Emerging Member
Posts: 55
Registered: ‎11-17-2017
Kudos: 4

Re: EdgeMAX EdgeRouter software version v2.0.0 has been released!

@UBNT-afomins I am scheduled today to run one more test of the 2.0 firmware before we officially call this one off limits. I would like to do this before I commit to providing the configuration. If we get the same results I can pass you the configuration but it would have to be PM'ed to you. We prefer not to provide a configuration publicly, even if it's sanitized. (Since we still don't know what the cause is, I don't want to sanitize too much of the config.) Is that ok?

Emerging Member
Posts: 88
Registered: ‎12-21-2018
Kudos: 49

Re: EdgeMAX EdgeRouter software version v2.0.0 has been released!


@UBNT-afomins wrote:

@DeviceLocksmith
> set task-scheduler task eap-tls executable path /config/scripts/restart-eap-tls
> it was present before upgrade to 2.0 and is no longer in config after upgrade.
Can you please check if "restart-eap-tls" script is present after upgrade and if it has executable permission:

ls -la /config/scripts/restart-eap-tls

 

 

@DeviceLocksmith
> It appears that current kernel in 2.0 in at least Cavium builds is vulnerable to DoS FragmentSmack vulnerability.
> There is a kernel test that tests for both the CVE-2018-5390 vulnerability and a bug in original vulnerability fix.
> I've compiled the test for Cavium and it currently fails
That's strange because this is supposed to be fixed since v2.0.0-beta.1:

1) We fixed CVE-2018-5390 by merging this commit

2) We mitigated CVE-2018-5391 by lowering frag_high_thresh/frag_low_thresh as described here

We shall take a look at that test and will investigate why test fails with v2.0.0

 


 

I did remove executable flag from /config/scripts/restart-eap-tls before the upgrade.

The test for CVE-2018-5391 changes the settings in ip_defrag.sh to verify that kernel itself is still vulnerable: 

	ip netns exec "${NETNS}" sysctl -w net.ipv4.ipfrag_high_thresh=9000000 >/dev/null 2>&1
	ip netns exec "${NETNS}" sysctl -w net.ipv4.ipfrag_low_thresh=7000000 >/dev/null 2>&1
	ip netns exec "${NETNS}" sysctl -w net.ipv4.ipfrag_time=1 >/dev/null 2>&1

	ip netns exec "${NETNS}" sysctl -w net.ipv6.ip6frag_high_thresh=9000000 >/dev/null 2>&1
	ip netns exec "${NETNS}" sysctl -w net.ipv6.ip6frag_low_thresh=7000000 >/dev/null 2>&1
	ip netns exec "${NETNS}" sysctl -w net.ipv6.ip6frag_time=1 >/dev/null 2>&1

It looks like you have a mitigation in place that is removed by a test that tests if the fix is in kernel itself.


@UBNT-afomins wrote:

 

@notfixingit
> Has anyone run into a SIP issue? Phones were only getting 1 way audio after upgrading to 2.0, rolled back to 1.10.8 and problem is gone.
This might be caused by new netfilter that does not detect related flows unless "nf_conntrack_helper" is enabled.
Try running following command from shell:

sudo sh -c "echo 1 > /proc/sys/net/netfilter/nf_conntrack_helper"

Did it help?

 


 I've tested realtime change for SIP with echo command above. It did not work for me. However changing it in a startup script did work. Not sure why realtime change did not work - possibly it has something to do with settings at kernel module load time.
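
The fragment-threshold point in the post above (the test raising the ipfrag limits to 9000000/7000000) can be checked on a running system; this is an added example, not part of the original thread or of Ubiquiti's firmware. The function name, the sample data and the default ceilings of 262144/196608 bytes (values commonly given in distribution advisories for CVE-2018-5391) are assumptions, since the thread does not state the values EdgeOS uses.

```shell
#!/bin/sh
# Audit IP fragment-reassembly limits against mitigation ceilings.
# stdin : "key = value" lines as printed by `sysctl -a`
# stdout: one "EXCEEDS key=value limit=N" line per violation
# status: 0 if every threshold is within its ceiling, 1 otherwise
# Live use:  sysctl -a 2>/dev/null | audit_frag_thresh
# The thresholds are per network namespace, so a namespace is audited with
#            ip netns exec NAME sysctl -a | audit_frag_thresh
audit_frag_thresh() {
    high_max=${1:-262144}   # assumed ceiling in bytes, not from the thread
    low_max=${2:-196608}    # assumed ceiling in bytes, not from the thread
    awk -v hi="$high_max" -v lo="$low_max" '
        # Accept both "key = value" and "key=value".
        { gsub(/[ \t]/, ""); split($0, kv, "=") }
        kv[1] ~ /^net\.ipv[46]\.ip6?frag_high_thresh$/ && kv[2] + 0 > hi + 0 {
            printf "EXCEEDS %s=%s limit=%s\n", kv[1], kv[2], hi; bad = 1 }
        kv[1] ~ /^net\.ipv[46]\.ip6?frag_low_thresh$/ && kv[2] + 0 > lo + 0 {
            printf "EXCEEDS %s=%s limit=%s\n", kv[1], kv[2], lo; bad = 1 }
        END { exit bad + 0 }
    '
}

# Constructed sample: the values the quoted test writes with sysctl -w.
SAMPLE_TEST_STATE='net.ipv4.ipfrag_high_thresh = 9000000
net.ipv4.ipfrag_low_thresh = 7000000
net.ipv4.ipfrag_time = 1
net.ipv6.ip6frag_high_thresh = 9000000
net.ipv6.ip6frag_low_thresh = 7000000
net.ipv6.ip6frag_time = 1'

# Constructed sample: thresholds lowered to the assumed ceilings.
SAMPLE_MITIGATED='net.ipv4.ipfrag_high_thresh = 262144
net.ipv4.ipfrag_low_thresh = 196608
net.ipv6.ip6frag_high_thresh = 262144
net.ipv6.ip6frag_low_thresh = 196608'

printf '%s\n' "$SAMPLE_TEST_STATE" | audit_frag_thresh \
    || echo "threshold mitigation is not in effect for this input"
printf '%s\n' "$SAMPLE_MITIGATED" | audit_frag_thresh \
    && echo "thresholds are within the ceilings for this input"
```

Pass different ceilings as the first and second argument to audit against the values your firmware documents.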

New Member
Posts: 2
Registered: ‎01-11-2018

Re: EdgeMAX EdgeRouter software version v2.0.0 has been released!

Ohhh I thought VRF would come in this release too, but apparently not :-(

Veteran Member
Posts: 5,861
Registered: ‎07-03-2008
Kudos: 1852
Solutions: 138

Re: EdgeMAX EdgeRouter software version v2.0.0 has been released!

Hopefully VRF is under consideration for v2.1?

 

AFAIK most of the important prerequisites for doing VRF 'right' are included in kernel v4.14.  e50 family should have those already, but I don't know whether Cavium backported any of those into their v4.9 kernel or not.

New Member
Posts: 2
Registered: ‎01-11-2018

Re: EdgeMAX EdgeRouter software version v2.0.0 has been released!

Yeah, it would be nice if there were any package you could download and perhaps just do it from the cli.

 

New Member
Posts: 1
Registered: ‎01-11-2019

Re: EdgeMAX EdgeRouter software version v2.0.0 has been released!


Well, Edgerouter X SFP with hwnat enabled only v2.0 just went into reboot hell, uptime kept shrinking until it was just a reboot loop. Hard Reset doesn't work, will have to do a console recovery at this point.

 

Didn't notice it was doing reboots since the downtime was small.

New Member
Posts: 20
Registered: ‎04-28-2018
Kudos: 2

Re: EdgeMAX EdgeRouter software version v2.0.0 has been released!

I've had a fairly unhappy time with this release on an ERX

 

- After upgrade it wouldn't restart so I needed to reset it.

- While applying the config from the Web, a few times it came up with an error 'Save failed'; when this occurred a number of previously configured settings were deleted (DHCP servers, NAT rules), in the end I resorted to doing the whole lot with the CLI.

 

It's working now but am still in two minds whether or not to downgrade.

 

 

Regular Member
Posts: 567
Registered: ‎02-11-2015
Kudos: 48
Solutions: 9

Re: EdgeMAX EdgeRouter software version v2.0.0 has been released!

Just thought I would report - been running an ER-12 on 2.0 since it was released with zero problems.  No down time at all and the device seems to be much more robust than it was on 1.x!

New Member
Posts: 33
Registered: ‎08-03-2017
Kudos: 7
Solutions: 3

Re: EdgeMAX EdgeRouter software version v2.0.0 has been released!

@mbrack
> Since beta3, and also with this release, I suddenly suffer from this kernelmessage when my manually binded, route-based, VTI-tunnel is brought down:
> kernel:unregister_netdevice: waiting for vti0 to become free. Usage count = xxx
I also see same error messages on ER-X/ER-X-SFP when dynamic interface (pppoe, vtun, vti) disappears. I saw this happening only if hwnat is enabled.

  1. What is your ER model?
  2. Is offloading enabled?

@UBNT-afomins

Sorry forgot to mention that;  I do run ER-X-SFP with hwnat enabled indeed.  When I disabled and rebooted I didn't have this kernelmessage; when applying offloading I had it the moment I brought the tunnel down.

 

Other question; is IPSEC offloading on Mediatek-platform also scheduled for v2.0.1?

 

 

Emerging Member
Posts: 82
Registered: ‎07-18-2016
Kudos: 33
Solutions: 3

Re: EdgeMAX EdgeRouter software version v2.0.0 has been released!

after 2 days uptime my ER-X crashed, unresponsive on WAN or LAN. pulled the plug to reboot and it came back up. i had been running beta1 without issue for months.

New Member
Posts: 27
Registered: ‎10-16-2018
Kudos: 12

Re: EdgeMAX EdgeRouter software version v2.0.0 has been released!


@ooferomen wrote:

after 2 days uptime my ER-X crashed, unresponsive on WAN or LAN. pulled the plug to reboot and it came back up. i had been running beta1 without issue for months.


It’s been well discussed that this release has not done good things, including bricking, to a number of ERX and ERX-SFP devices. Roll back to 1.10.8 and continue with that firmware. 

Emerging Member
Posts: 43
Registered: ‎11-19-2018
Kudos: 1

Re: EdgeMAX EdgeRouter software version v2.0.0 has been released!

Can confirm beta 3 bricked my first er-x (just got it a few months ago) got my second and staying on 1.10.8 even if I don't get to enable hwnat (for my fiber) until 2.0.1 is out. Looks like mixed results. Mine not so good.

New Member
Posts: 9
Registered: ‎08-31-2017

Re: EdgeMAX EdgeRouter software version v2.0.0 has been released!

@UBNT-afomins

sudo journalctl -u lighttpd.service

-- No entries --


sudo cat /var/log/lighttpd/error.log

cat: can't open '/var/log/lighttpd/error.log': No such file or directory

Looking for the error.log was something I tried before, but I was surprised that there wasn't a log file there. The /var/log/lighttpd folder is totally empty when I run sudo ls /var/log/lighttpd.

New Member
Posts: 2
Registered: ‎05-13-2017

Re: EdgeMAX EdgeRouter software version v2.0.0 has been released!

Lots of stuff already mentioned, but just to add my own upgrade experience going from 1.10.8 to 2.0.0 for an ER X-SFP.

The situation is a reasonably standard border gateway:

  • eth0: DMZ
  • eth1–4 attached to switch0 (VLAN-aware) internal networks.
  • eth5 is SFP/fibre. Internet is pppoe0 over VLAN over eth5. One thing that is non-standard here is that eth5 has a manually-specified MTU of 1508 instead of 1500 to yield a 1500 MTU on the overlayed pppoe0 interface.
  • NAT with hairpin for DMZ.
  • Zone-based firewalling.
  • DNS/DHCP are handled elsewhere.
  • hwnat is enabled.

After rebooting to 2.0.0 things seem at first glance to be okay but a lot of stuff seems to be broken:

  • Some websites aren't accessible, while others are:
    • Accessible: these forums (yay).
    • Inaccessible: Reddit. StackExchange. Apple.
      Traffic capture on the router (pppoe0) shows the TCP connection being established but no response to the SSL CLIENT HELLO packet that browsers send once the TCP connection is established.
  • Disabling hwnat seemed to help.
  • Rebooting via CLI doesn't seem to work… web/ssh don't come up. Hard power cycle needed, after which they come up after a long delay.

If anyone would like a diagnostic/support dump I'm happy to provide it. Although the release notes mentioned issues with hwnat the circumstances mentioned (load balancing) don't apply.

For now it's back to 1.10.8 for me…

Emerging Member
Posts: 53
Registered: ‎10-10-2017
Kudos: 19

Re: EdgeMAX EdgeRouter software version v2.0.0 has been released!

The issue is documented on the first post of this thread:

 

NOTE: There are some known hwnat related issues on ER-X/ER-X-SFP that will be fixed in upcoming v2.0.1 firmware. 

  • [LoadBalancing] - LoadBalancing randomly fails if hwnat offloading is enabled on ER-X and ER-X-SFP models. LoadBalancing watchdog randomly reports false-positive interface-failure events and switches to backup link when it should not. Workaround is to disable hwnat offloading.
  • [PPPoE] - PPPoE client interface randomly fails to reconnect with PPPoE server when hwnat offloading is enabled on ER-X and ER-X-SFP router models. This issue was noticed only with LoadBalancing or ECMP setups. Workaround is to disable hwnat offloading.
  • [Offloading] - IPSec offloading does not work on ER-X and ER-X-SFP

 

Regular Member
Posts: 486
Registered: ‎06-02-2015
Kudos: 80
Solutions: 23

Re: EdgeMAX EdgeRouter software version v2.0.0 has been released!


Not sure if this has been reported, but accessing webgui over vti tunnel just gave me this error message on one of my ER-Xs.
Refreshing Chrome fixed the issue.

New Member
Posts: 14
Registered: ‎01-17-2017
Kudos: 2

Re: EdgeMAX EdgeRouter software version v2.0.0 has been released!

I tried to install the v2.0.0 firmware on my EdgeRouter-X. It worked OK, but when I connected to the GUI, the dashboard showed 0 traffic on all the interfaces except the WAN on eth0. I saw someone else reported this in this forum. This is not a significant problem, but I see others are having more serious trouble, so I downgraded to my saved v1.10.8.

 

I guess it is best to follow the rule to not install the vX.0.0 version of an OS if at all possible. I don't need the new features with my simple configuration.

 

New Member
Posts: 23
Registered: ‎12-07-2017

Re: EdgeMAX EdgeRouter software version v2.0.0 has been released!


Installed v2.0.0 on my EdgeRouter X. Everything works but I'm seeing similar issue as the previous poster.

My WAN eth0 shows Tx and Rx but eth4 port that is connected to a switch shows Tx and Rx bps, the switch0 shows Tx and Rx traffic.

Member
Posts: 224
Registered: ‎04-22-2018
Kudos: 26
Solutions: 2

Re: EdgeMAX EdgeRouter software version v2.0.0 has been released!

Hopefully we see 2.0.1 soon....
This 2.0.0 is a mess.

AP AC LITE
UAP nanoHD (x2)
Edgerouter 4

New Member
Posts: 27
Registered: ‎10-16-2018
Kudos: 12

Re: EdgeMAX EdgeRouter software version v2.0.0 has been released!


@EJFielding wrote:

I tried to install the v2.0.0 firmware on my EdgeRouter-X. It worked OK, but when I connected to the GUI, the dashboard showed 0 traffic on all the interfaces except the WAN on eth0. I saw someone else reported this in this forum. This is not a significant problem, but I see others are having more serious trouble, so I downgraded to my saved v1.10.8.

 

I guess it is best to follow the rule to not install the vX.0.0 version of an OS if at all possible. I don't need the new features with my simple configuration.

 


This issue was reported in the beta phases. It was never resolved therefore I’d wait for 2.0.1
 
