20.7.4 - WAN interface blown away when suricata active...

Started by chemlud, October 30, 2020, 11:17:07 AM

Hi!

Have a box with 4 interfaces (all em driver) running stable for more than a year. After updating to 20.7.4 the WAN interface comes up normally (gets IP via DHCP4), but after a few minutes the interface gets blown away, reboot helps only for 1-2 minutes:

2020-10-30T11:02:15 opnsense[93169] /usr/local/etc/rc.filter_configure: There were error(s) loading the rules: /tmp/rules.debug:186: no routing address with matching address family found. - The line in question reads [186]: pass out route-to ( em2 aaa.bbb.ccc.ddd ) from {em2} to {!(em2:network)} keep state allow-opts label "470b24148e83cbf020300f9a54691951" # let out anything from firewall host itself (force gw)
2020-10-30T11:02:15 opnsense[24319] /usr/local/etc/rc.linkup: Clearing states for stale wan route on em2
2020-10-30T11:02:15 opnsense[24319] /usr/local/etc/rc.linkup: DEVD Ethernet detached event for wan


"Prevent interface removal" is set for the WAN interface.

I disabled suricata completely and now it's stable for some 10 min...

Any help? :-(
kind regards
chemlud
____
"The price of reliability is the pursuit of the utmost simplicity."
C.A.R. Hoare

felix eichhorn's premium cat food with the extra portion of energy

A router is not a switch - A router is not a switch - A router is not a switch - A rou....
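
A way to triage logs like the three lines quoted in the post above, added here as an example (not part of the original post and not OPNsense code): it pairs each interface detach event with any pf rule-load error logged within a few seconds of it. The line layout is assumed from those three lines, and the 5-second window is an arbitrary choice.

```python
import re
from datetime import datetime

# Log lines from the post above; the quoted pf rule on the first line is shortened.
SAMPLE_LOG = """\
2020-10-30T11:02:15 opnsense[93169] /usr/local/etc/rc.filter_configure: There were error(s) loading the rules: /tmp/rules.debug:186: no routing address with matching address family found.
2020-10-30T11:02:15 opnsense[24319] /usr/local/etc/rc.linkup: Clearing states for stale wan route on em2
2020-10-30T11:02:15 opnsense[24319] /usr/local/etc/rc.linkup: DEVD Ethernet detached event for wan
"""

# Assumed layout, taken from those three lines: timestamp, process[pid], script path, message.
LINE_RE = re.compile(r"^(\d{4}-\d\d-\d\dT\d\d:\d\d:\d\d)\s+\S+\[\d+\]\s+(/\S+):\s+(.*)$")
DETACH_RE = re.compile(r"DEVD Ethernet detached event for (\S+)")
RULE_ERR_RE = re.compile(r"error\(s\) loading the rules: (\S+?):(\d+):")


def parse(text):
    """Yield (timestamp, kind, detail) for detach events and rule-load errors."""
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # skip lines that do not follow the assumed layout
        ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%S")
        msg = m.group(3)
        detach = DETACH_RE.search(msg)
        rule_err = RULE_ERR_RE.search(msg)
        if detach:
            yield ts, "detach", detach.group(1)
        elif rule_err:
            yield ts, "rule_error", (rule_err.group(1), int(rule_err.group(2)))


def correlate(text, window_s=5):
    """For each detach event, list rule-load errors logged within window_s seconds."""
    events = list(parse(text))
    report = []
    for ts, kind, detail in events:
        if kind != "detach":
            continue
        nearby = [d for t, k, d in events
                  if k == "rule_error" and abs((t - ts).total_seconds()) <= window_s]
        report.append({"time": ts.isoformat(), "interface": detail, "rule_errors": nearby})
    return report


if __name__ == "__main__":
    for entry in correlate(SAMPLE_LOG):
        print(entry)
```

A detach entry with an empty `rule_errors` list means the interface dropped without a ruleset reload failing at the same moment.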


Yes! Any way to get that kernel back? No time to mess around with the router these days...
kind regards
chemlud

Leave Suricata disabled until you have time to mess around with the router, if this is a stable solution.
"The S in IoT stands for Security!" :)


Hi mimugmail!

I read there

Quote
Example 2:

The previous revert of strongswan was not the solution you expected so you try to completely revert to the previous OPNsense version:

# opnsense-revert -r 18.1.4 opnsense

Be aware to also check if there were kernel updates like above to also downgrade the kernel if needed!

...but don't really understand what the last sentence means. ?!?

And furthermore:

Quote
Warning

Before reverting a kernel please consult the forums or open an issue via Github. You should only revert kernels on test machines or when qualified team members advise you to do so!

...so is this really risky to revert back to 20.7.3?

Many thanks in advance!
kind regards
chemlud


# opnsense-update -kr 20.7.3

Reboot and it should be better in this case. Lock kernel package from GUI to avoid accidental overwrite in the next update.


Cheers,
Franco

I get here:

# opnsense-update -kr 20.7.3
Fetching kernel-20.7.3-amd64.txz: ...... done
!!!!!!!!!!!! ATTENTION !!!!!!!!!!!!!!!
! A critical upgrade is in progress. !
! Please do not turn off the system. !
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
Installing kernel-20.7.3-amd64.txz... done
Please reboot.


After reboot I enabled suricata, but it took only about one minute to kill the WAN again. And then I saw that kernel is still 20.7.4?!? I disabled again suricata for the moment, any ideas what went wrong? opnsense-revert instead of opnsense-update, maybe?
kind regards
chemlud

PS: The SSD has perfect SMART status, only 1130 h, not read-only.... What's the problem here?
kind regards
chemlud


Ooops! I thought that it's "base" under System -> Firmware -> Packages, but it's "kernel"! And "base" is 20.7.4, while kernel is 20.7.3.

So the kernel is apparently not the problem here! What else could cause the interface (and only the WAN interface) to disconnect with suricata enabled?

I enabled suricata for the different LAN interfaces, no problem. Only if WAN is included in suricata the WAN interface disconnects....
kind regards
chemlud

When you just use IDS it works?
Can you also revert Suri like within the docs?

...in IDS mode with WAN it's stable for some 10 min now...

Should I revert suricata now? Or update the kernel and then revert suricata (to which version?)?
kind regards
chemlud