pfSense Plus 21.02-p1 Now Available

dennis_s

pfSense Plus version 21.02-p1 is now available. This minor release addresses a bug that causes stability and performance issues on Netgate SG-3100 security gateway appliances.

We also have published a more in-depth blog that details what exactly was happening.

rsherwood_va

@dennis_s Thanks for posting the blog post. Interesting and helpful.

mcury

Hi,

I'm facing the same problem with this version..
Downloaded the image, so it's a clean install.

This happens with pfblockerNG, same configuration as before, just ran the wizard.
Can you please check and advise?

mcury

Opened a TAC ticket, attached my full xml config, and described the actions taken to trigger the problem.
TAC: 76936

kphillips

@mcury I'm assuming you're referring to the Segmentation fault error? If so you likely have an issue with the package. I see your ticket and we will reply to it whenever we're able to do so.

mcury

@kphillips said in pfSense Plus 21.02-p1 Now Available:

I'm assuming you're referring to the Segmentation fault error?

Hello kphillips, hope you are doing fine.
Yes it is, same error as we spoke previously.

Kindly check and advise if I can help you with more information, thanks.

stephenw10

Just to confirm you were seeing that in 21.02 also?

The p1 release addresses only https://redmine.pfsense.org/issues/11444.
If we had included any additional fixes or updates it would have required a lot more testing and delayed the fix release significantly. That particular issue was impacting SG-3100 severely.

What you're seeing here does not appear to be that.

Steve

mcury

@stephenw10 said in pfSense Plus 21.02-p1 Now Available:

Just to confirm you were seeing that in 21.02 also?

The p1 release addresses only https://redmine.pfsense.org/issues/11444.
If we had included any additional fixes or updates it would have required a lot more testing and delayed the fix release significantly. That particular issue was impacting SG-3100 severely.

What you're seeing here does not appear to be that.

Steve

Hello stephenw10,
Yes, I was seeing this same behavior in 21.02.

It happens only with pfblockerNG-devel 3.0.0_10 installed.
Didn't test with pfblockerNG 2.1.4_24.

This happens during a reboot, after installing and configuring this package.
Without it, I can't see any problems.

mcury

inside this link: https://redmine.pfsense.org/issues/11444

Check the file OS-Message Buffer.txt

costanzo

@dennis_s I am experiencing random reboots with my SG-1100 since upgrading to 21.02. I applied the p1 update; however, still seeing random reboots. They seem to occur once or twice in a day, with no pattern.

I created a ticket, #INC-76956, and attached the file created from the status page.

Any idea what might be going on or have any suggestions that might help?

Thanks in advance

stephenw10

It's unlikely that was related to the update unfortunately. The p1 point release would not have done anything for that, it addressed only: https://redmine.pfsense.org/issues/11444

We should be able to resolve that on the ticket for you.

Steve

Traveller

@dennis_s Thanks for the links, and to Netgate for the extended blog on the details.

That was amazing work considering the time frame and everything else that was going on.

I'm an internals guy, and I thought there might be a deadlock involved when I saw the workaround.

Also, good on the team to provide a real fix rather than a patch that would reduce performance and increase technical debt.

Ramosel

I read through the blog. 48hr find/fix is quite an accomplishment. Good job.
Leaves me with a couple of questions that have zero urgency tied to them.

What is different in the SG-3100 hardware that made it susceptible to this lock condition?

If you are NOT running SG-3100 hardware, is there any merit/value in doing the -p1 update?

Rick

A Former User

@ramosel It's the processors architecture that is unique to the 3100. As to updating on other devices it can be assumed they tested that. Given the forum is not overrun with complaints I would conclude it's fine to upgrade.

Ramosel

@jwj Agreed, but I wasn't asking if it was safe or "fine"... I was asking if there was any merit/value in updating if one wasn't running an SG-3100.

A Former User

@ramosel It fixes the one issue that was specific to the 3100. It doesn't address any other issues (as per Netgate), so the value on other devices would be zero. The harm also appears to be zero. If you are staring at an 'update available' notice or flashing led I'd update just to make that go away.

stephenw10

Yeah, there no need to update if a reboot is inconvenient for example. On other architectures 21.02p1 is effectively unchanged. But it is safe to do so.

Steve

Ramosel

@stephenw10 Awesome... thank you.

johnpoz

@stephenw10 said in pfSense Plus 21.02-p1 Now Available:

if a reboot is inconvenient for example

Exactly... I am prob just going to wait til the zfs correction for
https://redmine.pfsense.org/issues/11483

Is implemented, I would assume 21.0X or if a p2 comes out..

Reboots are always "inconvenient" ;)

The 3100s I have are stuck running what they are running until such time that I can get to office(es) or someone is onsite as smart hands, etc. While it would be nice to get them current - just not worth "any" risk of something going wrong.. Since offices don't have any staff there currently.

pfBo

Hi,

After upgrading my SG-3100 I'm seeing issues with fq_codel. I have limiters configured and it has been running fine before upgrading to 21.02-p1.

The firewall stops passing traffic when limiters are enabled and connecting to console all I see is these error messages over and over again:

fq_codel_new_sched cannot allocate memory for fq_codel configuration parameters
si_new new_sched error

My limiters and rules are configures as follows:

Please let me know if I can provide and more details, logs or anything else that can help me (and you) resolve this issue.

Best regards,

Bo

pfBo

Apologies, I can't for the life of me figure out how to edit my own post ;)

I just wanted to add that I have a SG-5100 setup with the exact same limiters and rules and that works flawlessly after upgrading to SG-3100 so I suspect it's a model specific "bug".

Best regards,

Bo

StacyAnn33

Are they still expecting to have pfSense Plus available to 3rd party hardware later in the year, or has that been pushed ahead to an earlier date?

Ramosel

@stacyann33 According to the Blog announcement on Jan 21 of this year... (under item #11)

"We plan to make pfSense Plus available for use on 3rd party hardware and select virtual machines by June 2021, if not sooner."

Taz79

Why is there no posts about 21.02.2 being available? Or has it been pulled back?

I'm having issues, my VPN to public internet connection is not working since the upgrade.. Tunnel is up but no communications.. Hosts in the alias list defining what computers should go via the VPN cannot even ping the router on the LAN side which is really strang.e..

Taz79

Never mind.. a restart of the OpenVPN service seems to have fixed the issue.. but anyway strange that there is no post about this update in here??

Ramosel

@taz79 said in pfSense Plus 21.02-p1 Now Available:

but anyway strange that there is no post about this update in here??

Yeah, I'd have to agree that it's odd there was no announcement of the(ir) forum. It was on the blog though.

https://www.netgate.com/blog/

Between the Blog, this forum, redmine and reddit... it's hard to know where to go and when to get the latest info "straight from the horse's mouth".

Hopefully they are all just really busy working through the problems on the 2.5/21.02 release.