On Sat, May 19, 2018 at 02:08:55PM +0200, Peter J. Philipp wrote:
> > panic: kernel diagnostic assertion "_kernel_lock_held()" failed in file "/us
It is /usr/src/sys/kern/uipc_socket2.c, line 314
  302 void
  303 soassertlocked(struct socket *so)
  304 {
  305         switch (so->so_proto->pr_domain->dom_family) {
  306         case PF_INET:
  307         case PF_INET6:
  308                 NET_ASSERT_LOCKED();
  309                 break;
  310         case PF_UNIX:
  311         case PF_ROUTE:
  312         case PF_KEY:
  313         default:
* 314                 KERNEL_ASSERT_LOCKED();
  315                 break;
  316         }
  317 }
> It just panic'ed again 5 min ago.
It is not a matter of time, but of transferred bytes. It is triggered
in /usr/src/sys/netinet/ip_esp.c, line 436
  433         /* Notify on soft expiration */
  434         if ((tdb->tdb_flags & TDBF_SOFT_BYTES) &&
  435             (tdb->tdb_cur_bytes >= tdb->tdb_soft_bytes)) {
* 436                 pfkeyv2_expire(tdb, SADB_EXT_LIFETIME_SOFT);
  437                 tdb->tdb_flags &= ~TDBF_SOFT_BYTES; /* Turn off checking */
  438         }
After a certain amount of traffic, the key is expired. The kernel
wants to send a message to iked, but it has not acquired the proper
lock.
Default in iked is
#define IKED_LIFETIME_BYTES 536870912 /* 512 Mb */
I think you can change it in iked.conf
lifetime time [bytes bytes]
bluhm