[Oisf-users] Suricata with PF_RING and IXGBE

Gary Faulkner gfaulkner.nsm at gmail.com
Mon Feb 29 16:45:12 UTC 2016

I have a similar problem using the DNA IXGBE drivers with RSS (not 
dnacluster). I've found I need to reload the PF_RING IXGBE/DNA driver 
when that happens and manually clean up the pid file. I'm still on an 
older 2.0.x build, so this is when performing a full stop/start of 
Suricata, not a live rule reload.


On 2/29/16 10:24 AM, Victor Julien wrote:
> On 29-02-16 15:52, Yasha Zislin wrote:
>> I have a weird problem. I have a bunch of sensors running in CentOS 6
>> with latest pf_ring and Suricata 2.1beta4.
>> Most of the sensors have HP fiber nics (10 gigs) for monitoring
>> interfaces but two of them have Intel 82599 (ixgbe).
>> One of these Intel sensors is active and the other is standby. Standby
>> barely has any traffic on monitored interface (about 400 packets a
>> minute which are all broadcast).
>> When I start suricata service on the standby, it is impossible to reload
>> rules or to stop it. On stop it eventually dies off with this message:
>> <Error> - [ERRCODE: SC_ERR_FATAL(171)] - Engine unable to disable detect
>> thread - "RxPFReth21".  Killing engine
>> I've flipped the active and standby to check if the server/hardware is
>> the problem. The issue moved to the other server when it became standby.
>> I've installed the latest Intel Driver. I've set everything on it as per
>> article:
>> http://pevma.blogspot.com/2013/12/suricata-and-grand-slam-of-open-source.html
>> I've tried killing irqbalance and setting affinity. No luck.
>> I did however notice that if I reduce number of threads to 1,
>> everything is working. But when it is more than one, the issue starts.
>> Did anybody else have this issue with Intel cards and PF_RING???
> This looks a lot like this issue here:
> https://redmine.openinfosecfoundation.org/issues/1716
> The problem could be that some threads never get traffic.
