Messages

1

23.7 Legacy Series / Suricata stopped working after upgrade to 23.7(.2)

« on: August 28, 2023, 12:56:04 pm »

Hi,

after upgrading from 22.1.11 to 23.7 suricata fails to launch.

We see this error messages:
Error   suricata   [104583] <Error> -- [ERRCODE: SC_ERR_FATAL(171)] - opening devname netmap:ix1^3/T failed: Cannot allocate memory   
Error   suricata   [102114] <Error> -- [ERRCODE: SC_ERR_FATAL(171)] - opening devname netmap:ix1^3/T failed: Cannot allocate memory

Seems that the 10Gbit interfaces could not be handled correctly. Suricata is configured to run in inline mode (IPS).

After returning to 22.1.11 everything was fine again.

Regards,
Josef

2

23.1 Legacy Series / Suricata can`t start in IPS mode

« on: March 10, 2023, 09:54:40 pm »

Hi,

on my installation with opnsense 23.1.3 and suricata 6.0.9_1 i can not start suricata in IPS mode with more than two interfaces.

The following error was logged:
 ... [ERRCODE: SC_ERR_NETMAP_CREATE(263)] - opening devname netmap:igbX/T failed: Cannot allocate memory

"sysctl -a | grep -i netmap" shows
netmap_obj_malloc         no more netmap_buf objects
netmap_new_bufs           no more buffers after 581 of 1024
netmap_mem2_rings_create  Cannot allocate buffers for RX_ring

Finally the active settings for netmap (should be the default ones):
dev.netmap.iflib_rx_miss_bufs: 3786
dev.netmap.iflib_rx_miss: 2000
dev.netmap.iflib_crcstrip: 1
dev.netmap.max_bridges: 8
dev.netmap.bridge_batch: 1024
dev.netmap.default_pipes: 0
dev.netmap.priv_buf_num: 4098
dev.netmap.priv_buf_size: 2048
dev.netmap.buf_curr_num: 10823
dev.netmap.buf_num: 163840
dev.netmap.buf_curr_size: 2048
dev.netmap.buf_size: 2048
dev.netmap.priv_ring_num: 4
dev.netmap.priv_ring_size: 20480
dev.netmap.ring_curr_num: 200
dev.netmap.ring_num: 200
dev.netmap.ring_curr_size: 73728
dev.netmap.ring_size: 73728
dev.netmap.priv_if_num: 2
dev.netmap.priv_if_size: 1024
dev.netmap.if_curr_num: 100
dev.netmap.if_num: 100
dev.netmap.if_curr_size: 1024
dev.netmap.if_size: 1024
dev.netmap.ptnet_vnet_hdr: 1
dev.netmap.generic_rings: 1
dev.netmap.generic_ringsize: 1024
dev.netmap.generic_mit: 100000
dev.netmap.generic_hwcsum: 0
dev.netmap.admode: 0
dev.netmap.fwd: 0
dev.netmap.txsync_retry: 2
dev.netmap.no_pendintr: 1
dev.netmap.no_timestamp: 0
dev.netmap.verbose: 0

The nics are Intel i350 and i210. Promiscuous mode is deactivated. Zenarmor is not installed.

Maybe this problem is relatable with this one: https://redmine.openinfosecfoundation.org/issues/5744

Many thanks in advance ;-)

Regards,
Josef

3

21.7 Legacy Series / Re: Update to 21.7.6 breaks Suricata (out of memory)

« on: December 15, 2021, 07:51:27 pm »

Hi,

same problem here, but i got a kernel panic, too. The corresponding dmesg messages can be found in the attached file. I faced the problem while trying to activate more than six network interfaces for intrusion detection.

After getting the error "<Error> -- [ERRCODE: SC_ERR_FATAL(171)] - opening devname netmap:igb2-2/R failed: Cannot allocate memory" the command "sysctl -a | grep -i netmap" showed "netmap ouch, double free on buffer ..."

Increasing the value of dev.netmap.buf_num did not help.

Suricata legacy mode works well, but we are lack of the blocking option (IPS mode) now.

Perhaps this thread in the pfsense forum points out the underlying problem:
https://forum.pfsense.com/topic/165601/help-understanding-a-crash-kernel-panic

Hope i could provide further information.

Cheers,

Josef

4

19.1 Legacy Series / Re: IPSEC Tunnel not working anymore

« on: March 19, 2019, 09:48:30 am »

Hi all,

we had the same issue here. We have 22 site-2-site IPSec tunnels running, three of them are ike v2.
All remote peers are different kind of firewalls (Cisco ASA, Lancom, Checkpoint) but no OPNsense.

After upgrading to 19.1.4 some tunnels worked fine some didn't. It didn't make any difference if it was ike v1 or v2.

As far as we can say all not working tunnels contain single host configurations in the phase 2 entries. But I am not sure about that matter 'cause we weren't able to test all connections.

After applying the patch (= removal of VTI) everything was fine, thanks for that!


Cheers

Josef