2.2.2 IPSec on Nanobsd
-
Hi,
I'm still having issues with the nanobsd image when running IPSec.
It keeps randomly rebooting anywhere between 10 min and 20 hours…
The output in the sys log after reboot is as follows.
Apr 19 15:38:20 kernel: KDB: enter: panic
Apr 19 15:38:20 kernel: cpuid = 0
Apr 19 15:38:20 kernel: panic: double fault
Apr 19 15:38:20 kernel: cpuid = 0; apic id = 00
Apr 19 15:38:20 kernel: ebp = 0xecf46050
Apr 19 15:38:20 kernel: esp = 0xecf45fe8
Apr 19 15:38:20 kernel: eip = 0xc0cce11f
Apr 19 15:38:20 kernel: Fatal double fault:
Apr 19 15:38:20 kernel:
Apr 19 15:38:20 syslogd: kernel boot file is /boot/kernel/kernel
The strange thing is that the other side of the IPSec tunnel is a pfsense 2.2.2 running on a virtual machine which doesn't have that issue. It is running without any issues.
I've already reinstalled the whole box from scratch.
Is there any way I can provide extra info for the developers for them to fix this issue?
Anybody else having this issue?
Thanks
-
There is a tunable, net.inet.ipsec.directdispatch. Set it to 0 and see if you get the same issues.
-
What does this tunable do or when is it advised to be changed?
I set up an IPsec tunnel today from a Nano install on an APU to an external router (non-pfsense). When firing up the tunnel for the first time the APU rebooted with a kernel panic (I sent the report to you through the GUI). Since then everything seems fine - but it has only run for 8 hours and I can't tell about the long run yet.
-
If you're using IPsec on 32 bit, it appears to work around a crash when you're accessing the system's own IP(s) across the VPN (like hitting the web interface on the LAN IP). I haven't seen any scenarios where that's helpful on 64 bit.
-
Think I can run 64bit Nano on APUs now, right? Time for a clean install then as I currently use i386 with it.
-
Yes, definitely best to run 64 bit on APUs. We've never run them with 32 bit internally, so there might be any number of 32 bit specific issues with them.
-
Hi
It's been 2 days now and I didn't have any crash anymore.
So I guess this fixes the issue.
Since the box is a Soekris, as far as I can tell 64 bit is not supported, so that's not an option.
Thanks
-
I have seen the same symptoms on a PC Engines ALIX (not an APU).
The remote end reboots in somewhere between 30 seconds and 1 hour when IPsec (strongSwan) is enabled. I disabled IPsec and the box has been up solid for three hours now.
Details:
- Far end PC Engines Alix with 256 MB ram running pfsense 2.2.2 i386
- Near end is a generic Atom board running pfsense 2.2.2 64-bit
- IPSEC phase one is built from IPv4 to IPv4 addresses, both static
- Phase 2 is a /24 network remotely to a /16 network locally.
I can't see anything useful in the logs after a reboot - they start with Kernel booting. Even setting syslog to log over the tunnel was not able to produce any logs.
So I'll try this tunable and see if it does anything. I will report in 24 hours.
–-------------
UPDATE - 14 hours later the remote alix has not yet rebooted, but the tunnel is up and stable the whole time. FIXED for me! Thanks!
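
Added example, not part of the thread and not pfSense code: a Python script that groups panic lines like those in the first post into one record per crash (the syslogd boot line closes each record), so a recurring fault address and the time between crashes can be attached to a report. The sample log is constructed from the post's format; the second event and the default year are assumptions.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample: event 1 copies the post's log format, event 2 is invented.
SAMPLE = """\
Apr 19 15:38:20 kernel: KDB: enter: panic
Apr 19 15:38:20 kernel: panic: double fault
Apr 19 15:38:20 kernel: ebp = 0xecf46050
Apr 19 15:38:20 kernel: esp = 0xecf45fe8
Apr 19 15:38:20 kernel: eip = 0xc0cce11f
Apr 19 15:38:20 syslogd: kernel boot file is /boot/kernel/kernel
Apr 19 19:02:45 kernel: panic: double fault
Apr 19 19:02:45 kernel: eip = 0xc0cce11f
Apr 19 19:02:45 syslogd: kernel boot file is /boot/kernel/kernel
"""

LINE = re.compile(r"^(\w{3} +\d+ \d\d:\d\d:\d\d) (\w+):\s?(.*)$")
REG = re.compile(r"^(e[a-z]{2}) = (0x[0-9a-f]+)$")  # i386 register dump lines

def parse_panics(text, year=2015):  # year is assumed: syslog lines omit it
    """Return one dict per panic; the syslogd boot line closes each event."""
    events, cur = [], None
    for raw in text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue
        stamp, prog, msg = m.groups()
        if prog == "kernel":
            cur = cur or {"panic": None, "regs": {}}
            if msg.startswith("panic: "):
                cur["panic"] = msg[len("panic: "):]
                cur["time"] = datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")
            elif (r := REG.match(msg)):
                cur["regs"][r.group(1)] = int(r.group(2), 16)
        elif prog == "syslogd" and "kernel boot file" in msg:
            if cur and cur["panic"]:
                events.append(cur)
            cur = None
    return events

def summarize(events):
    """Count panics per (type, eip) and seconds elapsed between panics."""
    sites = Counter((e["panic"], hex(e["regs"].get("eip", 0))) for e in events)
    gaps = [int((b["time"] - a["time"]).total_seconds()) for a, b in zip(events, events[1:])]
    return sites, gaps

if __name__ == "__main__":
    print(summarize(parse_panics(SAMPLE)))
```

The same (panic type, eip) pair repeating across reboots points to a single fault site rather than unrelated crashes.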