[Oisf-users] Suricata with PF_RING and IXGBE

Victor Julien lists at inliniac.net
Mon Feb 29 16:24:43 UTC 2016


On 29-02-16 15:52, Yasha Zislin wrote:
> I have a weird problem. I have a bunch of sensors running in CentOS 6
> with latest pf_ring and Suricata 2.1beta4.
> Most of the sensors have HP fiber NICs (10 gigs) for monitoring
> interfaces but two of them have Intel 82599 (ixgbe).
> One of these Intel sensors is active and the other is standby. Standby
> barely has any traffic on monitored interface (about 400 packets a
> minute which are all broadcast).
> When I start suricata service on the standby, it is impossible to reload
> rules or to stop it. On stop it eventually dies off with this message:
> <Error> - [ERRCODE: SC_ERR_FATAL(171)] - Engine unable to disable detect
> thread - "RxPFReth21".  Killing engine
> 
> I've flipped the active and standby to check if the server/hardware is
> the problem. The issue moved to the other server when it became standby.
> 
> I've installed the latest Intel Driver. I've set everything on it as per
> article:
> http://pevma.blogspot.com/2013/12/suricata-and-grand-slam-of-open-source.html
> 
> I've tried killing irqbalance and setting affinity. No luck.
> I did, however, notice that if I reduce the number of threads to 1,
> everything is working. But when it is more than one, the issue starts.
> 
> Did anybody else have this issue with Intel cards and PF_RING???

This looks a lot like this issue here:
https://redmine.openinfosecfoundation.org/issues/1716

The problem could be that some threads never get traffic.

-- 
---------------------------------------------
Victor Julien
http://www.inliniac.net/
PGP: http://www.inliniac.net/victorjulien.asc
---------------------------------------------



