Netgate Discussion Forum

    The process fcgicli is CPU killer

      Ivan Nosko

      Hello Team! We use pfSense as an OpenVPN RA server; it is a virtual machine on VMware. Everything was fine, but after updating to version 2.7.2 we had a problem with the fcgicli process, which was consuming all the CPU time, and pfSense was freezing. We need help! This is a very important service.

        Gertjan @Ivan Nosko

        @Ivan-Nosko

        Which one :

        [23.09.1-RELEASE][root@pfSense.bhf.tld]/root: ps ax | grep 'fcgicli'
        59977  -  Is       0:00.00 /usr/local/bin/minicron 3600 /var/run/expire_accounts.pid /usr/local/sbin/fcgicli -f /etc/rc.expireaccounts
        60588  -  I        0:00.02 minicron: helper /usr/local/sbin/fcgicli -f /etc/rc.expireaccounts  (minicron)
        60645  -  Is       0:00.00 /usr/local/bin/minicron 86400 /var/run/update_alias_url_data.pid /usr/local/sbin/fcgicli -f /etc/rc.update_alias_url_data
        61399  -  I        0:00.00 minicron: helper /usr/local/sbin/fcgicli -f /etc/rc.update_alias_url_data  (minicron)
        

        The "rc.expireaccounts" runs once every hour.
        Not much to do, or do you really have a zillion accounts ?

        The "rc.update_alias_url_data" :
        A problem with one of your aliases ?
        Do you use any "aliasurl" type ? If so, double check the URL : can you download it with a browser ? DNS works ? I can imagine : if the URL can't be reached, the file can't be loaded, you get the classic BS in - BS out.
        I can't be sure, as I don't use "aliasurl" myself.

        No "help me" PM's please. Use the forum, the community will thank you.
        Edit : and where are the logs ??

          stephenw10 Netgate Administrator

          Yes if you run ps -auxwwd you may be able to see the full command that is triggering it.

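One way to act on the `ps` suggestion above, as an added example that is not from any poster or from pfSense itself: a shell function that reads `ps ax` output and lists the fcgicli invocations whose accumulated CPU time is at or above a threshold, together with the rc script each one runs. The sample process list is constructed (the `/etc/rc.example_hook` path and the two high-CPU lines are placeholders), and the TIME parsing assumes colon-separated fields ending in seconds.

```shell
#!/bin/sh
# Added example: triage helper, not part of pfSense.
# Reads `ps ax` output (columns: PID TT STAT TIME COMMAND) on stdin and
# prints "PID CPU_SECONDS SCRIPT" for every fcgicli invocation whose
# accumulated CPU time is at least $1 seconds (default 60).
fcgicli_hogs() {
    awk -v min="${1:-60}" '
    {
        # Find "<path>/fcgicli -f <script>" anywhere in the command, so the
        # minicron parent, its helper and a bare fcgicli are all recognised.
        script = ""
        for (i = 5; i < NF; i++)
            if ($i ~ /(^|\/)fcgicli$/ && $(i + 1) == "-f") {
                script = $(i + 2)
                break
            }
        if (script == "") next

        # Assumption: TIME is colon-separated and ends in seconds,
        # e.g. "412:07.55" (minutes:seconds.hundredths).
        n = split($4, t, ":")
        secs = 0
        for (j = 1; j <= n; j++) secs = secs * 60 + t[j]

        if (secs >= min) printf "%d %d %s\n", $1, secs, script
    }'
}

# Constructed sample: two idle minicron lines in the format shown in the
# thread, plus two made-up busy processes running a placeholder rc script.
sample_ps() {
cat <<'EOF'
  PID TT  STAT      TIME COMMAND
59977  -  Is       0:00.00 /usr/local/bin/minicron 3600 /var/run/expire_accounts.pid /usr/local/sbin/fcgicli -f /etc/rc.expireaccounts
60588  -  I        0:00.02 minicron: helper /usr/local/sbin/fcgicli -f /etc/rc.expireaccounts  (minicron)
71234  -  R      412:07.55 /usr/local/sbin/fcgicli -f /etc/rc.example_hook
71240  -  R        3:10.00 /usr/local/sbin/fcgicli -f /etc/rc.example_hook
EOF
}

# On a live system: ps ax | fcgicli_hogs 60
sample_ps | fcgicli_hogs 60
```

The idle minicron entries are filtered out because their accumulated CPU time stays near zero; only processes that have actually been spinning are reported, along with the script to look at in the logs.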
            Ivan Nosko @Gertjan

            @Gertjan
            After we used the #killall fcgicli command, pfSense works well, but I think it is not a solution to the problem. Now the server has many connections, I will try to see the output of the ps command later after reboot.

              dem

              I've seen fcgicli spinning immediately after an upgrade once or twice in the past. In my case I think it was running rc.newwanipv6. I think #14386 might be related.

                Ivan Nosko

                Hi guys! I solved the problem with CPU leak and load of many "fcgicli" processes. As far as I understand, the problem is related to the certificate chain. In our company's certificate chain, we use [one ROOT srv]<>[two INTERMEDIATE srv]<>[four ISSUE srv]<>[openvpn server certificate]. Previously, I added all the certificates from the chain (7), but this time I added only four of them (ROOT<>INTERMEDIATE_1<>ISSUE_3<>openvpn server certificate, three in the chain and one of the server itself). I thought this was enough and I had this problem. Now I have added all the certificates and everything is working correctly. I'll watch for a while and post back later.

                  Ivan Nosko

                  There was the same issue
                  https://forum.netgate.com/topic/153940/openvpn-not-working-with-certificates-after-updating-from-earlier-pfsense-to-latest

                  Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.