Netgate 2100 Max CPU pings 100% when download large files
-
Are you using limiters?
-
Nope no limiters.
-
Suggestions :
The dashboard isn't a static page, content gets refreshed every x seconds, and the data collection process costs CPU cycles.
Remove the totally useless process, like "servicewatchdog", it's a real PITA.
I'm pretty sure most of your traffic is "TLS" (https, mail over TLS, etc) so you can stop using "ClamAV" as it can't see and check the payload of the traffic : it's encrypted.
I presume you don't visit any http sites anymore. Imho : remove "squid" also. It can be useful, but normally you would have opted for a big iron, not a little arm processor.
About the 'dpinger' pings that get lost : ICMP (ping) is a low priority protocol.
When you download at the max available ISP speed, the pipe "from the Internet to your pfSense is full". In that case, upstream, the decision is made for you : higher priority traffic comes first, lower priority passes when there is room available. You wind up having packet loss as ping was the loser.
This can have a nasty side effect : loss is 100 %, and if the default action is : reset the WAN interface to re-establish a good connection, then things get even worse : as now all interface (WAN) related processes get restarted, eating away even more CPU cycles. This includes the resolver, that gets restarted .... (and now the servicewatchdog mess kicks in and makes things even worse)
Solution : create limiters to leave some spare room for ICMP ?! Or just live with it and disable the action :
-
@northernsky The 2100 can do around/roughly 600 Mbps without additional packages. You could try disabling Clam and/or squid (which is deprecated anyway) and testing. The web GUI not responding seems like it's really overloaded? Try "top" at a command line.
-
@Gertjan Thank you! I took your advice and removed the packages you suggested. I did not disable the gateway action and will do some research in limiters to see if I even need them and if not I will disable the gateway action.
Thanks - Scott
-
@SteveITS I will putty in and run top when I test it again. I appreciate the guidance on this forum.
-
Yup, that. Try without the webgui connected at all.
The usage page you showed though has all the CPU usage in passing traffic as you'd expect for a large file maxing out the WAN bandwidth.
This was something that just started happening lately? Anything changed? You updated pfSense maybe?
-
@stephenw10
Nope no changes not since I updated to the latest patch a few days after it came out.
-
@northernsky said in Netgate 2100 Max CPU pings 100% when download large files:
I took your advice and removed the packages you suggested. I did not disable the gateway action and will do some research in limiters to see if I even need them and if not I will disable the gateway action.
@Gertjan gave some excellent advice. Removing clamav and squid (and anything associated with squid) was an excellent decision.
FWIW, I would like to second the recommendation to disable the Gateway Monitoring Action. You have a single WAN, so there is usually no downside to doing this. All the monitoring action ends up doing is restarting a bunch of processes that usually don't need to be restarted in a single WAN configuration, which can result in a cascade failure as @Gertjan described.
-
@SteveITS so I deleted the Clam and squid packages and I ran the download closed out of the webgui with just putty running and the cpu looks fine. Unless someone sees something I don't.
I also ran it again with the download going with the webgui up and putty overlaid with steam capped at 60 megs. I was able to reload the webgui without issues or it giving me the 50x error message, but the cpu on that still pings at 100% but in reality top is saying 17% for system. I guess don't believe the dashboard widgets? Also capping steam helps from saturating my pipe.
-
@northernsky said in Netgate 2100 Max CPU pings 100% when download large files:
@SteveITS so I deleted the Clam and squid packages and I ran the download closed out of the webgui with just putty running and the cpu looks fine. Unless someone sees something I don't.
Your CPU is still 100% pegged. 76% in interrupt, which seems really high to me... @stephenw10, does this seem high to you?
-
Yeah it's showing 0% idle, so 100% used. You need to use
top -HaSP
to see everything using CPU cycles there. That seems very high usage if it's 60Mbps. It's in the ball park if that's 60MBps.
-
@stephenw10 Ok So here is the top again with the switch and the MB/s.
Steam's cap setting:
Stream download:
-
@northernsky try 50000.
-
The switch on top gives you all the info in the table below the header there. It should show what's actually using that.
-
@SteveITS So 50000 had the same result. When I went down to 40000 then 30000 I was seeing a lot more cpu idle so it was not 0% all the time but just fluctuated around and looked better.
Is something wrong with my firewall or the configs or is it just at its limit with the bandwidth it can handle before getting stressed out?
That's back at 50000.
-
It depends what's shown in the full top output. If it's all NIC loading then you probably are hitting the hardware limit with whatever config you have running.
With a basic config I expect to see something ~650Mbps LAN to WAN through a 2100 so ~80MBps
-
Oh you edited. So you can see netstat is using quite a bit. You have bandwidthd or traffic totals installed? Try disabling it as a test.
-
@stephenw10 I don't have those installed. Should I? I don't have anything crazy going on here as far as I know. I did run through some Netgate forums on best practices when I got the 2100 Max a couple years ago.
-
Does that netstat line remain there constantly at 30% use?
What packages do you have installed?