I have a private network sat behind a SPARC Solaris 10 router running IP Filter (version 4.1.20, with pfil 2.1.13 - replacing those shipped with Solaris). IP Filter is providing firewall and NAT to a single public-facing IP address.

The issue is that I'm trying to create a VPN connection between a machine in the private network, to an endpoint at another company. The VPN solution is Cisco-based... Cisco VPN client 4.6.x on the client - not sure what is at the other end. IP Filter is using the ipsec NAT proxy function.

What I'm seeing is that the initial connection attempt to the VPN endpoint fails during IKE negotiation... subsequent attempts appear to work correctly. Worse still, however, is that once the VPN tunnel has been formed... everything works for a while until the IP Filter system panics.

I've attached a snippet from /var/adm/messages [1] showing the actual panic message. I've also included the stack trace from the resulting crash dump file [2]. Curiously, this issue existed with IP Filter 4.1.16 and pfil 2.1.11, which I was running until recently. I upgraded to 4.1.20 in the hope that it would correct this issue. Needless to say, the stock IP Filter that shipped in Solaris 10 panic'd every time an IPsec connection attempt was made.

Darren, or anyone who has a better clue than me - could you point me in the right direction if it's something I'm doing wrong?

[1]

May  1 16:43:15 hostname ^Mpanic[cpu0]/thread=2a100047cc0:
May 1 16:43:15 hostname unix: [ID 799565 kern.notice] BAD TRAP: type=31 rp=2a100046e00 addr=6ac54ab0 mmu_fsr=0
May  1 16:43:15 hostname unix: [ID 100000 kern.notice]
May  1 16:43:15 hostname unix: [ID 839527 kern.notice] sched:
May  1 16:43:15 hostname unix: [ID 520581 kern.notice] trap type = 0x31
May  1 16:43:15 hostname unix: [ID 381800 kern.notice] addr=0x6ac54ab0
May 1 16:43:15 hostname unix: [ID 101969 kern.notice] pid=0, pc=0x1040d24, sp=0x2a1000466a1, tstate=0x4480001600, context=0x0
May 1 16:43:15 hostname unix: [ID 743441 kern.notice] g1-g7: 0, c, c, 30005f1fec0, d, 0, 2a100047cc0
May  1 16:43:15 hostname unix: [ID 100000 kern.notice]
May 1 16:43:15 hostname genunix: [ID 723222 kern.notice] 000002a100046b20 unix:die+9c (31, 2a100046e00, 6ac54ab0, 0, 2a100046be0, d3f21000)
May 1 16:43:15 hostname genunix: [ID 179002 kern.notice] %l0-3: 00000000c0800000 0000000000000031 0000000001000000 0000000000002000
May 1 16:43:15 hostname %l4-7: 0000000000100000 00000000018362c0 0000000000000000 0000000001075400
May 1 16:43:16 hostname genunix: [ID 723222 kern.notice] 000002a100046c00 unix:trap+9d4 (2a100046e00, 10000, 1fff, 5, 6ac54000, 1)
May 1 16:43:16 hostname genunix: [ID 179002 kern.notice] %l0-3: 0000000000000000 00000000018362c0 0000000000000031 0000000000000000
May 1 16:43:16 hostname %l4-7: ffffffffffffe000 0000000000000001 0000000000000001 0000000000000005
May 1 16:43:16 hostname genunix: [ID 723222 kern.notice] 000002a100046d50 unix:ktl0+48 (6ac54ab0, 2a100047cc0, 0, 2a100047378, 300013b6f70, 1)
May 1 16:43:16 hostname genunix: [ID 179002 kern.notice] %l0-3: 0000000000000001 0000000000001400 0000004480001600 0000000001019874
May 1 16:43:16 hostname %l4-7: 000000000000010d 00000000702c9e68 0000000000000006 000002a100046e00
May 1 16:43:16 hostname genunix: [ID 723222 kern.notice] 000002a100046ea0 ipf:fr_movequeue+94 (30005490ce0, 703708c8, 6ac54ab0, a4f8, 2, 0)
May 1 16:43:16 hostname genunix: [ID 179002 kern.notice] %l0-3: 00000000703708c8 00000000703708f0 0000000000013b6d 0000030005490ce0
May 1 16:43:16 hostname %l4-7: 0000030005490ce0 000002a100047378 000000000000001c 0000000000000800
May 1 16:43:16 hostname genunix: [ID 723222 kern.notice] 000002a100046f70 ipf:nat_update+d4 (2a100047378, 30005490c40, 30003e2a698, 703708c8, 30005490ce0, 6ac54ab0)
May 1 16:43:16 hostname genunix: [ID 179002 kern.notice] %l0-3: 0000000000000032 0000030005490c40 0000000000000001 0000030000075ef0
May 1 16:43:16 hostname %l4-7: 0000030000075f40 0000000070368098 0000000000010000 00000000000001f8
May 1 16:43:17 hostname genunix: [ID 723222 kern.notice] 000002a100047050 ipf:fr_natin+1fc (2a100047378, 30005490c40, 0, 320, 0, 30003e2a698)
May 1 16:43:17 hostname genunix: [ID 179002 kern.notice] %l0-3: 0000000000000000 0000030005490d88 00000000c0a80182 0000000000000000
May 1 16:43:17 hostname %l4-7: 0000030005490d88 000002a100047378 0000030001e49ed8 00000000000005bb
May 1 16:43:17 hostname genunix: [ID 723222 kern.notice] 000002a100047150 ipf:fr_checknatin+53c (2a100047378, 0, 2a100047378, ffffe9c1, 30005490c40, 0)
May 1 16:43:17 hostname genunix: [ID 179002 kern.notice] %l0-3: 0000000000000001 0000030005490c40 000000004a6d1cb6 0000000000000004
May 1 16:43:17 hostname %l4-7: 0000030005e592b0 0000000000000000 00000000000ab51b 0000000000000000
May 1 16:43:17 hostname genunix: [ID 723222 kern.notice] 000002a100047280 ipf:fr_check+34c (30005e592b0, 300028f13c0, 4, 0, 2a100047378, 2a1000477f0)
May 1 16:43:17 hostname genunix: [ID 179002 kern.notice] %l0-3: 0000000000000000 000002a10004736c 0000000000000036 0000000000000004
May 1 16:43:17 hostname %l4-7: 0000000000000000 00000000018578b0 0000000000000001 000002a100047638
May 1 16:43:17 hostname genunix: [ID 723222 kern.notice] 000002a1000474a0 pfil:pfil_precheck+c60 (0, 2a1000477f0, 1, 30001e49ed8, 115c800, 2)
May 1 16:43:17 hostname genunix: [ID 179002 kern.notice] %l0-3: 0000000000000014 000000007bb6f2c0 0000000000000000 00000300028f13c0
May 1 16:43:17 hostname %l4-7: 0000000000000068 0000000001000000 000003000609c780 00000000000001f8
May 1 16:43:18 hostname genunix: [ID 723222 kern.notice] 000002a1000476f0 pfil:pfilmodrput+360 (300013b6ce0, 3000609c780, 1, 180c000, 0, 30001e49ed8)
May 1 16:43:18 hostname genunix: [ID 179002 kern.notice] %l0-3: 000003000107ac68 0000030001e49ed8 0000000000000000 00000300013b6ce0
May 1 16:43:18 hostname %l4-7: 0000000000000000 0000000000000001 0000000000000000 0000000000000001
May 1 16:43:18 hostname genunix: [ID 723222 kern.notice] 000002a100047800 unix:putnext+218 (300013b6ed0, 300013b6ce0, 3000609c780, 100, 300013b6f70, 0)
May 1 16:43:18 hostname genunix: [ID 179002 kern.notice] %l0-3: 0000000000000000 0000000000000000 0000000000000000 00000000000058b0
May 1 16:43:18 hostname %l4-7: 000000000000010d 00000000702c9e68 000000007bb665a8 fffffd5efffbe000
May 1 16:43:18 hostname genunix: [ID 723222 kern.notice] 000002a1000478b0 eri:eri_sendup+d0 (30002026000, 300058c43c0, 7bb5bc10, 300028ff000, 30001c7f000, 3000609c780)
May 1 16:43:18 hostname genunix: [ID 179002 kern.notice] %l0-3: 0000000000000000 0000030005e4dc82 0000000000013b6d 0000030005e4dc88
May 1 16:43:18 hostname %l4-7: 0000000000020910 000000000002090c 0000000000000800 0000000000000800
May 1 16:43:18 hostname genunix: [ID 723222 kern.notice] 000002a100047960 eri:eri_intr+43c (30002026000, 10280, 80000000, 10238, 1c000, 20)
May 1 16:43:19 hostname genunix: [ID 179002 kern.notice] %l0-3: 0000030001fd8800 00000000000003ff 0000030001fd8cb0 0000000000000001
May 1 16:43:19 hostname %l4-7: 0000000000000010 0000000070368098 0000000000010000 00000300020362c0
May 1 16:43:19 hostname genunix: [ID 723222 kern.notice] 000002a100047a20 pcipsy:pci_intr_wrapper+b4 (300000c4bd8, 300000c6f08, 0, 0, 0, 30001f42c18)
May 1 16:43:19 hostname genunix: [ID 179002 kern.notice] %l0-3: 00000000018d0030 00000300000af580 00000000018d0078 0000000000000001
May 1 16:43:19 hostname %l4-7: 00000300003934b8 0000030002026000 0000000000000000 000000007bb5a3e8
May  1 16:43:19 hostname unix: [ID 100000 kern.notice]


[2]

# adb -w ./unix.2 ./vmcore.2
physmem fa28
$C
000002a1000466a1 mutex_enter+4(30005490ce0, 703708c8, 6ac54ab0, a4f8, 2, 0)
000002a100046771 nat_update+0xd4(2a100047378, 30005490c40, 30003e2a698, 703708c8, 30005490ce0, 6ac54ab0)
000002a100046851 fr_natin+0x1fc(2a100047378, 30005490c40, 0, 320, 0, 30003e2a698)
000002a100046951 fr_checknatin+0x53c(2a100047378, 0, 2a100047378, ffffe9c1, 30005490c40, 0)
000002a100046a81 fr_check+0x34c(30005e592b0, 300028f13c0, 4, 0, 2a100047378, 2a1000477f0)
000002a100046ca1 pfil_precheck+0xc60(0, 2a1000477f0, 1, 30001e49ed8, 115c800, 2)
000002a100046ef1 pfilmodrput+0x360(300013b6ce0, 3000609c780, 1, 180c000, 0, 30001e49ed8)
000002a100047001 putnext+0x218(300013b6ed0, 300013b6ce0, 3000609c780, 100, 300013b6f70, 0)
000002a1000470b1 eri_sendup+0xd0(30002026000, 300058c43c0, 7bb5bc10, 300028ff000, 30001c7f000, 3000609c780)
000002a100047161 eri_intr+0x43c(30002026000, 10280, 80000000, 10238, 1c000, 20)
000002a100047221 pci_intr_wrapper+0xb4(300000c4bd8, 300000c6f08, 0, 0, 0, 30001f42c18)
000002a1000472d1 intr_thread+0x170(183d5e8, 10534f8, 1813400, 180c2b8, 69aca, 3000138df80)
000002a10001f221 idle+0x38(181224c, 1, 180c000, 18362c0, 1, 1812000)
000002a10001f2d1 thread_start+4(0, 0, 0, 0, 0, 0)

--
Dave Ockwell-Jenner
Solar Nexus Solutions
http://www.solar-nexus.com/
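
A small triage helper for the panic messages in this post, added here as an example and not part of the original message: it extracts the trap address from the BAD TRAP record and lists the stack frames that received that address as an argument. The function names are hypothetical, and the sample lines are copied from the log above with the register dumps omitted.

```python
import re

# Lines copied from the panic messages in this post (register dumps omitted).
PANIC_LOG = """\
May 1 16:43:15 hostname unix: [ID 799565 kern.notice] BAD TRAP: type=31 rp=2a100046e00 addr=6ac54ab0 mmu_fsr=0
May 1 16:43:16 hostname genunix: [ID 723222 kern.notice] 000002a100046d50 unix:ktl0+48 (6ac54ab0, 2a100047cc0, 0, 2a100047378, 300013b6f70, 1)
May 1 16:43:16 hostname genunix: [ID 723222 kern.notice] 000002a100046ea0 ipf:fr_movequeue+94 (30005490ce0, 703708c8, 6ac54ab0, a4f8, 2, 0)
May 1 16:43:16 hostname genunix: [ID 723222 kern.notice] 000002a100046f70 ipf:nat_update+d4 (2a100047378, 30005490c40, 30003e2a698, 703708c8, 30005490ce0, 6ac54ab0)
May 1 16:43:17 hostname genunix: [ID 723222 kern.notice] 000002a100047050 ipf:fr_natin+1fc (2a100047378, 30005490c40, 0, 320, 0, 30003e2a698)
"""

TRAP_RE = re.compile(r"BAD TRAP: type=([0-9a-f]+) rp=[0-9a-f]+ addr=([0-9a-f]+)")
# Frame record: <frame pointer> <module>:<function>+<offset> (<six hex args>)
FRAME_RE = re.compile(r"\] ([0-9a-f]{16}) (\w+):(\w+)\+([0-9a-f]+) \(([^)]*)\)")


def parse_trap(log):
    """Return the trap type and faulting address from the BAD TRAP record."""
    m = TRAP_RE.search(log)
    if m is None:
        raise ValueError("no BAD TRAP record found")
    return {"type": m.group(1), "addr": m.group(2)}


def parse_frames(log):
    """Return stack frames in log order (innermost first).

    Matching runs over the whole text rather than line by line, so it
    also works when the syslog records have been run together.
    """
    frames = []
    for m in FRAME_RE.finditer(log):
        args = [a.strip() for a in m.group(5).split(",") if a.strip()]
        frames.append({"fp": m.group(1), "module": m.group(2),
                       "symbol": f"{m.group(3)}+{m.group(4)}", "args": args})
    return frames


def frames_with_fault_addr(log):
    """List 'module:function+offset' for frames passed the faulting address."""
    addr = parse_trap(log)["addr"]
    return [f"{f['module']}:{f['symbol']}"
            for f in parse_frames(log) if addr in f["args"]]


if __name__ == "__main__":
    print("trap:", parse_trap(PANIC_LOG))
    for name in frames_with_fault_addr(PANIC_LOG):
        print("faulting address passed to", name)
```
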
