Bug #7923

502 Bad Gateway and unresponsive OS with 2.4

Added by Kill Bill 9 days ago. Updated about 5 hours ago.

Status: Resolved
Priority: Normal
Assignee: -
Category: pfBlockerNG
Target version: -
Start date: 10/11/2017
Due date:
% Done: 0%
Affected Version: 2.4.x
Affected Architecture: All

Description

Multiple users are complaining that, following the infamous 502 Bad Gateway, they are eventually unable to do anything with the OS: not just the GUI, but also SSH and even the serial console.

https://forum.pfsense.org/index.php?topic=137103.msg753678#msg753678
https://forum.pfsense.org/index.php?topic=137103.msg753782#msg753782
https://forum.pfsense.org/index.php?topic=86212.msg753480#msg753480

History

#1 Updated by Jim Pingle 9 days ago

  • Category set to IPsec
  • Assignee set to Stephen Jones

At the moment, the only change in 2.4.1 that isn't in 2.4.0 that might be relevant is #7856

And since we already know that IPsec status is part of the existing 502 issues, it tracks that it is likely related.

#2 Updated by Chad Brandenburg 8 days ago

Jim Pingle wrote:

At the moment, the only change in 2.4.1 that isn't in 2.4.0 that might be relevant is #7856

And since we already know that IPsec status is part of the existing 502 issues, it tracks that it is likely related.

It's also present in 2.4.0; it showed up around the 10/3 update. It was on 2.4.1 before then.

#3 Updated by Jim Pingle 8 days ago

The affected code was on 2.4.0 for a couple days but is no longer there now. Current 2.4.0-RC snapshots and the actual -RELEASE should be unaffected.

#4 Updated by Chad Brandenburg 8 days ago

Jim Pingle wrote:

The affected code was on 2.4.0 for a couple days but is no longer there now. Current 2.4.0-RC snapshots and the actual -RELEASE should be unaffected.

Issue is still present in 2.4.0.r.20171009.1758. Tested last night. Not using IPSEC, or IPSEC widget. The common issue seems to be having PFBlockerNG installed as well.

#5 Updated by Jim Pingle 8 days ago

  • Category changed from IPsec to pfBlockerNG
  • Assignee deleted (Stephen Jones)
  • Priority changed from Very High to Normal
  • Affected Version changed from 2.4.1 to 2.4.x

If it's happening on 2.4.0 and started around that time, it's likely related to the FreeBSD 11.1 change and not the IPsec status issue I originally mentioned given the original details of the report.

Please post any error messages you have in the logs when this happens, and list any features you have enabled in pfBlocker. If pfBlocker is the common thread, then there must be some component of it that is triggering it (e.g. DNSBL). Also, if it only affects pfBlocker then it doesn't affect the majority of users so it's not quite so critical. A potential workaround could be placed in the package, for example, rather than requiring alterations to the base system.

#6 Updated by Jim Pingle 6 days ago

  • Project changed from pfSense to pfSense Packages
  • Category changed from pfBlockerNG to pfBlockerNG

This is definitely due to a locking issue with file access in the index.php file for pfBlocker DNSBL. Not sure why it changed behavior on FreeBSD 11.1, but that's where it's getting hung up. Eventually enough requests get stuck waiting on a lock that the request queue fills up, and then nothing can run PHP code.

More details on the forum thread: https://forum.pfsense.org/index.php?topic=137103.msg754234#msg754234
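
The failure mode described in comment #6 comes from lock waits with no bound: every request that blocks on the file lock keeps a PHP worker busy until none are left. As an added illustration (not pfBlockerNG's code or its actual fix; the file path and the function names `lock_with_deadline` and `log_hit` are hypothetical), a handler can take the lock non-blockingly with a deadline and skip the write when it cannot get it:

```php
<?php
// Added example, not pfBlockerNG code. The path and function names are hypothetical.

// Try to take an exclusive lock on $fp, giving up after $timeoutMs milliseconds.
function lock_with_deadline($fp, int $timeoutMs): bool
{
    $deadline = microtime(true) + $timeoutMs / 1000;
    do {
        // LOCK_NB makes flock() return at once instead of parking the PHP worker.
        if (flock($fp, LOCK_EX | LOCK_NB, $wouldBlock)) {
            return true;
        }
        if (!$wouldBlock) {
            return false;                  // a real error, not contention
        }
        usleep(random_int(2000, 10000));   // short jittered back-off
    } while (microtime(true) < $deadline);
    return false;
}

// Append one line to a shared log; drop the line rather than hang when contended.
function log_hit(string $path, string $line, int $timeoutMs = 200): bool
{
    $fp = @fopen($path, 'ab');
    if ($fp === false) {
        return false;
    }
    try {
        if (!lock_with_deadline($fp, $timeoutMs)) {
            return false;                  // the caller still sends its response
        }
        fwrite($fp, $line . "\n");
        fflush($fp);
        flock($fp, LOCK_UN);
        return true;
    } finally {
        fclose($fp);
    }
}

// Constructed demo: a second handle holding the lock stands in for a stuck request.
$path = sys_get_temp_dir() . '/dnsbl_demo.log';
$holder = fopen($path, 'ab');
flock($holder, LOCK_EX);
echo 'while contended: ', var_export(log_hit($path, 'ads.example,203.0.113.7'), true), "\n";
flock($holder, LOCK_UN);
echo 'after release:   ', var_export(log_hit($path, 'ads.example,203.0.113.7'), true), "\n";
fclose($holder);
unlink($path);
```

The trade-off is a dropped log line under contention in exchange for a worker that always returns, which keeps the web GUI and other PHP pages reachable.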

#7 Updated by Jim Pingle 4 days ago

  • Subject changed from 502 Bad Gateway and unresponsive OS with 2.4.1 to 502 Bad Gateway and unresponsive OS with 2.4
  • Description updated (diff)

#8 Updated by Jim Pingle about 5 hours ago

  • Status changed from New to Resolved
  • Target version deleted (2.4.1)

A new version of pfBlockerNG has been released containing a fix for this problem.
