Well, like all the other Solaris panic posts I found in the archives, this one went unanswered too.
A shame too, since it's so easy to reproduce. No one else uses ipf and IPsec together?

----- Original Message -----
From: "bsd unix" <[EMAIL PROTECTED]>
Date: Tue, 04 Mar 2003 23:01:33 -0500
To: [EMAIL PROTECTED]
Subject: Re: Solaris 8 + IPsec tunnel + ipf = panic

> Ok, I went back and simplified the setup purposely for
> identifying the cause. Here are the details:
>
> - 2 Solaris 8 sun4u systems, current patches & kernel
> - system1 has two NICs, but one is unplumbed
> - system2 has two NICs, one shares the network with system1, the
>   other is on a different network
> - IPsec with AH+ESP tunnel between system1 and system2
> - ip_forwarding enabled on system2 on one NIC and ip.tun0
> - ipfilter kernel module UNLOADED
>
> This configuration stress tests fine. I can beat it up for hours
> of steady heavy traffic and it does not panic.
>
> The same exact scenario as above, except with the ipfilter 3.4.30 kernel
> module LOADED with an empty ruleset, results in a panic.
>
> panicsys(10423850,1040c278,104082a8,78002000,30000f5bf88,f) + 44
> vpanic(104082a8,1040c278,31,0,2a1,0) + cc
> panic(104082a8,2,0,0,0,0) + 1c
> sys_tl1_panic(3000185d4b8,14,30001121e28,1,2a10016e388,2a10016e4f0) + 8
> fr_precheck(2a10016e4f0,30000fc6810,2a10016e388,1,0,0) + ddc
>
> I have output from ISCDA handy if anyone wants to see it.
>
> Thanks very much in advance.
>
>
> ----- Original Message -----
> From: "bsd unix" <[EMAIL PROTECTED]>
> Date: Fri, 28 Feb 2003 15:51:53 -0500
> To: [EMAIL PROTECTED]
> Subject: Re: Solaris 8 + IPsec tunnel + ipf = panic
>
> > I wrote:
> > > panic: ptl1 trap reason 0x2
> > >
> > > panicsys(104236b0,1040c278,104082a8,78002000,0,f) + 44
> > > vpanic(104082a8,1040c278,31,0,2a1,30000f41d70) + cc
> > > panic(104082a8,2,0,0,0,2a382c0) + 1c
> > > sys_tl1_panic(5f029f61b8,2a100041fc8,0,120,0,0) + 8
> > > fr_qout(1,78037868,20,102eb154,0,3000110db18) + 400
> >
> > [EMAIL PROTECTED] wrote:
> > > Stack overflows in the scenario do not happen because of lack of
> > > stack but because the algorithm goes into a loop,
> > > recursing on the stack.
> >
> > I had a feeling that was the problem :)
> >
> > > I've had that happen when something goes wrong, routing-wise.
> > > I do *not* use two default routes myself; rather a handful
> > > of "preferred routes" plus one default route.
> > >
> > > What exact rules do you use? You need to explicitly forward
> > > to the first hop router on the other interface.
> >
> > That should match what I have (where the .1's are routers):
> >
> > pass out quick on hme2 to hme0:10.1.1.1 from 10.1.1.2 to any
> > pass out quick on hme0 to hme2:10.2.2.1 from 10.2.2.2 to any
> > [snip bunch of simple block rules]
> >
> > The tunnel runs over one of the default routes. I add a static
> > route on one endpoint to direct the VPN traffic through the tunnel.
> >
> > Thanks very much for the quick response!! If there's any more
> > information I can provide, please let me know.
