[Oisf-users] Suricata with PF_RING and IXGBE

[Yasha Zislin]

I have a weird problem. I have a bunch of sensors running in CentOS 6 with latest pf_ring and Suricata 2.1beta4.Most of the sensors have HP fiber nics (10 gigs) for monitoring interfaces but two of them have Intel 82599 (ixgbe).One of these Intel sensors is active and the other is standby. Standby barely has any traffic on monitored interface (about 400 packets a minute which are all broadcast).When I start suricata service on the standby, it is impossible to reload rules or to stop it. On stop it eventually dies off with this message:<Error> - [ERRCODE: SC_ERR_FATAL(171)] - Engine unable to disable detect thread - "RxPFReth21".  Killing engine
I've flipped the active and standby to check if the server/hardware is the problem. The issue moved to the other server when it became standby.
I've installed the latest Intel Driver. I've set everything on it as per article:http://pevma.blogspot.com/2013/12/suricata-and-grand-slam-of-open-source.html
I've tried killing irqbalance and setting affinity. No luck.I did however noticed that if i reduce number of threads to 1, everything is working. But when it is more than one, the issue starts.
Did anybody else have this issue with Intel cards and PF_RING??? 		 	   		  
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openinfosecfoundation.org/pipermail/oisf-users/attachments/20160229/8fc55bfc/attachment.html>