opnsense / core

OPNsense GUI, API and systems backend
https://opnsense.org/
BSD 2-Clause "Simplified" License

OPNSense dropping sessions #7266

Closed Ondjultomte closed 2 weeks ago

Ondjultomte commented 6 months ago

Describe the bug

OS is dropping sessions/states and traffic is then blocked, and applications need to be restarted to initiate the sessions again.

Tip: to validate your setup was working with the previous version, use opnsense-revert (https://docs.opnsense.org/manual/opnsense_tools.html#opnsense-revert)

To Reproduce

Steps to reproduce the behavior: I can post full config if needed; basic setup, a few tunables.

Firewall Optimization set to conservative to try and keep the states/sessions alive, but it doesn't help.

Expected behavior

states not dropping so early

Screenshots

Firewall Optimization (image)

Environment

https://bsd-hardware.info/?probe=b58cf5585d

OPNsense 23.7.12_5-amd64 FreeBSD 13.2-RELEASE-p7 OpenSSL 1.1.1w

Tontonjo commented 6 months ago

Experiencing the same here: https://github.com/opnsense/core/issues/7262

Ondjultomte commented 6 months ago

To the dev/support: how do we proceed to debug this issue?

Tontonjo commented 6 months ago

> To the dev/support: how do we proceed to debug this issue?

Please have a look at my case: https://github.com/opnsense/core/issues/7262

fichtner commented 6 months ago

The forum is a much better place to discuss this. 99% this is a user or setup problem and churning through it will bind a lot of time otherwise required for development.

Cheers, Franco

Tontonjo commented 6 months ago

> The forum is a much better place to discuss this. 99% this is a user or setup problem and churning through it will bind a lot of time otherwise required for development.
>
> Cheers, Franco

I doubt this is a user problem as it appeared just after the update was done and I have a really simple setup. Please check my case.

fichtner commented 6 months ago

> I doubt this is a user problem as it appeared just after the update was done and I have a really simple setup. Please check my case.

If you point me to a line of code that has an issue I'm happy to comply.

Tontonjo commented 6 months ago

> > I doubt this is a user problem as it appeared just after the update was done and I have a really simple setup. Please check my case.
>
> If you point me to a line of code that has an issue I'm happy to comply.

Have a look here: https://github.com/opnsense/core/issues/7262#issuecomment-1958200242

fichtner commented 6 months ago

Intermittent DNS resolution during boot?

Tontonjo commented 6 months ago

> Intermittent DNS resolution during boot?

Sorry? None I could be aware of.

fichtner commented 6 months ago

Ok without an error from the command that’s all I can offer for community support.

Cheers, Franco

Tontonjo commented 6 months ago

> Ok without an error from the command that’s all I can offer for community support.
>
> Cheers, Franco

You mean this error? https://github.com/opnsense/core/issues/7262#issuecomment-1958191493

fichtner commented 6 months ago

I may be repeating myself, but that's the error number, not the error message. Saying running it manually works would suggest a DNS issue or similar ;)

Tontonjo commented 6 months ago

> Ok without an error from the command that’s all I can offer for community support.
>
> Cheers, Franco
>
> You
>
> I may be repeating myself, but that's the error number, not the error message. Saying running it manually works would suggest a DNS issue or similar ;)

Thank you! Will update another system and see if it repeats.

LPJon commented 6 months ago

@Tontonjo Do you have Suricata enabled? If so, try disabling it and see if your problem is resolved and let us know. There is a bug that was resolved a few days ago but hasn't been released (judging by the time stamps) for OPNsense yet. You can find the upstream bug report here and the commit for the fix here.

This is not DNS related. It's related to a problem with Suricata 7.0.3 trying to access /sys/devices/system/node/ to find NUMA nodes in FreeBSD when this path does not exist. You can't revert to an older version of OPNsense because suricata package names don't line up due to a mistake with the repositories. The best that can happen right now is disable suricata and hold tight until they release a new update. Hopefully that is soon because this is a big deal to people who depend on it. Suricata is a core package and it should ALWAYS be tested before a release. Truthfully, I can't believe this was missed by the OPNsense and the OISF teams.

Tontonjo commented 6 months ago

> @Tontonjo Do you have Suricata enabled? If so, try disabling it and see if your problem is resolved and let us know. There is a bug that was resolved a few days ago but hasn't been released (judging by the time stamps) for OPNsense yet. You can find the upstream bug report here and the commit for the fix here.
>
> This is not DNS related. It's related to a problem with Suricata 7.0.3 trying to access /sys/devices/system/node/ to find NUMA nodes in FreeBSD when this path does not exist. You can't revert to an older version of OPNsense because suricata package names don't line up due to a mistake with the repositories. The best that can happen right now is disable suricata and hold tight until they release a new update. Hopefully that is soon because this is a big deal to people who depend on it. Suricata is a core package and it should ALWAYS be tested before a release. Truthfully, I can't believe this was missed by the OPNsense and the OISF teams.

No, I don't have Suricata enabled at all. Saw your issue about NAT and you may want to have a look here as it fixed the same thing for me: https://github.com/opnsense/core/issues/7262

Ondjultomte commented 6 months ago

I don't have IPS enabled either, and that wouldn't cause these drops, since the logs clearly state that there is no state left! So the TCP session timer is the first thing to look at. But there is no number here, only "conservative" mode to be set, and I have enabled that.

OPNsense-bot commented 2 weeks ago

This issue has been automatically timed-out (after 180 days of inactivity).

For more information about the policies for this repository, please read https://github.com/opnsense/core/blob/master/CONTRIBUTING.md for further details.

If someone wants to step up and work on this issue, just let us know, so we can reopen the issue and assign an owner to it.