pfSense Plus and SG-3100

stephenw10

A problem has been reported by some users of the Netgate SG-3100 appliance who have upgraded to pfSense Plus version 21.02. Our engineering team is working to correct the issue as quickly as possible. In the meantime, we have suspend the upgrade for the SG-3100 and SG-1000 (as precaution). We expect to provide a solution to the issue, which appears to be related to reloading the packet filter, as soon as testing is complete. We apologize for the inconvenience.

AKEGEC

@stephenw10 , I suggest users to downgrade.

mikesamo

@stephenw10 Hello, when do we expect to have the fix release? thanks!

stephenw10

As soon as possible. Hard to say anything more at this point.
It's a lot closer now that we have replicated it locally though.

Steve

mcury

@stephenw10 If you want me to test something, just tell me, I'm currently using the 21.02 in a SG-3100 and I would be glad to be able to help you folks..

stephenw10

Thanks for the offer. I'll reach out if we need more data points.
It's in the hands of our developers now though and they are able to replicate it on demand.

Steve

mikesamo

@mcury same for me!

sehiser

Is there an email alert we could get to know when this is fixed? (I'll poke around and see if I can find a way to sign up for an alert in the meantime).

We have 2 SG-3100's and 1 was upgraded.

va3mw

I have the same problem and I am not able to down grade as the package manager seems to be broken on the SG3100.

I need to get this stabilized for my customer. As a workaround, I am stating to build up a 'home edition' one just to get him stable.

Would I be correct in assuming that if I could roll back, I would not be having these random/every few hour/ halts?

Like others, I have been monitoring the Serial port, but very little information is available to move forward to resolving this.

pkg update -f

Updating pfSense-core repository catalogue...
pkg: https://files01.netgate.com/pkg/pfSense_plus-v21_02_armv7-core/meta.txz: Not Found
repository pfSense-core has no meta file, using default settings
pkg: https://files01.netgate.com/pkg/pfSense_plus-v21_02_armv7-core/packagesite.txz: Not Found
Unable to update repository pfSense-core
Updating pfSense repository catalogue...
pkg: https://files00.netgate.com/pkg/pfSense_plus-v21_02_armv7-pfSense_plus-v21_02/meta.txz: Not Found
repository pfSense has no meta file, using default settings
pkg: https://files00.netgate.com/pkg/pfSense_plus-v21_02_armv7-pfSense_plus-v21_02/packagesite.txz: Not Found
Unable to update repository pfSense
Error updating repositories!

So, this likely should be a new thread. But, I checked

cat /usr/local/share/pfSense/pkg/repos/pfSense-repo.conf
FreeBSD: { enabled: no }

pfSense-core: {
url: "pkg+https://firmware.netgate.com/pkg/pfSense_plus-v21_02_armv7-core",
mirror_type: "srv",
signature_type: "fingerprints",
fingerprints: "/usr/local/share/pfSense/keys/pkg",
enabled: yes
}

pfSense: {
url: "pkg+https://firmware.netgate.com/pkg/pfSense_plus-v21_02_armv7-pfSense_plus-v21_02",
mirror_type: "srv",
signature_type: "fingerprints",
fingerprints: "/usr/local/share/pfSense/keys/pkg",
enabled: yes
}

And

https://firmware.netgate.com/pkg/pfSense_plus-v21_02_armv7-pfSense_plus-v21_02

Does not exist at firmware.netgate.com

thanks in advance,

artooro

@va3mw you'll need to backup your config and re-install pfSense 2.4.5. See https://docs.netgate.com/pfsense/en/latest/solutions/sg-3100/reinstall-pfsense.html

Amarand

Ahh, I've been experiencing the "wonkiness" today, so I'm glad it's not just me.

If someone has already upgraded, and doesn't really want to downgrade, is there any other workaround, or is it basically just restarting the firewall to get it operational again?

stephenw10

You can disable one CPU core and it will avoid ever hitting the lock. Obviously performance will be reduced but that may not be an issue for a lot of use cases. Run:

echo hw.ncpu=1 >> /boot/loader.conf.local

Then reboot.

Remove or comment out that line later after this is fixed.

Steve

Amarand

@stephenw10 said in pfSense Plus and SG-3100:

echo hw.ncpu=1 >> /boot/loader.conf.local

Done and done. Thank you Steve!

Will updates on the update be placed in this thread (that I'm watching)?

stephenw10

Yes, this thread will be updated.

Mr_AJ

@amarand said in pfSense Plus and SG-3100:

@stephenw10 said in pfSense Plus and SG-3100:

echo hw.ncpu=1 >> /boot/loader.conf.local

Done and done. Thank you Steve!

Will updates on the update be placed in this thread (that I'm watching)?

Did this work for you? Im stuck rebooting randomly during the day also.

Amarand

@mr_aj

Just added this entry to the file a few minutes ago, so we'll see!

I only had a single failure requiring a reboot during the day today...so I was hoping to avoid experiencing that again.

Glad there's a quick and easy workaround.

OldManNiko

@mr_aj So far so good for me, 3 hrs in on a single cpu.

Mr_AJ

@oldmanniko said in pfSense Plus and SG-3100:

@mr_aj So far so good for me, 3 hrs in on a single cpu.

All is well with this quick fix. Thanks!

stephenw10

Good to hear.

We think we have found the root cause of this and will be testing fixes imminently.
Technical details here for those who may be interested:
https://reviews.freebsd.org/D28821

Steve

va3mw

@artooro Thanks. That is what I did.