21.02 Sudden lockup

mcury · Feb 19, 2021, 6:26 PM

@ffuentes The fix is to revert to 2.4.5p1 until we fix the issue. Please open a ticket for the firmware link.

My sg-3100 is working fine with the current 21.02, without pfblockerng.
I guess my network throughput is not high enough to trigger the problem discussed earlier..
Noticed a few other problems, but my topic wasn't answered.. Like status>monitor>traffic being empty, but I can live with it..

Do you think I should downgrade to 2.4.5p1 as well?
Some comments above from devices console not responding anymore are kind of worrying me..
I mean, is there a chance to happen a complete failure in which I won't be able to reinstall?

kphillips · Feb 19, 2021, 6:27 PM

@tommyg Personally attacking the support staff who are only trying to help troubleshoot and provide assistance is unacceptable. Enjoy your temporary ban.

kphillips · Feb 19, 2021, 6:33 PM

@mcury If you aren't have any issues, no need to downgrade yet. Just make sure you have your USB console cable handy if you do run into an issue, but if you avoid reloading your firewall filter for now under heavy load, you should be fine. We should have a fixed update soon.

mcury · Feb 19, 2021, 6:34 PM

@kphillips said in 21.02 Sudden lockup:

@mcury If you aren't have any issues, no need to downgrade yet. Just make sure you have your USB console cable handy if you do run into an issue, but if you avoid reloading your firewall filter for now under heavy load, you should be fine. We should have a fixed update soon.

Great, thanks, I'll just wait then, it's working fine here.

ffuentes · Feb 19, 2021, 6:41 PM

@kphillips I open the ticket.

kphillips · Feb 19, 2021, 7:15 PM

@ffuentes PM me the ticket number, if you didn't get a reply already. I'll make sure to buzz you the firmware.

alpharulez · Feb 19, 2021, 7:20 PM

I am having issues with snort on upgrade. have had to uninstall it completely.

dhcp issues to my access point - happens randomly where internet connection is steady but pfsense seems to kick off my access point which then thinks it is no longer in access point mode and reverts to routing starting to handout IPs... and loss of internet connectivity.

repeat issues with ntopng - had to reinstall - this seems to be stable-ish for the moment.

Now noticed that System/Package Manager/Available Packages is not showing any packages for me to install... especially Snort.

alpharulez · Feb 19, 2021, 7:25 PM

@alpharulez Forgot to add - no pfblockerng on my device... and it is a home setup so not a lot of traffic...

ffuentes · Feb 19, 2021, 7:35 PM

@alpharulez The issue is a general issue with pf reload. This means that snort will also contribute to a reload and cause the lock-up.

alpharulez · Feb 19, 2021, 7:37 PM

@ffuentes thanks. it is uninstalled for the moment and running as a standard firewall... hope the fixe comes out quick so it can go back to a proper IPS...

rloeb · Feb 19, 2021, 7:41 PM

@kphillips Is there likely to be a patch in the "near future"?

I have too many users to bring the network down while I load the firmware, reload the configuration, check the configuration to assure that it's reasonably correct, then go through the whole process again because I screwed it up, etc. Worse, they (and I) are working through the weekend to finish a critical deliverable.

ffuentes · Feb 19, 2021, 7:47 PM

@rloeb welcome to my club except that I made the mistake... HAHAHA!

My boss is getting impatient as I keep dropping, is a bit stable now so I am hoping I get through today at least.

ffuentes · Feb 19, 2021, 7:53 PM

@kphillips I got the firmware. I also didnt notice this but looks like I did receive an email from support stating the situation and advising me to roll back,

so kudos to support!

Thanks again!

kphillips · Feb 19, 2021, 8:16 PM

@alpharulez Because the repos for 21.02 were pulled to keep people from upgrading any more until we release a fix, packages are also affected. You'll need to revert to 2.4.5p1 to be able to install packages again (make sure you set the "Previous Stable Release" in your Update settings before trying).

kphillips · Feb 19, 2021, 8:23 PM

@rloeb If you are absolutely stuck and need to remain on 21.02, you can do the following:

Go to Diagnostics --> Command Prompt and run "echo hw.ncpu=1 >> /boot/loader.conf.local" without quotes.

Reboot.

This will halve your firewall's performance because it artificially limits your CPU to one core, but it also gets rid of the crashing.

However, if you can revert to 2.4.5p1 DO THAT. And if you do the above, don't forget to remove it later unless you like having your firewall be artificially limited in performance for the rest of it's life.

rloeb · Feb 19, 2021, 8:30 PM

Thank you!

rloeb · Feb 19, 2021, 9:07 PM

@kphillips FYI. Went to 1 CPU. Snort does not start. Snort does not appear in Services menu. Re-installing snort fails; Window just sits there. Would like to have that protection, but not sure what to do next.

lnguyen · Feb 19, 2021, 9:16 PM

@kphillips said in 21.02 Sudden lockup:

Command Prompt and run "echo hw.ncpu=1 >> /boot/loader.conf" without quotes.

I think what @jimp stated was:
Create /boot/loader.conf.local if it doesn't exist, as loader.conf can be overwritten by pfSense.

echo hw.ncpu=1 >> /boot/loader.conf.local

I agree with this as it won't be overwritten and easily reverted once a patch is released by simply issuing:

rm /boot/loader.conf.local

rloeb · Feb 19, 2021, 10:09 PM

@lnguyen Nice catch. The command did not create the file. My Linux is pretty feeble these days, so I'm unclear what to do next. I'll see if I can pull one of my techies off what they're doing and he can chase this. I'll go back to running the company, which is all I'm competent to do.

kphillips · Feb 19, 2021, 10:12 PM

@lnguyen You are correct. I've updated my original post.