Community discussions

MUM Europe 2020
 
pacmanfan
just joined
Topic Author
Posts: 13
Joined: Mon Jun 30, 2008 7:05 am

v6.28 unstable after importing certificate

Sat May 16, 2015 8:27 am

I am using the following guides to set up OVPN server, using a certificate from CACert:
http://wiki.mikrotik.com/wiki/OpenVPN_C ... ep_by_Step
http://wiki.mikrotik.com/wiki/OpenVPN#C ... CAcert.org

Immediately after importing the certificate-response.pem file (the cert from CACert), free memory begins dropping steadily for about 15 seconds, before it suddenly nosedives to around 4mb, CPU usage hits 100%, and the router drops all connections for a little bit. Once I can get back into winbox, the free memory countdown has already begun again. This cycle repeats about every 30 seconds, indefinitely. When I delete the imported cert, the memory usage stabilizes, but the CPU stays at 100% until I reboot the router.

This is repeatable in my environment, I cannot get it to import the certificate without immediately becoming unstable.

This is on an RB2011iL-RM.
 
User avatar
pukkita
Trainer
Trainer
Posts: 3001
Joined: Wed Dec 04, 2013 11:09 am
Location: Spain

Re: v6.28 unstable after importing certificate

Sat May 16, 2015 3:29 pm

could you post /system routerboard print?
Simplicity is the Ultimate Sophistication - Da Vinci
Getting the most out of this forum
 
pacmanfan
just joined
Topic Author
Posts: 13
Joined: Mon Jun 30, 2008 7:05 am

Re: v6.28 unstable after importing certificate

Mon May 18, 2015 4:42 am

[user@MikroTik] > /system routerboard print
routerboard: yes
model: 2011iL
serial-number: 5BED040DFCBE
current-firmware: 3.19
upgrade-firmware: 3.22
 
User avatar
pukkita
Trainer
Trainer
Posts: 3001
Joined: Wed Dec 04, 2013 11:09 am
Location: Spain

Re: v6.28 unstable after importing certificate

Mon May 18, 2015 12:32 pm

Can you import again that cert but this time with an eye on /tools profile looking for the most CPU consuming process once you click on OK for the import?
Simplicity is the Ultimate Sophistication - Da Vinci
Getting the most out of this forum
 
pacmanfan
just joined
Topic Author
Posts: 13
Joined: Mon Jun 30, 2008 7:05 am

Re: v6.28 unstable after importing certificate

Thu May 21, 2015 2:57 pm

Well, the behavior changed a bit... Now when I import the cert, the memory loss is happening very slowly, with free memory dropping from 45mb to 32-35mb in 15-18 minutes, at which point a runaway memory/cpu use crunch occurs, triggering a reboot--every 15-18 minutes.

The cpu profile category that shows high usage during the runaway is "unclassified".
 
User avatar
pukkita
Trainer
Trainer
Posts: 3001
Joined: Wed Dec 04, 2013 11:09 am
Location: Spain

Re: v6.28 unstable after importing certificate

Thu May 21, 2015 3:44 pm

Have you tested if it happens also with older ROS versions? (downgrade)
Simplicity is the Ultimate Sophistication - Da Vinci
Getting the most out of this forum
 
pacmanfan
just joined
Topic Author
Posts: 13
Joined: Mon Jun 30, 2008 7:05 am

Re: v6.28 unstable after importing certificate

Fri May 22, 2015 10:14 am

No... This RB2011 shipped with a relatively recent v6 version, and I don't think I can downgrade it to v5. Would it be worth downgrading within the v6 branch?
 
User avatar
pukkita
Trainer
Trainer
Posts: 3001
Joined: Wed Dec 04, 2013 11:09 am
Location: Spain

Re: v6.28 unstable after importing certificate

Fri May 22, 2015 11:18 am

Yes, I meant 6.27 no need for 5x...
Simplicity is the Ultimate Sophistication - Da Vinci
Getting the most out of this forum
 
User avatar
mrz
MikroTik Support
MikroTik Support
Posts: 5970
Joined: Wed Feb 07, 2007 12:45 pm
Location: Latvia
Contact:

Re: v6.28 unstable after importing certificate

Fri May 22, 2015 1:05 pm

Does certificates use CRL?
 
miffe
just joined
Posts: 2
Joined: Fri May 29, 2015 12:28 am

Re: v6.28 unstable after importing certificate

Fri May 29, 2015 12:31 am

I upgraded from 6.27 straight to 6.29 and now have the same problem. It runs out of memory in under 30 seconds.
Deleteing all certificates fixes the problem.

I use GoDaddy certs and they use CRL.
 
miffe
just joined
Posts: 2
Joined: Fri May 29, 2015 12:28 am

Re: v6.28 unstable after importing certificate

Fri May 29, 2015 12:40 am

The CRL url for my certificate is: http://crl.godaddy.com/gdig2s1-87.crl
 
User avatar
mrz
MikroTik Support
MikroTik Support
Posts: 5970
Joined: Wed Feb 07, 2007 12:45 pm
Location: Latvia
Contact:

Re: v6.28 unstable after importing certificate

Fri May 29, 2015 12:33 pm

It is 6.5MB large file, internally by SSL library it will use ~65MB of RAM. Make sure your router has enough free memory, for routers with less memory use certificates without CRL.
 
endurofever
just joined
Posts: 3
Joined: Tue May 19, 2015 11:15 pm

Re: v6.28 unstable after importing certificate

Sat May 30, 2015 4:40 am

Can we disable the CRL functionality so that we can still import these CA's?

I ran into this one with CA Cert today and it had me stumped for hours.
 
User avatar
mrz
MikroTik Support
MikroTik Support
Posts: 5970
Joined: Wed Feb 07, 2007 12:45 pm
Location: Latvia
Contact:

Re: v6.28 unstable after importing certificate

Mon Jun 01, 2015 10:44 am

Please contact support.

Who is online

Users browsing this forum: ahmedit, nagasai and 101 guests