Re: 5.3 relayd instability -- crashes with "hce exiting"

Mon, 03 Jun 2013 15:13:17 -0700 

Thanks very much Sebastian,

I'll try this and let you know how it goes once I'm cleared to do so.

Thanks,

Andrew Klettke
Systems Admin
Optic Fusion

On 06/03/2013 03:05 PM, Sebastian Benoit wrote:

Hi,

unfortunatly you do not show your configfile, so i have to guess (you can
send it to me in private if you do not want to send it to a mailing-list).

You have a relay or redirect with ssl in your config?

Please try the attached patch, it's against -current, but should apply
on 5.3.

Apply by doing:
        cd /usr/src/usr.sbin/relayd/
        patch < thisemail
        make obj
        make depend
        make
        make install

/Benno

Index: ssl.c
===================================================================
RCS file: /cvs/src/usr.sbin/relayd/ssl.c,v
retrieving revision 1.18
diff -u -p -r1.18 ssl.c
--- ssl.c       30 May 2013 20:17:12 -0000      1.18
+++ ssl.c       31 May 2013 20:16:35 -0000
@@ -220,8 +220,10 @@ ssl_cleanup(struct ctl_tcp_event *cte)
                SSL_shutdown(cte->ssl);
                SSL_clear(cte->ssl);
        }
-       if (cte->buf != NULL)
+       if (cte->buf != NULL) {
                ibuf_free(cte->buf);
+               cte->buf = NULL;
+       }
  }
void 



Andrew Klettke(aklet...@opticfusion.net) on 2013.06.03 14:50:33 -0700:

Hey all,

Ever since upgrading to 5.3 a pair of firewalls whose main job is
running relayd, we're seeing significant instability compared to the 5.2
version. Right now we're seeing relayd crash around 8 times a day, with
the following not-so-informative error message 'hce exiting' (names of
relays and IPs edited out):


relay *******, session 39269 (43 active), 0, ***.***.19.132 ->
***.***.15.81:80, done
relay *******, session 38573 (43 active), 0, ***.***.93.209 -> :0, closed
relay_close: sessions inflight decremented, now 0
relay *******, session 38318 (40 active), 0, ***.***.93.209 ->
***.***.15.104:443, done
relay *******, session 39165 (44 active), 0, ***.***.19.132 ->
***.***.15.81:80, done
hce exiting, pid 19342
relay *******, session 38371 (43 active), 0, ***.***.93.209 ->
***.***.15.104:443, done
kill_tables: deleted 2 tables
flush_rulesets: flushed rules
relay_close: sessions inflight decremented, now 1
relay_close: sessions inflight decremented, now 0
relay_close: sessions inflight decremented, now 0
relay exiting, pid 2067
pfe exiting, pid 12850
relay exiting, pid 20156
relay exiting, pid 7514
relay_close: sessions inflight decremented, now 0
relay exiting, pid 576
relay exiting, pid 3186
parent terminating, pid 11155
relay exiting, pid 26777
relay exiting, pid 19108
relay exiting, pid 4265


When these firewalls were running 5.2, we saw relayd crash maybe 3-4
times a month with these same settings and load levels, now its
occurring around 10 times a day. I was hoping for any ideas or hints on
where to look next. These are production firewalls so I'm waiting on
word from the customer about if/when I can drop in compiled relayd and
relayctl binaries from the -CURRENT source tree.

dmesg:

OpenBSD 5.3 (GENERIC.MP) #58: Tue Mar 12 18:43:53 MDT 2013
dera...@i386.openbsd.org:/usr/src/sys/arch/i386/compile/GENERIC.MP
cpu0: Intel(R) Core(TM)2 Duo CPU E7500 @ 2.93GHz ("GenuineIntel"
686-class) 2.94 GHz
cpu0:
FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,NXE,LONG,SSE3,DTES64,MWAIT,DS-CPL,VMX,EST,TM2,SSSE3,CX16,xTPR,PDCM,SSE4.1,XSAVE,LAHF,PERF
real mem  = 2145374208 (2045MB)
avail mem = 2099318784 (2002MB)
mainbus0 at root
bios0 at mainbus0: AT/286+ BIOS, date 11/03/09, BIOS32 rev. 0 @ 0xfdb70,
SMBIOS rev. 2.5 @ 0x7fedf000 (39 entries)
bios0: vendor Phoenix Technologies LTD version "1.3a" date 11/03/2009
bios0: Supermicro X7SBi
acpi0 at bios0: rev 2
acpi0: sleep states S0 S1 S4 S5
acpi0: tables DSDT FACP _MAR MCFG APIC BOOT SPCR ERST HEST BERT EINJ
SLIC SSDT SSDT SSDT SSDT SSDT SSDT SSDT SSDT SSDT
acpi0: wakeup devices PXHA(S5) PEX_(S5) LAN_(S5) USB4(S5) USB5(S5)
USB7(S5) ESB2(S5) EXP1(S5) EXP5(S5) EXP6(S5) USB1(S5) USB2(S5) USB3(S5)
USB6(S5) ESB1(S5) PCIB(S5) KBC0(S1) MSE0(S1) COM1(S5) COM2(S5) PWRB(S3)
acpitimer0 at acpi0: 3579545 Hz, 24 bits
acpimcfg0 at acpi0 addr 0xe0000000, bus 0-16
acpimadt0 at acpi0 addr 0xfee00000: PC-AT compat
cpu0 at mainbus0: apid 0 (boot processor)
cpu0: apic clock running at 290MHz
cpu1 at mainbus0: apid 1 (application processor)
cpu1: Intel(R) Core(TM)2 Duo CPU E7500 @ 2.93GHz ("GenuineIntel"
686-class) 3.20 GHz
cpu1:
FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,NXE,LONG,SSE3,DTES64,MWAIT,DS-CPL,VMX,EST,TM2,SSSE3,CX16,xTPR,PDCM,SSE4.1,XSAVE,LAHF,PERF
ioapic0 at mainbus0: apid 2 pa 0xfec00000, version 20, 24 pins
ioapic1 at mainbus0: apid 3 pa 0xfecc0000, version 20, 24 pins
acpiprt0 at acpi0: bus 0 (PCI0)
acpiprt1 at acpi0: bus 2 (PXHA)
acpiprt2 at acpi0: bus 3 (PEX_)
acpiprt3 at acpi0: bus 5 (EXP1)
acpiprt4 at acpi0: bus 13 (EXP5)
acpiprt5 at acpi0: bus 15 (EXP6)
acpiprt6 at acpi0: bus 17 (PCIB)
acpicpu0 at acpi0: C3, PSS
acpicpu1 at acpi0: C3, PSS
acpibtn0 at acpi0: PWRB
acpivideo0 at acpi0: IGD0
bios0: ROM list: 0xc0000/0x9000 0xc9000/0x1000 0xca000/0x1000
ipmi at mainbus0 not configured
cpu0: Enhanced SpeedStep 3198 MHz: speeds: 2933, 2667, 2400, 2133, 1867,
1600 MHz
pci0 at mainbus0 bus 0: configuration mode 1 (bios)
pchb0 at pci0 dev 0 function 0 "Intel 3200/3210 Host" rev 0x01
ppb0 at pci0 dev 1 function 0 "Intel 3200/3210 PCIE" rev 0x01: apic 2 int 16
pci1 at ppb0 bus 1
ppb1 at pci1 dev 0 function 0 "Intel 6702PXH PCIE-PCIX" rev 0x09
pci2 at ppb1 bus 2
"Intel IOxAPIC" rev 0x09 at pci1 dev 0 function 1 not configured
ppb2 at pci0 dev 6 function 0 "Intel 3210 PCIE" rev 0x01: apic 2 int 16
pci3 at ppb2 bus 3
em0 at pci3 dev 0 function 0 "Intel PRO/1000 PT (82575EB)" rev 0x02:
msi, address 00:25:90:04:c7:00
em1 at pci3 dev 0 function 1 "Intel PRO/1000 PT (82575EB)" rev 0x02:
msi, address 00:25:90:04:c7:01
uhci0 at pci0 dev 26 function 0 "Intel 82801I USB" rev 0x02: apic 2 int 16
uhci1 at pci0 dev 26 function 1 "Intel 82801I USB" rev 0x02: apic 2 int 17
uhci2 at pci0 dev 26 function 2 "Intel 82801I USB" rev 0x02: apic 2 int 18
ehci0 at pci0 dev 26 function 7 "Intel 82801I USB" rev 0x02: apic 2 int 18
usb0 at ehci0: USB revision 2.0
uhub0 at usb0 "Intel EHCI root hub" rev 2.00/1.00 addr 1
ppb3 at pci0 dev 28 function 0 "Intel 82801I PCIE" rev 0x02: apic 2 int 16
pci4 at ppb3 bus 5
ppb4 at pci0 dev 28 function 4 "Intel 82801I PCIE" rev 0x02: apic 2 int 16
pci5 at ppb4 bus 13
em2 at pci5 dev 0 function 0 "Intel PRO/1000MT (82573E)" rev 0x03: msi,
address 00:30:48:fa:ec:c8
ppb5 at pci0 dev 28 function 5 "Intel 82801I PCIE" rev 0x02: apic 2 int 17
pci6 at ppb5 bus 15
em3 at pci6 dev 0 function 0 "Intel PRO/1000MT (82573L)" rev 0x00: msi,
address 00:30:48:fa:ec:c9
uhci3 at pci0 dev 29 function 0 "Intel 82801I USB" rev 0x02: apic 2 int 23
uhci4 at pci0 dev 29 function 1 "Intel 82801I USB" rev 0x02: apic 2 int 22
uhci5 at pci0 dev 29 function 2 "Intel 82801I USB" rev 0x02: apic 2 int 18
ehci1 at pci0 dev 29 function 7 "Intel 82801I USB" rev 0x02: apic 2 int 23
usb1 at ehci1: USB revision 2.0
uhub1 at usb1 "Intel EHCI root hub" rev 2.00/1.00 addr 1
ppb6 at pci0 dev 30 function 0 "Intel 82801BA Hub-to-PCI" rev 0x92
pci7 at ppb6 bus 17
vga1 at pci7 dev 3 function 0 "ATI ES1000" rev 0x02
wsdisplay0 at vga1 mux 1: console (80x25, vt100 emulation)
wsdisplay0: screen 1-5 added (80x25, vt100 emulation)
radeondrm0 at vga1: apic 2 int 22
drm0 at radeondrm0
pciide0 at pci7 dev 4 function 0 "ITExpress IT8213F" rev 0x00: DMA
(unsupported), channel 0 wired to native-PCI, channel 1 wired to native-PCI
pciide0: using apic 2 int 23 for native-PCI interrupt
pciide0: channel 0 ignored (not responding; disabled or no drives?)
pciide0: channel 1 ignored (not responding; disabled or no drives?)
ichpcib0 at pci0 dev 31 function 0 "Intel 82801IR LPC" rev 0x02: PM disabled
pciide1 at pci0 dev 31 function 2 "Intel 82801I SATA" rev 0x02: DMA,
channel 0 configured to native-PCI, channel 1 configured to native-PCI
pciide1: using apic 2 int 17 for native-PCI interrupt
wd0 at pciide1 channel 0 drive 0: <ST3160316CS>
wd0: 16-sector PIO, LBA48, 152627MB, 312581808 sectors
wd0(pciide1:0:0): using PIO mode 4, Ultra-DMA mode 6
ichiic0 at pci0 dev 31 function 3 "Intel 82801I SMBus" rev 0x02: apic 2
int 17
iic0 at ichiic0
lm1 at iic0 addr 0x2d: W83627HF
wbng0 at iic0 addr 0x2f: w83793g
spdmem0 at iic0 addr 0x50: 1GB DDR2 SDRAM ECC PC2-6400CL5
spdmem1 at iic0 addr 0x52: 1GB DDR2 SDRAM ECC PC2-6400CL5
pciide2 at pci0 dev 31 function 5 "Intel 82801I SATA" rev 0x02: DMA,
channel 0 wired to native-PCI, channel 1 wired to native-PCI
pciide2: using apic 2 int 18 for native-PCI interrupt
"Intel 82801I Thermal" rev 0x02 at pci0 dev 31 function 6 not configured
usb2 at uhci0: USB revision 1.0
uhub2 at usb2 "Intel UHCI root hub" rev 1.00/1.00 addr 1
usb3 at uhci1: USB revision 1.0
uhub3 at usb3 "Intel UHCI root hub" rev 1.00/1.00 addr 1
usb4 at uhci2: USB revision 1.0
uhub4 at usb4 "Intel UHCI root hub" rev 1.00/1.00 addr 1
usb5 at uhci3: USB revision 1.0
uhub5 at usb5 "Intel UHCI root hub" rev 1.00/1.00 addr 1
usb6 at uhci4: USB revision 1.0
uhub6 at usb6 "Intel UHCI root hub" rev 1.00/1.00 addr 1
usb7 at uhci5: USB revision 1.0
uhub7 at usb7 "Intel UHCI root hub" rev 1.00/1.00 addr 1
isa0 at ichpcib0
isadma0 at isa0
com0 at isa0 port 0x3f8/8 irq 4: ns16550a, 16 byte fifo
com1 at isa0 port 0x2f8/8 irq 3: ns16550a, 16 byte fifo
pckbc0 at isa0 port 0x60/5
pckbd0 at pckbc0 (kbd slot)
pckbc0: using irq 1 for kbd slot
wskbd0 at pckbd0: console keyboard, using wsdisplay0
pcppi0 at isa0 port 0x61
spkr0 at pcppi0
lpt0 at isa0 port 0x378/4 irq 7
wbsio0 at isa0 port 0x2e/2: W83627HF rev 0x41
lm2 at wbsio0 port 0x290/8: W83627HF
npx0 at isa0 port 0xf0/16: reported by CPUID; using exception 16
fdc0 at isa0 port 0x3f0/6 irq 6 drq 2
mtrr: Pentium Pro MTRR support
lm1: disabling sensors due to alias with lm2
uhidev0 at uhub1 port 2 configuration 1 interface 0 "Peppercon AG
Multidevice" rev 2.00/0.01 addr 2
uhidev0: iclass 3/1
ukbd0 at uhidev0: 8 variable keys, 6 key codes
wskbd1 at ukbd0 mux 1
wskbd1: connecting to wsdisplay0
uhidev1 at uhub1 port 2 configuration 1 interface 1 "Peppercon AG
Multidevice" rev 2.00/0.01 addr 2
uhidev1: iclass 3/0
ums0 at uhidev1: 3 buttons, Z dir
wsmouse0 at ums0 mux 0
vscsi0 at root
scsibus0 at vscsi0: 256 targets
softraid0 at root
scsibus1 at softraid0: 256 targets
root on wd0a swap on wd0b dump on wd0b

--
Thanks,

Andrew Klettke
Systems Admin
Optic Fusion

Reply via email to