On Mon, Mar 27, 2017 at 02:42:23PM +0200, Mathieu BLANC wrote:
> Hello all,
> 
> I have a pair of firewalls running 6.0 (patched with openup in October, no
> patch applied since then).
> 
> Since the upgrade, this pair has some problems with kernel
> panics (4 times since the upgrade in October).
> 
> The last one was this morning. The two firewalls crashed at the same time with
> these logs:
> 
> /bsd: panic: kernel diagnostic assertion "(sk->inp == NULL) || (sk->inp->inp_pf_sk == NULL)" failed: file "../../../../net/pf.c", line 6891
> /bsd: Starting stack trace...
> /bsd: panic() at panic+0x10b
> /bsd: __assert() at __assert+0x25
> /bsd: pf_state_key_unref() at pf_state_key_unref+0xc6
> /bsd: pf_pkt_unlink_state_key() at pf_pkt_unlink_state_key+0x15
> /bsd: m_free() at m_free+0xa0
> /bsd: sbdroprecord() at sbdroprecord+0x61
> /bsd: soreceive() at soreceive+0xb4f
> /bsd: recvit() at recvit+0x139
> /bsd: sys_recvfrom() at sys_recvfrom+0x9d
> /bsd: syscall() at syscall+0x27b
> /bsd: --- syscall (number 29) ---
> /bsd: end of kernel
> /bsd: end trace frame: 0x7f7ffffdc870, count: 247
> /bsd: 0x18ccb3b21ada:
> /bsd: End of stack trace. 
> 

Hello,

This morning, another crash.

I found something very interesting in daemon.log. At the same second the
firewall crashed, I had the same resource checked by relayd which had gone down:

Yesterday:
Mar 27 11:51:48 fw5 relayd[94179]: host W.X.Y.Z, check tcp (16010ms,tcp connect timeout), state up -> down, availability 99.94%
Mar 27 11:51:48 fw5 relayd[89662]: table XXXX_http_vip: 0 added, 1 deleted, 0 changed, 0 killed

This morning:
Mar 28 09:08:54 fw5 relayd[46733]: host W.X.Y.Z, check tcp (16010ms,tcp connect timeout), state up -> down, availability 99.95%
Mar 28 09:08:54 fw5 relayd[29633]: table XXXX_http_vip: 0 added, 1 deleted, 0 changed, 0 killed

I called the admin in charge of host W.X.Y.Z. What he did on W.X.Y.Z was an
iptables REJECT command on the host (to remove it from relayd). We have tested
with DROP and it seems to not trigger the bug (I'll try to make more tests).
