OPNsense Forum » English Forums » Zenarmor (Sensei) » High CPU load after Wireguard Service reload (was after "Suricata rule update")
Topic: High CPU load after Wireguard Service reload (was after "Suricata rule update") (Read 2724 times)
JasMan
Full Member
Posts: 175
Karma: 9
High CPU load after Wireguard Service reload (was after "Suricata rule update")
« on: April 09, 2022, 03:43:36 pm »
Hi,
I noticed a recurring issue with the two processes "eastpect: Eastpect Instance 1 (eastpect){Eastpect Main Event}" and "eastpect: Eastpect Instance 2 (eastpect){Eastpect Main Event}". After some time both processes are producing 100% CPU load on two of four processors on my OPNsense appliance. I can only solve this by restarting Zensei or the whole appliance.
I've already found out that this occurs when Suricata has downloaded and installed the ET ruleset (https://rules.emergingthreats.net/open/suricata-6.0/emerging.rules.tar.gz), which is updated daily.
But the issue does not occur every day. Sometimes it works for four or five days, and sometimes it happens on two or three consecutive days.
Has anybody noticed the same issue?
I've already opened a ticket at Sensei, but they don't know this issue.
Jas
EDIT: Changed the subject due to new findings
« Last Edit: May 27, 2022, 12:59:07 pm by JasMan »
Duck, Duck, Duck, Duck, Duck, Duck, Duck, Duck, Goose
JasMan
Full Member
Posts: 175
Karma: 9
Re: High CPU load after Suricata rule update
« Reply #1 on: April 17, 2022, 08:43:01 pm »
I have to correct my first findings.
It's not only Suricata which is causing the issue. The Wireguard interfaces are causing the high load too, when the WG service stops or reloads.
Each WG IF causes a high load of an eastpect instance. If I remove all WG IFs from the Zenarmor configuration, the high load doesn't appear anymore.
I can't find a connection between the IPS rule update and the restart of the WG service. It seems that Suricata doesn't restart the WG service when the rules are updated.
Any guesses?
« Last Edit: April 18, 2022, 02:18:00 pm by JasMan »
JasMan
Full Member
Posts: 175
Karma: 9
Re: High CPU load after Wireguard Service reload (was after "Suricata rule update")
« Reply #2 on: May 27, 2022, 01:03:14 pm »
I've found the reason for the WG service reloads: I'd configured a Monit task which restarted the service after some ping timeouts.
Not sure if anybody was able to reproduce the issue. But I'm asking myself where I have to report this issue. Is it an OPNsense, Wireguard or Zenarmor issue?
sy
Hero Member
Posts: 595
Karma: 44
Re: High CPU load after Wireguard Service reload (was after "Suricata rule update")
« Reply #3 on: May 27, 2022, 05:06:01 pm »
Hi Jasman,
It could be a netmap issue. Did you try Zenarmor in bypass mode (Status - Services - Zenarmor Packet Engine - Enter Bypass Mode)? This shows whether it is a netmap issue or not.
JasMan
Full Member
Posts: 175
Karma: 9
Re: High CPU load after Wireguard Service reload (was after "Suricata rule update")
« Reply #4 on: May 27, 2022, 11:36:04 pm »
Hey sy,
The bypass mode didn't change the behaviour.
I could imagine that Zenarmor is having a problem when the WG interfaces disappear during the service restart.