Netgate Discussion Forum

    Reproducible kernel panic with pfSense 2.2 and IPSEC

      sh0gun

      And what about the ALIX boards? As far as I know they are all 32bit.

        doktornotor Banned

        @sh0gun:

        And what about the ALIX boards? As far as I know they are all 32bit.

        Not getting any IPsec panics on Alix. (Also, make sure you did not enable some stupid features, like the infamous "Insert a stronger id into IP header of packets passing through the filter.")

          afasoas

          But your hardware is already 64-bit capable, at least as far as pfSense is concerned!
          Yes, Intel doesn't provide 64-bit video drivers, but that seems to be a non-issue here.

          @w0w:

          My system is D2500CC mini-ITX motherboard from Intel, all embedded into it.

            w0w

            @doktornotor:

            @sh0gun:

            And what about the ALIX boards? As far as I know they are all 32bit.

            Not getting any IPsec panics on Alix. (Also, make sure you did not enable some stupid features, like the infamous "Insert a stronger id into IP header of packets passing through the filter.")

            I don't think that hiding your client OS's unique ID behind a firewall is as stupid as you think it is.

              w0w

              @afasoas:

              But your hardware is already 64-bit capable, at least as far as pfSense is concerned!
              Yes, Intel doesn't provide 64-bit video drivers, but that seems to be a non-issue here.

              @w0w:

              My system is D2500CC mini-ITX motherboard from Intel, all embedded into it.

              Yep. But what is the point of using a 64-bit OS with 2GB of RAM? It also does not fix the problem in the 32-bit version :) There is some bug that must be fixed, and it is good, maybe, that it now points to the 32-bit version only, but next time it could be related to 64-bit only, so migrating between platforms is useless for me, until I read something like "64-bit freebsd is more secure and stable, don't use 32-bit anymore".

                afasoas

                Migrating between platforms resolves your problem, for the time being.
                If your memory usage is at 6% then I figure there should not be a problem switching over to 64-bit.

                  P3R

                  @w0w:

                  …so migrating between platforms is useless for me, until I read something like "64-bit freebsd is more secure and stable, don't use 32-bit anymore".

                  Ahh, I think you mean this:

                  "…64 bit is more widely used, what we test the most with, and what most of our development is done using.

                  32 bit is a dying breed. FreeNAS and DragonflyBSD both just put out their last releases with 32 bit support. While we'll still continue to support 32 bit in 2.2.x releases and possibly beyond that, ending 32 bit support is certainly on the road map and will happen sooner than later.

                  There is no reason to use 32 bit over 64 today, if your hardware is 64 bit capable, you should only be running 64 bit."

                  Chris Buechler, November 27th, 2014 (https://forum.pfsense.org/index.php?topic=84679.msg464432#msg464432)

                    jimp Rebel Alliance Developer Netgate

                    See also:
                    https://doc.pfsense.org/index.php/Does_pfSense_support_64_bit_systems

                    https://doc.pfsense.org/index.php/Is_32-bit_or_64-bit_pfSense_Preferred

                      w0w

                      Ok… At least I'll give it a try. Later, next week maybe :)

                        georgeman

                        Still, do we have any clues on the issue itself? It affects Alix boards and similar hardware to at least some degree (besides some other reports, I had to downgrade some production boxes myself due to random reboots which I am sure are related to all this). Unfortunately I couldn't find a specific trigger, but there seem to be several crash dumps and reproducible configs available.

                        If it ain't broke, you haven't tampered enough with it

                          w0w

                          https://redmine.pfsense.org/issues/4454 Looks like something is moving forward, at least for me, thanks to Chris Buechler.

                            w0w

                            Ok, installed amd64, no more kernel panic when the "Insert strong ID…" option is enabled. So yes, I can confirm that the x86 platform is affected and amd64 is not.

                              eri--

                              Can you try to set net.inet.ipsec.directdispatch to 0 and see if the panic goes away?

                                flix87

                                Updated my pfSense in the lab to 2.2.1, same behavior.
                                Then I tried to set net.inet.ipsec.directdispatch to 0.

                                Looks good so far. Stable for about 30 minutes (before, I got a kernel panic after about 30 seconds).

                                  eri--

                                  Can you describe your WAN interface?

                                    flix87

                                    In our lab I used 3 pfSenses:

                                    one, so to say, provider with a PPPoE server (Version 2.2.1 Vmware)

                                    then I have one pfSense which stands for my company firewall (Version 2.1.5 Vmware)

                                    and I have another pfSense which stands for my home pfSense (Version 2.2.1 Alix2d3)

                                    Both pfSenses from company and home have a PPPoE WAN interface which is connected to my provider pfSense.

                                    On my home pfSense I also have a VLAN tag added, like I have to do at my real home pfSense.

                                      eri--

                                      Ok, there is an open issue for this scenario already.

                                      Thank you for the information.

                                        flix87

                                        Yes, my scenario is like the one described before in this thread.
                                        But setting net.inet.ipsec.directdispatch to 0 seems to "workaround" the issue,
                                        so there may be hope for all 32 Bit Users  ;)

                                          w0w

                                          ermal, do you need my report too? :)
                                          Actually I am the man who reported the issue. But I moved my box to the amd64 version…
                                          I ask because I have trouble restoring the old x86 backup, so a new installation takes time... I can do it, but only if it is really needed.

                                            eri--

                                            Nope, the scenario is clear.
