I don't like leaving things not fully stable so I bit the bullet and 
clicked "Remove Enable/Disable changes in the current Category" so it would at 
least sync.  To my surprise it did not help, even after doing it on router2 as 
well.  Then I noticed the CARP sync was also starting to fail.

After thinking about it a bit I restarted router2 and syncing 
immediately worked again.  That implies something was wrong with the XMLRPC 
sync that wasn't fixed by restarting webConfigurator and/or PHP-FPM.  Notably 
there was a config sync fix included in pfSense 2.2.6...

I noticed another interesting tidbit.  The first Suricata sync after 
the restart I used a hostname (to router2's LAN IP).  The sync took 4 seconds.  
I then changed to an IP address.  It succeeded but took just shy of 3 minutes.  
Back to the hostname...1 second.  Back to the IP...timeouts and "Code 2: 
Invalid return payload."  At that point I had to restart router2 again.

I can't imagine using a hostname makes any practical difference.  I had 
started with an IP for the Suricata sync because the High Availability Sync 
page says to use an IP.

I did notice that the pfSense config sync triggers a route reload and 
down/up of the OpenVPN interface (which isn't connected), and the OpenVPN 
down/up logs, in order:

/rc.newwanip: rc.newwanip: Info: starting on ovpns1.
/rc.newwanip: rc.newwanip: on (IP address: 192.168.199.1) (interface: []) (real 
interface: ovpns1).
check_reload_status: Reloading filter
php-fpm[49144]: /rc.newwanip: pfSense package system has detected an IP change 
or dynamic WAN reconnection - -> 192.168.199.1 - Restarting packages.
check_reload_status: Starting packages
/rc.start_packages: Restarting/Starting all packages.

...maybe "restarting packages" is interfering with the Suricata sync?

Or possibly the default Suricata sync timeout of 150 seconds needs to 
be a *lot* higher?

--

Steve Yates
ITS, Inc.


_______________________________________________
pfSense mailing list
https://lists.pfsense.org/mailman/listinfo/list
Support the project with Gold! https://pfsense.org/gold
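One way to check the hypothesis raised in the post, added here as an example that is not part of the original message: scan pfSense system-log lines for the "Restarting/Starting all packages" message quoted above and test whether such a restart landed inside a Suricata sync's default 150-second timeout window. The syslog-style timestamp prefix, the hostname router2 and the year are assumptions; the sample lines are constructed.

```python
import re
from datetime import datetime, timedelta

# Constructed sample lines: the messages are the ones quoted in the post, the
# "Mon DD HH:MM:SS host" prefix is an assumed syslog layout added for illustration.
SAMPLE_LOG = """\
Dec 10 09:00:01 router2 /rc.newwanip: rc.newwanip: Info: starting on ovpns1.
Dec 10 09:00:02 router2 check_reload_status: Reloading filter
Dec 10 09:00:02 router2 php-fpm[49144]: /rc.newwanip: pfSense package system has detected an IP change or dynamic WAN reconnection - -> 192.168.199.1 - Restarting packages.
Dec 10 09:00:03 router2 check_reload_status: Starting packages
Dec 10 09:00:03 router2 /rc.start_packages: Restarting/Starting all packages.
Dec 10 09:30:10 router2 /rc.start_packages: Restarting/Starting all packages.
"""

LINE_RE = re.compile(r"^(\w{3} +\d{1,2} \d\d:\d\d:\d\d) (\S+) (.*)$")
RESTART_MARKER = "Restarting/Starting all packages"   # one line per restart cycle
SURICATA_SYNC_TIMEOUT = timedelta(seconds=150)         # Suricata's default sync timeout


def parse_ts(stamp, year=2015):
    """Parse a syslog timestamp; syslog omits the year, so one is supplied (assumed)."""
    return datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")


def package_restarts(log_text, year=2015):
    """Return the timestamps of every package-restart cycle found in the log text."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m and RESTART_MARKER in m.group(3):
            events.append(parse_ts(m.group(1), year))
    return events


def restarts_during_sync(sync_start, restarts, timeout=SURICATA_SYNC_TIMEOUT):
    """Restarts that fell inside a sync's timeout window, i.e. candidates for
    having interrupted the XMLRPC exchange before it completed."""
    return [t for t in restarts if sync_start <= t <= sync_start + timeout]


if __name__ == "__main__":
    found = package_restarts(SAMPLE_LOG)
    for hit in restarts_during_sync(parse_ts("Dec 10 09:00:00"), found):
        print("package restart inside sync window at", hit)
```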
