When I modify the IPsec config, I can't access via webConfigurator and the OpenVPN connections hang.



  • When I modify the IPsec config or do something related to IPsec, some minutes later I can't connect to the pfSense webConfigurator and the OpenVPN connections hang.

    I can access pfSense via the SSH console.

    If I connect to pfSense via the SSH console and restart PHP-FPM (Menu Option 16), that solves the issue and I can access pfSense via webConfigurator and reconnect the OpenVPN connection.

    Well, I found this BUG:

    https://redmine.pfsense.org/issues/6406

    The solution appears to be to edit the /usr/local/etc/php-fpm.conf file and increase the "max_children=5" value.

    What would be the right value for the "max_children" parameter?

    I have pfSense 2.3 with 4Gb RAM; it is in the migration process but it's still in production.

    Regards,

    Ramsés


  • Netgate Administrator

    If you are hitting that it's because something is using all available processes. Increasing them can hide it but does not solve the problem. Check what is using the processes, try running: ps -auxwwd

    You can enter that in the GUI in Sys > Adv > Admin Access in the 'Max Processes' field. Start by increasing it to 4.

    Steve
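
A way to check whether the PHP-FPM pool discussed in this thread is sitting at its child limit, as an added example that is not part of any post here. It assumes the limit is written as php-fpm's `pm.max_children` directive and that workers carry the `php-fpm: pool <name>` process title; the configuration and `ps` samples are constructed.

```shell
#!/bin/sh
# Added example; the configuration and ps samples below are constructed.

# Read php-fpm configuration text on stdin and print pm.max_children.
fpm_max_children() {
    awk -F= '/^[ \t]*pm\.max_children[ \t]*=/ { v = $2 + 0; found = 1 }
             END { if (!found) exit 1; print v }'
}

# Read `ps -auxwwd` output on stdin and count pool workers. The [ ] in the
# pattern keeps this awk process from matching its own command line.
fpm_worker_count() {
    awk '/php-fpm: pool[ ]/ { n++ } END { print n + 0 }'
}

# $1 = worker count, $2 = configured maximum.
fpm_pool_status() {
    if [ "$1" -ge "$2" ]; then
        echo "AT_LIMIT $1/$2"
    else
        echo "OK $1/$2"
    fi
}

SAMPLE_CONF='[global]
pid = run/php-fpm.pid
[examplepool]
pm = dynamic
pm.max_children = 5
pm.start_servers = 1'

SAMPLE_PS='USER PID %CPU %MEM VSZ RSS TT STAT STARTED TIME COMMAND
root 310 0.0 0.5 220000 21000 - Ss 10:00 0:01.20 - php-fpm: master process (/usr/local/etc/php-fpm.conf) (php-fpm)
root 311 0.0 0.9 224000 38000 - S 10:00 0:04.10 |-- php-fpm: pool examplepool (php-fpm)
root 312 0.0 0.9 224000 38000 - S 10:00 0:03.90 |-- php-fpm: pool examplepool (php-fpm)
root 313 0.0 0.9 224000 38000 - S 10:01 0:03.70 |-- php-fpm: pool examplepool (php-fpm)
root 314 0.0 0.9 224000 38000 - S 10:01 0:03.50 |-- php-fpm: pool examplepool (php-fpm)
root 315 0.0 0.9 224000 38000 - S 10:02 0:03.30 |-- php-fpm: pool examplepool (php-fpm)
root 400 0.0 0.2 46000 7000 - Is 10:00 0:00.01 - nginx: master process /usr/local/sbin/nginx'

max=$(printf '%s\n' "$SAMPLE_CONF" | fpm_max_children)
workers=$(printf '%s\n' "$SAMPLE_PS" | fpm_worker_count)
fpm_pool_status "$workers" "$max"
```

On the firewall, feed the functions live data with `ps -auxwwd | fpm_worker_count` and `fpm_max_children < /usr/local/etc/php-fpm.conf`. A pool at its limit shows that every worker is taken, not which page or request is holding them.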



  • Hi @stephenw10, thanks so much for your answer.

    You tell me to go to "System > Advanced > Admin Access" and increase the "Max Processes" field to "4", but in the BUG the solution that they give is to edit the "/usr/local/etc/php-fpm.conf" file and increase "max_children" to 10 or 15.

    Is that the same? Do I need to do the two things or only one?

    What would be the solution?

    Regards,

    Ramsés


  • Netgate Administrator

    Either may help work around the problem, try it.

    However having to do that is usually a sign of some other issue.

    Steve



  • Hi @stephenw10,

    I habitually have about 6 Chrome tabs open, connected to pfSense, to monitor and make changes, and I have no problems, even with "System > Advanced > Admin Access > Max Processes=2".

    If I increase "System > Advanced > Admin Access > Max Processes", will it help me with anything?

    If I change the value of "System > Advanced > Admin Access > Max Processes" to 4, as you say, can I apply the changes in production without problems or connection drops?

    I only have problems when I do something with IPsec (show / change config, monitoring, etc.).

    If I change and increase "/etc/php-fpm.conf > max_children", for example, to 10, what do I need to do to apply the changes? Execute the "16) Restart PHP-FPM" option of the Console Menu?

    If so, can I execute the "16) Restart PHP-FPM" option of the Console Menu without problems or connection drops?

    Regards,

    Ramsés


  • Netgate Administrator

    Yes I would restart php if you edit that file and yes you can restart php without excessive disruption.

    Steve



  • Hi @stephenw10

    Well, I have done the two things:

    I have changed the value of "System > Advanced > Admin Access > Max Processes" to 4.

    I have increased "/etc/php-fpm.conf > max_children" to 10 and I have executed the "16) Restart PHP-FPM" option of the Console Menu to apply the changes.

    But nothing has improved: when I leave the webConfigurator on "VPN > IPsec" for a few minutes without working on it, PHP-FPM hangs, I lose access to the webConfigurator and all OpenVPN connections are lost. I need to execute the "16) Restart PHP-FPM" option of the Console Menu again.

    Any idea?

    Regards,

    Ramsés


  • Netgate Administrator

    Do you mean Status > IPSec?

    I just saw you are running pfSense 2.3. Is that actually 2.3-release? There are numerous bugs in that, you should upgrade to current when you can. This issue is fixed in 2.4.X.

    Steve



  • @stephenw10 I'm not sure now whether it is "VPN > IPsec" or "Status > IPSec" or both.

    Yes, I am running pfSense 2.3.

    I know that I must update to the latest version but I can't yet, and even less at the present moment.

    Regards,

    Ramsés


  • Netgate Administrator

    If it's the status page (or the status widget on the dashboard) there have been a number of bugs affecting that. All fixed in current.

    Do not sit on the status page for any longer than is necessary. Remove the widget if you have it.

    If you're really running 2.3-rel though you are probably hitting this: https://redmine.pfsense.org/issues/6296
    The only workaround for that at the time was to disable all but one CPU core.

    Steve



  • Hi @stephenw10,

    That is what I do: I change the IPsec config or look at the IPsec status and then quickly go to another page.

    I don't have a problem with the CPU because I don't have much UDP traffic. I only have some DNS requests through the IPsec VPN.

    How could I see if SMP is active and in use?

    With "uname":

    /root: uname -a
    FreeBSD pfsense1.domain.info 10.3-RELEASE FreeBSD 10.3-RELEASE #6 05adf0a(RELENG_2_3_0): Mon Apr 11 18:52:07 CDT 2016     root@ce23-amd64-builder:/builder/pfsense-230/tmp/obj/builder/pfsense-230/tmp/FreeBSD-src/sys/pfSense  amd64

    Regards,

    Ramsés


  • Netgate Administrator

    If it's not even in production why are you not simply upgrading which would almost certainly remove these problems?

    Steve



  • Hi @stephenw10,

    Yes, yes, it's in production.

    It's supporting about 400 users (LAN / OpenVPN / IPsec); because of this, I can't upgrade it now, because many of us are teleworking now.

    Regards,

    Ramsés


  • Netgate Administrator

    You will continue to have problems as long as you're on 2.3. That was only current for about 1 month waaay back in April 2016: https://docs.netgate.com/pfsense/en/latest/releases/versions-of-pfsense-and-freebsd.html#id7

    You could try creating the file /boot/loader.conf.local (if it doesn't already exist) and adding to it the line:
    kern.smp.disabled=1

    Then rebooting. Otherwise you might have to disable all but one CPU core manually which we did as a workaround at the time for a few systems. It was fixed for 2.3.1.

    Steve

