[Resolved]: Considering reinstallation of ZenArmor after major crash

Started by doug_phoenix, July 24, 2023, 04:15:47 PM

I updated OPNsense late last week, and my system went down hard. Details pointed to an issue with netmap and ZenArmor.  See:
https://forum.opnsense.org/index.php?topic=34992.0

I'm running OPNsense on a Protectli VP2410, which has four Intel GB NICs. Ports 0 and 1 are assigned to WAN and LAN, and 2-3 are set to LACP with a few VLANs.

I've been running Zenarmor for several months with no issue until this. So I assume that something "went wrong" with the update. Curiously, the errors I saw indicated "Emulated netmap" even though I had configured "Native netmap" drivers when I configured ZenArmor in the UI.

There were also "possible flapping" errors with my two LAGG ports.

I wish to reinstall ZenArmor, but I could use some guidance. Considering that I have two LAGG/LACP ports, how should I configure the netmap drivers for ZenArmor? Have all the issues with emulated netmap been addressed? I understand it was a big issue several months ago.

Any guidance would be appreciated.

Hi,

There is no known issue with the LAGG interface on Emulated Netmap Driver. You can protect the LAGG interfaces on Zenarmor with Emulated Netmap Driver.

Good to know, thank you.

I assume, then, that there was a file corruption during my latest download. I'll give emulated netmap a try when I reinstall ZenArmor.


Just reinstalled OS-sensei etc. ZenArmor recognized my previous installation. I saw a message indicating that to view reports I needed to start Elasticsearch.

The splash window "Starting Elasticsearch" hung. I selected the status window and saw that Elasticsearch was running, but Packet Engine was paused. (I had paused this previously while troubleshooting.)

Selecting "Restart" I'm experiencing similar problems to before. The console shows multiple netmap errors/messages like before (see my post linked in the first msg of this thread).

Packet Engine still shows "Bypassed."

I've also seen pop-up messages on the status window:

/usr/local/opnsense/mvc/app/controllers/OPNsense/Sensei/Api/PolicyController.php:134: Call to a member function fetchArray() on bool


I'm discouraged. ZenArmor was working great - until the update - and now it seems I can't recover.

Should I just give up and look for alternatives?

How do I remove all traces of ZenArmor from my installation? Removing Plug-ins from System - Firmware - Plug-ins did not remove everything (ElasticSearch database, configuration, ...).

Hi,

If you use Zenarmor's own uninstall feature in Configuration - Uninstall, it will remove everything.


@doug, sorry that it did not work out for you this time.

Trying to understand what went wrong WRT the Elasticsearch database, my best guess is our ES installation might be clashing with another Elasticsearch deployment. In our experience, this usually happens if you're also using Michael's community repository. If you have that repo enabled as well, pkg might be installing the one which is served by the community repository, instead of the Zenarmor-managed ES database.

Is that the case for you?

hi @mb

Good to hear from you. I am not using any community repositories (yet).

BTW, when I did the complete uninstall per @sy, I had the option to request support from SunnyValley. They responded quickly, and asked for various log files. I can find these using the console, but I don't know how to access my firewall's command line from a network PC. So at the moment I can't send any files. Is there any easy way to get to the command line from a network PC?

Thanks,
Doug

The firewall console is directly attached with a keyboard, and monitor physically plugged in.
To do it from away you need to enable SSH in the UI and "ssh root@ip-address-of-OPN", where that is the IP on the network segment where the PC is. So if your network is 192.168.1.0/24 then OPN normally would be on 192.168.1.1 and your PC could be on 192.168.1.10, for instance. From this PC you "ssh root@192.168.1.1".
Later you should create an admin account that logs in this way but needs to doas or sudo to elevate permissions so you don't by default use the root account.
Once there you can scp files out.

Thank you, @mb!

I used PuTTY (pscp) to move the files to my Windows PC. It's been so long I had forgotten it was there.

Will update after I have feedback from SunnyValley.

hi @mb and @cookiemonster,

After troubleshooting with both ZenArmor and Protectli, I decided to wipe my SSD and reinstall OPNsense.

Fortunately, I had a configuration backup.  :)

I've also installed ZenArmor. This time, I was not presented with the option to install a local Elasticsearch database, so I went with MongoDB using two-day retention. I also selected native netmap drivers since those seem to work and (I assume) should be faster than using emulation.

It's been up for a day with no errors on the console. I'm using the latest version of ZA, and I'm still getting accustomed to the UI. The UI is slow to load (around one minute) but otherwise seems ok.

Thank you for your help with this - I appreciate it!