Relayd issues with "check icmp" after upgrade to 5.2

[Andrew Klettke]

Just upgraded to 5.2 on one of our backup firewalls, and we are having 
issues with hosts that are being checked with ICMP:

Nov  2 14:58:38 fw02 relayd[30621]: table radius: 1 added, 1 deleted, 0 
changed, 0 killed
Nov  2 14:58:38 fw02 relayd[5280]: recv_icmp: forged icmp packet?
Nov  2 14:58:48 fw02 relayd[5280]: recv_icmp: forged icmp packet?
Nov  2 14:58:48 fw02 relayd[5280]: host 192.168.1.11, check icmp (0ms), 
state down -> up, availability 15.79%
Nov  2 14:58:48 fw02 relayd[5280]: host 192.168.1.15, check icmp 
(209ms), state up -> down, availability 84.21%
Nov  2 14:58:58 fw02 relayd[30621]: table radius: 1 added, 1 deleted, 0 
changed, 0 killed
Nov  2 14:58:58 fw02 relayd[5280]: recv_icmp: forged icmp packet?
Nov  2 14:58:58 fw02 relayd[5280]: host 192.168.1.15, check icmp (1ms), 
state down -> up, availability 85.00%
Nov  2 14:58:58 fw02 relayd[5280]: host 192.168.1.11, check icmp 
(209ms), state up -> down, availability 15.00%
Nov  2 14:59:08 fw02 relayd[30621]: table radius: 1 added, 1 deleted, 0 
changed, 0 killed
Nov  2 14:59:08 fw02 relayd[5280]: recv_icmp: forged icmp packet?


Sometimes relayd accepts the ICMP packet is valid, and other times not; 
one host seems to be up while the other is down, and then they switch.

The setup here is simple as can be, interface re1 is in the 
192.168.1.0/24 subnet, and ARP entries for these servers can be seen in 
`arp -na`:



$ arp -na
? (192.168.1.11) at **:**:**:93:b8:c1 on re1
? (192.168.1.15) at **:**:**:f0:62:ae on re1


We're relaying UDP for RADIUS authentication, so can't switch to 
checking TCP for host health. Our other firewall in the pair, running 
5.1, is having no issues at all.

In relayd.conf:

redirect radius {
        listen on $ext_addr udp port 1812

        # tag every packet that goes thru the rdr rule with RELAYD
        tag RELAYD
        forward to <$host-at-192.168.1.11> check icmp
        forward to <$host-at-192.168.1.15> check icmp
}



Any ideas?


OpenBSD 5.2 (GENERIC.MP) #339: Wed Aug  1 10:13:24 MDT 2012
dera...@i386.openbsd.org:/usr/src/sys/arch/i386/compile/GENERIC.MP
cpu0: Intel(R) Atom(TM) CPU 330 @ 1.60GHz ("GenuineIntel" 686-class) 
1.61 GHz
cpu0: 
FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,SBF,NXE,LONG,SSE3,MWAIT,DS-CPL,TM2,SSSE3,CX16,xTPR,PDCM,MOVBE,LAHF
real mem  = 2138238976 (2039MB)
avail mem = 2092429312 (1995MB)
mainbus0 at root
bios0 at mainbus0: AT/286+ BIOS, date 07/10/09, BIOS32 rev. 0 @ 0xf0010, 
SMBIOS rev. 2.5 @ 0xfd170 (27 entries)
bios0: vendor American Megatrends Inc. version "1.0a" date 07/10/2009
bios0: Supermicro X7SLA
acpi0 at bios0: rev 2
acpi0: sleep states S0 S1 S3 S4 S5
acpi0: tables DSDT FACP APIC MCFG SLIC OEMB
acpi0: wakeup devices P0P2(S4) P0P1(S4) PS2K(S4) PS2M(S4) EUSB(S4) 
MC97(S4) P0P4(S4) P0P5(S4) P0P6(S4) P0P7(S4) P0P8(S4) LAN0(S1) P0P9(S4) 
LAN1(S1) USB0(S4) USB1(S4) USB2(S4) USB3(S4) SLPB(S4)
acpitimer0 at acpi0: 3579545 Hz, 24 bits
acpimadt0 at acpi0 addr 0xfee00000: PC-AT compat
cpu0 at mainbus0: apid 0 (boot processor)
cpu0: apic clock running at 133MHz
cpu1 at mainbus0: apid 2 (application processor)
cpu1: Intel(R) Atom(TM) CPU 330 @ 1.60GHz ("GenuineIntel" 686-class) 
1.61 GHz
cpu1: 
FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,SBF,NXE,LONG,SSE3,MWAIT,DS-CPL,TM2,SSSE3,CX16,xTPR,PDCM,MOVBE,LAHF
cpu2 at mainbus0: apid 1 (application processor)
cpu2: Intel(R) Atom(TM) CPU 330 @ 1.60GHz ("GenuineIntel" 686-class) 
1.61 GHz
cpu2: 
FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,SBF,NXE,LONG,SSE3,MWAIT,DS-CPL,TM2,SSSE3,CX16,xTPR,PDCM,MOVBE,LAHF
cpu3 at mainbus0: apid 3 (application processor)
cpu3: Intel(R) Atom(TM) CPU 330 @ 1.60GHz ("GenuineIntel" 686-class) 
1.61 GHz
cpu3: 
FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,SBF,NXE,LONG,SSE3,MWAIT,DS-CPL,TM2,SSSE3,CX16,xTPR,PDCM,MOVBE,LAHF
ioapic0 at mainbus0: apid 4 pa 0xfec00000, version 20, 24 pins
ioapic0: misconfigured as apic 1, remapped to apid 4
acpimcfg0 at acpi0 addr 0xf0000000, bus 0-63
acpiprt0 at acpi0: bus 0 (PCI0)
acpiprt1 at acpi0: bus 1 (P0P2)
acpiprt2 at acpi0: bus 8 (P0P1)
acpiprt3 at acpi0: bus 5 (P0P4)
acpiprt4 at acpi0: bus -1 (P0P5)
acpiprt5 at acpi0: bus -1 (P0P6)
acpiprt6 at acpi0: bus -1 (P0P7)
acpiprt7 at acpi0: bus 6 (P0P8)
acpiprt8 at acpi0: bus 7 (P0P9)
acpicpu0 at acpi0
acpicpu1 at acpi0
acpicpu2 at acpi0
acpicpu3 at acpi0
acpibtn0 at acpi0: SLPB
acpibtn1 at acpi0: PWRB
bios0: ROM list: 0xc0000/0xaa00!
pci0 at mainbus0 bus 0: configuration mode 1 (bios)
pchb0 at pci0 dev 0 function 0 "Intel 82945G Host" rev 0x02
ppb0 at pci0 dev 1 function 0 "Intel 82945G PCIE" rev 0x02: apic 4 int 16
pci1 at ppb0 bus 1
ppb1 at pci1 dev 0 function 0 "IDT 89HPES12N3A" rev 0x04
pci2 at ppb1 bus 2
ppb2 at pci2 dev 0 function 0 "IDT 89HPES12N3A" rev 0x04
pci3 at ppb2 bus 3
em0 at pci3 dev 0 function 0 "Intel PRO/1000 QP (82571EB)" rev 0x06: 
apic 4 int 16, address 00:15:17:a6:2e:70
em1 at pci3 dev 0 function 1 "Intel PRO/1000 QP (82571EB)" rev 0x06: 
apic 4 int 17, address 00:15:17:a6:2e:71
ppb3 at pci2 dev 1 function 0 "IDT 89HPES12N3A" rev 0x04
pci4 at ppb3 bus 4
em2 at pci4 dev 0 function 0 "Intel PRO/1000 QP (82571EB)" rev 0x06: 
apic 4 int 17, address 00:15:17:a6:2e:72
em3 at pci4 dev 0 function 1 "Intel PRO/1000 QP (82571EB)" rev 0x06: 
apic 4 int 18, address 00:15:17:a6:2e:73
vga1 at pci0 dev 2 function 0 "Intel 82945G Video" rev 0x02
wsdisplay0 at vga1 mux 1: console (80x25, vt100 emulation)
wsdisplay0: screen 1-5 added (80x25, vt100 emulation)
intagp0 at vga1
agp0 at intagp0: aperture at 0xe0000000, size 0x10000000
inteldrm0 at vga1: apic 4 int 16
drm0 at inteldrm0
ppb4 at pci0 dev 28 function 0 "Intel 82801GB PCIE" rev 0x01: apic 4 int 16
pci5 at ppb4 bus 5
ppb5 at pci0 dev 28 function 4 "Intel 82801G PCIE" rev 0x01: apic 4 int 16
pci6 at ppb5 bus 6
re0 at pci6 dev 0 function 0 "Realtek 8168" rev 0x02: RTL8168C/8111C 
(0x3c00), apic 4 int 16, address 00:30:48:9f:33:52
rgephy0 at re0 phy 7: RTL8169S/8110S PHY, rev. 2
ppb6 at pci0 dev 28 function 5 "Intel 82801G PCIE" rev 0x01: apic 4 int 17
pci7 at ppb6 bus 7
re1 at pci7 dev 0 function 0 "Realtek 8168" rev 0x02: RTL8168C/8111C 
(0x3c00), apic 4 int 17, address 00:30:48:9f:33:53
rgephy1 at re1 phy 7: RTL8169S/8110S PHY, rev. 2
uhci0 at pci0 dev 29 function 0 "Intel 82801GB USB" rev 0x01: apic 4 int 23
uhci1 at pci0 dev 29 function 1 "Intel 82801GB USB" rev 0x01: apic 4 int 19
uhci2 at pci0 dev 29 function 2 "Intel 82801GB USB" rev 0x01: apic 4 int 18
uhci3 at pci0 dev 29 function 3 "Intel 82801GB USB" rev 0x01: apic 4 int 16
ehci0 at pci0 dev 29 function 7 "Intel 82801GB USB" rev 0x01: apic 4 int 23
usb0 at ehci0: USB revision 2.0
uhub0 at usb0 "Intel EHCI root hub" rev 2.00/1.00 addr 1
ppb7 at pci0 dev 30 function 0 "Intel 82801BA Hub-to-PCI" rev 0xe1
pci8 at ppb7 bus 8
ichpcib0 at pci0 dev 31 function 0 "Intel 82801GB LPC" rev 0x01: PM disabled
pciide0 at pci0 dev 31 function 1 "Intel 82801GB IDE" rev 0x01: DMA, 
channel 0 configured to compatibility, channel 1 configured to compatibility
pciide0: channel 0 disabled (no drives)
pciide0: channel 1 disabled (no drives)
pciide1 at pci0 dev 31 function 2 "Intel 82801GB SATA" rev 0x01: DMA, 
channel 0 configured to native-PCI, channel 1 configured to native-PCI
pciide1: using apic 4 int 19 for native-PCI interrupt
wd0 at pciide1 channel 0 drive 0: <ST980210AS>
wd0: 16-sector PIO, LBA48, 76319MB, 156301488 sectors
wd0(pciide1:0:0): using PIO mode 4, Ultra-DMA mode 6
ichiic0 at pci0 dev 31 function 3 "Intel 82801GB SMBus" rev 0x01: apic 4 
int 19
iic0 at ichiic0
lm1 at iic0 addr 0x2d: W83627DHG
spdmem0 at iic0 addr 0x50: 1GB DDR2 SDRAM non-parity PC2-6400CL5
spdmem1 at iic0 addr 0x52: 1GB DDR2 SDRAM non-parity PC2-6400CL5
usb1 at uhci0: USB revision 1.0
uhub1 at usb1 "Intel UHCI root hub" rev 1.00/1.00 addr 1
usb2 at uhci1: USB revision 1.0
uhub2 at usb2 "Intel UHCI root hub" rev 1.00/1.00 addr 1
usb3 at uhci2: USB revision 1.0
uhub3 at usb3 "Intel UHCI root hub" rev 1.00/1.00 addr 1
usb4 at uhci3: USB revision 1.0
uhub4 at usb4 "Intel UHCI root hub" rev 1.00/1.00 addr 1
isa0 at ichpcib0
isadma0 at isa0
com0 at isa0 port 0x3f8/8 irq 4: ns16550a, 16 byte fifo
com1 at isa0 port 0x2f8/8 irq 3: ns16550a, 16 byte fifo
pckbc0 at isa0 port 0x60/5
pckbd0 at pckbc0 (kbd slot)
pckbc0: using irq 1 for kbd slot
wskbd0 at pckbd0: console keyboard, using wsdisplay0
pcppi0 at isa0 port 0x61
spkr0 at pcppi0
wbsio0 at isa0 port 0x2e/2: W83627DHG-P rev 0x73
lm2 at wbsio0 port 0x290/8: W83627DHG
npx0 at isa0 port 0xf0/16: reported by CPUID; using exception 16
mtrr: Pentium Pro MTRR support
lm1: disabling sensors due to alias with lm2
vscsi0 at root
scsibus0 at vscsi0: 256 targets
softraid0 at root
scsibus1 at softraid0: 256 targets
root on wd0a swap on wd0b dump on wd0b

--
Thanks,

Andrew Klettke
Systems Admin
Optic Fusion