Bug #12141
closed
Lack of DNS or Internet connectivity causes GUI to be slow
100%
Description
If a device is being configured offline, if the device is unable to query DNS, the webConfigurator causes a noticeable delay between every page load. As soon as WAN is connected and have uplink connectivity the webConfigurator responds normally. There seems to be an issue where pfSense is checking DNS on every page reload for some reason.
Related issues
Updated by Andrew McCann almost 3 years ago
Kris Phillips wrote:
If a device is being configured offline, if the device is unable to query DNS, the webConfigurator causes a noticeable delay between every page load. As soon as WAN is connected and have uplink connectivity the webConfigurator responds normally. There seems to be an issue where pfSense is checking DNS on every page reload for some reason.
Kris, hope you dont mind me adding comments, but I think this is related to an issue another person and I are having, https://forum.netgate.com/topic/165102/gui-faling-to-respond-developer-comment-requested, when my ISP went down, the web interface was unusable after approx 2-4 mins, physically disconnecting the wan link and a forced reboot prevented the freeze from occurring, but if you let it freeze with WAN enabled, you could not make it responsive by disconnecting the WAN. Happy to provide any further info/logs if required.
Updated by Marcos M almost 3 years ago
- Status changed from New to Feedback
I'm not able to reproduce this on 2.5.2.
There are instances in which no internet/DNS connectivity will result in delayed page loads, but I would not expect that to happen for every page load. For example, see #12093. In some situations when there is no connectivity, the login page will also be delayed due to the browser trying to verify the certificate - the workaround in this case in my experience being to access the login page by IP instead of fqdn.
With this in mind, if the issue can still be reproduced, check the following:- The network tools of the browser may show an issue with a specific resource.
- Set Unbound log level to 3 and check if there are any specific domain resolution failures that correlate to the page loads.
Updated by Jim Pingle over 2 years ago
If it's every page load then most likely it's related to authentication settings, like it's trying to check privileges against an LDAP or RADIUS server by hostname. If that is the case, then there is not much to be done there since it's attempting to properly validate that a user should be able to access the page, then falling back to local privilege checks.
In most cases I'd only expect this to happen on pages like the Dashboard or ARP table or something else that heavily uses DNS.
Updated by Andrew McCann over 2 years ago
Hi Jim
Apologies, I haven't had a chance to test yet, but just a FYI, by pfsense box is a home machine, nothing special, no Domain/LDAP/RADIUS, I will try and runs some tests this afternoon using Unbound log level 3. I will also try and ssh into the box while its locked to see if I can see anything....
Updated by Kris Phillips over 2 years ago
Jim Pingle wrote in #note-3:
If it's every page load then most likely it's related to authentication settings, like it's trying to check privileges against an LDAP or RADIUS server by hostname. If that is the case, then there is not much to be done there since it's attempting to properly validate that a user should be able to access the page, then falling back to local privilege checks.
In most cases I'd only expect this to happen on pages like the Dashboard or ARP table or something else that heavily uses DNS.
Jim,
Is there a particular reason the Dashboard needs to be doing DNS lookups? The only component of it that I can think of that would need to do DNS would be the update check widget. I will have to test a device with no network connectivity with the dashboard update check disabled.
Updated by Kris Phillips over 2 years ago
Oddly setting the WAN interface of a firewall to None for IPv4 and IPv6 causes no slowness in the webConfigurator. It seems only when physical link is lost that the issue is present.
Updated by Kris Phillips over 2 years ago
Still seeing this randomly with customer firewalls. If the WAN interface is disabled or physically disconnected, the issue goes away. If it is enabled, thinks it has WAN access (gateway thinks its up) but has no route to the internet (such as a customer with double NAT) the firewall hangs for a very long time before loading to the dashboard. Disabling the update check does not appear to resolve this.
Updated by Marcos M over 2 years ago
I tried reproducing this on a lab. The gateway is online but pfSense is not able to reach any internet resources (including any DNS). The issue only exists on pages with DNS queries (e.g. update check page which times out with 504).
Updated by Kris Phillips over 2 years ago
Marcos Mendoza wrote in #note-8:
I tried reproducing this on a lab. The gateway is online but pfSense is not able to reach any internet resources (including any DNS). The issue only exists on pages with DNS queries (e.g. update check page which times out with 504).
I wouldn't expect a 504 to be expected behavior here. The update page should produce an "Unable to check for updates" error message, but not bomb completely.
Updated by Marcos M over 2 years ago
I agree. There are certain places in the GUI that are affected - the ACB page also being an example (see https://redmine.pfsense.org/issues/12093).
This redmine describes the issue being present on all page loads which would be a different issue.
Updated by Viktor Gurov over 2 years ago
Updated by Jim Pingle over 2 years ago
- Status changed from Feedback to Pull Request Review
- Assignee set to Viktor Gurov
- Target version set to 2.6.0
- Plus Target Version set to 22.01
Updated by Viktor Gurov over 2 years ago
- Status changed from Pull Request Review to Feedback
- % Done changed from 0 to 100
Applied in changeset bbb3bbebbf8059e72d60dbb1721d997568ae2090.
Updated by Marcos M over 2 years ago
Perhaps we should hardcode / fall back to different DNS providers; e.g. use 1.1.1.1 and 8.8.8.8 (and IPv6 counterparts) instead of just Google's DNS.
Updated by Jim Pingle over 2 years ago
- Subject changed from Lack of DNS/Internet Connectivity Causes webConfigurator to be Painfully Slow to Lack of DNS or Internet connectivity causes GUI to be slow
Updating subject for release notes.
Updated by Marcos M about 2 years ago
- Status changed from Feedback to New
- Release Notes changed from Default to Force Exclusion
Tested on 2.6.0-RELEASE by blocking upstream any connection to the internet. Trying to load the dashboard took 40 to 60 seconds without DNS. Changed the General Setup settings to use remote DNS and ignore local DNS, same result.
Updated by Marcos M about 2 years ago
- Target version changed from 2.6.0 to CE-Next
- Plus Target Version changed from 22.01 to Plus-Next
- Release Notes changed from Force Exclusion to Default
Updated by Viktor Gurov about 2 years ago
Marcos Mendoza wrote in #note-17:
Tested on
2.6.0-RELEASEby blocking upstream any connection to the internet. Trying to load the dashboard took 40 to 60 seconds without DNS. Changed the General Setup settings to use remote DNS and ignore local DNS, same result.
Found an issue:
https://gitlab.netgate.com/pfSense/pfSense/-/merge_requests/590
Updated by Jim Pingle about 2 years ago
- Status changed from New to Pull Request Review
- Target version changed from CE-Next to 2.7.0
- Plus Target Version changed from Plus-Next to 22.05
Updated by Viktor Gurov about 2 years ago
- Status changed from Pull Request Review to Feedback
Updated by Viktor Gurov almost 2 years ago
- Related to Regression #13162: Upgrade does not work when using only IPv6 DNS servers added
Updated by Reid Linnemann almost 2 years ago
- Status changed from Feedback to Resolved