opnsense freezes

[s4rs]

For the last few years I have run Opnsense under KVM. For the past few months randomly Opnsense stops working. It loses the wan interface, and I can't log in fully. I can bring up an SSH session type in the user name and password but then it hangs. I have waited for up to 15 minutes but I never get to the console GUI. Trying the web admin is similar. The system is not completely unresponsive since I can reboot cleanly via virsh reboot.

Any idea how I might be able to shoot this issue? I am running 18.7.9.

[guest19757]

Hey there,

You might want to have look here https://forum.opnsense.org/index.php?topic=10867.15, and verify if any tips there help?

Regards

[s4rs]

Nothing at that link applies

[guest19757]

For people who might stumble by,  can you explain why it doesn't apply? For posterity

[s4rs]

I can't run suricata since I am running in a VM. I have plenty of memory, both disk and core.

[guest19757]

Well, disregard 'suricata', did you check out any of the links, and some of CPU models as potential solutions? I'm running Opnsense here on QEMU from Debian 9 (Proxmox). And thus far, I haven't ran into any issues with the settings I supplied on that thread.

P.S. I'm running suricata here just fine in a VM.

Regards

[s4rs]

Like I wrote before I have run Opnsense under KVM for 2 years and just recently I have been getting the hangs. If this is a CPU issue it has to be something new. I have run all 17 and 18 versions and its just recently have I been having issues. I am running an Intel C2758 Atom. It should be fine. I haven't been watching that closely but when I started on the vitrualized path IDS/IPS had to run on a physical nic. Things must have changed since.

[guest19757]

Like I wrote before I have run Opnsense under KVM for 2 years and just recently I have been getting the hangs. If this is a CPU issue it has to be something new.

This tells me you haven't tried. Nevertheless, you can hang around, perhaps there's a KVM/Freebsb issue that someone else ran into recently and perhaps can share their experience. Alternatively, you can search Freebsb bugzilla for KVM bugs.

I haven't been watching that closely but when I started on the vitrualized path IDS/IPS had to run on a physical nic. Things must have changed since.

Support is partially there, virtio drivers still needs more work and support is there for em (e1000 nic) drivers. Although, there is a bug, that has been patched in upstream Freebsb with IPS and Packet capture that should land in 19.1.

Regards
H

P.S. I think I gave you the wrong link earlier, it was suppose to be https://forum.opnsense.org/index.php?topic=10816.0.

EDIT: This might be of interest https://github.com/opnsense/core/issues/2961

[s4rs]

Not sure what you mean by "Haven't Tried"? I would think if I had a processor issue things would be more consistent IE Opnsense wouldn't work at all. This processor is at the high end of the atom family.

I am running virtio drivers and haven't gone back to Suricata. May look at it once the drivers are settled. I'll take a closer look at console messages and maybe setup a log server just to see if there is anything interesting. One thing I find interesting, the freeze always happens early in the morning.

[guest19757]

Not sure what you mean by "Haven't Tried"?

You are right, I apologize, I gave you the wrong link and it wasn't till now that I notice that. host-passthrough? Still check Freebsb bugzilla? If you haven't find anything, look at https://www.berrange.com/posts/2018/06/29/cpu-model-configuration-for-qemu-kvm-on-x86-hosts. Try some CPU combinations to find what works. Yes, it does require work on end. If it's in production, set up a test lap? Seems like opnsense cherry picks patches to me. Though I don't now the difference, I've been looking at *-p* at the end of the kernel.

[s4rs]

I am now looking at Fedora since other vm's running on the system are starting to show the same behavior. I'll move the Opnsense to my SmartOS box..