Suricata hangs in inline mode with "netmap_mem_global_config reconfiguring" msg
-
As soon as I switched any of the network cards in Suricata into Inline mode (Alert and Block Settings),
all Internet connections are cut off immediately. A manual reboot of pfSense doesn't help, and after pfSense finishes booting there is a white message on the screen:
"pfsense 082.315525 [1233] netmap_mem_global_config reconfiguring".
For my situation the nearest reference is found here: https://forum.pfsense.org/index.php?topic=110534.0
Network cards: Intel(R) 82574L Gigabit Network
Screenshot of (Suricata's?) message type here:
http://dropmefiles.com/oYw5c
or
http://ks.mf-image.ru/d/eyJ0IjoiMjAxNy0wNS0yN1QxMDoyMToyMy4wNDI0OTQ2WiIsInRtIjoxNSwiYmQiOjEsImZkIjo0NDEyNjI1LCJyZiI6bnVsbCwic2wiOjAsImZuIjpudWxsLCJyIjoiaHR0cDovL215LWZpbGVzLnJ1L2w3b2ZycCIsImwiOm51bGx9.6A3F8AE135B9ADF8BEA90B9CCF225863./IMG_20170526_190338_.jpg
Screenshot of mainboard type here:
http://dropmefiles.com/oYw5c - second picture
or
http://4c.mf-image.ru/d/eyJ0IjoiMjAxNy0wNS0yN1QxMDoyMzoxNS4zNzU5MzUzWiIsInRtIjoxNSwiYmQiOjEsImZkIjo0NDEyNjI4LCJyZiI6bnVsbCwic2wiOjAsImZuIjpudWxsLCJyIjoiaHR0cDovL215LWZpbGVzLnJ1L3o4dXU3ZyIsImwiOm51bGx9.0F0451CD8844BFA27D25987C8AEF20F2./Mainboard.png
NIC #1:
http://dropmefiles.com/oYw5c - picture #3
or
http://7y.mf-image.ru/d/eyJ0IjoiMjAxNy0wNS0yN1QxMDozMjozMS4xOTA5MjY5WiIsInRtIjoxNSwiYmQiOjEsImZkIjo0NDEyNjM4LCJyZiI6bnVsbCwic2wiOjAsImZuIjpudWxsLCJyIjoiaHR0cDovL215LWZpbGVzLnJ1L3Q0Y2UxcSIsImwiOm51bGx9.63DCAFC4E7EDCD91DDF5B46D417C18E5./NIC-1.png
NIC #2:
http://dropmefiles.com/oYw5c - picture #4
or
http://xg.mf-image.ru/d/eyJ0IjoiMjAxNy0wNS0yN1QxMDozNzoyMy4zNzk5NDI2WiIsInRtIjoxNSwiYmQiOjEsImZkIjo0NDEyNjQ1LCJyZiI6bnVsbCwic2wiOjAsImZuIjpudWxsLCJyIjoiaHR0cDovL215LWZpbGVzLnJ1L3E0c3V4YSIsImwiOm51bGx9.AE7358079919236B81FA5A0F1FA48FE3./NIC-2.png
NICs both:
http://dropmefiles.com/oYw5c - picture #5
or
http://ko.mf-image.ru/d/eyJ0IjoiMjAxNy0wNS0yN1QxMDozODozMC4wMTE1NzkyWiIsInRtIjoxNSwiYmQiOjEsImZkIjo0NDEyNjQ3LCJyZiI6bnVsbCwic2wiOjAsImZuIjpudWxsLCJyIjoiaHR0cDovL215LWZpbGVzLnJ1LzV1dHk2ayIsImwiOm51bGx9.0A805D2770EADBA2C889082B77F52AC7./NICs-Both.png
SouthBridge with NICs controller:
http://dropmefiles.com/oYw5c - picture #6
or
http://j3.mf-image.ru/d/eyJ0IjoiMjAxNy0wNS0yN1QxMDozOTowNy4xNTk5NTc4WiIsInRtIjoxNSwiYmQiOjEsImZkIjo0NDEyNjQ5LCJyZiI6bnVsbCwic2wiOjAsImZuIjpudWxsLCJyIjoiaHR0cDovL215LWZpbGVzLnJ1L2gxYmM3bSIsImwiOm51bGx9.F6281DA9EFC7222CD3DCABADC9A35DB2./SouthBridge.png
-
https://forum.pfsense.org/index.php?topic=125456.0
-
There are issues with Inline mode and many NICs. The links provided to another thread here on the forum provide the evidence. The problems with Inline IPS mode are related to compatibility issues between various NIC drivers and the Netmap module. This is complicated even further on pfSense because some things done to help with limiters seem to have a negative impact on Netmap. In short, if you have problems with Inline mode it is almost certainly due to something with your specific NIC driver and Netmap.
There is a known issue with traffic shaping on pfSense and Netmap (that's the limiter thing mentioned above). Those two absolutely don't play well together at this point. Things will eventually improve as Netmap bugs are ironed out. Until then, you may have to be content with Legacy Mode blocking. Usually em drivers are OK, so do you by chance have a traffic shaper enabled? If so, try disabling it and see if Inline mode works then.
Bill