OPNsense GUI/SSH unreachable weekly

Started by Cipher, July 26, 2025, 11:55:07 PM

System details:
   •   OPNsense version: 25.1.10
   •   Hardware: Sophos GX125
   •   Install method: SSD
   •   Typical uptime before failure: ~7 days
   •   Active services: NAT, DHCP, DNS Resolver, WireGuard
   •   Plugins: No heavy plugins like Zenarmor or Suricata installed



Symptoms:

Roughly once per week:
   •   The Web GUI becomes unreachable
   •   SSH access is also unavailable
   •   However, internet access still works, and WireGuard remains active
   •   I can still access remote servers via WireGuard tunnels
   •   Some managed switches (on LAN) become unreachable until a manual reboot

After reboot, everything works normally for another week.



What I've observed:
   •   No crash reports appear in System > Crash Reporter
   •   No partitions appear full (df -h shows healthy disk usage)
   •   Health graphs show memory usage gradually increasing
   •   No errors stand out in /var/log/* before crash (though I may be missing something)
   •   The system is still routing traffic, which suggests the kernel/network stack is alive



Suspicions:
   •   Memory or resource leak affecting web/ssh daemons?
   •   Lighttpd/nginx and sshd silently dying after prolonged uptime?
   •   Cron job or logrotate process causing silent failure?
   •   ARP/cache/broadcast issues causing LAN-side disconnects?



Questions:
   1.   Is this a known issue on 25.1.10 or the Sophos GX125 platform?
   2.   How can I better log or monitor what's failing before GUI/SSH becomes unreachable?
   3.   Any specific services I can safely restart from the console (if reachable) to avoid a full reboot?
   4.   Would a scheduled reboot (e.g. every 6 days) be a safe temporary workaround?

I'm happy to provide more logs or config info if helpful.

Thanks in advance for any insights or suggestions!
Happy Owner DEC3862
A network is only as strong as its weakest link—build wisely, secure thoroughly, and optimize endlessly.


the error

This is the error we found after the box was not responding.
Happy Owner DEC3862

HardenedBSD 12.1?

Time to update IMO.


Cheers,
Franco

Based on the panic message and FreeBSD version, here are likely causes:

Known Bug in IPv6 Fragmentation Handling

The frag6_slowtimo() function has caused panics in older FreeBSD versions.

It manages stale IPv6 fragments and is run periodically by the system clock.

Outdated FreeBSD Kernel

Your system is running FreeBSD 12.1-p21, which is from 2021 and no longer maintained.

Dozens of bug fixes and security updates have been released since.

Problematic NIC Drivers or Hardware Offloading

Certain Realtek or even Intel NICs have known issues with hardware offloading and older kernels.

The panic could be related to offload features such as TSO/LRO.

Misconfigured or Unused IPv6

If IPv6 is enabled but improperly routed or unused, it can trigger unexpected behavior.

Especially common in dual-stack setups or WANs with no native IPv6 routing.

Quote
Key Details from the Crash:
Trap number = 12 → This indicates a Page Fault (access to an invalid or unauthorized memory address).

Panic Cause: frag6_slowtimo()
This is part of the IPv6 fragmentation timeout handling in FreeBSD.

Function Chain:

frag6_slowtimo()

softclock_call_cc()

calltrap()

FreeBSD Version: 12.1-RELEASE-p21-HBSD

Date/Build: Dec 13, 2021 — very outdated
DEC4240 – OPNsense Owner

Quote from: franco on July 30, 2025, 01:06:18 PM
HardenedBSD 12.1?

Time to update IMO.


Cheers,
Franco
I am on
Versions
OPNsense 25.1.12-amd64
FreeBSD 14.2-RELEASE-p4
OpenSSL 3.0.17

It's strange that it shows FreeBSD 12.X
Happy Owner DEC3862

It's not strange. The screenshot speaks for itself.


Cheers,
Franco
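
The mismatch discussed above (the panic reports a 12.1-RELEASE-p21-HBSD kernel while the GUI reports FreeBSD 14.2-RELEASE-p4) can be checked read-only from a shell by comparing the running kernel with the installed userland. This is an added example, not part of any post in this thread; the function names are hypothetical, and it assumes `uname -r` and `freebsd-version -u` are available on the box.

```shell
#!/bin/sh
# Added example: flag a running kernel that lags behind the installed userland.
# Version strings look like "14.2-RELEASE-p4" or "12.1-RELEASE-p21-HBSD".

# Numeric release for ordering: "14.2-RELEASE-p4" -> 14002
release_num() {
    rel=${1%%-*}                                  # keep "14.2"
    echo $(( ${rel%%.*} * 1000 + ${rel#*.} ))
}

# Patch level: "12.1-RELEASE-p21-HBSD" -> 21, no "-pN" suffix -> 0
patch_level() {
    p=$(printf '%s\n' "$1" | sed -n 's/.*-p\([0-9][0-9]*\).*/\1/p')
    echo "${p:-0}"
}

# compare_kernel_userland RUNNING_KERNEL USERLAND
# Returns 0 when the releases match, 1 when the kernel is older, 2 when newer.
# Only the release (major.minor) decides the verdict: patch levels of kernel
# and userland can differ legitimately when a fix touched userland only.
compare_kernel_userland() {
    k=$(release_num "$1")
    u=$(release_num "$2")
    if [ "$k" -lt "$u" ]; then
        echo "STALE KERNEL: running $1 under userland $2"
        return 1
    elif [ "$k" -gt "$u" ]; then
        echo "KERNEL AHEAD: running $1 over userland $2"
        return 2
    elif [ "$(patch_level "$1")" -ne "$(patch_level "$2")" ]; then
        echo "OK: same release, patch levels differ ($1 / $2)"
        return 0
    fi
    echo "OK: kernel and userland both at $2"
    return 0
}

# Live check, only where the FreeBSD tools exist (skipped elsewhere).
if command -v freebsd-version >/dev/null 2>&1; then
    compare_kernel_userland "$(uname -r)" "$(freebsd-version -u)" || true
fi
```

A "STALE KERNEL" verdict means the box is still booting an old kernel even though the firmware page shows a current release.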

Quote from: franco on July 30, 2025, 01:18:32 PM
It's not strange. The screenshot speaks for itself.


Cheers,
Franco
Is updating to the latest release sufficient, or should I run the following commands to update?
opnsense-update -UR
opnsense-update -p
opnsense-update -kr
reboot
Happy Owner DEC3862

Don't use porcelain commands, because these change over time. Either the console option 12 or the GUI firmware.


Cheers,
Franco

Quote from: franco on July 30, 2025, 01:43:12 PM
Don't use porcelain commands, because these change over time. Either the console option 12 or the GUI firmware.


Cheers,
Franco

Thank you so much, I'll update it and report back.
Happy Owner DEC3862