NetBSD Problem Report #35525
From louis@isis.zabrico.com Wed Jan 31 05:43:58 2007
Return-Path: <louis@isis.zabrico.com>
Received: from mail.netbsd.org (mail.netbsd.org [204.152.190.11])
by narn.NetBSD.org (Postfix) with ESMTP id 21A9E63B99E
for <gnats-bugs@gnats.NetBSD.org>; Wed, 31 Jan 2007 05:43:58 +0000 (UTC)
Message-Id: <200701310433.l0V4XR7c001586@isis.zabrico.com>
Date: Wed, 31 Jan 2007 04:33:28 GMT
From: lguillaume@berklee.edu
Reply-To: lguillaume@berklee.edu
To: gnats-bugs@NetBSD.org
Subject: panics with ipnat and isakmp proxy
X-Send-Pr-Version: 3.95
>Number: 35525
>Category: kern
>Synopsis: panics with ipnat and isakmp proxy
>Confidential: no
>Severity: serious
>Priority: high
>Responsible: ipf-bug-people
>State: open
>Class: sw-bug
>Submitter-Id: net
>Arrival-Date: Wed Jan 31 05:45:00 +0000 2007
>Last-Modified: Thu Jul 23 10:50:02 +0000 2009
>Originator: Louis Guillaume
>Release: 3.1_STABLE
>Organization:
>Environment:
System: NetBSD isis.zabrico.com 3.1_STABLE NetBSD 3.1_STABLE (GENERIC) #2: Sun Jan 14 16:48:08 EST 2007 louis@maat.zabrico.com:/usr/obj/sys/arch/i386/compile/GENERIC i386
Architecture: i386
Machine: i386
>Description:
# ipf -V
ipf: IP Filter: v4.1.8 (396)
Kernel: IP Filter: v4.1.8
Running: yes
Log Flags: 0 = none set
Default: pass all, Logging: available
Active list: 0
Feature mask: 0x10a
...panics while an internal user is connected to certain misconfigured
Cisco VPNs. The misconfiguration causes Cisco VPN client to fail to
properly connect through NAT-ed firewalls. Actually they connect but no
routes are established, packets don't seem to flow.
The ipnat.conf file contains this supposed workaround (don't remember
where I found this workaround but I did and it seemed to work).
map sip1 192.168.1.0/24 -> 0.0.0.0/32 proxy port isakmp ipsec/udp
VPN connections work, but the client software acts strange, (you need to
hit connect, it fails then hit connect again and it works.)
But after some time connected, the firewall panics like this...
fr_movequeue(c0c4d054,c0888ca0,c0b4e044,0,c096fcd0) at
netbsd:fr_movequeue+0x5a
fr_natin(c096fcd0,c0c4d000,1,320,14) at netbsd:fr_natin+0xf5
fr_checknatin(c096fcd0,c096fccc,c096fcd0,c0ae5900,4) at
netbsd:fr_checknatin+0xd3
fr_check(c609580e,14,c0b4e044,0,c096fde8) at netbsd:fr_check+0x4ea
fr_check_wrapper(0,c096fde8,c0b4e044,1,1) at netbsd:fr_check_wrapper+0x72
pfil_run_hooks(c08866a0,c096fe50,c0b4e044,1,0) at netbsd:pfil_run_hooks+0x6e
ip_input(c0ae5900,0,0,246,0) at netbsd:ip_input+0x15d
ipintr(c0960010,30,10,80010010,c096c000) at netbsd:ipintr+0x76
DDB lost frame for netbsd:Xsoftnet+0x41, trying 0xc096fe70
Xsoftnet() at netbsd:Xsoftnet+0x41
--- interrupt ---
And the panic is not reliable. It happens only sometimes.
>How-To-Repeat:
Find a Cisco VPN that doesn't work as described above.
Make sure you have the above "map" entry in ipnat.conf
Stay connected for a while. Transfer some data from
client machine to a machine on the VPN. See the firewall
crash.
>Fix:
Unknown
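As an added triage aid, not part of this PR or of NetBSD's own tooling: the DDB backtrace in the description is hard to read once it has been wrapped for email, so the small parser below re-joins the wrapped frames, extracts each function, its arguments and the symbol+offset, and reports which kernel pointer values are passed through more than one frame. The sample input is the trace quoted above; the regex and the 0x10000 pointer threshold are assumptions for this i386 layout, not a NetBSD convention.

```python
import re

# Constructed sample: the DDB backtrace quoted in this report, including the
# line wrapping introduced when it was pasted into the PR.
SAMPLE_TRACE = """fr_movequeue(c0c4d054,c0888ca0,c0b4e044,0,c096fcd0) at
netbsd:fr_movequeue+0x5a
fr_natin(c096fcd0,c0c4d000,1,320,14) at netbsd:fr_natin+0xf5
fr_checknatin(c096fcd0,c096fccc,c096fcd0,c0ae5900,4) at
netbsd:fr_checknatin+0xd3
fr_check(c609580e,14,c0b4e044,0,c096fde8) at netbsd:fr_check+0x4ea
fr_check_wrapper(0,c096fde8,c0b4e044,1,1) at netbsd:fr_check_wrapper+0x72
pfil_run_hooks(c08866a0,c096fe50,c0b4e044,1,0) at netbsd:pfil_run_hooks+0x6e
ip_input(c0ae5900,0,0,246,0) at netbsd:ip_input+0x15d
ipintr(c0960010,30,10,80010010,c096c000) at netbsd:ipintr+0x76
DDB lost frame for netbsd:Xsoftnet+0x41, trying 0xc096fe70
Xsoftnet() at netbsd:Xsoftnet+0x41
--- interrupt ---
"""

# One DDB frame: func(arg,arg,...) at image:symbol+0xoffset (assumed format)
FRAME_RE = re.compile(
    r"^(?P<func>[A-Za-z_]\w*)\((?P<args>[^)]*)\)\s+at\s+"
    r"(?P<image>\w+):(?P<sym>[A-Za-z_]\w*)\+0x(?P<off>[0-9a-fA-F]+)$"
)

# Values below this are treated as plain integers, not kernel pointers (assumption)
POINTER_MIN = 0x10000


def _unwrap(text):
    """Re-join frames that mail wrapping split after the word 'at'."""
    lines, pending = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if pending is not None:
            lines.append(pending + " " + line)
            pending = None
        elif line.endswith(" at"):
            pending = line
        else:
            lines.append(line)
    if pending is not None:
        lines.append(pending)
    return lines


def parse_ddb_trace(text):
    """Return (frames, notes): parsed frames innermost-first, plus any
    non-frame lines such as 'DDB lost frame' or the interrupt marker."""
    frames, notes = [], []
    for line in _unwrap(text):
        m = FRAME_RE.match(line)
        if not m:
            notes.append(line)
            continue
        args = [int(a, 16) for a in m.group("args").split(",") if a]
        frames.append({
            "func": m.group("func"),
            "args": args,
            "image": m.group("image"),
            "sym": m.group("sym"),
            "offset": int(m.group("off"), 16),
        })
    return frames, notes


def call_chain(frames):
    """Innermost-first function names, for a one-line triage summary."""
    return [f["func"] for f in frames]


def shared_pointer_args(frames):
    """Pointer-sized arguments that appear in more than one frame; these are
    the candidates for the packet/state structures handed down the filter path."""
    seen = {}
    for f in frames:
        for a in f["args"]:
            if a >= POINTER_MIN:
                seen.setdefault(a, set()).add(f["func"])
    return {hex(a): sorted(fs) for a, fs in seen.items() if len(fs) > 1}


if __name__ == "__main__":
    frames, notes = parse_ddb_trace(SAMPLE_TRACE)
    print("faulting frame:", frames[0]["sym"], hex(frames[0]["offset"]))
    print("call chain   :", " <- ".join(call_chain(frames)))
    print("shared ptrs  :", shared_pointer_args(frames))
    print("notes        :", notes)
```

Running it shows the innermost frame is fr_movequeue+0x5a on the inbound NAT path (ip_input to pfil_run_hooks to fr_check to fr_natin), and that 0xc096fcd0 is carried from fr_checknatin through fr_natin into fr_movequeue, which narrows where to look with the matching kernel symbol file once the panic/fault message Darren asks for is available.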
>Release-Note:
>Audit-Trail:
Responsible-Changed-From-To: kern-bug-people->ipf-bug-people
Responsible-Changed-By: darrenr@NetBSD.org
Responsible-Changed-When: Thu, 01 Jan 2009 04:18:41 +0000
Responsible-Changed-Why:
From: Darren Reed <darrenr@netbsd.org>
To: lguillaume@berklee.edu
Cc: gnats-bugs@NetBSD.org
Subject: Re: kern/35525
Date: Thu, 23 Jul 2009 03:44:02 -0700
Regarding the panic in handling the ipsec packets, what are all of the
kernel messages? What is the panic/fault message?
The stack trace is helpful, but I need to see more.
Thanks.
>Unformatted: