21.02 Sudden lockup
-
@kphillips Is there likely to be a patch in the "near future"?
I have too many users to bring the network down while I load the firmware, reload the configuration, check the configuration to assure that it's reasonably correct, then go through the whole process again because I screwed it up, etc. Worse, they (and I) are working through the weekend to finish a critical deliverable.
-
@rloeb welcome to my club except that I made the mistake... HAHAHA!
My boss is getting impatient as I keep dropping, is a bit stable now so I am hoping I get through today at least.
-
@kphillips I got the firmware. I also didnt notice this but looks like I did receive an email from support stating the situation and advising me to roll back,
so kudos to support!
Thanks again!
-
@alpharulez Because the repos for 21.02 were pulled to keep people from upgrading any more until we release a fix, packages are also affected. You'll need to revert to 2.4.5p1 to be able to install packages again (make sure you set the "Previous Stable Release" in your Update settings before trying).
-
@rloeb If you are absolutely stuck and need to remain on 21.02, you can do the following:
Go to Diagnostics --> Command Prompt and run "echo hw.ncpu=1 >> /boot/loader.conf.local" without quotes.
Reboot.
This will halve your firewall's performance because it artificially limits your CPU to one core, but it also gets rid of the crashing.
However, if you can revert to 2.4.5p1 DO THAT. And if you do the above, don't forget to remove it later unless you like having your firewall be artificially limited in performance for the rest of it's life.
-
Thank you!
-
@kphillips FYI. Went to 1 CPU. Snort does not start. Snort does not appear in Services menu. Re-installing snort fails; Window just sits there. Would like to have that protection, but not sure what to do next.
-
@kphillips said in 21.02 Sudden lockup:
Command Prompt and run "echo hw.ncpu=1 >> /boot/loader.conf" without quotes.
I think what @jimp stated was:
Create /boot/loader.conf.local if it doesn't exist, as loader.conf can be overwritten by pfSense.echo hw.ncpu=1 >> /boot/loader.conf.local
I agree with this as it won't be overwritten and easily reverted once a patch is released by simply issuing:
rm /boot/loader.conf.local
-
@lnguyen Nice catch. The command did not create the file. My Linux is pretty feeble these days, so I'm unclear what to do next. I'll see if I can pull one of my techies off what they're doing and he can chase this. I'll go back to running the company, which is all I'm competent to do.
-
@lnguyen You are correct. I've updated my original post.
-
@rloeb Snort is broken on the SG-3100 and pfSense Plus 21.02. This is due to a bug in the package, not pfSense Plus. Snort has some badly coded components that Intel CPUs usually just "auto fix", but on ARM that mechanism doesn't exist. As such, something appears to have broken during the move to 21.02. We have a bug report for that, but if you need snort you'll want to be on 2.4.5p1 until that is sorted. Otherwise, Suricata works fine on the SG-3100 AFAIK right now on 21.02.
-
@kphillips Thank you. Good to know. Going to try to tough it out. Alternative is to switch to a gateway router with no filtering, just to keep folks productive.
-
@kphillips did they block all packages from 2.4.5-p1? i rolled back and restored from 21.02 now i cannot re-install all the packages for 2.4.5-p1 what is going on?
-
@styxl Did you set System/Update/Update Settings to "previous stable version (2.4.5)"? I can see packages on a 3100 that wasn't upgraded.
You might try https://docs.netgate.com/pfsense/en/latest/troubleshooting/pkg-broken-database.html. -
@styxl Make sure you select "Previous Stable Version (2.4.x)" under System --> Update. The repos for 21.02 are now offline to keep people from upgrading to it for the SG-3100 right now.
-
@teamits i just did and it worked, thx
-
Does anyone know if Suricata on 21.02 is impacted the same as Snort? Thanks!
-
On the SG-3100 it would be, in blocking mode at least. Like Snort it has to reload the ruleset whenever a new IP is added to the block table.
Steve
-
@stephenw10 ok thanks for the response
Will hold fire. -
....unless you're seeing this: https://redmine.pfsense.org/issues/11466
That applies to Snort only.