Pfsense crash after package update ...
-
My virtualized pfsense is no longer stable after updating packages.
I see this in the console :vmx0 TX0: fail 'head > kring->rtail && head < kring->rhead' h 378 c 378 t 350 rh 379 rc 379 rt 350 hc 379 ht 350
617.404235 [1766] netmap_ring_reinit called for vmx0 TX0Crash report begins. Anonymous machine information:
amd64
11.3-STABLE
FreeBSD 11.3-STABLE #243 abf8cba50ce(RELENG_2_4_5): Tue Jun 2 17:53:37 EDT 2020 root@buildbot1-nyi.netgate.com:/build/ce-crossbuild-245/obj/amd64/YNx4Qq3j/build/ce-crossbuild-245/sources/FreeBSD-src/sys/pfSenseCrash report details:
No PHP errors found.
Filename: /var/crash/info.0 textdump.tar.0
Dump header from device: /dev/gptid/3612226b-10fe-11e8-9ca2-000c29b82252
Architecture: amd64
Architecture Version: 1
Dump Length: 96256
Blocksize: 512
Dumptime: Tue Aug 25 02:01:25 2020
Hostname: XXXX
Magic: FreeBSD Text Dump
Version String: FreeBSD 11.3-STABLE #243 abf8cba50ce(RELENG_2_4_5): Tue Jun 2 17:53:37 EDT 2020
root@buildbot1-nyi.netgate.com:/build/ce-crossbuild-245/obj/amd64/YNx4Qq3j/build/ce-crossbuild-245/source
Panic String: general protection fault
Dump Parity: 4031454225
Bounds: 0
Dump Status: goodFilename: /var/crash/info.1.0 textdump.tar.1.0
Dump header from device: /dev/gptid/3612226b-10fe-11e8-9ca2-000c29b82252
Architecture: amd64
Architecture Version: 1
Dump Length: 123904
Blocksize: 512
Dumptime: Tue Aug 25 03:34:54 2020
Hostname: XXX
Magic: FreeBSD Text Dump
Version String: FreeBSD 11.3-STABLE #243 abf8cba50ce(RELENG_2_4_5): Tue Jun 2 17:53:37 EDT 2020
root@buildbot1-nyi.netgate.com:/build/ce-crossbuild-245/obj/amd64/YNx4Qq3j/build/ce-crossbuild-245/source
Panic String: general protection fault
Dump Parity: 2615745553
Bounds: 1
Dump Status: goodAny thoughts before trying restoring snapshot ?
[1_1598367588690_info.0](Uploading 100%) [0_1598367588688_info.1](Uploading 100%)
-
i use suricata and inline mode blocking since june ... so far so good so why now it is crashing ? i think crash come from it. inline mode is not compatible with esxi and vmx driver ?
the line i see in log seems to be suricata related when i stop service ... no line anymore ...
I used snort until now ... but you remove barnyard fonctionnality ... so i switch to suricata AND HAVE STOP UPDATING IT (i have the last version with barnyard) ...
it's very not easy to switch to other log monitoring solution (barnyard and snorby is sooo easy to deploy with docker and need very few ressources ....
a docker with at least elasticsearch nodes / and some sort of grafana need soooo much ram ... and seem less easy to understand and deploy ...
So for now i have switch to suricate LEGACY block mode and see if crash stops ...
LONG LIVE BARNYARD !!!!! (and if you have easy solution to replace TELL ME HOW !!! ;)))
have nice days people !
-
Barnyard2 is dead, so you really need to start looking for an alternative. It will no longer be in any of the IDS/IPS packages available for pfSense. In fact, Suricata upstream has totally removed Unified2 file support needed by Barnyard effective with version 6 which will be out in about a month or so.
If you are trying to use the old version of the Suricata package with the latest pfSense update (2.4.5_p1), then you are going to have some issues. Switching to Legacy Mode Blocking will help with the netmap device incompatibility, but you may run into other stability problems due to the older shared libraries pulled in with the older Suricata package.
The older Suricata binary also contained a netmap code bug that was fixed by Suricata upstream. By using the older Suricata binary in the older pfSense package, you very well may be encountering that Netmap bug and subsequent crash.
-
Thanks for your answer bmeeks ;) Switching to legacy mode seem to have fixed the crashes .
Please tell me what are the alternative to have "the same thing" , to point me to the right direction ...
the only way i see is to use packet traffik / graphdb or elasticsearch and a third content displayer like grafana ??? IT'S SUPER HEAVY TO DEPLOY and need third grade in IT management !!
and worst , it need a lot of RAM (maybe ... 3 Go ???) ... a docker with snorby and a database it's 300 Mo RAM (for home use) ....
rhhaaaa ... sun is shining, it's summer ! ... don't wan't to pass 15 hours to deploy that ... please tell me there is another easy solution to do the same thing ;)
have nice days !
-
@maba said in Pfsense crash after package update ...:
Thanks for your answer bmeeks ;) Switching to legacy mode seem to have fixed the crashes .
Please tell me what are the alternative to have "the same thing" , to point me to the right direction ...
the only way i see is to use packet traffik / graphdb or elasticsearch and a third content displayer like grafana ??? IT'S SUPER HEAVY TO DEPLOY and need third grade in IT management !!
and worst , it need a lot of RAM (maybe ... 3 Go ???) ... a docker with snorby and a database it's 300 Mo RAM (for home use) ....
rhhaaaa ... sun is shining, it's summer ! ... don't wan't to pass 15 hours to deploy that ... please tell me there is another easy solution to do the same thing ;)
have nice days !
Is Snorby still being actively maintained? I took a quick look at the Github site and all the changes seemed to be several years old. I once ran Snorby as well, but Barnyard2 and MySQL frequently misbehaved and pegged my firewall at 100% CPU. I also nearly always had issues trying to update Snorby through the very frustrating Ruby on Rails architecture. Not now, and never have been, a fan of Ruby ...
.The most common tools I've seen and heard about from users are Grafana and ELK (in various forms). The two most popular methods for exporting logs from pfSense to the database and monitoring platform are logstash and filebeats.
pfSense user @kiokoman posted details about his Grafana setup in this thread.
-
snorby is old and abandonned ... it's nearly impossible to install on last debian with the ruby crap (dependency problems) ...
But docker save the day ! it can install old crapy library on last version of server ;)) with docker, snorby is easy to install AND you can remove old ruby crap in one click if not needed anymore ;)
Ok i will go with the ELK thing ... i will learn something at least ...
thanks for your link ;) i will look ;) have nice days ;))
