Firewall locks up/stops passing traffic

Started by loganx1121, August 24, 2020, 03:50:07 PM

I recently had to rebuild (reinstall) my Opnsense firewall and used config backups to get myself back where I was. I have 2 LAN interfaces that both go to a Cisco switch. The one interface periodically just goes down (no idea why), so the Cisco switch will see the traffic on the interface stop and then add a default route to the secondary interface. This has worked fine in the past and via testing still works.

A little while ago though, and maybe 2 more times since I've reinstalled, I've noticed the firewall just dies. It's still powered on, but I cannot ssh to either LAN interface, or access the web gui on either interface, and all traffic out to the internet stops. I've tried going through the logs but I don't really see anything (I might not be looking correctly or in the right place).

When the firewall is running, everything works fine. Tunnels, sensei, no issues with anything really, it just seems to lock up every 2 or 3 days. Not sure if I should reinstall again or if someone can help me track down the issue.

Thanks.

I hooked up a monitor and waited for this to happen again. This was what the screen showed when I woke up this morning with a bricked firewall. Rebooting it seems to fix it for a day or 2 before it bricks again.

That looks related to netmap, follow this thread:

https://forum.opnsense.org/index.php?topic=17363.135
2x 23.7 VMs & CARP, 4x 2.1GHz, 8GB
Cisco L3 switch, ESXi, VDS, vmxnet3
DoT, Chrony, HAProxy + NAXSI, Suricata
VPN: IPSec, OpenVPN, Wireguard
MultiWAN: Fiber 500/500Mbit dual stack + 4G failover

--
Available for private support.
Did my answer help you? Feel free to click [applaud] to the left

Thanks for the info. A little confused though. Is it related to suricata or sensei or both? I see both being mentioned.

I just ran pkg add -f https://updates.sunnyvalley.io/opnsense/updates/netmap-kernel/os-sensei-1.6.beta1.txz

As I saw the above mentioned. Not sure if that is the actual fix or not?

Quote from: loganx1121 on August 27, 2020, 01:06:49 PM
Thanks for the info. A little confused though. Is it related to suricata or sensei or both? I see both being mentioned.

It's related to netmap & kernel.

Both sensei and suricata use netmap.

Ok thanks. Seems like there's a few test kernels going around but no hard fix yet. Would downgrading the firmware for now be the best option for stability then?