====== PFSense - Suricata - Troubleshooting - Service Starts and then Fails ======

The Suricata service starts and then stops.

Restarting the service does not help in any way and on the pfSense system logs you are shown the following errors:

<code>
12345  [101491] <Error>-[ERRCODE:SC_ERR_POOL_INIT(66)]-pool grow failed
12345  [101491] <Error>-[ERRCODE:SC_ERR_POOL_INIT(66)]-alloc error
</code>

----

===== Check Logs =====

Navigate to **Service –> Suricata –> Logs View**.

  * Interface to View:  **Select the interface**.
  * Log file to view:  **suricata.log**.

The error was:

<code>
<Error> — [ERRCODE: SC_ERR_INITIALIZATION(45)] – pid file ‘/var/run/suricata_ix047769.pid’ exists but appears stale. Make sure Suricata is not running and then remove /var/run/suricata_ix047769.pid. Aborting!
</code>

----

===== Resolution =====

==== Delete existing Suricata pid ====

Navigate to **Diagnostics –> Command Prompt**.

<code bash>
rm -f /var/run/suricata_ix047769.pid
</code>

<WRAP info>
**NOTE:**  If you start Suricata now it will start again but then fail as the real issue is the **Stream Memory Cap** limit which you need to increase.

See https://forum.pfsense.org/index.php?topic=136805.0.

</WRAP>

Navigate to **Services –> Suricata –> Interfaces**.

  * Click on the edit icon for the interface in question.
  * Select the **WAN Flow/Stream** tab.


In **Stream Engine Settings**:

  * Stream Memory Cap:  **268435456**.
  * Click **Save**.

<WRAP info>
**NOTE:**  This increases memory to 256MB.

Probably need to at least double the Stream Mem Cap setting.  If this fails, double again.
</WRAP>


Navigate to **Services –> Suricata –> Interfaces**.

  * Start the service.