Delete old/unnecessary boot environments. (Ignore the “size” shown)
-
Yup, very good point. Since it appears to be failing at 'updating configuration' check for far too many backups.
-
Thank you for the help.
@stephenw10 - I would've expected to see some type of kernel panic notice based on this behavior, but no alerts whatsoever. I have the SG2100 console port connected via USB to a RaspberryPi device and logging the console output via
screen. Yes, as per the screenshots, it states the BE failed to verify.
@SteveITS - Interesting...I'll give the GUI diagnostic screen a try. Here's what /cf/conf/backup has:
[24.11-RELEASE][root@pfSense.home.lan]/: du -sh /cf/conf/backup 2.0G /cf/conf/backup [24.11-RELEASE][root@pfSense.home.lan]/: ls -l /cf/conf/backup | wc -l 12318 -
@johan333 said in Now Available: pfSense
Plus 25.07-RELEASE:12318
That's it, then. Should be ~30 files by default.
There were a couple bugs at play, pfBlocker updates a timestamp in the file every cron run, and the backups were not being pruned automatically. So every hour for a year or more... I've seen a few posts here and on Reddit with similar update failure.
-
@SteveITS said in Now Available: pfSense
Plus 25.07-RELEASE:There were a couple bugs at play, pfBlocker updates a timestamp in the file every cron run,
25.07.1 has this issue with pfBlockerNG.
But Maximum Backups option is working.
-
@SteveITS Wow, very interesting and great insight. Based on the evidence, I would've never come to this discovery/conclusion. The diag page does time out BTW, so I'll just manually prune it and try the update again. Know if the bug was fixed in 25.07 and if not what is the work-around people are using (e.g. CRON job)?
-
@mcury said in Now Available: pfSense
Plus 25.07-RELEASE:25.07.1 has this issue with pfBlockerNG
I don't have a link handy but I'm pretty sure Netgate posted that's been fixed in a later version? Or there was a patch in that forum somewhere. It's worse if using pfB in HA because the secondary was getting multiple config files because of its cron plus the sync at cron time.
I have a note to check config history before starting an update.
diag page does time out
It will but if you keep reloading after that, and be patient it should eventually load. I think mine timed out after 10 minutes and had deleted most of the files.
25.7 fixed the history retention.
-
@SteveITS said in Now Available: pfSense
Plus 25.07-RELEASE:I don't have a link handy but I'm pretty sure Netgate posted that's been fixed in a later version?
Redmine #14409
DNSBL is also disabled here, so it seems that 25.07.1 didn't bring that fix? -
I'm opening a new thread about the pfBlockerNG and configuration history.
-
Yeah the backup config trimming is fixed now.
Yes if you visit the backups page it will prune them. Eventually. And if you ever visited that page previously it would have done so many users never saw it.
-
btw does the link to the installer sent after the order (non-netgate device) always provide the latest version of the installer?
i.e. I can use the same link and not need to re-order to get the latest installer version? -
Hmm, good question. But I believe it's a link to a single fixed file. And it expires after some time anyway so you would need to 'order' again.
However the installer can install any number of pfSense versions so it's generally not necessary to update it for each pfSense release.
That said the new installer version should be available soon with a number or fixes and additional features.
-
@stephenw10 Yeah, I just like to have the latest version as you said, it fixes possible problems and might have additional features added :)
Just tested with a link provided a bit over 2 moths ago and it still worked (it was1.0-RC-amd64-20240919-1435.img).
Also if one has an active subscription, why not just provide the installer download under the My Account or something, would remove unnecessary $0 orders if needed to re-download for some reason. -
I believe there's a backend limitation because I know that has been discussed internally previously. Hopefully something we can work past at some point.
-
@stephenw10 I recall back in the day you use to be able to grab your image from your account - or am I misremembering? This is going back many years.
-
Mmm, there have been many changes over the years. As far as I know though there is no way to re-download images after the link expires currently.
-
I notice that XML backups begin with the following:
<?xml version="1.0"?> <pfsense> <version>24.0</version> <lastchange></lastchange> ... </pfsense>I expected the version to be
25.07.1or something similar.
Is this intended or is it a minor bug?
