Observed with pfSense 2.4.5p1 and Suricata 5.0.3 (and presumably older versions of both)
Once you enable Suricata config sync, any configuration change takes *ages* to save because the syncs basically start failing to complete – eventually falling through to timeouts.
You might start to see synchronisation errors like this on the master (which will get flagged up as notifications):
/rc.filter_synchronize: A communications error occurred while attempting to call XMLRPC method host_firmware_version:
and/or
/suricata/suricata_logs_mgmt.php: A communications error occurred while attempting to call XMLRPC method exec_php:
and/or
/rc.filter_synchronize: New alert found: A communications error occurred while attempting to call XMLRPC method restore_config_section:
You might also notice that CARP is – to put it mildly – freaking out:
Carp backup event
Carp backup event
Carp backup event
And that OpenVPN and other packages are likewise having problems, stopping/starting/restarting because pfSense thinks the WAN IP has changed as the CARP state flaps back and forth, with the system logging things like:
/rc.newwanip: rc.newwanip: Info: starting on ovpns1.
/rc.newwanip: rc.newwanip: on (IP address: ) (interface: []) (real interface: ovpns1).
/rc.newwanip: rc.newwanip called with empty interface.
/rc.newwanip: pfSense package system has detected an IP change or dynamic WAN reconnection - -> - Restarting packages.
The issue is likely that you have promiscuous mode enabled on your Suricata interfaces (because enabling it is the *default*).
The kernel toggling promiscuous mode off and on as Suricata reloads during each sync causes carnage with the sync TCP connection, with CARP, and in turn with everything else.
Promiscuous mode should not be required if you are using Suricata in-line at layer 3 (i.e. on the firewall that hosts your default gateway, which is probably why CARP is running to begin with).
Simply disable promiscuous mode (at the very *least* on any interfaces you’re running CARP on, which is probably all of them in an HA setup) and you’ll find things behave much better, and config syncs complete nice and fast again.