Squid use all memory ram



  • Hi

    I have a box pfsense 2.3.3 with squid  0.4.36 and squidGuard 1.15. but  after sometime squid use all ram,  I restard the squid and memory back to normal.

    Squid was configure on mode transparent with HTTPS/SSL Interception and SSL/MITM Mode splice all..

    Any ideas?

    I have a bad english :v


  • Rebel Alliance Developer Netgate

    How much RAM is in the system?

    What cache size? What cache settings? Do you have Anti-Virus enabled?

    If it consumed all memory it could only be because it was configured to do that, intentionally or unintentionally.

    Also when all RAM was used, you should look at the output of "ps uxawwd" to see which processes are using up the RAM. It may not necessarily be squid.



  • Hi jimp

    **My box have 16 GB

    this problem start when I update to pf 2.3.3, i have reinstall squid and squidguard but to continue. when restar squid the memory returns to normal

    I'm disable packeges one to one




  • Hi,

    I have the same problem. I turned off transparent mode to normalize the memory consumption.



  • HI

    I have changed my setting in local cache, but problem continues.

    I use the option Clear Disk Cache NOW for free memory

    I'm still looking for the problem :v



  • I have had the issue since pfSense version 2.3 and the only way to help alleviate the issue was to set the Maximum Object size in Ram back to 256 kb.



  • I installed pfSense 2.4 Beta and I no longer have the issue.

    So far running for 48 hrs. and have 10gb's free out of 16gb's.



  • Impatient,

    Still working on 2.4?



  • I have been well pleased with 2.4 beta and so far memory usage has been much better.

    Currently after 7 day's since reboot I have 4gb's out of 8gb's allocated for Squid still free.

    When I installed pfSense 2.4 I used the ZFS file system and I used diskd for Squid with 128
    Level 1 Directories.

    The only package's I have installed is PfblockerNG,Snort on wan interface,and of course Squid.



  • I enable into squid "debug_options all,2" and find this messages.

    "clientPeekAndSpliceSSL: SSL_accept failed"

    this cause used all memory RAM



  • Hello, I'v two identical pfsense 2.3.2: one with squid 3.5.19 and one with 3.5.23. The first one have no problem, the second one consume all memory.

    [2.3.2-RELEASE][root@fw1]/root: squid -v
    Squid Cache: Version 3.5.19

    [2.3.2-RELEASE][root@fw2]/root: squid -v
    Squid Cache: Version 3.5.23

    the main difference between two are compile options:

    3.5.23:
    'build_alias=amd64-portbld-freebsd10.3'
    'CC=cc' 'CPPFLAGS=-I/usr/local/include'
    'CXX=c++'
    'CXXFLAGS=-O2 -pipe -I/usr/local/include -I/usr/local/include -fstack-protector -DLDAP_DEPRECATED -fno-strict-aliasing  -Wno-unknown-warning-option -Wno-undefined-bool-conversion -Wno-tautological-undefined-compare -Wno-dynamic-class-memaccess'
    'CPP=cpp'
    –enable-ltdl-convenience

    3.5.19:
    '--build=amd64-portbld-freebsd10.3'
    'build_alias=amd64-portbld-freebsd10.3'
    'CC=cc'
    'CPPFLAGS=-I/usr/local/include'
    'CXX=c++'
    'CXXFLAGS=-O2 -pipe -I/usr/local/include -I/usr/local/include -fstack-protector -DLDAP_DEPRECATED -fno-strict-aliasing '
    'CPP=cpp'
    –enable-ltdl-convenience

    Can I rollback to 3.5.19? if yes how? thanx.



  • Posted by: bbassotti

    your box pfsense with Squid Cache: Version 3.5.19 is filtering https?



  • @😄:

    Posted by: bbassotti

    your box pfsense with Squid Cache: Version 3.5.19 is filtering https?

    yes.



  • Hello

    Actually I have the problem of lato consumption of RAM, verify and is the Squid. Restarting the service returns to normal.

    Ttengo installed Pfsense 2.3.2 with Squid 3.5.23

    I could not solve the problem.

    Any solution?



  • Hi guys.

    Me too…
    Actually, I have the same problem...
    I think is the MITM.
    I work in a college and we are using pfsense on the latest version, with squid 3.5.23.
    Our server has 8GB of RAM and my impression is that, when my network is set without MITM filtering, the consuming of RAM is around 15%. If I activate MITM filtering for SSL package interception, the consuming of RAM slowly grows up to 100% and our PFsense system goes down.
    I've tried to change the settings of Local Cache, but I haven't found any conclusive results.
    If I restart the squid service the consuming of RAM decreases.

    Any idea?
    Thank you for help.



  • Where is the MITM configuration?



  • Hello

    SSL MITM is a acronym for SSL Man In The Midle Filtering.
    It is when we enable SSL filtering for the PFSense analise the HTTPS traffic beyond HTTP.

    Look MITM configuration in: Services > Squid Proxy Server > General > SSL Man In the Middle Filtering

    A provisory solution that I found was to create 2 cron jobs. The first to stop and the second for start the squid 10 seconds after stop.

    For exemple:
    30    * * * * root /usr/local/sbin/squid -k shutdown
    30 * * * * root sleep 10 && /usr/local/sbin/squid



  • Hello…

    Ummmm .... yes, the problem is that if I disable the HTTPS / SSL Interception, the squidguard will not filter me the sites with ssl (https) certificate.

    On the other hand, it is interesting to enable the cron that you indicate me.

    I'll try those cron



  • I have this problem too!
    any one has a update or downgread do works version?

    Tks!



  • No one has solved the problem?



  • I still have the problem



  • Me too,

    i just configure the cron for evey 30 min stop and start the squid service.

    You can install the Cron package and there you can add 2 news jobs

    */30 * * * * root /usr/local/sbin/squid -k shutdown
    */30 * * * * root sleep 10 && /usr/local/sbin/squid

    its work for me but is not the best solution.



  • The swapstate_check.php won't execute because there is no cache partition mounted found in the filesystem. I checked the source code line by line and by creating a test.php from there I can tell that it will never execute because of the conditions doesn't meet. We can modify the swapstate_check.php to monitor the swap.state file size and clean the cache if this file exceeds the specified amount we set in the script.



  • Yes, for now I think the best solution is to use a cron to stop and knit the squid, as says miquim. I think we have to wait for an update to see if they solve the problem. If someone finds the solution, please advise



  • It's hard to monitor the swap.state filesize and the SWAP usage percentage because it grows dynamically. In my case I modified the swapstate_check.php code to execute if the cache folder size reach 250MB or the swap.state filesize reach 640KB.



  • I'm also seeing this memory exhaustion problem on my box. I do not use any disk cache and only want to be prepared to be able to block web sites just in case I'm told to do so by government authorities or law enforcement. Currently, I'm not blocking any websites. One more thing I'm currently doing with Squid is creating log files (i.e. which web sites have been opened by the users)
    The system is an anonymous WiFi hotspot with approx. 300 users per day.
    For some reason, the memory consumption is slowly increasing. At first only the memory itself, but later also the swap space until all the free memory is occupied and the pfSense is crashing.

    I saw bbassotti's post and the configure differences in the squid versions… I'm using squid V 3.5.24 which has exactly the same configure options as V3.5.23 and it shows the same behavior... Could this be the root cause?
    What else could be the reason for this strange behavior?
    Is there anyone working on this issue? If there's a way I can contribute or help finding and fixing this issue, please just let me know.

    Best,
    TomS



  • @TomS:

    I'm also seeing this memory exhaustion problem on my box. I do not use any disk cache and only want to be prepared to be able to block web sites just in case I'm told to do so by government authorities or law enforcement. Currently, I'm not blocking any websites. One more thing I'm currently doing with Squid is creating log files (i.e. which web sites have been opened by the users)
    The system is an anonymous WiFi hotspot with approx. 300 users per day.
    For some reason, the memory consumption is slowly increasing. At first only the memory itself, but later also the swap space until all the free memory is occupied and the pfSense is crashing.

    I saw bbassotti's post and the configure differences in the squid versions… I'm using squid V 3.5.24 which has exactly the same configure options as V3.5.23 and it shows the same behavior... Could this be the root cause?
    What else could be the reason for this strange behavior?
    Is there anyone working on this issue? If there's a way I can contribute or help finding and fixing this issue, please just let me know.

    Best,
    TomS

    This was posted as a bug for pfSense v2.3.x I read someone posted that this issue doesn't exist in pfSense v2.4 beta. We hope they will release an update soon to fix this problem.



  • @remzej:

    @TomS:

    I'm also seeing this memory exhaustion problem on my box. I do not use any disk cache and only want to be prepared to be able to block web sites just in case I'm told to do so by government authorities or law enforcement. Currently, I'm not blocking any websites. One more thing I'm currently doing with Squid is creating log files (i.e. which web sites have been opened by the users)
    The system is an anonymous WiFi hotspot with approx. 300 users per day.
    For some reason, the memory consumption is slowly increasing. At first only the memory itself, but later also the swap space until all the free memory is occupied and the pfSense is crashing.

    I saw bbassotti's post and the configure differences in the squid versions… I'm using squid V 3.5.24 which has exactly the same configure options as V3.5.23 and it shows the same behavior... Could this be the root cause?
    What else could be the reason for this strange behavior?
    Is there anyone working on this issue? If there's a way I can contribute or help finding and fixing this issue, please just let me know.

    Best,
    TomS

    This was posted as a bug for pfSense v2.3.x I read someone posted that this issue doesn't exist in pfSense v2.4 beta. We hope they will release an update soon to fix this problem.

    Hopefully they will soon solve the problem, if anyone knows anything please let me know



  • I want to share my simple PHP code to monitor the memory and SWAP usage every 5 minutes using cron.

    This PHP code will automatically stop and restart squid services when memory and SWAP usage goes beyond 90% and 75% respectively without deleting the existing hard disk cache and swap.state file. The swapstate_check.php script will handle it if swap.state file goes beyond 1GB size.

    Attached here is the monitor_memory_usage.txt file you can download and save to your preferred location on your pfSense box. Don't forget to change the file extention from .txt to .php.

    In my case I saved it in /usr/local/pkg/ directory. Don't forget to set the file permission to rwxr-xr-r.

    Next thing to do, is to add a cron job that will look like this: (Be sure to install cron package to be able to do this)

    */5 * * * * root /usr/local/pkg/monitor_memory_usage.php

    then save it. That's it! I hope this simple hard work and research will help some of you that has high memory usage problem.

    Thanks!
    remzej

    monitor_memory_usage.txt



  • Thanks for the contribution. :)



  • @marcelloc:

    Thanks for the contribution. :)

    this change was in last update for squid?



  • @😄:

    this change was in last update for squid?

    Not sure, it was updated recently. Did you updated the package?



  • Update squid to 1.16.2

    And make changes

    • SystemAdvancedFirewall & NAT
      Firewall Optimization Options Agrresive

    • IP Do-Not-Fragment compatibility
      Clear invalid DF bits instead of dropping the packets

    *Disable Firewall Scrub
    Disables the PF scrubbing option which can sometimes interfere with NFS traffic.

    • SystemAdvancedNetworking

    Hardware Checksum Offloading *Disable
    Hardware TCP Segmentation Offloading *Disable
    Hardware Large Receive Offloading *Disable

    this for NIC realteck

    :)



  • Latest squid package v0.4.37 already fixed this bug.



  • Hello!

    Version PFSense:

    2.3.4-RELEASE (i386)
    built on Wed May 03 15:22:11 CDT 2017
    FreeBSD 10.3-RELEASE-p19

    Latest squid package v0.4.37 with SquidGuard 1.16.2 in transparent mode with SSL interception (strip all).

    Gradually increasing memory consumption, the overflow resets.

    @😄:

    Update squid to 1.16.2

    And make changes

    • SystemAdvancedFirewall & NAT
      Firewall Optimization Options Agrresive

    • IP Do-Not-Fragment compatibility
      Clear invalid DF bits instead of dropping the packets

    *Disable Firewall Scrub
    Disables the PF scrubbing option which can sometimes interfere with NFS traffic.

    • SystemAdvancedNetworking

    Hardware Checksum Offloading *Disable
    Hardware TCP Segmentation Offloading *Disable
    Hardware Large Receive Offloading *Disable

    this for NIC realteck

    :)

    These settings did not help.

    Will the transition to x64?



  • Hello gravitator

    With the update of Squid is enough for the solution of the problem, greetings!



  • @emax4:

    Hello gravitator

    With the update of Squid is enough for the solution of the problem, greetings!

    Hello…

    Unfortunately, you have the latest version of package squid - 0.4.37. The problem is not resolved.
    Pfsense is also updated to the version from 20.07.2017.



  • @Gravitator:

    @emax4:

    Hello gravitator

    With the update of Squid is enough for the solution of the problem, greetings!

    Hello…

    Unfortunately, you have the latest version of package squid - 0.4.37. The problem is not resolved.
    Pfsense is also updated to the version from 20.07.2017.

    Hello

    I have version 0.4.37 of squid and 2.3.4 of Pfsense, I no longer have the problem.

    With the update resolved



  • @Impatient:

    I have had the issue since pfSense version 2.3 and the only way to help alleviate the issue was to set the Maximum Object size in Ram back to 256 kb.

    Thank you, this helped me a lot. I was fiddling with squid settings, but it always ate all the RAM eventually. Setting 'Maximum Object Size in RAM' to default stopped it.

    pfSense 2.3.4_p1 (amd64)
    squid 0.4.37



  • Hello!
    Рroblem solved!

    This problem is observed only on i386. On amd-64 squid is working fine. Memory consumption was normal.

    PFSense 2.3.4-1 (x64).
    Squid packages 0.4.37.