https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=207087
mgro...@shrew.net changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |mgro...@shrew.net

--- Comment #3 from mgro...@shrew.net ---

Recently I noticed that after upgrading two separate pairs of firewalls to 10.2-RELEASE that my ISAKMP daemons stopped negotiating SAs with peers. I just haven't gotten around to submitting a bug report yet. It only seems to happen when large UDP packets get fragmented due to large payloads ( i.e. certificate info is transmitted late in phase1 negotiation ). This may be unique to the bge driver or related hardware as the isakmp daemon started working again on both sets of firewalls once I disabled hardware checksum offload ( ifconfig bgeX -rxcsum ).

This work-around wasn't required until the upgrade to 10.2-RELEASE, but I can't say if it was at a specific patch level. I can say that one set of firewalls were upgraded from 9.2-RELEASE-p?? and the other set were upgraded from a patched 10.0-RELEASE, so I assume the commit that broke UDP re-assembly was committed sometime between 10.0-RELEASE and 10.2-RELEASE-p11. Sorry I can't be more specific.

BTW, this isn't an attempt to hijack your problem report. I just thought that the issue you describe ( openvpn w/ UDP ) may be related to mine so I thought it would be worth mentioning. Have you tried disabling hw checksum offload on your public facing network device? If that improves the situation, it's quite possible that we are being bit by the same issue.