How long should SG-1100 upgrade take? Update: She dead. Update2: She on life support.

jlw52761 · Feb 19, 2021, 1:24 PM

My SG-1100 took about 20 minutes to do the upgrade after a fresh reboot. The reboot after the upgrade though took about 10 hours before the webGUI was even available, and still required another reboot via SSH before things returned to some normalcy. The upgrade did yank off telegraf with no install candidate, so if you run telegraf don’t upgrade yet. Also expect very long upgrade reboot times that has no traffic passing. And before folks want to go blaming packages and such, the only thing the SG-1100 does is local DHCP and IPSec.
Personally, the SG-1100 has been a disaster for me, woefully underpowered and the lackluster ARM support is rediculous for a consumer supported security product. It seems like the entire ARM based product line is lackluster, which is sad in my opinion for a commercial product. I will be moving off the ARM platform, and go with what has worked for me which is non-NetGate x86 hardware and the CE version of the product. I may try the + version on x86, not sure yet.

stephenw10 · Feb 19, 2021, 3:12 PM

10hours is extreme! Hard to imagine what it was doing for that long.
Telegraf should be there for arm64 but you're right it isn't for some reason. I'm investigating...

jlw52761 · Feb 19, 2021, 3:39 PM

@stephenw10 it’s a remote device so didn’t capture the console output and not sure if dmesg will go back far enough to be useful. While the device is accessible externally I can’t get any traffic to pass and the IPSsec has extreme packet loss so a lot of services are down. Making the two hour drive to get into the console and troubleshoot.

stephenw10 · Feb 19, 2021, 3:45 PM

There is an upgrade log in /conf you can check. If it was erroring out on something and having to wait for it to fail it should show there.

jlw52761 · Feb 19, 2021, 5:41 PM

@stephenw10 I do see errors with PHP modules failing to load and some other items, but I think the stuck part was during the reboot itself. Which I woulda thought to dump dmesg somewhere else before rebooting. I feel it may have something to do with the uboot upgrade, just not sure how much of that or any other firmware may have been done too.

ahking19 · Feb 19, 2021, 7:22 PM

@jlw52761 this is off topic but..

a disaster for me, woefully underpowered<<

sounds like you under spec'd based on your needs. That's your fault not a product fault. The IMIX Traffic/performance info is on the appliances product page.

lackluster ARM support is ridiculous<<

what does that mean? You want an ARM CE version so you can run it on Raspberry Pi, etc?

entire ARM based product line is lackluster<<

if you want to make a value/price argument on the ARM product line do that

stephenw10 · Feb 19, 2021, 7:55 PM

@jlw52761 Hmm, you shouldn't have seen a uboot update there unless you were somehow on a very old version. There has not been a uboot update for the SG-1100 in some time.

Steve

NGUSER6947 · Feb 20, 2021, 12:18 AM

@jlw52761 Mine lost the GUI too. Hopefully overnight it'll come back, as yours did?

Ugh this sucks.

stephenw10 · Feb 20, 2021, 12:57 AM

It can take a significantly long time to come back after it reboots, the upgrade to 2.5 is a large change. Most of the upgrade takes place after the reboot. But check the console to know for sure.

Steve

scurrier · Feb 20, 2021, 10:16 PM

Update2 from me, the OP, here. I got remote access to a computer connected to the SG-1100 lan port. Turns out, she's not dead, she's just having some WAN issues. I can't figure it out. I can ping the upstream WAN gateway, but nothing beyond it. An ICMP traceroute to an internet address strangely returns only repetitions of the SG-1100's own LAN gateway IP.

scurrier · Feb 21, 2021, 1:11 AM

@scurrier Got it working again, although I still don't know exactly what went wrong. Turns out the default gateway was set to automatic (as expected), but this was no longer automatically selecting the correct standard WAN_DHCP gateway. I changed the setting pictured and now everything seems to be working. What the heck? This is so basic.

stephenw10 · Feb 21, 2021, 12:13 AM

If you have an internal gateway like that you should always set the default to be the WAN.

When it's on automatic if the WAN gateway goes down it will choose the next available gateway and you don't ever want it to do that where you have a LAN gateway.

Steve

scurrier · Feb 21, 2021, 1:11 AM

@scurrier Only strange thing left at this point is the NTP server is down and won't start.

scurrier · Feb 21, 2021, 6:17 PM

@scurrier NTP server is magically back up today. Not sure what was going on with that.

So far, so good after fixing the default gateway problem.

stephenw10 · Feb 21, 2021, 7:18 PM

NTP can take a while to sync upstream and then start serving data. That's not entirely unexpected.

Steve

scurrier · Feb 24, 2021, 3:59 AM

I'm down again. Not responding to pings and the downstream network operator messeged me that my internal traffic from behind the firewall is leaking onto their network.

jlw52761 · Feb 24, 2021, 6:01 AM

@ahking19 said in How long should SG-1100 upgrade take? Update: She dead. Update2: She on life support.:

@jlw52761 this is off topic but..

a disaster for me, woefully underpowered<<

sounds like you under spec'd based on your needs. That's your fault not a product fault. The IMIX Traffic/performance info is on the appliances product page.

The site has 25Mbps down and 5Mbps up, only Site2Site IPSec, and DHCP/DNS. Hardly what one would expect to overload the SG-1100, even stripping all this back, the packet forwarding really is not good on the hardware due to the way the Marvell switch is implemented, IMHO The SG-1100 is really only good for the most basic of items, that a Walmart router at half the cost can do. The SG-1100 should really not be a product and I regret spending the $$$'s on it. I spent only slightly more on a x86 board and installed CE on it and that guy does all the heavy lifting such as pfBlocker, IPSec, OpenVPN, WireGuard, PBF/PBR, DNS, Snort, and absolutely takes all that without much more than a brief puff of hot air.

lackluster ARM support is ridiculous<<

what does that mean? You want an ARM CE version so you can run it on Raspberry Pi, etc?
Well, I wouldn't be opposed to a CE version, I get better support from the community to be honest. I had a problem with the SG-1100 that required a reflash as the device was good and well FUBAR'd, and it took almost two days to "prove" to support that I have a valid device and support on said device, even after providing the serial#, Netgate Device ID, and the Netgate Crypto ID. Once the person was "convinced" I had a supported device, it took another couple of days for the support person to figure out how to help me and eventually got ahold of an engineer that was able to provide the IMG file for relfashing. So yeah, lackluster to say the least.
A CE version would enable broader ARM support, possibly on something like an Odroid or LattePanda. There are a number of ARM based SoC's out there with multiple PHY's, which would be perfect.

entire ARM based product line is lackluster<<

if you want to make a value/price argument on the ARM product line do that

Just look at the forums, there are a ton of issues around the ARM platform, and these are supposed to fully supported and have no CE version, only a Plus version, so having to turn to the forums for support is really lackluster IMHO. For the price, one can get COTS x86 hardware and go to town.
You are correct, it is off topic, more of a "Here we go again with ARM" rant.

ahking19 · Feb 24, 2021, 10:04 PM

@jlw52761 I have 50/50 Mbps and pretty much the same services running here minus IPSec and Snort and it barely breaks a sweat.
CPU sits at 2% with occasional spike to 6-7% when PFBlocker updates or I access the WebGUI. I expect Snort or IDS/IPS would be a problem for this device. But then the SG-1100 is a SOHO device and as such IDS/IPS shouldn't apply IMHO.

I agree a couple days to get the image file is not good. Not making accuses for customer support but I have friends living in Texas and saw the Netgate blog post about the storm (https://www.netgate.com/blog/snowpocalypse-over-netgate-up-and-running.html) which made for really bad timing of 2.5/21.02 release.

pzanga · Feb 25, 2021, 4:09 PM

@stephenw10 said

It can take quite a long time on the SG-1100 but not 2 hours.

Does that include hanging at "Please wait while the update system initializes"? I am attempting to upgrade from 2.4.4_3 to 21.02 on my SG-1100. I made 2 attempts and waited about 10 minutes each time with the unit hanging at the above message. Do I just need more patience, or is this likely a separate issue?

Just checked conf/upgrade_log and all I see is this.

  >>> Updating repositories metadata... failed.

Thanks

stephenw10 · Mar 1, 2021, 1:51 PM

@pzanga said in How long should SG-1100 upgrade take? Update: She dead. Update2: She on life support.:

Does that include hanging at "Please wait while the update system initializes"?

No it doesn't. That should not normally take more than 20s or so.
If it takes longer there is probably some issue. Very occasionally we see the gui lose connection with the process and it upgrades as expected in the background.

If you upgrade from the the console menu, via SSH or serial console, you can see exactly what is happening and any errors that are produced. I would recommend upgrading that way if you can though we realise that the vast majority of users user the webgui to upgrade and that is the method we test.

Steve