Ok, I went back and simplified the setup purposely for identifying the cause. Here are the details:
- 2 Solaris 8 sun4u systems, current patches & kernel
- system1 has two NICs, but one is unplumbed
- system2 has two NICs, one shares the network with system1, the other is on a different network
- IPsec with AH+ESP tunnel between system1 and system2
- ip_forwarding enabled on system2 on one NIC and ip.tun0
- ipfilter kernel module UNLOADED

This configuration stress tests fine. I can beat it up for hours of steady heavy traffic and it does not panic.

The same exact scenario as above, except with the ipfilter 3.4.30 kernel module LOADED with an empty ruleset, results in a panic:

    panicsys(10423850,1040c278,104082a8,78002000,30000f5bf88,f) + 44
    vpanic(104082a8,1040c278,31,0,2a1,0) + cc
    panic(104082a8,2,0,0,0,0) + 1c
    sys_tl1_panic(3000185d4b8,14,30001121e28,1,2a10016e388,2a10016e4f0) + 8
    fr_precheck(2a10016e4f0,30000fc6810,2a10016e388,1,0,0) + ddc

I have output from ISCDA handy if anyone wants to see it.

Thanks very much in advance.

----- Original Message -----
From: "bsd unix" <[EMAIL PROTECTED]>
Date: Fri, 28 Feb 2003 15:51:53 -0500
To: [EMAIL PROTECTED]
Subject: Re: Solaris 8 + IPsec tunnel + ipf = panic

> I wrote:
>
> >panic: ptl1 trap reason 0x2
> >
> >panicsys(104236b0,1040c278,104082a8,78002000,0,f) + 44
> >vpanic(104082a8,1040c278,31,0,2a1,30000f41d70) + cc
> >panic(104082a8,2,0,0,0,2a382c0) + 1c
> >sys_tl1_panic(5f029f61b8,2a100041fc8,0,120,0,0) + 8
> >fr_qout(1,78037868,20,102eb154,0,3000110db18) + 400
>
> [EMAIL PROTECTED] wrote:
> > Stack overflows in the scenario do not happen because of lack of
> > stack but because the algorithm goes into a loop,
> > recursing on the stack.
>
> I had a feeling that was the problem :)
>
> > I've had that happen when something goes wrong, routing
> > wise. I do *not* use two default routes myself; rather a handful
> > of "preferred routes" plus one default route.
> >
> > What exact rules do you use? You need to explicitly forward
> > to the first hop router on the other interface.
>
> That should match what I have (where the .1's are routers):
>
> pass out quick on hme2 to hme0:10.1.1.1 from 10.1.1.2 to any
> pass out quick on hme0 to hme2:10.2.2.1 from 10.2.2.2 to any
> [snip bunch of simple block rules]
>
> The tunnel runs over one of the default routes. I add a static
> route on one endpoint to direct the vpn traffic through the tunnel.
>
> Thanks very much for the quick response!! If there's any more
> information I can provide, please let me know.
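An added example, not part of this thread or of ipfilter, for triaging panic backtraces like the two quoted above: it parses each `function(args) + offset` frame, skips the kernel's generic panic plumbing (panicsys, vpanic, panic, sys_tl1_panic, which appear in every Solaris panic backtrace) and reports the first remaining frame, which in both traces is an ipfilter `fr_*` function. The frame text is copied from this thread; the `fr_` symbol-prefix mapping to the ipf module and all helper names are this example's own assumptions.

```python
import re
from typing import Dict, List, NamedTuple, Optional

# A backtrace frame as printed by the Solaris 8 sun4u panic path quoted
# in the thread: "func(hexarg,hexarg,...) + hexoffset".
FRAME_RE = re.compile(r"^\s*(\w+)\(([^)]*)\)\s*\+\s*([0-9a-fA-F]+)\s*$")

# Frames belonging to the kernel's panic machinery; they are present in
# every panic backtrace and say nothing about which code faulted.
PANIC_PLUMBING = {"panicsys", "vpanic", "panic", "sys_tl1_panic"}

# Assumed mapping from symbol prefix to loadable module (the example's
# own assumption: ipfilter's kernel functions carry the fr_ prefix).
MODULE_PREFIXES: Dict[str, tuple] = {"ipf": ("fr_",)}


class Frame(NamedTuple):
    func: str
    args: List[int]
    offset: int


def parse_frame(line: str) -> Optional[Frame]:
    """Parse one frame line; return None for non-frame text such as the
    'panic: ptl1 trap reason 0x2' banner."""
    m = FRAME_RE.match(line)
    if not m:
        return None
    func, argstr, off = m.groups()
    args = [int(a, 16) for a in argstr.split(",") if a.strip()]
    return Frame(func, args, int(off, 16))


def parse_backtrace(text: str) -> List[Frame]:
    """Extract all frames from a block of text, tolerating mail quoting
    ('>' prefixes) since traces usually arrive inside replies."""
    frames = []
    for raw in text.splitlines():
        frame = parse_frame(raw.lstrip("> ").strip())
        if frame:
            frames.append(frame)
    return frames


def faulting_frame(frames: List[Frame]) -> Optional[Frame]:
    """Innermost frame is listed first; the first one that is not panic
    plumbing is the function that was executing when the trap hit."""
    for frame in frames:
        if frame.func not in PANIC_PLUMBING:
            return frame
    return None


def module_of(func: str) -> Optional[str]:
    for module, prefixes in MODULE_PREFIXES.items():
        if func.startswith(prefixes):
            return module
    return None


def triage(text: str) -> Optional[dict]:
    """Summarise a pasted backtrace: which module and function faulted."""
    frame = faulting_frame(parse_backtrace(text))
    if frame is None:
        return None
    return {"module": module_of(frame.func), "func": frame.func, "offset": frame.offset}


# Sample input: the two backtraces quoted in this thread, the second one
# still carrying its mail quoting.
TRACE_1 = """
panicsys(10423850,1040c278,104082a8,78002000,30000f5bf88,f) + 44
vpanic(104082a8,1040c278,31,0,2a1,0) + cc
panic(104082a8,2,0,0,0,0) + 1c
sys_tl1_panic(3000185d4b8,14,30001121e28,1,2a10016e388,2a10016e4f0) + 8
fr_precheck(2a10016e4f0,30000fc6810,2a10016e388,1,0,0) + ddc
"""

TRACE_2 = """
> >panic: ptl1 trap reason 0x2
> >
> >panicsys(104236b0,1040c278,104082a8,78002000,0,f) + 44
> >vpanic(104082a8,1040c278,31,0,2a1,30000f41d70) + cc
> >panic(104082a8,2,0,0,0,2a382c0) + 1c
> >sys_tl1_panic(5f029f61b8,2a100041fc8,0,120,0,0) + 8
> >fr_qout(1,78037868,20,102eb154,0,3000110db18) + 400
"""

if __name__ == "__main__":
    for name, trace in (("trace 1", TRACE_1), ("trace 2", TRACE_2)):
        summary = triage(trace)
        print(f"{name}: module={summary['module']} func={summary['func']} "
              f"offset=0x{summary['offset']:x}")
```

Both traces resolve to the ipf module, which matches the writer's observation that the panic only occurs with the ipfilter module loaded; comparing the faulting function across traces (fr_precheck here, fr_qout earlier) is the first thing to report when asking the module's maintainers for help.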
