[Solved] unbound unresponsive

Simba7 · Nov 17, 2016, 3:48 AM

I recently started doing VLANs on my Nokia IP390 running the latest pfSense 2.3.3. I am running 7 VLANs on one port and it seems to be working great, except one major issue.

53471 unbound 52 0 21372K 10692K crydev 0:17 0.00% /usr/local/sbin/unbound -c /var/unbound/unb

After about 5-10 minutes, unbound becomes unresponsive and the only way to fix it is to reboot the router, which then happens again. What would cause this? I try googling "crydev" and it comes up with nothing. I can't restart the process and it will not let me kill it.

jimp · Sep 27, 2016, 1:58 PM

What is the date on the 2.3.3 snapshot you're running? There were issues with snapshots over the weekend, make sure to update to a current snapshot and test again.

Simba7 · Sep 28, 2016, 5:52 AM

I am running 2.3.3.a.20160926.1930 at the moment. I'll bump it to the latest and check what happens.

Here is my VLAN layout:

em7 1
em7 10 Core VLAN
em7 20 Server VLAN
em7 30 VoIP VLAN
em7 40 Main VLAN
em7 50 Kids VLAN
em7 60 Media VLAN
em7 70 Public VLAN

jimp · Sep 28, 2016, 12:52 PM

~~What hardware are you running?~~ n/m I see now it's an older Nokia box.

The "crydev" state appears to indicate that the process in question is attempting to use cryptographic accelerator hardware. Only place I can think of that would be relevant in unbound is with DNSSEC.

If there is some quirk with your hardware and a built-in accelerator, you might try disabling DNSSEC in unbound to see if it stabilizes.

Simba7 · Oct 2, 2016, 4:31 PM

That worked. It has been up for 40 minutes and it hasn't went into the "crydev" state.

Is there a way to disable the built-in accelerator so I can still use DNSSEC? Maybe turn the ubsec driver into a module? Or a feature to disable Crypto Acceleration in DNSSEC?

ubsec0 mem 0x88100000-0x8810ffff irq 11 at device 1.0 on pci8
ubsec0: Broadcom 5825

JorgeOliveira · Oct 2, 2016, 8:43 PM

Maybe placing in /boot/loader.conf.local

hint.ubsec.0.disabled=1

I had that idea after reading:
https://forums.freebsd.org/threads/14402/#post-84174
Where it is discussed how to disable a driver.

Simba7 · Nov 17, 2016, 3:50 AM

Just a status update.

If you're using a Nokia IP390, like I am.. I would highly suggest disabling the ubsec driver by putting this line into your /boot/loader.conf.local file:

hint.ubsec.0.disabled=1

After I did that, it has been quite stable and has not locked up for over a month.