NetBSD Problem Report #35525

From  Wed Jan 31 05:43:58 2007
Date: Wed, 31 Jan 2007 04:33:28 GMT
Subject: panics with ipnat and isakmp proxy
X-Send-Pr-Version: 3.95

>Number:         35525
>Category:       kern
>Synopsis:       panics with ipnat and isakmp proxy
>Confidential:   no
>Severity:       serious
>Priority:       high
>Responsible:    ipf-bug-people
>State:          open
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Wed Jan 31 05:45:00 +0000 2007
>Last-Modified:  Thu Jul 23 10:50:02 +0000 2009
>Originator:     Louis Guillaume
>Release:        3.1_STABLE

>Environment:
System: NetBSD 3.1_STABLE NetBSD 3.1_STABLE (GENERIC) #2: Sun Jan 14 16:48:08 EST 2007 i386
Architecture: i386
Machine: i386
	# ipf -V
	ipf: IP Filter: v4.1.8 (396)
	Kernel: IP Filter: v4.1.8
	Running: yes
	Log Flags: 0 = none set
	Default: pass all, Logging: available
	Active list: 0
	Feature mask: 0x10a

>Description:
	...panics while an internal user is connected to certain misconfigured
	Cisco VPNs. The misconfiguration causes Cisco VPN client to fail to
	properly connect through NAT-ed firewalls. Actually they connect but no
	routes are established, packets don't seem to flow.

	The ipnat.conf file contains this supposed workaround (don't remember
	where I found this workaround but I did and it seemed to work).

	map sip1 -> proxy port isakmp ipsec/udp

	VPN connections work, but the client software acts strange (you need to
	hit connect, it fails, then hit connect again and it works).

	But after some time connected, the firewall panics like this...

	fr_movequeue(c0c4d054,c0888ca0,c0b4e044,0,c096fcd0) at
	fr_natin(c096fcd0,c0c4d000,1,320,14) at netbsd:fr_natin+0xf5
	fr_checknatin(c096fcd0,c096fccc,c096fcd0,c0ae5900,4) at
	fr_check(c609580e,14,c0b4e044,0,c096fde8) at netbsd:fr_check+0x4ea
	fr_check_wrapper(0,c096fde8,c0b4e044,1,1) at netbsd:fr_check_wrapper+0x72
	pfil_run_hooks(c08866a0,c096fe50,c0b4e044,1,0) at netbsd:pfil_run_hooks+0x6e
	ip_input(c0ae5900,0,0,246,0) at netbsd:ip_input+0x15d
	ipintr(c0960010,30,10,80010010,c096c000) at netbsd:ipintr+0x76
	DDB lost frame for netbsd:Xsoftnet+0x41, trying 0xc096fe70
	Xsoftnet() at netbsd:Xsoftnet+0x41
	--- interrupt ---

	And the panic is not reliable. It happens only sometimes.

>How-To-Repeat:
	Find a Cisco VPN that doesn't work as described above.
	Make sure you have the above "map" entry in ipnat.conf
	Stay connected for a while. Transfer some data from
	client machine to a machine on the VPN. See the firewall




Responsible-Changed-From-To: kern-bug-people->ipf-bug-people
Responsible-Changed-When: Thu, 01 Jan 2009 04:18:41 +0000

From: Darren Reed <>
Subject: Re: kern/35525
Date: Thu, 23 Jul 2009 03:44:02 -0700

 Regarding the panic in handling the ipsec packets, what are all of the
 kernel messages? What is the panic/fault message?

 The stack trace is helpful, but I need to see more.



Copyright © 1994-2007 The NetBSD Foundation, Inc. ALL RIGHTS RESERVED.