SWAP USAGE 100%
-
Hello,
We have two pfsense's firewalls configured on cluster (primary and secondary). recently, we noticed only on primary pfsense that swap USAGE at 100%. We are currently on pfsense version 2.5.2 for primary and secondary pfsense. We searched quiclky on internet about this issue and found about leak memory usage about pcscd's service. it's true ? What do you recommend please ?
Thank you for your help and your reply at this topic
Regards
-
@pfsense7515 said in SWAP USAGE 100%:
We searched quiclky on internet about this issue and found about leak memory usage about pcscd's service.
You'd better check out the RAM usage on your box to find out the reason for that.
You can run
top -n -o res
to get the biggest memory eater at the top.
But yes, it's propably pcscd.
I've disabled log compression to get rid of it:
Status > System Logs > Settings > Log Compression -
Hello @viragomann
Thank You for quick reply. Please see screenshot of command mentioned above. What is the purpose of pcscd PC/SC Smart Card Daemon service ? Can it be turned off without disturbing the normal operation of the pfsense
[2.5.2-RELEASE][admin@xxxxxxxxxxxx]/root: top -n -o res
last pid: 42763; load averages: 1.94, 2.16, 2.15 up 181+23:49:10 13:31:45
75 processes: 2 running, 73 sleeping
CPU: 0.7% user, 3.2% nice, 3.6% system, 0.1% interrupt, 92.3% idle
Mem: 600M Active, 1420M Inact, 4422M Laundry, 1184M Wired, 777M Buf, 214M Free
Swap: 8192M Total, 8191M Used, 1072K Free, 99% InusePID USERNAME THR PRI NICE SIZE RES STATE C TIME WCPU COMMAND
8128 root 5 20 0 12G 4145M select 5 240:10 0.00% pcscd
16950 root 2 113 20 587M 540M CPU1 1 31.8H 72.56% snort
18630 root 2 40 20 465M 420M bpf 0 60:03 0.49% snort
46316 root 2 44 20 311M 263M bpf 4 61:05 7.76% snort
87514 root 2 40 20 203M 154M bpf 5 8:11 0.00% snort
90204 root 1 20 0 113M 67M select 3 378:48 0.00% bsnmpd
34137 root 1 20 0 147M 37M accept 0 3:10 0.00% php-fpm
41301 root 1 52 0 146M 37M accept 4 2:12 0.00% php-fpm
27761 root 1 20 0 146M 37M accept 1 2:18 0.00% php-fpm
81169 root 1 52 0 146M 36M accept 4 2:54 0.00% php-fpm
67405 root 1 52 0 146M 36M accept 1 2:33 0.00% php-fpm
92864 root 1 52 0 118M 35M accept 5 1:25 0.00% php-fpm
95371 root 1 52 0 108M 30M accept 6 0:02 0.00% php-fpm
89419 root 19 52 0 95M 21M sigwai 3 929:03 0.00% charon
331 root 1 20 0 102M 15M kqread 3 23:25 0.00% php-fpm
76807 root 1 20 0 20M 7976K select 4 0:00 0.00% sshd
98843 root 88 20 0 98M 7804K uwait 1 36:45 0.00% filterdns
12886 nobody 1 20 0 16M 5764K select 1 5:22 0.39% softflowdThank you for your help and your reply at this topic
Regards
-
@pfsense7515
Here is some information about what it is needed for and how to disable the service: https://redmine.pfsense.org/issues/11933 -
Yup, apply the patch listed there and reboot to prevent it re-starting.
Or upgrade to 2.6 where it's disabled by default.
Steve
-
Hello @viragomann
Thank You for your last reply. It's possible before upgrade to latest version pfsense (2.6 to just stop service (pcscd PC/SC Smart Card Daemon) without impact ?
Thank you for your help and your reply at this topic
Regards
-
Yes, and the safest way to do that is to apply the patch via the system patches package and then reboot.
Since you are running 2.5.2 make sure the update repo in System > Update > Settings is set to '2.5.2 deprecated'.
Then install the System Patches package.
Then add the patch by the commit ID as shown here:
afcc0e9c97c1993ae6b95f886665fcb4375d26c7
Then reboot and pcscd will be disabled by default.
Steve
-
FYI- The latest version of the System Patches package for 2.5.2 has the Recommended Patches list function and the pcscd patch is present there.
So you can set the upgrade branch to 2.5.2, update the package, then apply it from the list without creating a manual entry.
If you intend to remain on 2.5.2 for any length of time, you should probably apply all of the recommended patches in the list.
-
@pfsense7515 said in SWAP USAGE 100%:
It's possible before upgrade to latest version pfsense (2.6 to just stop service (pcscd PC/SC Smart Card Daemon) without impact
If you don't use IPSec you can just stop the service as a temporary fix.
You can also just restart your router. That will of course start pcscd again but it will not be using all that memory for a few weeks/months.
I would not try to upgrade to 2.6 while in an out-of-memory situation.
-
Thank You after applied new version. It's works fine