I updated from 25.7.10 to 25.7.11_1 yesterday. It's now impossible to access the WebGUI because after the login screen, when the dashboard starts loading, the UI spawns hundreds of PHP processes, which causes the system load to rise above 100, and after a few minutes the system runs out of memory and also consumes all the allocated swap space, finally killing the network traffic completely.
System recovers from the situation after closing the WebGUI browser tab but it might take 30-60 minutes when all the PHP processes are finished and memory consumption and system load returns back to normal values.
Spin up the system isolated and only your desktop/laptop connected to LAN. No WAN, no switch, no other devices.
System working? No problems? Also no Internet, of course.
If yes, go to Interfaces: Neighbors: Automatic Discovery and disable that. Then reconnect.
HTH,
Patrick
Hi,
System is fully functional and stable after reboot if I don't open the WebGUI. So a clean start and staying away from management keeps the load and memory consumption at levels similar to what they were before the 25.7.11_1 update. Is it sure that my case is connected to this Neighbors: Automatic Discovery feature?
Wrong post
Quote from: wide on January 18, 2026, 01:10:36 PM
Is it sure that my case is connected to this Neighbors: Automatic Discovery feature?
No but this is the single change in the latest release which seems to impact folks negatively the most. Including filling disks, 100% CPU load, ... so I would not be surprised if it would also spawn a lot of processes.
I had exactly the same issue. The disk filled up completely and all processes stopped.
It looks to be the logs in /var/log/hostwatch are so large that the disk is full and nothing else will work. The GUI dies.
I had to reboot, connect locally to the OPNsense device, turn off/disable the Interfaces:Neighborhood (see post in German forum) and then manually delete the logs from /var/log/hostwatch.
Once the logs were deleted and I rebooted again, everything appears to be back to normal.
BTW, check out the other posts about hostwatch in the forum. It appears they are all related to this.
I managed to update to version 25.7.11_2 by using opnsense-shell and then restarted all the services from the shell as well.
System remains stable. No excessive disk writes, normal memory consumption and regular CPU load.
But still, immediately after I open the WebGUI the system goes haywire. Tens and then hundreds of PHP processes spawn and the system runs out of memory.
I was able to isolate this issue to the WebGUI Dashboard. When I have a shell open at the same time as I log in to the WebGUI and tens of php processes start to spawn, I then run killall php from the shell and then go to some other part of the WebGUI without any issues. So there is something in the Dashboard itself or in my particular Dashboard view which gets OPNsense to go haywire.
Most likely this was not related to the 25.7.11_1 update but to changes in the IDS configuration I had done right after the update. Finally today I restored the OPNsense VM from the backup taken before the 25.7.11_1 update and then updated the VM to the latest 25.7.11_2, and now all good so far.
Signed up to the forum to report exactly the same issue. The box appears stable until I login, then memory consumption quickly climbs to 100% and the UI becomes unresponsive. I've tried disabling host / neighbourhood discovery but this makes zero difference.
Update 1:
I've now identified the problem process:
USER PID %CPU %MEM VSZ RSS TT STAT STARTED TIME COMMAND
root 51727 0.1 58.8 11386908 2316112 - Ss 17:35 1:52.31 /usr/local/bin/suricata -D --netmap --pidfile /var/run/suricata.pid -c /usr/local/etc/suricata/suricata.yaml
After identifying this, I disabled intrusion detection and now everything is back to normal.
Update 2:
Re-enabling IDS (and IPS) immediately causes the issue again. However, I'm now wondering if new rules/changes may have increased memory usage; perhaps using the web UI is adding to this demand/exhaustion. Either way, disabling IDS has solved my immediate problem.
OPNsense 25.7.11_2, 4GB RAM, i5-4570.
Two people ending up identifying Suricata as the culprit on 25.7.11 when it was updated to 8.0.3? Hmm... try reverting, restarting the service and see if that's better.
# opnsense-revert -r 25.7.10 suricata
Cheers,
Franco
Thanks Franco!
I have reverted suricata to 25.7.10 as you suggested. With IDS/IPS enabled I now have very high memory consumption, but not to the point where everything falls apart.
last pid: 45631; load averages: 0.60, 0.62, 0.42 up 0+18:34:05 12:46:35
77 processes: 1 running, 76 sleeping
CPU: 0.1% user, 0.0% nice, 0.2% system, 0.0% interrupt, 99.7% idle
Mem: 2151M Active, 92M Inact, 369M Laundry, 919M Wired, 56K Buf, 191M Free
ARC: 158M Total, 57M MFU, 59M MRU, 623K Anon, 1231K Header, 40M Other
75M Compressed, 167M Uncompressed, 2.24:1 Ratio
Swap: 8192M Total, 3984M Used, 4208M Free, 48% Inuse
PID USERNAME THR PRI NICE SIZE RES STATE C TIME WCPU COMMAND
69656 root 13 20 0 11G 2319M nanslp 1 1:21 0.38% suricata
Perhaps, I'm at the point where I simply need more RAM.
I haven't paid attention to CPU/RAM utilisation previously as the box has 'just worked'.
Hopefully this will provide clues to others hitting this problem.
Thanks for testing. At first glance I don't see much except the NFS4 which may add more RAM consumption. That would heavily depend on the network traffic that your Suricata is seeing anyway, perhaps also related to the rulesets being used. In any case if it is 8.0.3 it's not a widespread phenomenon.
https://redmine.openinfosecfoundation.org/versions/227
Cheers,
Franco
I'm also seeing high memory utilization, over 83% and climbing as of right now. Usually 50%-ish.
After disabling IPS my memory utilization goes from 83% and climbing to 30%.
Disabled IDS yesterday and memory utilization dropped to 50% of the 8GB.
Left it on overnight, and this morning memory and swap were both over 85% consumed.
Restarted host discovery service for grins and memory dropped to 40% and is climbing back up, currently 50% memory and 30% swap. System rarely used swap before now.
Memory got over 85%, swap over 85%, so I restarted IDS (I had reverted it yesterday using the command in the thread above) to see what that might do, but it never restarted and shortly after the network went down.
The console showed thousands of netstat_bind_fail errors, and I had to reboot it. The messages were flying by, and I had to log in blind and press "Enter" a bunch of times to get the menu to flash on the screen as I didn't remember the menu number for reboot (it's 6), and then I had to guess whether it was "y" or "Y" or "Yes" to get it to reboot.
Back to 50% memory and 0% swap used, but climbing again.
I'll have to roll back if this keeps up. For now I am keeping the web GUI off to see if that helps and I'm monitoring memory utilization with "top -asH". I'm also not running IDS for now.
It started with 2048M free about 5 minutes ago, and it's down to 1922M in that time.
This morning, without IDS or Web GUI running overnight, the system was at 93+% memory used and 90+% swap used.
I have rolled back to before the upgrade as I need my router to just work.
Maybe 26.1 will be better, but I definitely won't bother with that for quite some time.
Next time before the rollback, please login via SSH, invoke "top" and type "o" "res" <ENTER>. This sorts the processes according to memory usage, largest on top. Then report the findings.
Will do, thank you!
In the past several hours, on the "old" version with IDS enabled, the memory utilization is still in the 30% range.
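Added example, not part of any post in this thread: a small sh/awk triage of a `ps auxww` snapshot for the two symptoms reported above, a burst of PHP processes and one process (here Suricata) holding most of the RAM. The function names, the constructed sample rows and the assumption that GUI workers show up with a command name beginning with `php` are illustrative; the suricata row reuses the figures posted earlier.

```shell
#!/bin/sh
# Columns follow the ps header shown in the thread:
# USER PID %CPU %MEM VSZ RSS TT STAT STARTED TIME COMMAND  (RSS in KiB)

# Count processes whose executable name starts with "php" (assumption:
# this is how the GUI's PHP workers appear in ps output).
count_php() {
    awk 'NR > 1 { n = split($11, p, "/"); if (p[n] ~ /^php/) c++ }
         END { print c + 0 }'
}

# Print the N largest processes by resident memory as "RSS_MiB PID NAME".
top_rss() {
    limit="${1:-5}"
    awk 'NR > 1 { k = split($11, p, "/")
                  printf "%d %s %s\n", $6 / 1024, $2, p[k] }' |
        sort -rn | head -n "$limit"
}

# One-line summary of a snapshot read from stdin.
triage() {
    snap="$(cat)"
    php="$(printf '%s\n' "$snap" | count_php)"
    big="$(printf '%s\n' "$snap" | top_rss 1)"
    echo "php_procs=$php largest=$big"
}

# Constructed sample snapshot (only the suricata figures come from the thread).
sample_snapshot() {
    cat <<'EOF'
USER PID %CPU %MEM VSZ RSS TT STAT STARTED TIME COMMAND
root 51727 0.1 58.8 11386908 2316112 - Ss 17:35 1:52.31 /usr/local/bin/suricata -D --netmap
root 60001 4.0 0.9 70000 36864 - R 17:40 0:01.10 /usr/local/bin/php /constructed/a.php
root 60002 3.8 0.8 70000 34816 - R 17:40 0:01.02 /usr/local/bin/php /constructed/b.php
root 60003 3.5 0.8 70000 32768 - R 17:40 0:00.97 php-cgi
root 1200 0.0 0.2 20000 8192 - Is 17:00 0:00.50 /usr/sbin/cron -s
EOF
}

# Offline demo; on a live box use:  ps auxww | triage
sample_snapshot | triage
```

Running `ps auxww | triage` in a loop from an SSH session while the dashboard loads shows whether the PHP count or the largest resident process is the one growing.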