WAN periodically Rebooting
-
@diyhouse Update:..
Although runnning 'smoother',.. I only seem to be able to get run times on the WAN of around 15hrs...
Looking in system=>general log.. filtered by layer down...I have the following... is my issue related to suricata, they seem to occur and each layer down,.. but appreciate could just be a consequence of the WAN failure...Aug 13 05:28:03 ppp 71373 [wan] IPCP: LayerDown Aug 13 00:24:36 kernel igb1: link state changed to DOWN Aug 13 00:24:30 kernel igb1: link state changed to DOWN Aug 13 00:23:46 suricata 38573 [100852] <Error> -- error parsing signature "alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-OTHER Win.Trojan.Zeus Spam 2013 dated zip/exe HTTP Response - potential malware download"; flow:to_client,established; content:"-2013.zip|0D 0A|"; fast_pattern:only; content:"-2013.zip|0D 0A|"; http_header; content:"-"; within:1; distance:-14; http_header; file_data; content:"-2013.exe"; content:"-"; within:1; distance:-14; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/2eff3ee6ac7f5bf85e4ebcbe51974d0708cef666581ef1385c628233614b22c0/analysis/; classtype:trojan-activity; sid:26470; rev:2;)" from file /usr/local/etc/suricata/suricata_41945_igb1/rules/suricata.rules at line 162 Aug 13 00:23:26 php-cgi 21038 [Suricata] ERROR: Snort VRT rules md5 download failed... Aug 13 00:23:25 php-cgi 21038 [Suricata] Emerging Threats Open rules file update downloaded successfully. Aug 13 00:23:24 php-cgi 21038 [Suricata] There is a new set of Emerging Threats Open rules posted. Downloading emerging.rules.tar.gz... Aug 12 19:23:14 ppp 71373 [wan_link0] LCP: LayerDown Aug 12 19:23:14 ppp 71373 [wan] IPCP: Down event Aug 12 19:23:14 ppp 71373 [wan] IFACE: Down event Aug 12 19:23:13 ppp 71373 [wan] IPCP: LayerDown Aug 12 19:23:13 ppp 71373 [wan_link0] LCP: Down event Aug 12 19:23:13 ppp 71373 [wan_link0] Link: DOWN event Aug 12 18:42:07 kernel igb1: link state changed to DOWN Aug 12 18:42:01 kernel igb1: link state changed to DOWN Aug 12 18:41:14 suricata 67299 [100333] <Error> -- error parsing signature "alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-OTHER Win.Trojan.Zeus Spam 2013 dated zip/exe HTTP Response - potential malware download"; flow:to_client,established; content:"-2013.zip|0D 0A|"; fast_pattern:only; content:"-2013.zip|0D 0A|"; http_header; content:"-"; within:1; distance:-14; http_header; file_data; content:"-2013.exe"; content:"-"; within:1; distance:-14; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/2eff3ee6ac7f5bf85e4ebcbe51974d0708cef666581ef1385c628233614b22c0/analysis/; classtype:trojan-activity; sid:26470; rev:2;)" from file /usr/local/etc/suricata/suricata_41945_igb1/rules/suricata.rules at line 162 Aug 12 18:40:54 kernel igb1: link state changed to DOWN Aug 12 18:37:28 kernel igb1: link state changed to DOWN Aug 12 18:37:22 kernel igb1: link state changed to DOWN Aug 12 18:36:35 suricata 85777 [100429] <Error> -- error parsing signature "alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-OTHER Win.Trojan.Zeus Spam 2013 dated zip/exe HTTP Response - potential malware download"; flow:to_client,established; content:"-2013.zip|0D 0A|"; fast_pattern:only; content:"-2013.zip|0D 0A|"; http_header; content:"-"; within:1; distance:-14; http_header; file_data; content:"-2013.exe"; content:"-"; within:1; distance:-14; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/2eff3ee6ac7f5bf85e4ebcbe51974d0708cef666581ef1385c628233614b22c0/analysis/; classtype:trojan-activity; sid:26470; rev:2;)" from file /usr/local/etc/suricata/suricata_41945_igb1/rules/suricata.rules at line 162 Aug 12 18:36:16 kernel igb1: link state changed to DOWN Aug 12 18:34:32 shutdown 18862 power-down by root: Aug 12 18:13:02 ppp 19091 [wan_link0] LCP: Down event Aug 12 18:13:02 ppp 19091 [wan_link0] Link: DOWN event
-
That seems more likely to be a symptom rather than a cause. I assume you have Suricata running on LAN there and it's igb1? If it's running in in-line mode that will cause the re-link on igb1 when Suricata reloads. Suricata will be reloaded when the WAN reconnects. It still looks like the WAN disconnecting is the first thing that happens.
-
@stephenw10
Yes,.. that's what I wondered,. but was not sure,...
Thinking about connectivity,.. and stability,... A year or so ago,.. my system would run for months,.. even during power cuts,.. so 100+ day of run time was no issue,..
the WAN on the other hand would run for a week or so,.. maybe 3,.. then reboot,... which I took/assumed was BT enforcing their ( you cannot keep the same IP ),..
But now I wonder if this was a symptom,.. of the line performance degrading,... as it is now happening more and more,..
I was hoping that a 'weekly' WAN reboot would keep 'BT happy',.. and stop them forcing reboots an inopportune moments,.. during the day... but no.
The frequency of WAN reboots has over the last several months increased,.. and ( like things that change slowly ) you don't seem to notice the trend..
So looking at the big picture as they say,.. I think I need to contact BT support for some 'line performance help'... as things seem to point to line degradation,.. over the last 6+ months... or do you think i'm barking up the wrong tree....
pls feel free to disagree -
Well I've never had that issue. BT only disconnects their end when there's a problem. So I wouldn't expect you to have to reconnect at all.
So, yes, it could be some upstream issue. It's odd though that it doesn't just time out. It would be nice to get some logs showing whatever triggers it. Somehow.
Ah OK edit the mpd custom conf file you created and uncomment the 'log' line there. If you change it to
log +all
you will see a lot of logging. Possibly too much!
But you should be able enable or disable the options there to get reasonable logging and see what's happening. -
And by a lot I mean it logs every second:
Aug 15 22:27:27 ppp 4348 EVENT: Processing timer "BundBm" BundBmTimeout() Aug 15 22:27:27 ppp 4348 EVENT: Processing event EVENT_TIMEOUT TimerExpires() Aug 15 22:27:26 ppp 4348 EVENT: Processing event EVENT_TIMEOUT TimerExpires() done Aug 15 22:27:26 ppp 4348 EVENT: Processing timer "BundBm" BundBmTimeout() done Aug 15 22:27:26 ppp 4348 EVENT: Registering event EVENT_TIMEOUT TimerExpires() done at timer.c:50 Aug 15 22:27:26 ppp 4348 EVENT: Registering event EVENT_TIMEOUT TimerExpires() at timer.c:50 Aug 15 22:27:26 ppp 4348 EVENT: Starting timer "BundBm" BundBmTimeout() for 1000 ms at bund.c:1678 Aug 15 22:27:26 ppp 4348 [opt4] OUT util: total 6% 0% 1% 0% 1% 36% 1% Aug 15 22:27:26 ppp 4348 [opt4] IN util: total 18% 0% 1% 0% 1% 103% 3% Aug 15 22:27:26 ppp 4348 [opt4] 1 1 1 1 1 1 Aug 15 22:27:26 ppp 4348 EVENT: Processing timer "BundBm" BundBmTimeout() Aug 15 22:27:26 ppp 4348 EVENT: Processing event EVENT_TIMEOUT TimerExpires() Aug 15 22:27:25 ppp 4348 EVENT: Processing event EVENT_TIMEOUT TimerExpires() done Aug 15 22:27:25 ppp 4348 EVENT: Processing timer "BundBm" BundBmTimeout() done Aug 15 22:27:25 ppp 4348 EVENT: Registering event EVENT_TIMEOUT TimerExpires() done at timer.c:50 Aug 15 22:27:25 ppp 4348 EVENT: Registering event EVENT_TIMEOUT TimerExpires() at timer.c:50 Aug 15 22:27:25 ppp 4348 EVENT: Starting timer "BundBm" BundBmTimeout() for 1000 ms at bund.c:1678 Aug 15 22:27:25 ppp 4348 [opt4] OUT util: total 6% 1% 0% 1% 0% 1% 36% Aug 15 22:27:25 ppp 4348 [opt4] IN util: total 18% 1% 0% 1% 0% 1% 103% Aug 15 22:27:25 ppp 4348 [opt4] 1 1 1 1 1 1
-
@stephenw10
Tx Stephen,.. File edited,.. and logging enabled... WAN re-started 8:30amAug 16 09:17:24 ppp 9394 EVENT: Processing event EVENT_TIMEOUT TimerExpires() done Aug 16 09:17:24 ppp 9394 EVENT: Processing timer "BundBm" BundBmTimeout() done Aug 16 09:17:24 ppp 9394 EVENT: Registering event EVENT_TIMEOUT TimerExpires() done at timer.c:50 Aug 16 09:17:24 ppp 9394 EVENT: Registering event EVENT_TIMEOUT TimerExpires() at timer.c:50 Aug 16 09:17:24 ppp 9394 EVENT: Starting timer "BundBm" BundBmTimeout() for 1000 ms at bund.c:1678 Aug 16 09:17:24 ppp 9394 [wan] OUT util: total 32% 30% 15% 60% 33% 3% 50% Aug 16 09:17:24 ppp 9394 [wan] IN util: total 207% 11% 5% 1119% 21% 2% 84% Aug 16 09:17:24 ppp 9394 [wan] 1 1 1 1 1 1 Aug 16 09:17:24 ppp 9394 EVENT: Processing timer "BundBm" BundBmTimeout() Aug 16 09:17:24 ppp 9394 EVENT: Processing event EVENT_TIMEOUT TimerExpires() Aug 16 09:17:23 ppp 9394 EVENT: Processing event EVENT_TIMEOUT TimerExpires() done Aug 16 09:17:23 ppp 9394 EVENT: Processing timer "BundBm" BundBmTimeout() done Aug 16 09:17:23 ppp 9394 EVENT: Registering event EVENT_TIMEOUT TimerExpires() done at timer.c:50 Aug 16 09:17:23 ppp 9394 EVENT: Registering event EVENT_TIMEOUT TimerExpires() at timer.c:50 Aug 16 09:17:23 ppp 9394 EVENT: Starting timer "BundBm" BundBmTimeout() for 1000 ms at bund.c:1678 Aug 16 09:17:23 ppp 9394 [wan] OUT util: total 25% 6% 30% 15% 60% 33% 3% Aug 16 09:17:23 ppp 9394 [wan] IN util: total 196% 21% 11% 5% 1119% 21% 2% Aug 16 09:17:23 ppp 9394 [wan] 1 1 1 1 1 1
-
Nothing else shown? Nothing at 8.30? I imagine there are a massive amount of logs!
-
@stephenw10
Yes I had an event at 4:05pm this afternoon,.. unfortunately I was out,.. just got back and extened log length. to 20000 lines,.. and this still only takes me back 15 mins,..
So will have to wait a little longer... dam -
@diyhouse
This is a typical log throughput ATM,...Aug 16 18:19:03 ppp 9394 [wan] 1 1 1 1 1 1 Aug 16 18:19:03 ppp 9394 EVENT: Processing timer "BundBm" BundBmTimeout() Aug 16 18:19:03 ppp 9394 EVENT: Processing event EVENT_TIMEOUT TimerExpires() Aug 16 18:19:02 ppp 9394 EVENT: Processing event EVENT_TIMEOUT TimerExpires() done Aug 16 18:19:02 ppp 9394 EVENT: Processing timer "BundBm" BundBmTimeout() done Aug 16 18:19:02 ppp 9394 EVENT: Registering event EVENT_TIMEOUT TimerExpires() done at timer.c:50 Aug 16 18:19:02 ppp 9394 EVENT: Registering event EVENT_TIMEOUT TimerExpires() at timer.c:50 Aug 16 18:19:02 ppp 9394 EVENT: Starting timer "BundBm" BundBmTimeout() for 1000 ms at bund.c:1678 Aug 16 18:19:02 ppp 9394 [wan] OUT util: total 132% 32% 5% 350% 41% 27% 337% Aug 16 18:19:02 ppp 9394 [wan] IN util: total 8052% 821% 6% 30182% 108% 6% 17191% Aug 16 18:19:02 ppp 9394 [wan] 1 1 1 1 1 1 Aug 16 18:19:02 ppp 9394 EVENT: Processing timer "BundBm" BundBmTimeout() Aug 16 18:19:02 ppp 9394 EVENT: Processing event EVENT_TIMEOUT TimerExpires() Aug 16 18:19:01 ppp 9394 EVENT: Processing event EVENT_TIMEOUT TimerExpires() done Aug 16 18:19:01 ppp 9394 EVENT: Processing timer "BundBm" BundBmTimeout() done Aug 16 18:19:01 ppp 9394 EVENT: Registering event EVENT_TIMEOUT TimerExpires() done at timer.c:50 Aug 16 18:19:01 ppp 9394 EVENT: Registering event EVENT_TIMEOUT TimerExpires() at timer.c:50 Aug 16 18:19:01 ppp 9394 EVENT: Starting timer "BundBm" BundBmTimeout() for 1000 ms at bund.c:1678 Aug 16 18:19:01 ppp 9394 [wan] OUT util: total 82% 37% 32% 5% 350% 41% 27% Aug 16 18:19:01 ppp 9394 [wan] IN util: total 5191% 26% 821% 6% 30182% 108% 6% Aug 16 18:19:01 ppp 9394 [wan] 1 1 1 1 1 1
-
Yeah
+all
is probably more than you need. You should be able to enable those things individually. Though I'm not sure which one you would need. -
@diyhouse said in WAN periodically Rebooting:
and this still only takes me back 15 mins
IF you have some disk space left, you could goto Status > System Logs > Settings and make the log files (way) bigger :
-
@Gertjan Yes many tx,.. I wondered if there was a parameter to limit log file size.
Although I had created at listing limit of 100000lines... it didn't seem that big.
One thing I might add the the wonderful pfsense dev. boys/girls,... is it would be nice to set the size limit in some more appro. units,.. eg meg bytes, or gig bytes,... pls
thankyou
BTW gone as big as system lets me,.. 2000000000bytes,.. or 2gigs as I recokon.. I have 99G free,.. but guess system is considering all log files,.. -
@diyhouse said in WAN periodically Rebooting:
Although I had created at listing limit of 100000lines...
That a GUI setting.
100000 lines in a GUI is ... 'bad' as PHP is very low with 'thoudands' and things go downhill after hundreds of thousands. Until PHP breaks trying to show it.
Big log files are meant to be show 'on the command line'. Or use SSH+FTP = SFTP, which supports stuf like this in the blink of an eye.@diyhouse said in WAN periodically Rebooting:
some more appro. units,.. eg meg bytes, or gig bytes,... pls
thankyouWould be nice for the ones who are asking ... but never looked / found the log files.
The ones who 'know', don't bother, they go straight to the source, as things down there are the same dor the last several decades already ^^Btw : huge log files are 'nice', because it gives you a big overview of what heppens.
But then pfSense has to rotate them, and that takes a lot of resource (CPU power etc) and not every pfSense has big drives, and endless write cycles, etc.
Running out of disk space is a known issue also. -
@Gertjan Tx for the comments,..
I will drop the GUI max lines down though,...
BTW,.. Log files,.. where are they stored in the file structure?
this is my current file systemFilesystem Size Used Avail Capacity Mounted on zroot/ROOT/default 100G 1.2G 99G 1% / devfs 1.0K 0B 1.0K 0% /dev zroot/tmp 99G 356K 99G 0% /tmp zroot/var 99G 413M 99G 0% /var zroot 99G 88K 99G 0% /zroot zroot/reservation 110G 96K 110G 0% /zroot/reservation zroot/ROOT/default/var_cache_pkg 99G 177M 99G 0% /var/cache/pkg zroot/ROOT/default/var_db_pkg 99G 5.4M 99G 0% /var/db/pkg tmpfs 4.0M 152K 3.9M 4% /var/run
-
They are in /var/log. For the purposes of testing here I wouldn't worry about having larger log files but I would probably set them back when you're done.
-
@stephenw10
Just a quick up date,.. still waiting for a failure event,.. had been running for 15hrs+ then hit midnight Sunday forced WAN reset,.. 7.5hrs on the clock and counting,..
disk space still good,.. although I have used / lost 1gig of available storage..
But looking in /var/log I have this now as the big hitters on files,
I guess as folks have commented,. we'll see how much horsepower my cpu has to cope with the compression etc,.. when the file get rotated..-rw------- 1 root wheel 68420964 Aug 18 07:42 system.log -rw------- 1 root wheel 68386081 Aug 18 07:42 ppp.log -rw------- 1 root wheel 10161552 Aug 18 07:42 filter.log -rw------- 1 root wheel 4329357 Aug 18 07:42 nginx.log -rw------- 1 root wheel 1226791 Aug 18 07:42 dhcpd.log -rw------- 1 root wheel 511488 Sep 6 2020 relayd.log -rw-r--r-- 1 root wheel 135309 Sep 6 2020 bsdinstall_log -rw------- 1 root wheel 99799 Aug 18 07:37 gateways.log -rw------- 1 root wheel 66259 Aug 13 22:12 dhcpd.log.1.bz2
-
@diyhouse
PPP_Log Failure.zip
WAN has just fallen over @14:10
My the 'force' be with you,... ( hope this is the bits you need )
EDIT: replace txt file with compressed zip file -
@diyhouse
Had to save file as attachment,.. as broke the 32K char. submission limit
Thanks... -
@diyhouse
Just realised these statements entries are the indicators that things have failed, I think... IMHO,..Aug 18 14:32:14 ppp 67004 [wan] OUT util: total 81% 10% 67% 109% 4% 39% 255% Aug 18 14:32:14 ppp 67004 [wan] IN util: total 5511% 8% 8374% 0% 5% 7560% 17117%
So have gone back trough the logs pre 14:10...
PPP_PreFailog.zip
compressed Log file attached
As background,.. Netflix was in full HD stream,.. as well as streaming some YouTube,.. and there was an Alexa sound streaming going on as well...
And its just died again...
EDIT: changed file to compressed version -
Hope this helps some more,.. 2nd event will full events before and after