pfSense repeatedly rebooting at exactly 12:30
-
Just popped the cover off. It's basically dust free in there. I've been running it for about a year.
I do have it plugged into a UPS but I have another server managing it (USB is connected to the other server).
Took a look at the logs. There are too many of them for me to see what may have happened at 12:30. However, everything that comes after that seems to indicate a restart just occurred. I'm increasing the maximum log entries and I'll report back after 12:30.
Thanks Guys!
-
Have you looked at your crontab? What runs at 12:30?
-
@jwj Really stupid question but how would I do that? Is that something I can access through the GUI or should I SSH?
Thanks
-
Install the Cron package.
-
Sorry for the delay responding. There is a cron package you can install. That's the easiest way.
From mine I think it's the update URL tables job that is biting you.
-
@RonpfS Excellent thank you. I think I found the issue. It was running this
/usr/bin/nice -n20 /usr/local/bin/php-cgi -f /usr/local/pkg/suricata/suricata_check_for_rule_updates.php
at exactly 12:30 every day
And thank you to everyone else that helped! I really appreciate it!
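To answer "what runs at 12:30?" from a shell, the following added example (not part of any post in this thread) lists crontab entries whose minute and hour fields match a given time. It assumes the schedule is in /etc/crontab in the system format with a user column; cron_jobs_at, sample_crontab and every sample line other than the Suricata command are made up for illustration.

```shell
#!/bin/sh
# Added example, not from the thread. Assumes the system crontab format:
#   minute hour mday month wday user command
# Only the minute and hour fields are evaluated; day fields are ignored.

cron_jobs_at() {   # usage: cron_jobs_at HOUR MINUTE [FILE]
    awk -v H="$1" -v M="$2" '
    # True when value v satisfies one cron field: "*", lists, ranges, steps.
    function field_matches(spec, v, lo, hi,    n, parts, i, item, step, a, b, r) {
        n = split(spec, parts, ",")
        for (i = 1; i <= n; i++) {
            item = parts[i]; step = 1
            if (split(item, r, "/") == 2) { item = r[1]; step = r[2] + 0 }
            if (step < 1) continue
            if (item == "*") { a = lo; b = hi }
            else if (split(item, r, "-") == 2) { a = r[1] + 0; b = r[2] + 0 }
            else { a = item + 0; b = a }
            if (v >= a && v <= b && (v - a) % step == 0) return 1
        }
        return 0
    }
    /^[ \t]*#/ || NF == 0 { next }     # comments and blank lines
    $1 ~ /^[A-Za-z_]+=/   { next }     # environment assignments (SHELL=, PATH=)
    $1 ~ /^@/             { next }     # @reboot and friends have no clock time
    NF >= 7 && field_matches($1, M + 0, 0, 59) && field_matches($2, H + 0, 0, 23) {
        cmd = $7
        for (i = 8; i <= NF; i++) cmd = cmd " " $i
        print $6 "\t" cmd              # user, TAB, command
    }' "${3:-/etc/crontab}"
}

# Constructed sample crontab; only the Suricata command is taken from the thread.
sample_crontab() {
    cat <<'EOF'
SHELL=/bin/sh
# minute hour mday month wday who command
*/15 * * * * root /usr/sbin/newsyslog
1,31 0-5 * * * root /usr/local/sbin/example_job
30 12 * * * root /usr/bin/nice -n20 /usr/local/bin/php-cgi -f /usr/local/pkg/suricata/suricata_check_for_rule_updates.php
EOF
}

# Demo on the sample; against a live system call: cron_jobs_at 12 30
tmp=$(mktemp) && sample_crontab > "$tmp" && cron_jobs_at 12 30 "$tmp"
rm -f "$tmp"
```

On the sample, two entries match 12:30 (the */15 job and the Suricata update), which is why every matching line is worth reading rather than stopping at the first.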
-
@TBBZ8X8 said in pfSense repeatedly rebooting at exactly 12:30:
@RonpfS Excellent thank you. I think I found the issue. It was running this
/usr/bin/nice -n20 /usr/local/bin/php-cgi -f /usr/local/pkg/suricata/suricata_check_for_rule_updates.php
at exactly 12:30 every day
And thank you to everyone else that helped! I really appreciate it!
That job should not cause a reboot. It will restart Suricata at the end of the task, and if you have Suricata running with Inline IPS Mode enabled (which uses the kernel netmap device), that will cause the physical NIC interface to be disabled and then re-enabled during the restart. But it should not cause a physical reboot of the box itself.
How do you have Suricata configured? Is it using Inline IPS Mode? If so, you can try enabling "Live Rule Swap" on the GLOBAL SETTINGS tab. That will not cause the Suricata daemon to stop and restart itself. Instead it will load new rules into memory and then swap over to using them. That will then prevent the netmap device from restarting the physical NIC interface. The downside of this option is that for a small interval Suricata will consume nearly twice normal memory as it will keep two copies of your enabled rules in memory until it can get pointers updated to use the new rules so the old ones can be deleted from memory.
-
@bmeeks Thanks for the reply!
I had switched the time of the job to when I knew no one was on the network but turns out it resets that when Suricata updates. So I changed it in the Suricata settings and enabled live rule swap like you suggested.
Fingers crossed it stays working this time!
Thanks again!
-
@TBBZ8X8 said in pfSense repeatedly rebooting at exactly 12:30:
@bmeeks Thanks for the reply!
I had switched the time of the job to when I knew no one was on the network but turns out it resets that when Suricata updates. So I changed it in the Suricata settings and enabled live rule swap like you suggested.
Fingers crossed it stays working this time!
Thanks again!
You must change the update job time on the GLOBAL SETTINGS tab. Suricata rewrites its configuration, including things like the cron task start time, each time a change is made and saved in the GUI or the "resync packages" command is called by pfSense itself.
As mentioned in my earlier post (after coming back and fixing some terrible typos I made ... ), Suricata updating should never reboot the entire firewall. If that happens, something is really bad wrong. However, when using the netmap device in Inline IPS Mode, the netmap device itself will restart the NIC interface when Suricata is stopped and then restarted during the rules update. So swapping over to the Live Swap option will prevent the physical stop/start cycle of the Suricata daemon and thus also the cycling of the NIC interface by netmap.
-
Is it really rebooting? What's the system uptime?