 From:  Goetz Goerisch <ggoerisch at gmx dot net>
 To:  Manuel Kasper <mk at neon1 dot net>
 Cc:  m0n0wall at lists dot m0n0 dot ch, "Michael D. Joy" <mdjoy at phy dot olemiss dot edu>
 Subject:  Re: [m0n0wall] Lockups since upgrade to 1.2b3
 Date:  Sun, 19 Dec 2004 12:53:07 +0100

Hi Manuel,

I'm running WRAP 1D-3, so I think this is not the case.
It is incorrect that I reported that m0n0wall locks up.

What I have found out is the following:

If a node inside the LAN connects via an IPSec tunnel to m0n0wall's LAN interface
and the tunnel is terminated, m0n0wall doesn't clean out all SAD/SPDs.
Therefore the node could not reach (ping) the m0n0wall and it seems as if it is locked.
Because if another node connects to the m0n0wall and cleans out the left SAD/SPD entries,
the node which connected via an IPSec tunnel could then again reach the

I hope this is understandable?


On Dec 18, 2004, at 11:29 AM, Manuel Kasper wrote:

> On 17.12.2004 22:18 -0600, Michael D. Joy wrote:
>> I'm running a Wrap 1C-3 and am also experiencing hard locks after
>> 1.2b3 upgrade. I have since reverted to 1.2b2. Oddly enough, the
> Hmm, the only change from 1.2b2 to 1.2b3 that could possibly cause
> this (even though that would imply big problems with ipfilter), as
> far as I can imagine, is the UDP ack timeout (24 -> 240 seconds). You
> can try the following command on exec.php to set it back to 24 (until
> the next reboot):
> /sbin/sysctl net.inet.ipf.fr_udpacktimeout=24
> I can't see why 1.2b2 should work when 1.2b3 doesn't - both versions
> even use the exact same kernel image. As long as I can't reproduce it
> here (been running it on a net4501 ever since it was released) and
> there are no other indicators as to what's going wrong (console
> messages before it dies etc.), it'll be pretty hard to fix. However,
> two out of three people who reported this bug are running WRAPs - see
> <http://m0n0.ch/wall/list/?action=show_msg&actionargs[]=109&actionargs[]=84>.
> - Manuel