2.2.3 Inquest



  • Well, 2.2.3 described itself as low risk.
    My organisation's firewall, which has been up over 300 days, now has no proxy or filter and I'm in on a Saturday trying to troubleshoot it.

    Looking at the message subjects below, 2.2.3 has been a total pain in the arse.
    Do we know why this is and how can it be avoided in the future?
    Let's not shoot ourselves in the foot twice!



  • Well - So far we know you had a working box before and that now you don't.
    And that you are less than happy.

    From this huge volume of provided info I have come to the conclusion that it's caused by unfortunate planetary and lunar alignment.



  • I've been through so many similar situations (even commercial products).
    Many people laugh at me when my attitude is sometimes, as they call it, paranoid regarding network architecture, upgrade policies and spares. I've burned my hand too many times.



    How about telling what exactly is wrong? We have A LOT of pfSense boxes in production that have been upgrading without issues.

    The only actual issue with 2.2.3 is with the AES-NI cryptographic accelerator, where IPsec doesn't work if you use non-AES-GCM encryption. But if you disable AES-NI cryptographic acceleration it works with any AES encryption. Hopefully that will be fixed in 2.2.4, which is out soon.

    Mostly pfSense upgrades go bad due to poor configuration, that is, due to layer 8 issues. It's also important to always have a backup, so when shit hits the fan, you have nothing to worry about.



  • @ivor:

    It's also important to always have a backup, so when shit hits the fan, you have nothing to worry about.

    True.

    And depending on how mission-critical the business is, some factors/tips to be considered:

    • use CARP if you can
    • use a second, similar piece of hardware as a spare if CARP is not possible, upgrade that in a test environment, and when it is proven that all went fine, only exchange cables (this will also give you a solution for hardware faults with minimal downtime)
    • never ever do upgrades remotely
    • use new CF cards for NanoBSD upgrades (I mean not purchase new cards every time, but keep a spare set of them pre-loaded with the latest image); instead of upgrading in-place, just remove the card with the system running well with the previous version, insert a new card flashed with the latest, and just restore the config XML (handy to have the CF card accessible from outside the case, or use a USB stick with the image)

    Steps like the above might save you from tons of headaches and minimize downtime to at most a reboot period. If anything goes wrong, you can always revert in a couple of seconds by placing the cables back on the old hardware, or plugging the previous card back in.

    Note that these in general are not pfSense-specific. Cisco or any other device firmware upgrades can have the same risks.
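The spare-card procedure described in the post above (boot a pre-loaded card, then restore the config XML) only works if the copy of the configuration you restore is the one you think it is. The following is an added example, not code from this thread or from the pfSense project: a small POSIX sh routine that snapshots the config file and the version stamp into a directory with a hash manifest, verifies the snapshot before it is restored, and tells you whether the live config has drifted since the snapshot was taken. The paths /cf/conf/config.xml and /etc/version in the usage comment are assumptions about a NanoBSD install; the functions take explicit paths so they can be pointed anywhere. sha256sum is used where available, with a fallback to the FreeBSD base sha256 tool.

```sh
#!/bin/sh
# Pre-upgrade configuration snapshot and verification (added example,
# not part of pfSense). Assumed usage on a NanoBSD box:
#   snapshot_config /cf/conf/config.xml /etc/version /root/pre-2.2.3
#   verify_snapshot /root/pre-2.2.3 && echo "snapshot intact"
#   config_changed /cf/conf/config.xml /root/pre-2.2.3 && echo "live config drifted"

# hash_file FILE: print a SHA-256 hex digest, GNU or FreeBSD base tools.
hash_file() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        sha256 -q "$1"        # FreeBSD base (the pfSense platform)
    fi
}

# snapshot_config CONFIG VERSION DEST
# Copies the config file and the version stamp into DEST and writes a
# MANIFEST of "digest filename" lines covering both copies.
snapshot_config() {
    cfg="$1"; ver="$2"; dest="$3"
    [ -r "$cfg" ] && [ -r "$ver" ] || return 1
    mkdir -p "$dest" || return 1
    cp "$cfg" "$dest/config.xml" && cp "$ver" "$dest/version" || return 1
    : > "$dest/MANIFEST"
    for f in config.xml version; do
        printf '%s %s\n' "$(hash_file "$dest/$f")" "$f" >> "$dest/MANIFEST" || return 1
    done
}

# verify_snapshot DEST
# Recomputes every digest listed in MANIFEST; fails on any mismatch or
# missing file, so a truncated or edited copy is never restored blindly.
verify_snapshot() {
    dest="$1"
    [ -f "$dest/MANIFEST" ] || return 1
    while read -r expected name; do
        [ -f "$dest/$name" ] || return 1
        actual=$(hash_file "$dest/$name") || return 1
        [ "$actual" = "$expected" ] || return 1
    done < "$dest/MANIFEST"
}

# config_changed CONFIG DEST
# Succeeds (exit 0) when the live config no longer matches the snapshot,
# i.e. someone changed the box after the snapshot was taken.
config_changed() {
    ! cmp -s "$1" "$2/config.xml"
}
```

Take the snapshot on the running system before pulling the old card, run verify_snapshot from the new card before restoring, and run config_changed against the old card afterwards if you need to know whether a last-minute change was missed.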



  • Still no specifics from the original vague hit and run post…



  • @kejianshi:

    Still no specifics from the original vague hit and run post…

    I don't think this is about specifics. He was just mad that it happened to him.

    Who cares about the specifics? In 95% of the cases it takes less time to reinstall from scratch and restore the config, instead of repairing for hours.
    This is also true about Windows. Usually you can reinstall it in an hour with all the apps the user needs, which is much faster than spending time fixing and cleaning viruses/spyware.



  • Well - To rub salt in the wounds then…

    I installed 2.2.3 in several physical and virtual machines - zero problems.  Worked perfectly.

    Did them all remotely BTW.



    "My organisations firewall which as been up over 300 days now"

    So you've been up on 2.2 for over 300 days?? I find that highly unlikely, since the 2.2 line has been out since Jan 23 of this year. So what, roughly 150 days, or half the amount of time you stated your firewall has been up and stable?
    https://blog.pfsense.org/?p=1546
    pfSense 2.2-RELEASE Now Available! by Chris Buechler on Jan 23, 2015

    The release notes I see call it low risk if you're on 2.2; if yours has been up for 300 days there is no way you were on the 2.2 line.
    For those already running any 2.2 version, this is a low risk upgrade. For those on 2.1.x or earlier versions, there are a number of significant changes which may impact you.



  • @johnpoz:

    The release notes I see call it low risk if you're on 2.2; if yours has been up for 300 days there is no way you were on the 2.2 line.
    For those already running any 2.2 version, this is a low risk upgrade. For those on 2.1.x or earlier versions, there are a number of significant changes which may impact you.

    Good catch! ;)



  • I'm a noob when it comes to pfSense, but I like to share my 2cents with you folks.

    Yes, lots of times things will go wrong with pfSense, but it happens to the other (paid) firewalls as well. Every setup/firewall is different. Taking the time to dig into your issue will open up a doorway of knowledge for you. There is a lot to gain when you do it yourself. Your own time means saving money and not paying someone else to configure/fix your router/switch for you. If you're a noobie like me, you learn from the process.

    Unless you are loaded with $$ and don't have time, then please subscribe to the paid service from pfSense. Someone there will be glad to help you. It still beats all other firewall providers.



  • I have a 4G install (2.2.2 to 2.2.3) and it's got that 2-minute lock-up while I change ANYTHING. That's not cool. But I just reverted back to 2.2.2 on the other slice.



  • I had to revert back as well; could not get outside the LAN after the upgrade. Not sure if it's related to packages not updated to match the upgrade to 2.2.3?



    @gazoo:

    I have a 4G install (2.2.2 to 2.2.3) and it's got that 2-minute lock-up while I change ANYTHING. That's not cool. But I just reverted back to 2.2.2 on the other slice.

    If you're running pfSense on 4G CF or SD card this applies to you:

    "The forcesync patch for #2401 was considered harmful to the filesystem and removed. As such, there may be some noticeable slowness with NanoBSD on certain slower disks, especially CF cards and to a lesser extent, SD cards. If this is a problem, the filesystem may be kept read-write on a permanent basis using the option on Diagnostics > NanoBSD."

    From here https://doc.pfsense.org/index.php/2.2.3_New_Features_and_Changes



  • @robi:

    @johnpoz:

    The release notes I see call it low risk if you're on 2.2; if yours has been up for 300 days there is no way you were on the 2.2 line.
    For those already running any 2.2 version, this is a low risk upgrade. For those on 2.1.x or earlier versions, there are a number of significant changes which may impact you.

    Good catch! ;)

    Or 75 days on 4 different boxes.



  • @kejianshi:

    From this huge volume of provided info I have come to the conclusion that its caused by unfortunate planetary and lunar alignment.

    I thought it was solar flares!
    http://pages.cs.wisc.edu/~ballard/bofh/bofhserver.pl



  • As likely a cause as any (given the details)  :P



  • hummm.

    Let's be counter-productive (to this thread).
    Mine works.

    UP since week 26, when I installed 2.2.3

    (edit: I didn't try to reboot it yet - I'm done with the rest, all ok)



  • Hello.  I don't mean this to be a hit and run, I am simply too busy to check in as often as I'd like.

    Let me reset the message.  If you scan down the subjects of the Installation and Upgrades area of the forum and look at how many are 'broke or degraded since 2.2.3', it's more than 1 or two. In fact at the time of writing, I think I can see possibly 6 (not including this) on the first page alone.

    What I'm suggesting is that it may be a good idea to consider what can be done to reduce this in the future.  More testing?  More testers? Different test scripts or test harness?

    This was intended to help build up pfSense
    andy

    PS, for the record it's the squid package that's causing me problems, but this isn't the forum.



  • I can see possibly 5 (not including this) on the first page alone.

    If the sample size is small then 5 glitches would be terrible.  But there are literally hundreds and thousands of installs out there.  I know of people who are managing more than 100+ instances by themselves.

    If you're having trouble with squid, head on over to the Cache/Proxy forum.



    @andyblackham:

    Hello.  I don't mean this to be a hit and run, I am simply too busy to check in as often as I'd like.

    Let me reset the message.  If you scan down the subjects of the Installation and Upgrades area of the forum and look at how many are 'broke or degraded since 2.2.3', it's more than 1 or two. In fact at the time of writing, I think I can see possibly 6 (not including this) on the first page alone.

    What I'm suggesting is that it may be a good idea to consider what can be done to reduce this in the future.  More testing?  More testers? Different test scripts or test harness?

    This was intended to help build up pfSense
    andy

    PS, for the record it's the squid package that's causing me problems, but this isn't the forum.

    You are aware that pfSense is being run in production worldwide? So we're talking hundreds of thousands of installs? Not to mention thousands of installs on pfSense / Netgate hardware as well?



  • At every upgrade and new release there are always many many "The update broke my pfsense" threads.

    Some are actual pfsense issues

    Some are hardware issues

    Lots are issues with the guy at the keyboard.

    No such thing as a release that goes perfect.

    Even if the code were 100% perfect, just when you assume it's idiot-proof a better idiot would come along.

    Just saying.  There are always problems.



  • And the funny part is that such problems (and even worse) usually occur in similar situation at most commercial products too.



  • One thing I've learned with pfsense, linux, windows, whatever…

    Don't install any feature unless you NEED it.

    The cleaner and simpler you keep an install the less problems you will have.

    That's universally true.