pfSense Crash "Fatal trap 12: page fault while in kernel mode"
-
How often are you seeing this? Can you replicate it on demand?
We don't yet have a way to replicate it locally which makes debugging difficult.
-
Are you actually using IPv6? Otherwise you can try disabling IPv6 link-local addresses as I outlined above.
-
@stephenw10 I have had it happen once now. I have a hunch that it happened when a new user joined our Tailnet from a local LAN network behind pfsense and tried accessing some route advertised by the Tailscale package on pfsense. I will try replicating it, but I think it's rather random as it only happened once, and it has been up and running for some months before.
-
@stephenw10 Yes, we do use IPv6, so disabling it is not really an option for us.
-
You're not using IPv6 inside the tailnet though? Or explicitly as a tunnel endpoint?
-
@stephenw10 No, but it assigns IPv6 to a client by default and I'm not really sure you can disable that in tailscale.
-
You should be able to disable that in tailscale but it shouldn't make any difference since it's tailscale itself that's binding to it.
-
@stephenw10 Yeah, I don't believe that is possible for the Tailscale network. Is this an issue with pfSense or with the Tailscale package?
-
It appears to be a bug in FreeBSD/pfSense. It's just that the tailsale daemon hits it more often than anything else because it always binds to every IP address.
Just to confirm you saw this randomly in runtime? Not during boot?
-
@stephenw10 Yes, this was during runtime.
Also, I'm not sure if that could be connected, but quite a lot of users joined the Tailscale network that day when the crash happened. We also advertise several routes from the pfsense in the Tailscale package to allow some users access to internal services but there is nothing else really special in the configuration.
-
I don't think new users should trigger this since the daemon doesn't bind to it's own internal addresses. More likely this was some address change on another interface locally.
The only other thing we have seen recently was ntpd not starting due to an IPv6 local address being ,marked as duplicate. But as far as I know that can only happen at boot.
-
Would there be anything I can provide to help you find the bug that causes these crashes? Or are there some fixes already being implemented that should mitigate this issue? I'm just trying to find out what my options are right now.
-
Are you able to trigger this reliably at all?
The biggest issue we have fixing it is that we haven't been able to replicate it locally and users who are seeing it do so only sporadically. So getting data is difficult.
