Suricata inline mode with VPN IF produces WAN down symptom [Resolved]

  • Using 2.3.4-RELEASE-p1 (amd64) on bare metal
    Suricata version 3.2.1_2
    Intel PRO/1000 PT Quad Port Server Adapter (82571)  which is present here
    Intel(R) Core(TM) i5-6400 CPU @ 2.70GHz
    Current: 2700 MHz, Max: 2701 MHz
    4 CPUs: 1 package(s) x 4 core(s)
    Hardware crypto AES-CBC,AES-XTS,AES-GCM,AES-ICM
    Memory: 64050 MiB

    So I've been troubleshooting this problem casually for long while but I'd like to see it resolved at this point as the metal this appliance runs on was spec'd with inline mode in mind.

    That said, when starting suricata with an interface configured with inline mode while a VPN interface exists the wan IP will change to and multiple services will stop, no traffic passes, the web portal is extremely slow to respond (30 seconds or so). CPU usage while this is happening is nominal (low), RAM usage is nominal (low), disk usage, /tmp, /var all nominal (low).

    For the log file below, suricata was configured on (but disabled by configuration on) several interfaces including a VPN interface. Only the WAN interface had suricata enabled with inline mode enabled for the problem to manifest. I'm using default or conservative suricata interface settings for troubleshooting. (detection engine settings section: 1024, low, auto, auto, 3000, default, default)

    The issue does not occur in legacy mode

    Jul 24 22:04:10 kernel: arpresolve: can't allocate llinfo for <wanip>on em0
    Jul 24 22:04:10 check_reload_status: Reloading filter
    Jul 24 22:04:10 kernel: em0: link state changed to UP
    Jul 24 22:04:10 check_reload_status: Linkup starting em0
    Jul 24 22:04:09 php-fpm[43105]: /rc.linkup: DEVD Ethernet detached event for wan
    Jul 24 22:04:08 check_reload_status: Linkup starting em0
    Jul 24 22:04:08 kernel: em0: link state changed to DOWN
    Jul 24 22:04:08 kernel: em0: permanently promiscuous mode enabled
    Jul 24 22:04:08 kernel: 048.421904 [1233] netmap_mem_global_config reconfiguring
    Jul 24 22:04:06 dhcpleases: kqueue error: unkown
    Jul 24 22:04:06 dhcpleases: Could not deliver signal HUP to process because its pidfile (/var/run/ does not exist, No such process.
    Jul 24 22:04:06 dhcpleases: /var/etc/hosts changed size from original!
    Jul 24 22:04:04 syslogd: kernel boot file is /boot/kernel/kernel

    I'm a troubleshooter monkey by trade so you'll need to be patient/verbose with me while assisting me with this issue, if I may ask.

    Please let me know what additional information I can provide you with to assist in resolving this issue. I would be grateful!

    Thanks very much for your time!!


  • So, I know that Netmap is used with inline mode and it is problematic.

    I have noticed that Inline mode appears to work fine with the VPN interface removed. Is this a problem with the NIC (drivers) that can be alleviated with a different NIC? Or is it the case that inline mode (netmap) with a VPN interface simply doesn't play nice with each other. Any plan to move away from netmap in the works or some other update which should allow inline mode to work with a vpn interface? (Freebsd driver compatibility update, Suricata version update, pfsense version update)

    If there's a NIC whose drivers play nice with netmap, I'll just buy the NIC but some input from the more knowledgeable folks here would be appreciated prior to throwing more money at this problem.

    Thanks in advance for your time!

  • Just an update for anyone who is interested… my hardware has not changed and this issue is now resolved for me on pfSense 2.4.2 / suricata 4.0.1 - I believe it was resolved with 2.4.1 but was now able to confirm

Log in to reply