 From:  "Jeroen Visser" <monowall at forty dash two dot nl>
 To:  m0n0wall at lists dot m0n0 dot ch
 Subject:  Re: [m0n0wall] Version 1.22 freeze
 Date:  Mon, 12 Jun 2006 23:21:51 +0200
I've read all previous e-mails about the lockups and they frequently happen to me
too. (I posted in e-mails about IRQ 7, but that subject line was poorly chosen.)

It only happens on the box with the highest load. I've replaced the hardware three
times now. (Normal server board, I don't know what brand is in it now, they are
all different, all BIOS stuph disabled).

It's all top of the notch hardware, new out of the box and I even replaced the
power cable and UPS it's connected to and the Ethernet cables. I downgraded from
1.22 to 1.21 and it still happened once. I'm now running the latest beta on a
production machine (kind of desperate now) which I replaced AGAIN last Friday.
1.21 ran for about 21 days, which almost convinced me it was a 1.22 problem only.

All other boxes are running smoothly (7 of them) but on rather low loads. 

The crashing box has a route table of about 50 lines. 
70 firewall rules. 
One DMZ with a routed /27 subnet, the rest is natted.
I use the traffic shaper. 
Only outbound NAT (advanced outbound). 
IPSEC (one tunnel and 6 remote users who need to connect outside our VPN)

I suspect two things at the moment. IPSEC and the Traffic shaper. (I even
suspected some sort of Internet attack, but there is no evidence whatsoever to
support this)

My plan is as follows. Since I replaced the hardware three times now, I rule out
the hardware causing any problems. When the system locks up again, I disable the
Traffic shaper. (The people using P2P are going to LOVE me for this one). If it
stays up for a month, I consider this solved. It has never been up longer than a
month since the 1.22 upgrade. 

If it crashes again, well then I have a problem. The 6 users can do without the
IPSEC tunnel, I'll move them to the VPN Concentrator, but the persistent tunnel
will be a problem. So disabling IPSEC is not really an option there. Maybe I'll
move the IPSEC tunnel to a new m0n0wall box that does just tunneling. 

I seem to have a few spares anyway now. ;-)

I'll keep you posted and I feel very much unfortunate to be one of the really
really few that experience this problem on good hardware.

*starts hearing rumors about packets traveling uphill and 
 some solarflare interference*

Jeroen Visser