NetBSD Problem Report #35525

From louis@isis.zabrico.com  Wed Jan 31 05:43:58 2007
Return-Path: <louis@isis.zabrico.com>
Received: from mail.netbsd.org (mail.netbsd.org [204.152.190.11])
	by narn.NetBSD.org (Postfix) with ESMTP id 21A9E63B99E
	for <gnats-bugs@gnats.NetBSD.org>; Wed, 31 Jan 2007 05:43:58 +0000 (UTC)
Message-Id: <200701310433.l0V4XR7c001586@isis.zabrico.com>
Date: Wed, 31 Jan 2007 04:33:28 GMT
From: lguillaume@berklee.edu
Reply-To: lguillaume@berklee.edu
To: gnats-bugs@NetBSD.org
Subject: panics with ipnat and isakmp proxy
X-Send-Pr-Version: 3.95

>Number:         35525
>Category:       kern
>Synopsis:       panics with ipnat and isakmp proxy
>Confidential:   no
>Severity:       serious
>Priority:       high
>Responsible:    ipf-bug-people
>State:          open
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Wed Jan 31 05:45:00 +0000 2007
>Last-Modified:  Thu Jul 23 10:50:02 +0000 2009
>Originator:     Louis Guillaume
>Release:        3.1_STABLE
>Organization:

>Environment:
System: NetBSD isis.zabrico.com 3.1_STABLE NetBSD 3.1_STABLE (GENERIC) #2: Sun Jan 14 16:48:08 EST 2007 louis@maat.zabrico.com:/usr/obj/sys/arch/i386/compile/GENERIC i386
Architecture: i386
Machine: i386
>Description:
	# ipf -V
	ipf: IP Filter: v4.1.8 (396)
	Kernel: IP Filter: v4.1.8
	Running: yes
	Log Flags: 0 = none set
	Default: pass all, Logging: available
	Active list: 0
	Feature mask: 0x10a

	...panics while an internal user is connected to certain misconfigured
	Cisco VPNs. The misconfiguration causes the Cisco VPN client to fail to
	properly connect through NAT-ed firewalls. Actually they connect, but no
	routes are established and packets don't seem to flow.

	The ipnat.conf file contains this supposed workaround (I don't remember
	where I found this workaround, but I did and it seemed to work).

	map sip1 192.168.1.0/24 -> 0.0.0.0/32 proxy port isakmp ipsec/udp

	VPN connections work, but the client software acts strangely (you need to
	hit connect, it fails, then you hit connect again and it works).

	But after some time connected, the firewall panics like this...

	fr_movequeue(c0c4d054,c0888ca0,c0b4e044,0,c096fcd0) at
	netbsd:fr_movequeue+0x5a
	fr_natin(c096fcd0,c0c4d000,1,320,14) at netbsd:fr_natin+0xf5
	fr_checknatin(c096fcd0,c096fccc,c096fcd0,c0ae5900,4) at
	netbsd:fr_checknatin+0xd3
	fr_check(c609580e,14,c0b4e044,0,c096fde8) at netbsd:fr_check+0x4ea
	fr_check_wrapper(0,c096fde8,c0b4e044,1,1) at netbsd:fr_check_wrapper+0x72
	pfil_run_hooks(c08866a0,c096fe50,c0b4e044,1,0) at netbsd:pfil_run_hooks+0x6e
	ip_input(c0ae5900,0,0,246,0) at netbsd:ip_input+0x15d
	ipintr(c0960010,30,10,80010010,c096c000) at netbsd:ipintr+0x76
	DDB lost frame for netbsd:Xsoftnet+0x41, trying 0xc096fe70
	Xsoftnet() at netbsd:Xsoftnet+0x41
	--- interrupt ---

	And the panic is not reliable. It happens only sometimes.

>How-To-Repeat:
	Find a Cisco VPN that doesn't work as described above.
	Make sure you have the above "map" entry in ipnat.conf.
	Stay connected for a while. Transfer some data from the
	client machine to a machine on the VPN. See the firewall
	crash.

>Fix:

Unknown
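The DDB backtrace quoted in the report is the only diagnostic in this PR, so the following is an added example (not part of the PR, of NetBSD or of IPFilter) that parses that trace into frames, re-joining the lines the e-mail wrapped, and picks out the IPFilter frames in the NAT input path. The trace text is copied from the report above; treating the `fr_` prefix as "inside IPFilter" is the example's own heuristic.

```python
import re
from collections import namedtuple

# DDB backtrace copied from the report above; two frame lines wrapped in the
# e-mail ("...) at" then "netbsd:sym+off") and the parser re-joins them.
TRACE = """\
fr_movequeue(c0c4d054,c0888ca0,c0b4e044,0,c096fcd0) at
netbsd:fr_movequeue+0x5a
fr_natin(c096fcd0,c0c4d000,1,320,14) at netbsd:fr_natin+0xf5
fr_checknatin(c096fcd0,c096fccc,c096fcd0,c0ae5900,4) at
netbsd:fr_checknatin+0xd3
fr_check(c609580e,14,c0b4e044,0,c096fde8) at netbsd:fr_check+0x4ea
fr_check_wrapper(0,c096fde8,c0b4e044,1,1) at netbsd:fr_check_wrapper+0x72
pfil_run_hooks(c08866a0,c096fe50,c0b4e044,1,0) at netbsd:pfil_run_hooks+0x6e
ip_input(c0ae5900,0,0,246,0) at netbsd:ip_input+0x15d
ipintr(c0960010,30,10,80010010,c096c000) at netbsd:ipintr+0x76
DDB lost frame for netbsd:Xsoftnet+0x41, trying 0xc096fe70
Xsoftnet() at netbsd:Xsoftnet+0x41
--- interrupt ---
"""

# One complete frame line: func(args) at image:symbol+0xoffset
FRAME_RE = re.compile(r"^(?P<func>\w+)\((?P<args>[^)]*)\) at \w+:\w+\+0x(?P<off>[0-9a-f]+)$")

# args: the argument words DDB prints (hex); offset: bytes into the function.
Frame = namedtuple("Frame", "func args offset")


def parse_ddb_trace(text: str) -> list:
    """Parse a NetBSD DDB 'trace' dump into Frames, innermost first."""
    frames, pending = [], ""  # pending: a frame line whose symbol part wrapped
    for raw in text.splitlines():
        line = f"{pending} {raw.strip()}".strip()
        pending = ""
        # Separators and DDB diagnostics carry no frame of their own.
        if not line or line.startswith(("---", "DDB lost frame")):
            continue
        m = FRAME_RE.match(line)
        if m is None:
            if line.endswith(" at"):
                pending = line  # wrapped: 'image:symbol+off' is on the next line
                continue
            raise ValueError(f"unrecognised trace line: {line!r}")
        args = [int(a, 16) for a in m.group("args").split(",") if a]
        frames.append(Frame(m.group("func"), args, int(m.group("off"), 16)))
    if pending:
        raise ValueError("trace ended inside a wrapped frame line")
    return frames


def ipf_frames(frames: list) -> list:
    """Frames inside IPFilter (fr_ prefix): the subsystem to report against."""
    return [f.func for f in frames if f.func.startswith("fr_")]
```

Running it on the report's trace gives nine frames, the innermost at `fr_movequeue+0x5a`, which is the function and offset a developer would look up against the 3.1_STABLE kernel's symbols.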
>Release-Note:

>Audit-Trail:

Responsible-Changed-From-To: kern-bug-people->ipf-bug-people
Responsible-Changed-By: darrenr@NetBSD.org
Responsible-Changed-When: Thu, 01 Jan 2009 04:18:41 +0000
Responsible-Changed-Why:


From: Darren Reed <darrenr@netbsd.org>
To: lguillaume@berklee.edu
Cc: gnats-bugs@NetBSD.org
Subject: Re: kern/35525
Date: Thu, 23 Jul 2009 03:44:02 -0700

 Regarding the panic in handling the ipsec packets, what are all of the
 kernel messages? What is the panic/fault message?

 The stack trace is helpful, but I need to see more.

 Thanks.

>Unformatted:
