From: Chris Buechler <cmb@pfsense.org>
Date: Sat, 20 Jun 2009 20:02:13 -0400
To: freebsd-net@FreeBSD.org
Subject: Re: IPsec crash, patch for review
Message-ID: <4A3D7885.9010809@pfsense.org>
In-Reply-To: <20090619130040.GA53996@zeninc.net>
References: <20090619130040.GA53996@zeninc.net>
List-Id: Networking and TCP/IP with FreeBSD

Hi,

VANHULLEBUS Yvan wrote:
> Hi all.
>
> We (NETASQ) had some IPsec related kernel crashes, and hunted them;
> here is some information and a possible patch:
>
>
> First, the problem only occurs when asynchronous crypto is done
> (hardware encryption such as hifn cards, or a software patch to do
> encryption on a separate kthread when having multiple CPUs).
>

We tried this patch on 7.2 (with patch-natt-7.2-2009-05-12.diff from your ~) due to a seemingly similar problem, but IPsec stops working with the patch applied.

Using the test setup:

Host A -- fwA -- fwB -- Host B

where fwA has the patch and fwB is the same 7.2 minus this patch, and there is an IPsec connection between fwA and fwB.

It brings up the connection no problem, and if I leave a constant ping going, every time I restart racoon on fwA I get exactly one response through. From tcpdump on enc0 on both ends and on the actual NICs, I see that traffic from Host B to Host A gets all the way through the tunnel to Host A, it responds, the response is seen on fwA's LAN port, but it doesn't hit enc0. Traffic from Host A to Host B is seen on the LAN port of fwA, but not on enc0 and not on enc0 of the remote side.

Replace the kernel on fwA with one minus the patch and it works fine (except it will spontaneously reboot under high load).

That's with patch-xform_freespfix-3. Should that work with 7.2 in combination with the NAT-T patch? It applies cleanly.

thanks,
Chris