Re: vpn1411 problem related to software error? (was Re: [Fwd: 'Corrupted MAC on input' points to vpn1411 problem])
Breen Ouellette wrote:
I am still going to install 3.9 on a PC and try an ssh connection which doesn't involve WinXP / PuTTY.

I finally got around to it and I still get the error when connecting from a PC installed with OpenBSD 3.9 to my net4801 / vpn1411 running OpenBSD 3.9.

So, just in case someone came across this thread and thought that PuTTY was the cause of the problem, it definitely is not, you can thank Hifn for this one.

Breeno
Re: vpn1411 problem related to software error? (was Re: [Fwd: 'Corrupted MAC on input' points to vpn1411 problem])
Hello,

Hmm I get the corrupted mac error again on current, while connecting to the net4801 with windows + putty. Connecting with openbsd ssh client does not produce the error, I only get it with latest windows and putty client.

Is anyone else able to test:
a) with a windows client + putty
b) to a connect via ssh to a soekris 4801 running current + mini pci soekris vpn 1401
c) do you get the corrupted mac on input errors?

thx a lot
didier

- Original Message -
From: Breen Ouellette
Date: Wednesday, May 31, 2006 23:17
Subject: vpn1411 problem related to software error? (was Re: [Fwd: 'Corrupted MAC on input' points to vpn1411 problem])
To: misc@openbsd.org

Didier Wiroth wrote:
I run the test for almost 20 minutes, there was no problem anymore! Regards Didier

Thank you for your report.

Here's where I stick my head out farther than I probably should and hope it doesn't get taken off.

I checked the hifn code to see if it had changed since 3.9 Release. It hasn't. I took a look at the list of includes and noticed that several files have changed since 3.9 Release. Not being skilled enough to know if this is the right train of thought, I have to ask: is it possible that something was changed before 3.9 Release which broke hifn, and was later (lately) adjusted back to a state which works with hifn? If so, if the cause is not identified now is there a possibility that hifn could be broken again in the future?

The reason I ask is that hifn has a somewhat muddy history of breakage which has often been blamed on hardware. Is the hardware junk or is the problem hard to nail down? Or is this a combination of both - is the previous evidence of junk hardware + hifn problems resulting in a knee jerk reaction of blaming the hardware by default?

Also relevant for mere users like myself (ie not qualified to fix this problem), should we just downgrade to an earlier release or upgrade to current, or is this the sort of thing that would get patched if a problem was indeed identified?

Thanks.

Breeno
Re: vpn1411 problem related to software error? (was Re: [Fwd: 'Corrupted MAC on input' points to vpn1411 problem])
Didier Wiroth wrote:
Hello, Hmm I get the corrupted mac error again on current, while connecting to the net4801 with windows + putty. Connecting with openbsd ssh client does not produce the error, I only get it with latest windows and putty client.
Is anyone else able to test:
a) with a windows client + putty
b) to a connect via ssh to a soekris 4801 running current + mini pci soekris vpn 1401
c) do you get the corrupted mac on input errors?

I knew it was going to happen. :)

I will set up a PC with OpenBSD 3.9 Release and follow up with the latest snapshot and try making some connections that don't involve PuTTY. I'll get my results back by tomorrow.

Breeno
Re: vpn1411 problem related to software error? (was Re: [Fwd: 'Corrupted MAC on input' points to vpn1411 problem])
Hmm ... sorry ... here was my problem.

Today I used a custom kernel config file (created with dmassage). The corrupted MAC on input appeared after using the custom kernel. Dmassage used only the following crypto entry:

# crypto support
hifn*   at pci?         # Hi/fn 7751 crypto card

After re-adding all the Hi/fn cards, the corrupted MAC on input disappeared:
(by default, these entries are in GENERIC)

# crypto support
hifn*   at pci?         # Hi/fn 7751 crypto card
lofn*   at pci?         # Hi/fn 6500 crypto card
nofn*   at pci?         # Hi/fn 7814/7851/7854 crypto card

- Original Message -
From: Didier Wiroth
Date: Thursday, June 1, 2006 21:20
Subject: Re: vpn1411 problem related to software error? (was Re: [Fwd: 'Corrupted MAC on input' points to vpn1411 problem])
To: Breen Ouellette
Cc: misc@openbsd.org

Hello,

Hmm I get the corrupted mac error again on current, while connecting to the net4801 with windows + putty. Connecting with openbsd ssh client does not produce the error, I only get it with latest windows and putty client.

Is anyone else able to test:
a) with a windows client + putty
b) to a connect via ssh to a soekris 4801 running current + mini pci soekris vpn 1401
c) do you get the corrupted mac on input errors?

thx a lot
didier

- Original Message -
From: Breen Ouellette
Date: Wednesday, May 31, 2006 23:17
Subject: vpn1411 problem related to software error? (was Re: [Fwd: 'Corrupted MAC on input' points to vpn1411 problem])
To: misc@openbsd.org

Didier Wiroth wrote:
I run the test for almost 20 minutes, there was no problem anymore! Regards Didier

Thank you for your report.

Here's where I stick my head out farther than I probably should and hope it doesn't get taken off.

I checked the hifn code to see if it had changed since 3.9 Release. It hasn't. I took a look at the list of includes and noticed that several files have changed since 3.9 Release. Not being skilled enough to know if this is the right train of thought, I have to ask: is it possible that something was changed before 3.9 Release which broke hifn, and was later (lately) adjusted back to a state which works with hifn? If so, if the cause is not identified now is there a possibility that hifn could be broken again in the future?

The reason I ask is that hifn has a somewhat muddy history of breakage which has often been blamed on hardware. Is the hardware junk or is the problem hard to nail down? Or is this a combination of both - is the previous evidence of junk hardware + hifn problems resulting in a knee jerk reaction of blaming the hardware by default?

Also relevant for mere users like myself (ie not qualified to fix this problem), should we just downgrade to an earlier release or upgrade to current, or is this the sort of thing that would get patched if a problem was indeed identified?

Thanks.

Breeno
Re: vpn1411 problem related to software error? (was Re: [Fwd: 'Corrupted MAC on input' points to vpn1411 problem])
On Thu, Jun 01, 2006 at 02:32:22PM -0600, Breen Ouellette wrote:
Didier Wiroth wrote:
Hello, Hmm I get the corrupted mac error again on current, while connecting to the net4801 with windows + putty. Connecting with openbsd ssh client does not produce the error, I only get it with latest windows and putty client.
Is anyone else able to test:
a) with a windows client + putty
b) to a connect via ssh to a soekris 4801 running current + mini pci soekris vpn 1401
c) do you get the corrupted mac on input errors?

I knew it was going to happen. :)
I will set up a PC with OpenBSD 3.9 Release and follow up with the latest snapshot and try making some connections that don't involve PuTTY. I'll get my results back by tomorrow.

i am not seeing any hifn interrupts ( systat vmstat ) while sshed from a windows host (xp/98) using putty (2006-06-02:r6271 or 2005-11-03:r6444) and the 'AES (SSH-2 only)' encryption policy.

spuriously, i *am* getting hifn interrupts when i ssh from the win98 host using a 2002-06-05 development snapshot of putty.

3des, however, the hifn is clearly taking interrupts regardless of putty revision

can't duplicate corrupted MAC in any of the above, however

--
jared
[ openbsd 3.9-current GENERIC ( may 1 ) // i386 ]
Re: vpn1411 problem related to software error? (was Re: [Fwd: 'Corrupted MAC on input' points to vpn1411 problem])
Didier Wiroth wrote:
Sorry ;-) I've reposted a new message a few minutes later ...
May I ask you a question, do you use a custom kernel on your soekris box?

- Original Message -
From: Breen Ouellette
Date: Thursday, June 1, 2006 22:43
Subject: Re: vpn1411 problem related to software error? (was Re: [Fwd: 'Corrupted MAC on input' points to vpn1411 problem])
To: misc@openbsd.org

No, I do not use a custom kernel, and I haven't tried a custom kernel for at least five years (I caved in to the undeniable truth that Theo knows far better than I do on matters pertaining to OpenBSD). I've got a 2.5 Seagate hard drive (got sick of CF read limitations), I do a full install every release, and I try to stick to the base install as closely as possible (the only package I add is apg).

Now I am just plain confused!

I am still going to install 3.9 on a PC and try an ssh connection which doesn't involve WinXP / PuTTY.

Breeno

PS - Just in case someone figures I have a heat problem due to the hard disk: I run open top. CPU is 55 degC and HD is 34 degC. I am even modifying my case this week to add a chipset heatsink on the CPU and an 80mm Vantec Stealth to cool the case. I'll run my tests again when these mods are complete.
vpn1411 problem related to software error? (was Re: [Fwd: 'Corrupted MAC on input' points to vpn1411 problem])
Didier Wiroth wrote:
I run the test for almost 20 minutes, there was no problem anymore! Regards Didier

Thank you for your report.

Here's where I stick my head out farther than I probably should and hope it doesn't get taken off.

I checked the hifn code to see if it had changed since 3.9 Release. It hasn't. I took a look at the list of includes and noticed that several files have changed since 3.9 Release. Not being skilled enough to know if this is the right train of thought, I have to ask: is it possible that something was changed before 3.9 Release which broke hifn, and was later (lately) adjusted back to a state which works with hifn? If so, if the cause is not identified now is there a possibility that hifn could be broken again in the future?

The reason I ask is that hifn has a somewhat muddy history of breakage which has often been blamed on hardware. Is the hardware junk or is the problem hard to nail down? Or is this a combination of both - is the previous evidence of junk hardware + hifn problems resulting in a knee jerk reaction of blaming the hardware by default?

Also relevant for mere users like myself (ie not qualified to fix this problem), should we just downgrade to an earlier release or upgrade to current, or is this the sort of thing that would get patched if a problem was indeed identified?

Thanks.

Breeno
Re: [Fwd: 'Corrupted MAC on input' points to vpn1411 problem]
On Tue, May 30, 2006 at 07:49:39AM -0600, Breen Ouellette wrote:
Thanks for your post. I hope you take it one step further and run that script (and then report your result to this list)! :)

i just run worms(6) or rain(6) in a screen(1) window and then set it to monitor for 30s silence ('^a _').

reminds me, i think i did see it on 3des as well as aes now that you mention that. but it is not happening as of may1st current.

http://marc.theaimsgroup.com/?l=openbsd-misc&m=114349587814641&w=2

don't remember the interval of it happening prior to that.

--
jared
[ openbsd 3.9-current GENERIC ( may 1 ) // i386 ]
Re: [Fwd: 'Corrupted MAC on input' points to vpn1411 problem]
jared r r spiegel wrote:
On Mon, May 29, 2006 at 10:01:21PM -0600, Breen Ouellette wrote:
A few months ago, Didier Wiroth posted to this list that his net4801 with a vpn1411 was giving him 'Corrupted MAC on input' errors. He was looking for a solution to this problem.

i think i chimed in on that one. since i put may.1st snapshots on my 4801, it has not happened at all. this was the same situation for me as before; i started to see the 'corrupted MAC on input' after one snapshot, and then a few snapshots later, it went away entirely. this last time, it showed up after a december-ish snapshot (iirc, whatever i had in my last post about it ...), and since may.1 snapshot, it is entirely non-present

Just so you are aware, this problem is not necessarily limited to OpenBSD. A NetBSD user stated on the Soekris tech list that he had seen the error a couple of times, but he no longer has a net4801/vpn1411 combination to test the script against. As well, a FreeBSD user reported the same trouble in a different thread.

The problem is that this error is sporadic enough that no one appears to have confirmed the cause so that the responsible party(ies) may be notified. Since many types of hardware error can be responsible for similar behaviour it has been too easy to blame it on a ghost in the system. However, I started out with just a net4801, which I used for more than a year before getting the vpn1411. During that year my box ran flawlessly, so when the errors cropped up after installing the vpn1411 I was in the relatively unique position of knowing that the net4801 was fine, while most people seem to buy the set, experience errors, get told it is a hardware problem (bad RAM, bad NIC, bad network device), and take it at face value. It still could be a hardware problem, but it is not the only possibility and I would like clear evidence before I blame the card.

The fact that I have only seen this reported on BSD systems could be an indication that there is a problem with the Hifn driver _IF_ they all share a common code base. Having a quick look at the source code on the web indicates to me that several sources have been used to create the Hifn driver. Perhaps a developer can enlighten us about whether or not there is a shared code base (or cooperation) between projects.

I have seen my script run for several minutes before glitching out, so if you have the time to run it for a solid 10 minutes using SSH2/AES it will go a long way to confirming that you haven't just been lucky to avoid the error since you began using the May 1st snapshot. I've personally used several SSH2/AES sessions for regular use for more than 30 minutes in the last week without experiencing an error (yet at other times it has failed within a minute of regular use).

It seems rather unlikely (although not impossible) that the OpenBSD developers would regress the code to a breakable state and then fix it again, so my money would be on your being lucky the last few weeks and that most people sluff this off as a problem with hardware. In fact, the WebCVS shows that the last change to the Hifn driver was 4 months ago, which would indicate that for the May 1st snapshot to fix this problem the error would have to exist outside of the driver itself, lending more credibility to the hypothesis that you still have a problem but you just haven't experienced it.

Thanks for your post. I hope you take it one step further and run that script (and then report your result to this list)! :)

Breeno
Re: [Fwd: 'Corrupted MAC on input' points to vpn1411 problem]
I have a net4801 with a vpn1411 and I occasionally got the error (but not for a good while now). I also have a vpn1411 in a generic i386 mb and I have *never* seen the error on that machine.
Re: [Fwd: 'Corrupted MAC on input' points to vpn1411 problem]
Peter Strömberg wrote:
I have a net4801 with a vpn1411 and I occasionally got the error (but not for a good while now). I also have a vpn1411 in a generic i386 mb and I have *never* seen the error on that machine.

Peter,

Could you provide a model number for your generic i386 mainboard? Is it a vpn1411 you are using on the non-Soekris board, or the vpn1401 (PCI or mini-PCI)?

Have you used your net4801 without the vpn1411? If so, did you get any of these errors without the vpn1411?

What version of OpenBSD are you using on these machines?

Would you be so kind as to run the script (over ssh) which I posted in the original message? Preferably on both the machines you have with a vpn1411 for a minimum of ten minutes. It would be very helpful.

Thanks for the info, I hope we hear more!

Breeno
Re: [Fwd: 'Corrupted MAC on input' points to vpn1411 problem]
Breen Ouellette wrote:
Peter Strömberg wrote:
I have a net4801 with a vpn1411 and I occasionally got the error (but not for a good while now).
[snip]

I seem to no longer be able to find what I once found in google search results, so take this with a grain of salt, but if my memory serves me correctly, there exists a series of net4801 boards with a problematic capacitor somewhere in the PCI bus circuitry which could be causing the problem. Or maybe this is just a myth.

I use two net4801 boards with vpn1411 cards and I DO get these errors occasionally with all patch- (post-release) kernels since OpenBSD 3.6

$0.02

Regards,
Stoyan Genov
Re: [Fwd: 'Corrupted MAC on input' points to vpn1411 problem]
Breen Ouellette wrote:
Could you provide a model number for your generic i386 mainboard? Is it a vpn1411 you are using on the non-Soekris board, or the vpn1401 (PCI or mini-PCI)? Have you used your net4801 without the vpn1411? If so, did you get any of these errors without the vpn1411? What version of OpenBSD are you using on these machines?

Eh, sorry, it was a 1401 in my soekris :-)

The soekris has a ral(4) minipci and a vpn1401 pci
The i386 is an Intel L440GX+ with a vpn1401 and a sk(4) (Linksys EG1064)
Both are running -currentish, updated about once or twice a month
Re: [Fwd: 'Corrupted MAC on input' points to vpn1411 problem]
Hello,

I had the same problem and symptoms as you. net4801 + 1411 vpn + corrupted mac on input. I've upgraded to a current build a few minutes ago, I did not get any errors anymore.

(If you decide to upgrade too and you use pppoe, don't forget to read www.openbsd.org/faq/current.html because spppcontrol became obsolete.)

regards
didier
Re: [Fwd: 'Corrupted MAC on input' points to vpn1411 problem]
Didier Wiroth wrote:
Hello, I had the same problem and symptoms as you. net4801 + 1411 vpn + corrupted mac on input. I've upgraded to a current build a few minutes ago, I did not get any errors anymore.

So, just to verify, as of -current you can no longer cause the error by running the script (for a minimum of ten minutes) in the top post?

Thanks.

Breeno
Re: [Fwd: 'Corrupted MAC on input' points to vpn1411 problem]
Peter Strömberg wrote:
Eh, sorry, it was a 1401 in my soekris :-)
The soekris has a ral(4) minipci and a vpn1401 pci
The i386 is an Intel L440GX+ with a vpn1401 and a sk(4) (Linksys EG1064)
Both are running -currentish, updated about once or twice a month

That is actually interesting. If you have the problems using the PCI version of the card on a net4801, then that removes the mini-PCI slot as a source of the error (which nudges the problem a bit in the direction of the drivers as a source of the error).

Would you be willing to run that script to verify that it causes the error on your equipment?

Thanks for the update.

Breeno
Re: [Fwd: 'Corrupted MAC on input' points to vpn1411 problem]
Stoyan Genov wrote:
I seem to no longer be able to find what I once found in google search results, so take this with a grain of salt, but if my memory serves me correctly, there exists a series of net4801 boards with a problematic capacitor somewhere in the PCI bus circuitry which could be causing the problem. Or maybe this is just a myth.

I think you may be thinking of the capacitor problem with the net4501. Different beast.

I use two net4801 boards with vpn1411 cards and I DO get these errors occasionally with all patch- (post-release) kernels since OpenBSD 3.6

Would you be willing to run the script from the top post to confirm that you get the error? Please run the script for a minimum of ten minutes.

Thanks.

Breeno
[Fwd: 'Corrupted MAC on input' points to vpn1411 problem]
Hello.

I recently posted this message on the Soekris tech list, but given the sparse amount of traffic there I am hoping that misc@ will prove to be a better source of the test data required to keep this problem moving toward a positive conclusion, rather than stalling as has happened as recently as a few months ago.

Thanks.

Breeno

Date: Sun, 28 May 2006 06:50:43 -0700 (PDT)
Subject: 'Corrupted MAC on input' points to vpn1411 problem

Hello everyone!

A few months ago, Didier Wiroth posted to this list that his net4801 with a vpn1411 was giving him 'Corrupted MAC on input' errors. He was looking for a solution to this problem.

Mike Tancsa replied that he has seen the same error a couple of times on FreeBSD 6.1-PRERELEASE.

Damien Miller posted a number of possible problems which could cause this error. Unfortunately, my current line of testing indicates that, at least in my situation, none of these possibilities is the culprit.

I am fairly certain at this point that the problem is related to the vpn1411. I am not sure if it is the hardware itself or the driver for OpenBSD. There is a small outside chance that this is related to PuTTY, which I am using to connect to the net4801, but given that others are also experiencing this issue it seems to be an outside possibility.

My testing:

When I first noticed this problem I was performing an operation which displayed a large amount of text. Subsequent errors also happened when dealing with large amounts of text being output to the PuTTY window. I decided to make a script to reliably trigger the error:

START sshtest.sh
#!/bin/sh
while true
do
    cat /var/log/messages
done
END sshtest.sh

This script provided me with infinitely large amounts of text output. Within seconds of running it the first time I received the error in question. I then cross checked the various protocol versions and encryption ciphers available:

SSH2/AES: Corrupted MAC on input
SSH2/Blowfish: OK for 10 minutes, used CTRL-C to escape loop
SSH2/3DES: Corrupted MAC on input
SSH1/Blowfish: OK for 10 minutes, used CTRL-C to escape loop
SSH1/3DES: Incorrect CRC received on packet

As the above data shows, errors only occur with the ciphers that are accelerated by the vpn1411. Blowfish is not accelerated and never choked during testing.

I removed the vpn1411 and ran all the tests again. All combinations passed 10 minutes of testing.

To verify the culprit of this error requires further data. I need the following testers:

net4801/vpn1411/OpenBSD 3.9 - verify the same errors using my testing methodology. Test against another Unix box rather than PuTTY if possible.

net4801/vpn1411/FreeBSD, NetBSD, or Linux - verify the same errors using my testing methodology. Test against another Unix box rather than PuTTY if possible.

If other platforms get the same errors then it is likely a problem with the vpn1411 itself. If only OpenBSD produces the errors then there could be a problem with OpenBSD's implementation of the Hifn driver. If the error doesn't occur between Unix boxen, then PuTTY is the likely culprit.

Please post your test data to this list. Thank you, namaste, and good luck.

Breeno
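
The cipher cross-check described in the message above, scripted for an OpenSSH client so the same test can be driven from another Unix box instead of PuTTY. This is an added example, not part of the original thread; the cipher names, the self-terminating remote loop and the function names are assumptions of the example.

```shell
#!/bin/sh
# Added example, not from the thread: runs the sshtest.sh output flood once
# per cipher and reports which ciphers trip the MAC check within the window.

# Cipher names as OpenSSH releases of that period accepted them (assumption
# of this example). Newer clients may lack some; check `ssh -Q cipher`.
CIPHERS="aes128-cbc 3des-cbc blowfish-cbc"

# Same flood as sshtest.sh, but the loop ends as soon as cat fails (for
# example on a closed connection), so nothing keeps spinning on the remote
# box after the client has gone away.
REMOTE_LOOP='while cat /var/log/messages; do :; done'

# classify LOGFILE EARLY -> prints a verdict for one run.
# The error string is the one quoted in the thread.
classify() {
    if grep -q 'Corrupted MAC on input' "$1"; then
        echo 'Corrupted MAC on input'
    elif [ "$2" = yes ]; then
        echo 'ssh exited early, see log'
    else
        echo 'OK'
    fi
}

# run_cipher HOST CIPHER SECONDS -> prints "CIPHER: verdict (Ns)"
run_cipher() {
    host=$1 cipher=$2 limit=$3
    log=$(mktemp "${TMPDIR:-/tmp}/sshtest.XXXXXX") || return 1
    # Discard the flood itself; only the client's own diagnostics are kept.
    ssh -n -o BatchMode=yes -c "$cipher" "$host" "$REMOTE_LOOP" \
        >/dev/null 2>"$log" &
    pid=$!
    elapsed=0
    while [ "$elapsed" -lt "$limit" ] && kill -0 "$pid" 2>/dev/null; do
        sleep 1
        elapsed=$((elapsed + 1))
    done
    if kill -0 "$pid" 2>/dev/null; then
        early=no                       # survived the whole window
        kill "$pid" 2>/dev/null || :
    else
        early=yes                      # the client went away on its own
    fi
    wait "$pid" 2>/dev/null || :
    verdict=$(classify "$log" "$early")
    if [ "$verdict" = OK ]; then rm -f "$log"; else echo "log: $log" >&2; fi
    printf '%s: %s (%ss)\n' "$cipher" "$verdict" "$elapsed"
}

# Usage: sh sshmatrix.sh user@net4801 [seconds-per-cipher]
# Default window is 600 s, matching the ten-minute runs in the thread.
if [ "$#" -ge 1 ]; then
    for c in $CIPHERS; do
        run_cipher "$1" "$c" "${2:-600}"
    done
fi
```

Run it once with the vpn1411 installed and once with it removed; the logs of failing runs are kept so the exact client message can be posted to the list.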
Re: [Fwd: 'Corrupted MAC on input' points to vpn1411 problem]
On Mon, May 29, 2006 at 10:01:21PM -0600, Breen Ouellette wrote:
A few months ago, Didier Wiroth posted to this list that his net4801 with a vpn1411 was giving him 'Corrupted MAC on input' errors. He was looking for a solution to this problem.

i think i chimed in on that one. since i put may.1st snapshots on my 4801, it has not happened at all. this was the same situation for me as before; i started to see the 'corrupted MAC on input' after one snapshot, and then a few snapshots later, it went away entirely. this last time, it showed up after a december-ish snapshot (iirc, whatever i had in my last post about it ...), and since may.1 snapshot, it is entirely non-present

--
jared
[ openbsd 3.9-current GENERIC ( may 1 ) // i386 ]