Occasional firewall hang - Pf 1.2.3, Soekris net 5xxx box

  • Just though I would report that we have a dual Soekris pf setup working with CARP and failing over nicely. It's a good thing the failover IS working as the master unit is hanging almost once a week.

    Does anyone have any experience of think happening before?

    Some more info:

    1. We have 8 CARP VIPs on the master, all of which failover nicely to the backup when the master hangs
    2. Both units have been fitted with the Hifn crypto card.
    3. A large proportion of CPU is taken up by interrupt. Box is only doing max 6mb traffic (unencrypted) and max 1.5 mb VPN traffic. CPU is load related but reaches 40% when serving these max traffic levels at lunch time. I read somewhere on the forums that Soekris devices do run a high number of interrupts - however I have another identical unit which has been running far more traffic (40mb +) but running a system called zeroshell and the current uptime of that device is over 400 days!
    4. The hangs do not appear to be load related it has happened three time so far since we put the new firewalls in a month ago. Initially it was every 4 days. I changed the crypto on the VPN from 3DES to 128 AES and after doing this the box stayed up for 9 days but this might have been a fluke. I'm currently waiting for it to happen again, after which I think I will switch to running the Geode crypto which works nice with 128 AES and see what that does.

    I guess it could be hardware.

    Anyone else have any other ideas that might help me track down this issue or perhaps find a contributing factor so we can try to predict failures and then monitor the device in far more detail before it hangs.



  • Rebel Alliance Developer Netgate

    Easy way to test if it's hardware: swap the config files for master and backup, see if the "master" still hangs.

Log in to reply