OPNsense upgrade failure with Zenarmor (23.1.7)

Started by rfc805, May 16, 2023, 08:25:19 PM

I don't have too much information to really provide on this. However, when performing the upgrade to 23.1.7 today, it reached upgrading Zenarmor/os-sensei to 1.13. At this point it gave a message that it was saving state as it was running, and then "Waiting for PIDs: ..." - at this point the OPNsense system went entirely unreachable and stopped forwarding traffic entirely. After waiting for several minutes in this state, I had to use out of band console to go in and kill all eastpect processes, at which point the OPNsense system functioned again.

True, I had this several times: installing Zenarmor kills LAN connections. I had to use the console to install it properly (just in case, I have reinstalled it).
OPNsense HW:

Minisforum Venus series UN100C, 16 GB RAM, 512 GB SSD
T-bao N9N Pro, 16 GB RAM, 512 GB SSD

I am running into a similar issue. Out of curiosity, what type of interface/nic are you using?

May 19, 2023, 06:48:27 AM #3 Last Edit: May 19, 2023, 06:59:20 AM by almodovaris
Various:

- a computer with Intel Corporation 82576 Gigabit Network Connection (rev 01) and Intel Corporation Ethernet Connection I217-V (rev 05) and Qualcomm Atheros AR9462 Wireless Network Adapter (rev 01)
- a Proxmox with Intel Corporation 82576 Gigabit Network Connection (rev 01) available through PCI devices (no qemu plugin installed)
- APU2 with Intel(R) I210 Flashless (Copper)

So, it happened every time I had to update Zenarmor to the present version.

Hi All,

What is the output of /tmp/zenarmor_update.log? Do you use Suricata as well?

I do use Suricata as well, but obviously on different interfaces.

There is no such log file on my host, only a zenarmor_updates.json

Quick question: were you upgrading from 23.1.6 or from an earlier OPNsense version?

This seems netmap-related and I wonder if you were upgrading from an earlier version of OPNsense where the netmap emulated fixes were not there...

No, I don't use Suricata.


I have a similar issue. Don't upgrade. This is Bullshit.
Everything down.
I don't use Suricata.
I have a protection i7


@rfc805, @almodovaris, @TritonB7

Can you reach out to Zenarmor support? Use the "Bug Report" screen on the upper right hand corner of the screen - in case you're not familiar.

Make sure you send all OPN/Zenarmor config and logs.

This looks pretty much like another netmap thing. We want to investigate further.

Thanks.

Sorry, I have meanwhile uninstalled Zenarmor, deleted all its folders, and then reinstalled it (on all machines). So, I guess logs no longer contain that information. Just so you know, on Proxmox I now use the emulated netmap driver.

Quote from: mb on May 23, 2023, 03:13:22 AM
@rfc805, @almodovaris, @TritonB7

Can you reach out to Zenarmor support? Use the "Bug Report" screen on the upper right hand corner of the screen - in case you're not familiar.

Make sure you send all OPN/Zenarmor config and logs.

This looks pretty much like another netmap thing. We want to investigate further.

Thanks.

I did submit a Bug Report earlier this month along with config and logs. I'm using an Intel x550-t2 and i350t4v2, same issue with both cards.

Update:
I received an answer from the helpdesk:
"Thanks for reaching out and letting us know about the problem.
Is the FW reachable? Can you try to stop Zenarmor packet Engine by running the command "service eastpect stop" on the console as root? Then please change the deployment mode to emulated driver in Configuration - General - Deployment Mode - L3 Routed mode with netmap emulated driver on GUI."
I start a new post because I was unable to reinstall Zenarmor.