Have an OpenBSD firewall working in an office doing very straightforward NAT and some persistent VPN tunnels.

Couple weeks ago, this firewall just stopped responding to any traffic. It was sporadic, as after several minutes it'd start going again. At that point it was a patched Sparc64 3.5.

While trying to troubleshoot this, I started setting up a spare x86 PC with 3.7. I didn't get anywhere with the troubleshooting, and I'm now running OpenBSD 3.7, with the same config files, and I'm having this exact same problem.


- Terminal is responsive while the pauses happen
- I've turned on debugging in PF, and I'm not seeing anything I don't see on my other firewalls.
- The firewall can ping itself, but can't ping machines on either the LAN or WAN
- With PF disabled pings on the local network still don't get replies from the firewall
- tcpdump doesn't show any traffic during the pause, although it does "spew" traffic once things get moving again
- State table isn't filling up
- top -S looks normal
- Default blocking with logging is on, but nothing unusual is getting logged.
- Exact same pf.conf and isakmpd.conf had been used for over a year prior to this happening.


I can post isakmpd config info if anyone thinks it's relevant; dmesg and pf.conf are below.

Any help with this would be appreciated.


Chris


3.7/x86 dmesg:
OpenBSD 3.7 (GENERIC) #50: Sun Mar 20 00:01:57 MST 2005
    [EMAIL PROTECTED]:/usr/src/sys/arch/i386/compile/GENERIC
cpu0: Intel Pentium II ("GenuineIntel" 686-class, 512KB L2 cache) 448 MHz
cpu0: FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,MMX,FXSR
real mem  = 200908800 (196200K)
avail mem = 176566272 (172428K)
using 2478 buffers containing 10149888 bytes (9912K) of memory
mainbus0 (root)
bios0 at mainbus0: AT/286+(0e) BIOS, date 02/08/99, BIOS32 rev. 0 @ 0xec700
pcibios0 at bios0: rev 2.1 @ 0xec700/0x3900
pcibios0: PCI IRQ Routing Table rev 1.0 @ 0xf7280/128 (6 entries)
pcibios0: PCI Interrupt Router at 000:20:0 ("Intel 82371AB PIIX4 ISA" rev 0x00)
pcibios0: PCI bus #1 is the last bus
bios0: ROM list: 0xc0000/0xa800 0xe0000/0x8000!
cpu0 at mainbus0
pci0 at mainbus0 bus 0: configuration mode 1 (no bios)
pchb0 at pci0 dev 0 function 0 "Intel 82443BX AGP" rev 0x03
ppb0 at pci0 dev 1 function 0 "Intel 82443BX AGP" rev 0x03
pci1 at ppb0 bus 1
vga1 at pci1 dev 0 function 0 "Nvidia Riva TNT2" rev 0x15
wsdisplay0 at vga1: console (80x25, vt100 emulation)
wsdisplay0: screen 1-5 added (80x25, vt100 emulation)
xl0 at pci0 dev 14 function 0 "3Com 3c905B 100Base-TX" rev 0x30: irq 11, address 00:01:02:c6:6f:ae
exphy0 at xl0 phy 24: 3Com internal media interface
xl1 at pci0 dev 15 function 0 "3Com 3c905B 100Base-TX" rev 0x24: irq 11, address 00:10:4b:9d:22:26
exphy1 at xl1 phy 24: 3Com internal media interface
pcib0 at pci0 dev 20 function 0 "Intel 82371AB PIIX4 ISA" rev 0x02
pciide0 at pci0 dev 20 function 1 "Intel 82371AB IDE" rev 0x01: DMA, channel 0 wired to compatibility, channel 1 wired to compatibility
wd0 at pciide0 channel 0 drive 0: <WDC AC310000R>
wd0: 16-sector PIO, LBA, 9541MB, 19541088 sectors
wd0(pciide0:0:0): using PIO mode 4, Ultra-DMA mode 2
atapiscsi0 at pciide0 channel 1 drive 0
scsibus0 at atapiscsi0: 2 targets
cd0 at scsibus0 targ 0 lun 0: <COMPAQ, CRD-8322B, 1.06> SCSI0 5/cdrom removable
cd0(pciide0:1:0): using PIO mode 4, DMA mode 2
uhci0 at pci0 dev 20 function 2 "Intel 82371AB USB" rev 0x01: irq 11
usb0 at uhci0: USB revision 1.0
uhub0 at usb0
uhub0: Intel UHCI root hub, class 9/0, rev 1.00/1.00, addr 1
uhub0: 2 ports with 2 removable, self powered
"Intel 82371AB Power Mgmt" rev 0x02 at pci0 dev 20 function 3 not configured
isa0 at pcib0
isadma0 at isa0
pckbc0 at isa0 port 0x60/5
pckbd0 at pckbc0 (kbd slot)
pckbc0: using irq 1 for kbd slot
wskbd0 at pckbd0 (mux 1 ignored for console): console keyboard, using wsdisplay0
pcppi0 at isa0 port 0x61
midi0 at pcppi0: <PC speaker>
sysbeep0 at pcppi0
lpt0 at isa0 port 0x378/4 irq 7
npx0 at isa0 port 0xf0/16: using exception 16
pccom0 at isa0 port 0x3f8/8 irq 4: ns16550a, 16 byte fifo
pccom1 at isa0 port 0x2f8/8 irq 3: ns16550a, 16 byte fifo
fdc0 at isa0 port 0x3f0/6 irq 6 drq 2
fd0 at fdc0 drive 0: 1.44MB 80 cyl, 2 head, 18 sec
biomask ff65 netmask ff65 ttymask ffe7
pctr: 686-class user-level performance counters enabled
mtrr: Pentium Pro MTRR support
dkcsum: wd0 matched BIOS disk 80
root on wd0a
rootdev=0x0 rrootdev=0x300 rawdev=0x302

pf.conf:
## Settings
###########
set limit states 40000
set optimization aggressive
set debug misc


nat on xl0 from 192.168.121.0/24 to any -> xl0

rdr pass on xl0 proto tcp from any to any port 25 -> 192.168.121.10
rdr pass on xl0 proto udp from any to any port 53 -> 192.168.121.10

block in log on xl0 all

pass in on xl0 proto esp from any to 209.82.103.246
pass in on xl0 proto { udp tcp } from any port isakmp to 209.82.103.246 port isakmp
pass in on xl0 proto tcp from any to 209.82.103.246 port 53 flags S/SA keep state
pass in on xl0 proto tcp from any to 209.82.103.246 port 25 flags S/SA keep state
pass in on xl0 proto udp from any to 209.82.103.246 port 53
pass in on xl0 proto icmp all icmp-type echoreq keep state


pass out on xl0 all
#pass in on xl0 all