PfSense 2.4.1 - ikev2 IPSEC tunnel under load crashes whole firewall VM
-
I have the same issue on a SG-2440 unit.
As soon the GB's are flowing through the IPSec tunnel the unit crashes within a few minutes.
Also on the SG-2440 disabling AES-NI (System/Advanced/Misc) seems to prevent the crashes.
This behavior is introduced since version 2.4.0, release 2.3.4-P1 was working fine. -
Hello pfSense team,
I did some research and found following bug https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=219356
I followed behavior description, and it is the same bug - after changing encryption from AES-GCM to AES tunnel is stable as was in pfSense 2.3
Looks like some regression …
Regards,
GyroK
-
Who should be able to fix this bug?
Is it the pfsense team, or should this be fixed by the FreeBSD developers? -
@RMB:
Is it the pfsense team, or should this be fixed by the FreeBSD developers?
It has been fixed, in FreeBSD 11-STABLE, so this particular fix might get imported into pfSense. Don't know.
Doesn't seem to be much activity, so I'll dump this in the pfSense bug tracker, because, well, I think we can safely say it's a bug. -
Great, thanks!
-
Any news on this bug?
The problem is still there in version 2.4.2.
I have to disable AES-NI to prevent a kernel panic during load through an IPSec tunnel. -
Nope, but feel free to comment on the redmine bug repo:
https://redmine.pfsense.org/issues/8070Or find someone with a support contract that can complain. ::)
-
Having what I believe is this issue since moving to 2.4.x
Here is a picture of the console with the Kernel crash.
No log available.
Reverted back to version 2.3.x and the problem has not occurred as of yet.
-
One clarification on my application, using a supermicro motherboard with pfsense installed directly to hard drive. No VM Software involved.
-
Anyone know if this release has a fix for this issue?
2.4.3-DEVELOPMENT (amd64)
built on Tue Mar 13 10:14:21 CDT 2018
FreeBSD 11.1-RELEASE-p7I see this is a patched version of FreeBSD, and there was a reference to ipsec fixes in the release notes, but it wasn't clear if this fixed this same issue.
-
Anyone know if this release has a fix for this issue?
2.4.3-DEVELOPMENT (amd64)
built on Tue Mar 13 10:14:21 CDT 2018
FreeBSD 11.1-RELEASE-p7I see this is a patched version of FreeBSD, and there was a reference to ipsec fixes in the release notes, but it wasn't clear if this fixed this same issue.
Unfortunately, this bug is still valid with the following SW version:
2.4.3-RELEASE (amd64)
built on Mon Mar 26 18:02:04 CDT 2018
FreeBSD 11.1-RELEASE-p7GCM mode cannot be used on the machines with AES-NI.
Regards,
GyroK -
To claim it's unusable in general is untrue. The crash must be specific to a certain combination of hardware, traffic load, and/or pattern of traffic.
Loads of people are using AES-NI and AES-GCM without crashing, including just about every Netgate employee from our home firewalls.
Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!
Need help fast? Netgate Global Support!
Do not Chat/PM for help!
-
Can confirm this is occurring for me on two different systems.
Both are running on ESXi 6.5, one on DL380 G8, the other on DL380 G9.
NIC type is vmxnet3, open-vm-tools installed on both.
Phase 1: AES128-GCM / 128 / SHA1 / DH2
Phase 2: AES128-GCM / AES-XCBC / no PFSHard crash with a reboot within 5 minutes of initiating continuous iperf run, sometimes one side, sometimes both.
Switching to any non-AES-NI algorithms kills throughput, but doesn't hard crash.
My```
dmesg | grep -i aesFeatures2=0xffba2203 <sse3,pclmulqdq,ssse3,cx16,pcid,sse4.1,sse4.2,x2apic,popcnt,tscdlt,aesni,xsave,osxsave,avx,f16c,rdrand,hv>aesni0: <aes-cbc,aes-xts,aes-gcm,aes-icm>on motherboard</aes-cbc,aes-xts,aes-gcm,aes-icm></sse3,pclmulqdq,ssse3,cx16,pcid,sse4.1,sse4.2,x2apic,popcnt,tscdlt,aesni,xsave,osxsave,avx,f16c,rdrand,hv>
I'll do some more testing this weekend when there's not as much production traffic flowing but for right now I'm knocked back down to plain AES. It does indeed make pfSense unusable for installations requiring decent IPSec interconnect speeds. Considering this issue I'll likely move to VyOS for my concentrators. Has anyone attempted to use the patch from the previous FreeBSD thread posted? Edit: both running 2.4.3-Release -
@jimp we're experiencing the same problem. One client, using AES256-gcm, reliably crashes the SG-8860 w/pfsense 2.4.3 when using e.g. speedtest.net (during the upload phase), another can't bring it down at all. Switching back to plain AES with SHA512 seems to fix it for now. All clients are Macbook Pros.
Kind regards,
Lukas -
is AES256-GCM better than AES?
-
AES-GCM is an authenticated cipher so you can eliminate the hashing step. If max IPsec performance is what you seek, AES-GCM is the way to go.
-
I got 2 sites connected via IPSEC using AES. Both have 100Mb connection to internet. And IPSEC uses the whole 100Mb bandwidth on file transfers. So what is the limitation for AES, compared to AES-GCM?
-
AES-GCM will consume fewer CPU cycles to accomplish the same task.
-
So basically, if you got powerful enough CPU/PC it dosn't matter which algorithm to use?
-
AES-GCM will use fewer CPU cycles to accomplish the same task.
Fewer cycles means more cycles available for other tasks.
You can waste them if you so desire.
