What's new

RT-AX88U creates a lot of dropbear processes after update

  • SNBForums Code of Conduct

    SNBForums is a community for everyone, no matter what their level of experience.

    Please be tolerant and patient of others, especially newcomers. We are all here to share and learn!

    The rules are simple: Be patient, be nice, be helpful or be gone!

corgan2224

Occasional Visitor
Hello,

after updating my RT-AX88U to the latest Firmware: 3004.388.6_2 I got a lot of "Too many processes" warnings from my Zabbix.
As you can see in the screenshot, the data of the last 7 days. Normally the device runs around 180 processes, but this increase to 700 till the alarm.
I rebooted the device twice, but the problem stays the same.

1710016994405.png


I logged in via ssh which process cause this and found >500 dropbear processes running.

1710017379878.png


If I look up the systemlog for the same time, I can't see anything about this.


Mar 9 20:42:25 spdMerlin: Retrieving data for WebUI charts
Mar 9 21:00:16 bsd: bsd: Sending act Frame to 50:1f:c6:6e:09:b5 with transition target eth6 ssid 0c:9d:92:02:df:18
Mar 9 21:00:17 bsd: bsd: STA:50:1f:c6:6e:09:b5 no response
Mar 9 21:00:17 bsd: bsd: Sending act Frame to 50:1f:c6:6e:09:b5 with transition target eth6 ssid 0c:9d:92:02:df:18
Mar 9 21:00:18 bsd: bsd: STA:50:1f:c6:6e:09:b5 no response
Mar 9 21:12:00 spdMerlin: Starting speedtest using using auto-selected server for WAN interface
Mar 9 21:12:26 bsd: bsd: Sending act Frame to 50:1f:c6:6e:09:b5 with transition target eth6 ssid 0c:9d:92:02:df:18
Mar 9 21:12:27 bsd: bsd: STA:50:1f:c6:6e:09:b5 no response
Mar 9 21:12:27 bsd: bsd: Sending act Frame to 50:1f:c6:6e:09:b5 with transition target eth6 ssid 0c:9d:92:02:df:18
Mar 9 21:12:27 spdMerlin: Speedtest results - Download: 761.05 Mbps (data used: 819.2 MB, additional servers: 3) - Upload: 54.01 Mbps (data used: 67.4 MB)
Mar 9 21:12:27 spdMerlin: Connection quality - Idle Latency: 16.51 ms (jitter: 2.73ms, low: 12.98ms, high: 17.45ms) - Packet Loss: 0.5%
Mar 9 21:12:27 spdMerlin: Retrieving data for WebUI charts
Mar 9 21:12:28 bsd: bsd: STA:50:1f:c6:6e:09:b5 no response
Mar 9 21:42:00 spdMerlin: Starting speedtest using using auto-selected server for WAN interface
Mar 9 21:42:26 spdMerlin: Speedtest results - Download: 627.12 Mbps (data used: 686.3 MB, additional servers: 3) - Upload: 52.58 Mbps (data used: 60.1 MB)
Mar 9 21:42:26 spdMerlin: Connection quality - Idle Latency: 16.57 ms (jitter: 1.98ms, low: 15.50ms, high: 18.38ms) - Packet Loss: 0.5%
Mar 9 21:42:26 spdMerlin: Retrieving data for WebUI charts

Installed addon: spdMerlin and connmon, latest version.
Any Ideas?

tnxs Stefan
 
This is usually a client issue. Try disabling whatever it is that's collecting the Zabbix data and seeing if that's the cause. Otherwise look for other things on your LAN that can spam the router's SSH port.
 
This is usually a client issue. Try disabling whatever it is that's collecting the Zabbix data and seeing if that's the cause. Otherwise look for other things on your LAN that can spam the router's SSH port.

Zabbix Agent is running on the router, so normally this goes from the router -> zabbix server
But I deactivate it for now and will check tomorrow.


1710019865544.png
 
...
As you can see in the screenshot, the data of the last 7 days. Normally the device runs around 180 processes, but this increase to 700 till the alarm.
...
I logged in via ssh which process cause this and found >500 dropbear processes running.
...
If I look up the systemlog for the same time, I can't see anything about this.
When you have such a situation with many rogue processes, you should try to do a more targeted search on the syslog files (assuming the log rotation has not yet deleted the relevant entries).

For example, to get relevant info from the dropbear process entries still found in the syslog files type the following command in an SSH terminal window:
Bash:
grep -E "dropbear\[[0-9]+\]: Child" /tmp/syslog.log-1 /tmp/syslog.log
The above should output one line per process indicating the entry's timestamp and the associated connection IP address, which should point you to the specific device (or devices) initiating the dropbear SSH sessions.

Here's another way to get the same info but only for currently running dropbear processes:
Bash:
{
   echo ; for PIDnum in $(ps | grep "dropbear -p" | grep -v grep | awk '{print $1}')
   do grep -E "dropbear\[${PIDnum}\]: Child" /tmp/syslog.log-1 /tmp/syslog.log ; done ; echo
}

Here's a screenshot showing the output from my router:

syslog_Dropbear_Processes.jpg


HTH
 
Last edited:
That was the first thing I tried. But as I wrote in my first post, there is nothing in the syslog.

1710074409038.png


My syslog is set to info:
1710074499167.png


greetings
 
You have changed the syslog levels from the defaults so you won't see the dropbear "Child connection" messages. dropbear messages are at info and notice level.
 
Last edited:
@corgan2224
Forgive me if I missed it but which firmware did you upgrade from? When did you last factory reset and setup from scratch?
 

Similar threads

Support SNBForums w/ Amazon

If you'd like to support SNBForums, just use this link and buy anything on Amazon. Thanks!

Sign Up For SNBForums Daily Digest

Get an update of what's new every day delivered to your mailbox. Sign up here!
Top