PfSense VM freeze



  • Problem:
    The primary pfSense server will freeze randomly after running 1-2 hours.

    Info:
    VM host server: 2 Dell R310 servers, one hosting the master pfSense virtual machine, the other hosting the backup pfSense virtual machine, each with 1 pair of 300GB hard disks set up as RAID 1 (PERC H700), 1 unit of 2-port Broadcom NetXtreme II 5709 and 1 unit of 2-port Broadcom NetXtreme II 5716,
    Intel Xeon X3440 2.54 GHz processor with 4 CPU cores x 2.526 GHz

    BIOS: Intel-VT enabled.

    Switch: The 8 network cables of the 2 Dell servers (each has 4 NIC ports) share one physical switch.
    No VLAN setup for the switch. Network cables are connected to the same physical switch with 2 routers for WAN connection.

    ESXi host: Total 4 NIC, each NIC is within its own standard vSwitch. No vCenter.

    pfSense version 2.01 AMD64 VM hosted on ESXi 5.1

    pfSense VM info: Virtual Machine Version 8, 2 vCPU, 2GB RAM, 5 virtual NIC (em0,em1,em2,em3,em4) using e1000

    pfSense setup:
    Open-VM-Tools package installed.
    Setup Multi WAN for OPT1 interface only
    CARP with 3 VIP,  OPT1(Second WAN), LAN (a lan network), OPT2(another lan network).
    NO VIP for both WAN and OPT4 interface .
    OPT3 is pfSync interface.
    Site to Site OpenVPN with LAN interface as OpenVPN server (NAT traffic from both WAN and OPT1)
    No VLAN setup.

    Remote syslog is not showing any error relating to the pfSense freeze.
    /var/crash directory shows nothing.
    MBUF numbers look OK.
    The performance chart of the virtual machine shows CPU and memory consuming only a little resource, not peaking at all.

    Already tried the tests below, but the pfSense virtual machine still freezes…
    Need to restart the virtual machine every time after it freezes.

    test 1:
    System->Advanced->System Tunables, add one new field, key in "kern.timecounter.hardware" for "Tunable Name" field , key in "ACPI-safe" for "Value" field.
    test 2:
    Create /boot/loader.conf.local file, key in below content,
    hint.acpi.0.disabled=1
    test 3:
    Stop the CARP's pfSync and XMLRPC Sync, uncheck "Synchronize States".
    test 4:
    Increase RAM from 2GB to 3GB for both primary pfSense and secondary pfSense
    test 5:
    In /boot/loader.conf.local - Add the following (or create the file if it does not exist):
    kern.ipc.nmbclusters="131072"
    hw.bce.tso_enable=0
    hw.pci.enable_msix=0
    test 6:
    Replace the network cables for pfSense1 server
    test 7:
    Remove those unnecessary firewall rules that allow access from Internet.
    test 8:
    Remove CARP/VIP and disable pfSync interface.

    Can anyone enlighten me on why the primary pfSense freezes?



  • Switch: The 8 network cables of the 2 Dell servers (each has 4 NIC ports) share one physical switch.
    No VLAN setup for the switch. Network cables are connected to the same physical switch with 2 routers for WAN connection.

    ???



  • @biggsy:

    Switch: The 8 network cables of the 2 Dell servers (each has 4 NIC ports) share one physical switch.
    No VLAN setup for the switch. Network cables are connected to the same physical switch with 2 routers for WAN connection.

    ???

    There is no VLAN in entire network setup.



  • I think what he's trying to point out is that with 1 switch and no VLAN you're negating the effect of the router in terms of security.

    Anyway, as regards the freeze issue this sounds like similar issues to my thread (albeit in different measures) and I traced those to me running 32bit pfSense in a 64bit FreeBSD container.  I would suggest downloading the 32bit pfSense version and trying to stick it in a 32bit FreeBSD container and see how the freeze goes (the backups are cross-portable).



  • Well, the proper way to say it is that the entire network is in a single VLAN.
    Have not set up multiple VLANs in this test stage. Enlighten me if the single VLAN setup is the culprit of the pfSense freeze.

    Currently checking on whether the current setup is causing a network loop though.
    Will try the 32bit later on, and see whether it still freezes or not.

    I am wondering whether there is anyone using the amd64 version on ESXi 5.1 successfully and already in production?
    Any hint on solving this freezing issue is welcome :)


  • Rebel Alliance Global Moderator

    What would be the point of running amd64 version in a vm?

    I just don't see what it gets you?

    I'm running 32bit on esxi 5.1 that was upgraded from 5.0, which was updated to u1, and have not had any issues with pfsense as a vm at all.  Not one.  Runs and runs and runs - I am running 2.1 for the record.  Even updated pfsense to version 9 vm once upgraded to 5.1 without any issues at all.



  • @johnpoz:

    What would be the point of running amd64 version in a vm?

    I just don't see what it gets you?

    I'm running 32bit on esxi 5.1 that was upgraded from 5.0, which was updated to u1, and have not had any issues with pfsense as a vm at all.  Not one.  Runs and runs and runs - I am running 2.1 for the record.  Even updated pfsense to version 9 vm once upgraded to 5.1 without any issues at all.

    True, in this case, he's only giving his VM 2GB of ram.  Unless you have an expectation that your pfSense would actually use more than 4GB of ram, (as far as I know) there's zero reason to use 64 bit pfSense.  32 bit is more mature and usually better supported.



  • Connecting the WAN interfaces' NIC ports directly to the routers seems to have solved the freeze issue. :)
    Now the server has been running 23 hours without issue.

    Will increase RAM for the VM in future for packages, thus opting for AMD64.

    Have been running a few 32bit pfSense on PIII bare metal in production though. :)



  • Server has been running a month without issue.
    Those who face a pfSense freeze issue may want to check for any network loop or network-traffic-related issue, as I found out most pfSense freeze issues were related to overloading network traffic or a faulty/incorrectly set up NIC.


  • Banned

    Maybe because you had both WAN and LAN in the same physical network on the switch??



  • @Supermule:

    Maybe because you had both WAN and LAN in the same physical network on the switch??

    yup, with heavy network traffic, it would take a few hours to freeze the pfsense box.
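
One way to check for the condition the thread ended on (WAN and LAN sharing one broadcast domain), as an added example that is not part of the original posts: it scans ARP requests captured on the WAN NIC for senders whose IP lies in an internal subnet. The capture lines (written in the style of `tcpdump -e -n arp` output), the MACs and the subnets are constructed, and `find_internal_leaks` is a hypothetical helper name.

```python
import ipaddress
import re

# Constructed sample, styled after `tcpdump -e -n -i em0 arp` taken on the WAN NIC.
# All MACs, addresses and subnets are made up for illustration.
SAMPLE_WAN_CAPTURE = """\
10:15:01.000101 00:1b:21:aa:bb:01 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 60: Request who-has 203.0.113.1 tell 203.0.113.10, length 46
10:15:01.200345 00:0c:29:11:22:33 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 60: Request who-has 192.168.10.1 tell 192.168.10.57, length 46
10:15:02.004411 00:0c:29:44:55:66 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 60: Request who-has 192.168.20.1 tell 192.168.20.8, length 46
10:15:02.500000 00:0c:29:11:22:33 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 60: Request who-has 192.168.10.9 tell 192.168.10.57, length 46
"""

# Source MAC from the Ethernet header, sender IP from the "tell" field.
ARP_REQ = re.compile(
    r"^\S+ (?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2}) > \S+ ethertype ARP .*"
    r"who-has \S+ tell (?P<sender>[\d.]+)", re.I)


def find_internal_leaks(capture_text, internal_nets):
    """Return {subnet: {(mac, ip), ...}} for ARP senders seen on the captured
    interface whose IP belongs to one of the internal (LAN/OPT) subnets."""
    nets = [ipaddress.ip_network(n) for n in internal_nets]
    leaks = {}
    for line in capture_text.splitlines():
        m = ARP_REQ.match(line)
        if not m:
            continue
        try:
            sender = ipaddress.ip_address(m.group("sender"))
        except ValueError:
            continue  # malformed address in the capture line, skip it
        for net in nets:
            if sender in net:
                leaks.setdefault(str(net), set()).add(
                    (m.group("mac").lower(), str(sender)))
    return leaks


if __name__ == "__main__":
    lans = ["192.168.10.0/24", "192.168.20.0/24"]  # assumed LAN/OPT2 subnets
    for net, hosts in sorted(find_internal_leaks(SAMPLE_WAN_CAPTURE, lans).items()):
        for mac, ip in sorted(hosts):
            print(f"{net}: {ip} ({mac}) is visible on the WAN segment")
```

Any hit means internal broadcast traffic reaches the WAN port at layer 2, so the interfaces need separate switches, VLANs, or direct cabling to the routers.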

