What's new

Router is either crashing or wifi is cutting out

  • SNBForums Code of Conduct

    SNBForums is a community for everyone, no matter what their level of experience.

    Please be tolerant and patient of others, especially newcomers. We are all here to share and learn!

    The rules are simple: Be patient, be nice, be helpful or be gone!

I'd also suggest you try this to try and clean things up.
Code:
opkg update
opkg remove --force-remove syslog-ng
Manually delete all this junk?


Code:
d# opkg update
Downloading https://bin.entware.net/aarch64-k3.10/Packages.gz
Updated list of available packages in /opt/var/opkg-lists/entware
jorg@RT-AX88U-F610:/tmp/mnt/sda5/entware/etc/init.d# opkg remove --force-remove syslog-ng
Removing package syslog-ng from root...
Not deleting modified conffile /opt/etc/syslog-ng.conf.
jorg@RT-AX88U-F610:/tmp/mnt/sda5/entware/etc/init.d# cat /opt/etc/syslog-ng.
syslog-ng.conf                      syslog-ng.conf-2022-02-25T15:01:31  syslog-ng.conf-opkg                 syslog-ng.d/
jorg@RT-AX88U-F610:/tmp/mnt/sda5/entware/etc/init.d# cat /opt/etc/syslog-ng.conf
#############################################################################
# syslog-ng.conf customized for scribe on Asuswrt-Merlin firmware
# compare to /opt/share/syslog-ng/examples/syslog-ng.conf-opkg for differences from Entware distribution
#
# syslog-ng documentation: https://www.syslog-ng.com/technical-documents/doc/syslog-ng-open-source-edition/3.35/administration-guide
#
# Release notes: https://github.com/syslog-ng/syslog-ng/releases

@version: 3.35
#@include "scl.conf" # uncomment this line to for additional functionality, see syslog-ng documentation
@include "/opt/etc/syslog-ng.d/" # Put any customization files in this directory

options {
    chain_hostnames(no); # Enable or disable the chained hostname format.
    create_dirs(yes);
    keep_hostname(yes); # Enable or disable hostname rewriting.
    log_fifo_size(256); # The number of messages that the output queue can store.
    log_msg_size(16384); # Maximum length of a message in bytes.
    stats_freq(21600); # The period between two STATS messages sent by syslog-ng, containing statistics about dropped logs in seconds; 0 disables. (21,600 seconds = 6 hours)
    flush_lines(0); # How many lines are flushed to a destination at a time.
    use_fqdn(no); # Add Fully Qualified Domain Name instead of short hostname.
};

# syslog-ng gets messages from the system, kernel, and syslog-ng (internal)
# DO NOT use system() source; causes issues on HND routers
# so_rcvbuf = maximum number of messages per second * 1024
source src {
    unix-dgram("/dev/log" so_rcvbuf(65536) flags(syslog-protocol));
    file("/proc/kmsg" program_override("kernel") flags(kernel));
    internal();
#    udp(ip(192.168.x.y) port(514)); # uncomment this line to pass all network messages through syslog-ng filters
};

# if you only want to pass network messages through some syslog-ng filters, uncomment the source line below
# then add "soource(net);" to the log statement in any filter you want to pass network messages through
#source net { udp(ip(192.168.x.y) port(514)); };

# set the filename for the default log file - anything not filtered out will end up here
destination messages { file("/opt/var/log/messages"); };

# to send log messages to the local network, uncomment the destination line below
# then add "destination(log_server);" to the log statement in any filter you want to pass network messages through
#destination log_server { udp("192.168.x.y" port(514)); };

log {
    source(src);
#    source(net); # uncomment this and "source net" function above to get udp log messages from local network
    destination(messages);
#    destination(log_server); # uncomment this and "destination log_server" function above to send udp log messages to local network
};
jorg@RT-AX88U-F610:/tmp/mnt/sda5/entware/etc/init.d#
 
Yes, delete all that stuff.
Code:
rm /opt/etc/syslog-ng.conf*
rm -fr /opt/etc/syslog-ng.d
 
Yes, delete all that stuff.
Code:
rm /opt/etc/syslog-ng.conf*
rm -fr /opt/etc/syslog-ng.d
Where is the regular built in syslog configured? I'm not gonna mess any of that up?
 
Hi,
I got quite the same situation as you have, I updated my AX88U from 388.1_0 to 388.2_2 a few days ago and after that it crashes 48 hours after a restart.
Behind my AX88U I have an RP-AX56 as AiMesh. After around 6 hours after a restart I lose the possibility to login into the router through explorer or app on mobile, I just got a Timeout.
To get the possibility to reconnect, I have to circle power the unit.
 
I am currently running the latest version of merlins firmware on my RT-AX68U and RT-AC86U operating in a wired mesh setup. I was getting a single disconnect once a day where I had to log into the main router and reconnect the mesh node. Fixing this issue required me to disable STP which isn't a big deal at all for most home networks. Please note that when I was running stock firmware on both routers, I did not see my mesh node disconnect, let alone disconnect once a day. Try disabling STP and see if that helps.
 
There are no config files for the built in syslog.
Would the steps we went through have broken the Skynet Stats in the GUI? It's not generating stats anymore and I tried the "Update Stats" button, but it didn't generate anything. I was able to generates some via the firewall menu via SSH.

1687200217117.png
 
Would the steps we went through have broken the Skynet Stats in the GUI? It's not generating stats anymore and I tried the "Update Stats" button, but it didn't generate anything. I was able to generates some via the firewall menu via SSH.
run these commands and see if it changes anything. Do you see any blocks in the system log?

Code:
firewall settings syslog default
firewall settings syslog1 default
 
run these commands and see if it changes anything. Do you see any blocks in the system log?

Code:
firewall settings syslog default
firewall settings syslog1 default
Ok, just ran those commands. Yes, I see lots of outbound blocks occurring and I'm trying to hunt to find out what processes are reaching out to them, and if they are truly malicious IPs which could indicate a potential compromise.
 
Ok, just ran those commands. Yes, I see lots of outbound blocks occurring and I'm trying to hunt to find out what processes are reaching out to them, and if they are truly malicious IPs which could indicate a potential compromise.
Try to run:
Code:
firewall debug genstats
to force stats creation and then check the GUI.
 
Please share the output of:
Code:
ls -laR /tmp/mnt/*/skynet/

Code:
# ls -laR /tmp/mnt/*/skynet/
/tmp/mnt/sda5/skynet/:
drwxrwxrwx    4 jorg     root          4096 Jun 18 18:26 .
drwxrwxrwx    6 jorg     root          4096 May 10 12:21 ..
-rw-rw-rw-    1 jorg     root         14033 Jun 19 15:37 events.log
drwxrwxrwx    2 jorg     root          4096 Jun 18 18:26 lists
-rw-rw-rw-    1 jorg     root           946 Jun 19 15:38 skynet.cfg
-rw-rw-rw-    1 jorg     root      28416166 Jun 19 15:00 skynet.ipset
-rw-rw-rw-    1 jorg     root      10141858 Jun 19 15:37 skynet.log
drwxrwxrwx    2 jorg     root          4096 Jun 19 15:38 webui

/tmp/mnt/sda5/skynet/lists:
drwxrwxrwx    2 jorg     root          4096 Jun 18 18:26 .
drwxrwxrwx    4 jorg     root          4096 Jun 18 18:26 ..
-rw-rw-rw-    1 jorg     root       3440424 Jun 18 18:26 1.txt
-rw-rw-rw-    1 jorg     root          8963 Jun 18 18:26 IPlist.list
-rw-rw-rw-    1 jorg     root          9495 Jun 18 18:26 alienvault_reputation.ipset
-rw-rw-rw-    1 jorg     root         52523 Jun 18 18:26 bds_atif.ipset
-rw-rw-rw-    1 jorg     root         17331 Jun 18 18:26 bi_any_2_30d.ipset
-rw-rw-rw-    1 jorg     root       1118160 Jun 18 18:26 blocklist_net_ua.ipset
-rw-rw-rw-    1 jorg     root        217763 Jun 18 18:26 ciarmy.ipset
-rw-rw-rw-    1 jorg     root         10459 Jun 18 18:26 coinbl_hosts_browser.ipset
-rw-rw-rw-    1 jorg     root         18928 Jun 18 18:26 cybercrime.ipset
-rw-rw-rw-    1 jorg     root          1083 Jun 18 18:26 dshield.netset
-rw-rw-rw-    1 jorg     root          1122 Jun 18 18:26 dshield_1d.netset
-rw-rw-rw-    1 jorg     root          1975 Jun 18 18:26 dyndns_ponmocup.ipset
-rw-rw-rw-    1 jorg     root         28201 Jun 18 18:26 emerging-Block-IPs.txt
-rw-rw-rw-    1 jorg     root         26785 Jun 18 18:26 et_block.netset
-rw-rw-rw-    1 jorg     root          6793 Jun 18 18:26 et_compromised.ipset
-rw-rw-rw-    1 jorg     root         16069 Jun 18 18:26 et_spamhaus.netset
-rw-rw-rw-    1 jorg     root        246933 Jun 18 18:26 export-ips_all.txt
-rw-rw-rw-    1 jorg     root         33175 Jun 18 18:26 firehol_level1.netset
-rw-rw-rw-    1 jorg     root        180652 Jun 18 18:26 firehol_level2.netset
-rw-rw-rw-    1 jorg     root        254466 Jun 18 18:26 firehol_level3.netset
-rw-rw-rw-    1 jorg     root         90427 Jun 18 18:26 greensnow.ipset
-rw-rw-rw-    1 jorg     root        105791 Jun 18 18:26 greensnow.txt
-rw-rw-rw-    1 jorg     root        194230 Jun 18 18:26 iblocklist_ciarmy_malicious.netset
-rw-rw-rw-    1 jorg     root        427502 Jun 18 18:26 iblocklist_pedophiles.netset
-rw-rw-rw-    1 jorg     root         14895 Jun 18 18:26 iblocklist_spamhaus_drop.netset
-rw-rw-rw-    1 jorg     root         32763 Jun 18 18:26 ip-blacklist
-rw-rw-rw-    1 jorg     root         10682 Jun 18 18:26 ipblocklist.txt
-rw-rw-rw-    1 jorg     root        246297 Jun 18 18:26 iprbl.txt
-rw-rw-rw-    1 jorg     root         43106 Jun 18 18:26 latest_blacklist.txt
-rw-rw-rw-    1 jorg     root          1035 Jun 18 18:26 malc0de.ipset
-rw-rw-rw-    1 jorg     root          9116 Jun 18 18:26 myip.ipset
-rw-rw-rw-    1 jorg     root          8627 Jun 18 18:26 normshield_high_attack.ipset
-rw-rw-rw-    1 jorg     root          3619 Jun 18 18:26 normshield_high_bruteforce.ipset
-rw-rw-rw-    1 jorg     root           309 Jun 18 18:26 raw.php
-rw-rw-rw-    1 jorg     root         16095 Jun 18 18:26 spamhaus_drop.netset
-rw-rw-rw-    1 jorg     root          4681 Jun 18 18:26 spamhaus_edrop.netset
-rw-rw-rw-    1 jorg     root          6359 Jun 18 18:26 strongips.txt
-rw-rw-rw-    1 jorg     root         52741 Jun 18 18:26 tor-exit-nodes.lst
-rw-rw-rw-    1 jorg     root       1163283 Jun 18 18:26 update
-rw-rw-rw-    1 jorg     root          3363 Jun 18 18:26 urlvir.ipset

/tmp/mnt/sda5/skynet/webui:
drwxrwxrwx    2 jorg     root          4096 Jun 19 15:38 .
drwxrwxrwx    4 jorg     root          4096 Jun 18 18:26 ..
-rw-rw-rw-    1 jorg     root        173077 May  9 21:51 chart.js
-rw-rw-rw-    1 jorg     root          9752 May  9 21:51 chartjs-plugin-zoom.js
-rw-rw-rw-    1 jorg     root         20765 May  9 21:51 hammerjs.js
-rw-rw-rw-    1 jorg     root         40277 May  9 21:51 skynet.asp
-rw-rw-rw-    1 jorg     root          8969 Jun 19 15:38 stats.js
jorg@RT-AX88U-F610:/tmp/home/root#
 
Is the “Display WebUI“ option showing enabled in the Skynet settings menu?

Or maybe easier to share:
Code:
cat /tmp/mnt/sda5/skynet/skynet.cfg
tail -10 /tmp/mnt/sda5/Skynet/skynet.log
grep skynetloc /jffs/scripts/firewall
 
Is the “Display WebUI“ option showing enabled in the Skynet settings menu?

Or maybe easier to share:
Code:
cat /tmp/mnt/sda5/skynet/skynet.cfg
tail -10 /tmp/mnt/sda5/Skynet/skynet.log
grep skynetloc /jffs/scripts/firewall
Looks like there's an issue with the second command:


Code:
# cat /tmp/mnt/sda5/skynet/skynet.cfg
################################################
## Generated By Skynet - Do Not Manually Edit ##
## Jun 19 16:00:05                            ##

## Installer ##
model="RT-AX88U"
localver="v7.4.4"
autoupdate="enabled"
banmalwareupdate="daily"
forcebanmalwareupdate=""
logmode="enabled"
filtertraffic="all"
swaplocation="/tmp/mnt/sda5/myswap.swp"

## Counters / Lists ##
blacklist1count="395293"
blacklist2count="17977"
customlisturl="https://raw.githubusercontent.com/jumpsmm7/GeneratedAdblock/master/filter.list"
customlist2url=""
countrylist=""
excludelists=""

## Settings ##
unbanprivateip="enabled"
loginvalid="disabled"
banaiprotect="enabled"
securemode="enabled"
extendedstats="enabled"
fastswitch="disabled"
syslogloc="/tmp/syslog.log"
syslog1loc="/tmp/syslog.log-1"
iotblocked="disabled"
iotports=""
iotproto="udp"
lookupcountry="enabled"
cdnwhitelist="enabled"
displaywebui="enabled"

################################################

jorg@RT-AX88U-F610:/tmp/home/root# tail -10 /tmp/mnt/sda5/Skynet/skynet.log
tail: can't open '/tmp/mnt/sda5/Skynet/skynet.log': No such file or directory
tail: no files

Last command was too big to post. Attached as .txt file.
 

Attachments

  • router.txt
    11.1 KB · Views: 32
Looks like there's an issue with the second command:


Code:
# cat /tmp/mnt/sda5/skynet/skynet.cfg
################################################
## Generated By Skynet - Do Not Manually Edit ##
## Jun 19 16:00:05                            ##

## Installer ##
model="RT-AX88U"
localver="v7.4.4"
autoupdate="enabled"
banmalwareupdate="daily"
forcebanmalwareupdate=""
logmode="enabled"
filtertraffic="all"
swaplocation="/tmp/mnt/sda5/myswap.swp"

## Counters / Lists ##
blacklist1count="395293"
blacklist2count="17977"
customlisturl="https://raw.githubusercontent.com/jumpsmm7/GeneratedAdblock/master/filter.list"
customlist2url=""
countrylist=""
excludelists=""

## Settings ##
unbanprivateip="enabled"
loginvalid="disabled"
banaiprotect="enabled"
securemode="enabled"
extendedstats="enabled"
fastswitch="disabled"
syslogloc="/tmp/syslog.log"
syslog1loc="/tmp/syslog.log-1"
iotblocked="disabled"
iotports=""
iotproto="udp"
lookupcountry="enabled"
cdnwhitelist="enabled"
displaywebui="enabled"

################################################

jorg@RT-AX88U-F610:/tmp/home/root# tail -10 /tmp/mnt/sda5/Skynet/skynet.log
tail: can't open '/tmp/mnt/sda5/Skynet/skynet.log': No such file or directory
tail: no files

Last command was too big to post. Attached as .txt file.
Sorry, 2 errors on my side:
Code:
tail -10 /tmp/mnt/sda5/skynet/skynet.log
grep skynetloc /jffs/scripts/firewall-start
 
Oh, could be more scribe leftovers. Please check:
Code:
ls -l /opt/bin/scribe
ls -l /opt/etc/syslog-ng.d/skynet

If either are found, remove them:
Code:
rm /opt/bin/scribe /opt/etc/syslog-ng.d/skynet
Also check the directory:
Code:
ls -laR /www/user/skynet
cat /www/user/skynet/stats.js
And also open your browser console with F12 and reload the Skynet GUI and look for errors.
 
Last edited:
Oh, could be more scribe leftovers. Please check:
Code:
ls -l /opt/bin/scribe
ls -l /opt/etc/syslog-ng.d/skynet

If either are found, remove them:
Code:
rm /opt/bin/scribe /opt/etc/syslog-ng.d/skynet
Also check the directory:
Code:
ls -laR /www/user/skynet
cat /www/user/skynet/stats.js
And also open your browser console with F12 and reload the Skynet GUI and look for errors.
Stats are working! I just removed "/opt/bin/scribe" - not sure if that is what fixed it as I hadn't refreshed the stats page today before I did that. Thank you!


Code:
# ls -l /opt/bin/scribe
lrwxrwxrwx    1 jorg     root            20 Feb 25  2022 /opt/bin/scribe -> /jffs/scripts/scribe
jorg@RT-AX88U-F610:/tmp/home/root# ls -l /opt/etc/syslog-ng.d/skynet
ls: /opt/etc/syslog-ng.d/skynet: No such file or directory
jorg@RT-AX88U-F610:/tmp/home/root# ls -l /jffs/scripts/ | grep -i scribe
jorg@RT-AX88U-F610:/tmp/home/root# rm /opt/bin/scribe
jorg@RT-AX88U-F610:/tmp/home/root# ls -laR /www/user/skynet
/www/user/skynet:
drwxrwxrwx    2 jorg     root           120 Jun 19 03:36 .
drwxr-xr-x    6 jorg     root           260 Jun 19 03:36 ..
lrwxrwxrwx    1 jorg     root            35 Jun 19 03:36 chart.js -> /tmp/mnt/sda5/skynet/webui/chart.js
lrwxrwxrwx    1 jorg     root            49 Jun 19 03:36 chartjs-plugin-zoom.js -> /tmp/mnt/sda5/skynet/webui/chartjs-plugin-zoom.js
lrwxrwxrwx    1 jorg     root            38 Jun 19 03:36 hammerjs.js -> /tmp/mnt/sda5/skynet/webui/hammerjs.js
lrwxrwxrwx    1 jorg     root            35 Jun 19 03:36 stats.js -> /tmp/mnt/sda5/skynet/webui/stats.js
jorg@RT-AX88U-F610:/tmp/home/root# cat /www/user/skynet/stats.js
function SetBLCount1() {
        document.getElementById("blcount1").innerHTML = "395293"
}

function SetBLCount2() {
        document.getElementById("blcount2").innerHTML = "17977"
}

function SetHits1() {
        document.getElementById("hits1").innerHTML = "3113"
}

function SetHits2() {
        document.getElementById("hits2").innerHTML = "355"
}

function SetStatsDate() {
        document.getElementById("statsdate").innerHTML = "Monitoring From Jun 19 17:00:01 To Jun 20 00:43:57"
}

function SetStatsSize() {
        document.getElementById("statssize").innerHTML = "Log Size - (956.0KB)"
}

var DataInPortHits;


1687267880520.png
 
Some of what's in your logs, I was also experiencing with my AX88U in every 388 family release, some more than others. Tried all sorts of things, it even happen with stock ASUSWRT.

Curious, when it happens (like me right in the middle of streaming a movie, once), if you were to run a Speedtest whether the results would be off what you would normally see. I don't mean weighed against what you're provisioned for. But if you normal is 900+Mbps up and down and when this happens its significantly less than that as measured at the router. Workstations and Wifi aren't immediately impacted...

I dropped back to 386.8 on the AX88u and 386.7_2 on the AX86u's and have been rock solid, same config on 388 unstable. Since it also happened on ASUSWRT, I suspect it's got 0 to do with Merlin...

See if any of this seems familiar: https://www.snbforums.com/threads/skynet-dnsmasq-flowcache-merlin-388-releases.85330/
 

Similar threads

Latest threads

Support SNBForums w/ Amazon

If you'd like to support SNBForums, just use this link and buy anything on Amazon. Thanks!

Sign Up For SNBForums Daily Digest

Get an update of what's new every day delivered to your mailbox. Sign up here!
Top