[Solved] unbound unresponsive



  • I recently started doing VLANs on my Nokia IP390 running the latest pfSense 2.3.3. I am running 7 VLANs on one port and it seems to be working great, except one major issue.

    53471 unbound    52    0 21372K 10692K crydev  0:17  0.00% /usr/local/sbin/unbound -c /var/unbound/unb

    After about 5-10 minutes, unbound becomes unresponsive and the only way to fix it is to reboot the router, which then happens again. What would cause this? I try googling "crydev" and it comes up with nothing. I can't restart the process and it will not let me kill it.


  • Rebel Alliance Developer Netgate

    What is the date on the 2.3.3 snapshot you're running? There were issues with snapshots over the weekend, make sure to update to a current snapshot and test again.



  • I am running 2.3.3.a.20160926.1930 at the moment. I'll bump it to the latest and check what happens.

    Here is my VLAN layout:

    em7 1
    em7 10 Core VLAN
    em7 20 Server VLAN
    em7 30 VoIP VLAN
    em7 40 Main VLAN
    em7 50 Kids VLAN
    em7 60 Media VLAN
    em7 70 Public VLAN


  • Rebel Alliance Developer Netgate

    What hardware are you running? n/m I see now it's an older Nokia box.

    The "crydev" state appears to indicate that the process in question is attempting to use cryptographic accelerator hardware. Only place I can think of that would be relevant in unbound is with DNSSEC.

    If there is some quirk with your hardware and a built-in accelerator, you might try disabling DNSSEC in unbound to see if it stabilizes.



  • That worked. It has been up for 40 minutes and it hasn't went into the "crydev" state.

    Is there a way to disable the built-in accelerator so I can still use DNSSEC? Maybe turn the ubsec driver into a module? Or a feature to disable Crypto Acceleration in DNSSEC?

    ubsec0 mem 0x88100000-0x8810ffff irq 11 at device 1.0 on pci8
    ubsec0: Broadcom 5825



  • Maybe placing in /boot/loader.conf.local

    hint.ubsec.0.disabled=1
    

    I had that idea after reading:
    https://forums.freebsd.org/threads/14402/#post-84174
    Where it is discussed how to disable a driver.



  • Just a status update.

    If you're using a Nokia IP390, like I am.. I would highly suggest disabling the ubsec driver by putting this line into your /boot/loader.conf.local file:

    hint.ubsec.0.disabled=1
    

    After I did that, it has been quite stable and has not locked up for over a month.