IPsec kernel panic when enabling MSS clamping



  • I can crash the web interface by setting 'Enable MSS clamping on VPN traffic'. Does not matter if I enter a value or keep it blank.

    Same issue when using net.inet.ipsec.directdispatch = 0.

    Same issue after a reset of all settings.

    Even after a reboot the web interface does not respond. I have to connect a display and keyboard to the pfSense box and reset all settings to be able to work with the web interface again.



  • This is related to a bug in FreeBSD which has been corrected in newer versions.
    I recorded it here https://redmine.pfsense.org/issues/4699 for follow-up.



  • Is there an easy way for me to resolve this problem right now so that I can work with IPsec?



  • It will be when the patch referenced is put on the snapshots of snapshots.pfsense.org.
    Monitor the issue on redmine to be notified when that is done.



  • @ermal:

    It will be when the patch referenced is put on the snapshots of snapshots.pfsense.org.
    Monitor the issue on redmine to be notified when that is done.

    Ok thanks!



  • Coming back to this and re-checking, I was not able to see this.

    Can you specify if this is a kernel panic or just the webgui?



  • Yes, it completely crashes the webgui. How can I resolve this or help resolving this issue? Strange no one ever seemed to have encountered this same problem?



  • I think you are a victim of a bad upgrade here!
    Can you show the system logs when this happens?



  • @ermal:

    I think you are a victim of a bad upgrade here!
    Can you show the system logs when this happens?

    I'm running a clean install - but - I did reset my settings a couple of times. I've exported my config and there is no mention of mss clamping. I'll reproduce asap and share the outcome here.



  • I can reproduce it by clean installing pfSense, enabling IPsec and activating mss clamping. No more webgui, no more ssh as soon as I submit. I tried searching the logs via an attached display and keyboard but could not find anything suspicious.