[Soekris] VPN14x1/OpenBSD 3.6 IPsec lockups

mbraak@quinfox.com mbraak at quinfox.com
Tue Apr 5 11:15:21 UTC 2005


Alan,

The problem of the locked up ipsec connections is still there.
Hans-Joerg Hoexer of the OpenBSD team is working on it, i'm testing some
patches for him but there isn't a working patch yet.

I'll keep you updated!

Marcel




|---------+-------------------------------------->
|         |           Alan Wilkie                |
|         |           <alan at objcomp.com.au>      |
|         |           Sent by:                   |
|         |           soekris-tech-bounces at lists.|
|         |           soekris.com                |
|         |                                      |
|         |                                      |
|         |           24-03-2005 01:53           |
|         |                                      |
|---------+-------------------------------------->
  >--------------------------------------------------------------------------------------------------------------|
  |                                                                                                              |
  |       To:       soekris-tech at lists.soekris.com, misc at openbsd.org                                             |
  |       cc:                                                                                                    |
  |       Subject:  [Soekris] VPN14x1/OpenBSD 3.6 IPsec lockups                                                  |
  >--------------------------------------------------------------------------------------------------------------|




Several people have mentioned the problem I'm seeing before, but I
haven't yet seen a solution.  Apologies if I'm covering old ground...

I've got two NET4501s with VPN1401s and one NET4526 with a VPN1411 set
up as wireless bridges and running IPsec tunnels.  When I was using
software crypto everything worked fine, but bandwidth was limited by CPU
speed.  Once I installed the VPN14x1s things improved a bit, but
introduced other problems.

First, I think I had the PCI reset problem that others had mentioned, so
I installed capacitors on the reset lines and I don't see card reset
messages in dmesg any more.  Second I disabled user mode crypto
(kern.usercrypto=0) since people have reported lock ups with that and I
only want to accelerate IPsec.

Now the network is OK most of the time, but under load one of the IPsec
tunnels will often lock up.  Packets still come through the network
interfaces, but nothing makes it through the crypto layer and there's
nothing in dmesg to indicate a problem.  The problem has occured on each
machine independently, so I'm pretty sure it's not hardware.

Does anybody have any ideas as to what might be the cause?  Are there
any known problems with the hifn driver and the 7955?  Has anybody had
this problem and solved it?

Alan Wilkie

_______________________________________________
Soekris-tech mailing list
Soekris-tech at lists.soekris.com
http://lists.soekris.com/mailman/listinfo/soekris-tech




...................................................................................................
QUINFOX AUTOMATISERING B.V.

Het Sterrenbeeld 21B
5215 MK  's-Hertogenbosch
Postbus 1040
5200 BA  's-Hertogenbosch
T (073) 681 81 00
F (073) 691 10 62

Takenhofplein 2
6538 SZ  Nijmegen
Postbus 6662
6503 GD  Nijmegen
T (024) 750 55 55
F (024) 750 55 75

WWW.QUINFOX.COM
...................................................................................................
Disclaimer:
De informatie in dit e-mail bericht is vertrouwelijk en uitsluitend bestemd
voor de geadresseerde(n). Gebruik van deze informatie door anderen dan de
geadresseerde(n) is verboden. Openbaarmaking, vermenigvuldiging,
verspreiding en/of verstrekking van deze informatie aan derden is niet
toegestaan. Er kunnen geen rechten worden ontleend aan dit e-mail bericht.
De standpunten of opinies van de auteur geven niet noodzakelijkerwijs die
van Quinfox of een van haar werkmaatschappijen weer. Quinfox staat niet in
voor de juiste en volledige overbrenging van de inhoud van het verzonden
e-mail bericht, noch voor tijdige ontvangst daarvan. Indien u niet de
beoogde ontvanger bent van dit e-mailbericht wordt u verzocht de verzender
hiervan op de hoogte te brengen.





More information about the Soekris-tech mailing list