On Sat, May 19, 2018 at 02:08:55PM +0200, Peter J. Philipp wrote: > > panic: kernel diagnostic assertion "_kernel_lock_held()" failed in file "/us
It is /usr/src/sys/kern/uipc_socket2.c, line 314 302 void 303 soassertlocked(struct socket *so) 304 { 305 switch (so->so_proto->pr_domain->dom_family) { 306 case PF_INET: 307 case PF_INET6: 308 NET_ASSERT_LOCKED(); 309 break; 310 case PF_UNIX: 311 case PF_ROUTE: 312 case PF_KEY: 313 default: * 314 KERNEL_ASSERT_LOCKED(); 315 break; 316 } 317 } > It just panic'ed again 5 min ago. It is not a matter of time, but of transfered bytes. It is triggered in /usr/src/sys/netinet/ip_esp.c, line 436 433 /* Notify on soft expiration */ 434 if ((tdb->tdb_flags & TDBF_SOFT_BYTES) && 435 (tdb->tdb_cur_bytes >= tdb->tdb_soft_bytes)) { * 436 pfkeyv2_expire(tdb, SADB_EXT_LIFETIME_SOFT); 437 tdb->tdb_flags &= ~TDBF_SOFT_BYTES; /* Turn off checking */ 438 } After a certain amount of traffic, the key is expired. The kernel wants to send a message to iked, but it has not acquired the porpper lock. Default in iked is #define IKED_LIFETIME_BYTES 536870912 /* 512 Mb */ I think you can change it in iked.conf lifetime time [bytes bytes] bluhm