21.02 Sudden lockup
-
@kphillips said in 21.02 Sudden lockup:
@mcury If you aren't have any issues, no need to downgrade yet. Just make sure you have your USB console cable handy if you do run into an issue, but if you avoid reloading your firewall filter for now under heavy load, you should be fine. We should have a fixed update soon.
Great, thanks, I'll just wait then, it's working fine here.
-
@kphillips I open the ticket.
-
@ffuentes PM me the ticket number, if you didn't get a reply already. I'll make sure to buzz you the firmware.
-
I am having issues with snort on upgrade. have had to uninstall it completely.
dhcp issues to my access point - happens randomly where internet connection is steady but pfsense seems to kick off my access point which then thinks it is no longer in access point mode and reverts to routing starting to handout IPs... and loss of internet connectivity.
repeat issues with ntopng - had to reinstall - this seems to be stable-ish for the moment.
Now noticed that System/Package Manager/Available Packages is not showing any packages for me to install... especially Snort.
-
@alpharulez Forgot to add - no pfblockerng on my device... and it is a home setup so not a lot of traffic...
-
@alpharulez The issue is a general issue with pf reload. This means that snort will also contribute to a reload and cause the lock-up.
-
@ffuentes thanks. it is uninstalled for the moment and running as a standard firewall... hope the fixe comes out quick so it can go back to a proper IPS...
-
@kphillips Is there likely to be a patch in the "near future"?
I have too many users to bring the network down while I load the firmware, reload the configuration, check the configuration to assure that it's reasonably correct, then go through the whole process again because I screwed it up, etc. Worse, they (and I) are working through the weekend to finish a critical deliverable.
-
@rloeb welcome to my club except that I made the mistake... HAHAHA!
My boss is getting impatient as I keep dropping, is a bit stable now so I am hoping I get through today at least.
-
@kphillips I got the firmware. I also didnt notice this but looks like I did receive an email from support stating the situation and advising me to roll back,
so kudos to support!
Thanks again!
-
@alpharulez Because the repos for 21.02 were pulled to keep people from upgrading any more until we release a fix, packages are also affected. You'll need to revert to 2.4.5p1 to be able to install packages again (make sure you set the "Previous Stable Release" in your Update settings before trying).
-
@rloeb If you are absolutely stuck and need to remain on 21.02, you can do the following:
Go to Diagnostics --> Command Prompt and run "echo hw.ncpu=1 >> /boot/loader.conf.local" without quotes.
Reboot.
This will halve your firewall's performance because it artificially limits your CPU to one core, but it also gets rid of the crashing.
However, if you can revert to 2.4.5p1 DO THAT. And if you do the above, don't forget to remove it later unless you like having your firewall be artificially limited in performance for the rest of it's life.
-
Thank you!
-
@kphillips FYI. Went to 1 CPU. Snort does not start. Snort does not appear in Services menu. Re-installing snort fails; Window just sits there. Would like to have that protection, but not sure what to do next.
-
@kphillips said in 21.02 Sudden lockup:
Command Prompt and run "echo hw.ncpu=1 >> /boot/loader.conf" without quotes.
I think what @jimp stated was:
Create /boot/loader.conf.local if it doesn't exist, as loader.conf can be overwritten by pfSense.echo hw.ncpu=1 >> /boot/loader.conf.local
I agree with this as it won't be overwritten and easily reverted once a patch is released by simply issuing:
rm /boot/loader.conf.local
-
@lnguyen Nice catch. The command did not create the file. My Linux is pretty feeble these days, so I'm unclear what to do next. I'll see if I can pull one of my techies off what they're doing and he can chase this. I'll go back to running the company, which is all I'm competent to do.
-
@lnguyen You are correct. I've updated my original post.
-
@rloeb Snort is broken on the SG-3100 and pfSense Plus 21.02. This is due to a bug in the package, not pfSense Plus. Snort has some badly coded components that Intel CPUs usually just "auto fix", but on ARM that mechanism doesn't exist. As such, something appears to have broken during the move to 21.02. We have a bug report for that, but if you need snort you'll want to be on 2.4.5p1 until that is sorted. Otherwise, Suricata works fine on the SG-3100 AFAIK right now on 21.02.
-
@kphillips Thank you. Good to know. Going to try to tough it out. Alternative is to switch to a gateway router with no filtering, just to keep folks productive.
-
@kphillips did they block all packages from 2.4.5-p1? i rolled back and restored from 21.02 now i cannot re-install all the packages for 2.4.5-p1 what is going on?