

Topics - parsalog

1
Not sure where to post this, but I think I found the source issue and a workaround.

Symptom: random reboot/reset of the firewall, sometimes with an error, sometimes not. Time between reboots anywhere from 10 minutes to 2 days. When I did get a crash report, it was always the same error.

Fatal trap 12: page fault while in kernel mode .......

Tried everything: better cooling, a different chipset NIC, disabling onboard SATA (BIOS: turning off hyper-threading, turning off VT-d, turning off above-4G decoding). I did system tunables too, mbuf, some storm threshold, and I forget what else......

My firewall was a custom-made one (Supermicro), so I eventually gave up and ordered a brand new firewall from pfSense. Got the exact same problem, but I noticed it didn't pop up till after I noticed AES-NI was disabled and turned it on. I put my old firewall back in and turned off crypto acceleration, and I am now on day three without a reset!

Can anyone else confirm this experience with 2.4.x? Incidentally, all 8 of my other pfSense firewalls had no issues on 2.3.x, and the new one is too new to install 2.3.x.

Not sure if it is part of it, but I have VLANs and virtual IPs, and a lot of IPsec tunnels, all configured for AES128-GCM and AES-XCBC.

Hardware is a Supermicro 5019S-ML, Intel Xeon E3-1275, 64GB ECC RAM.

2
IPsec / IPsec dropping VLAN traffic to only one site
« on: November 17, 2017, 01:40:06 pm »
This problem has me baffled. I just upgraded my firewall; I am on the newest version of pfSense, clean install. I recreated all my IPsec tunnels, to 8 different sites. For only one site, my VLAN traffic fails in one direction. The VLAN is a voice VLAN, so the symptom with only 1 of 8 locations is that I can hear them on the phone, but they cannot hear me; voice traffic is UDP. If I try pinging from that VLAN interface, the pings fail. Pinging does fail in the opposite direction as well.

The other three non-VLAN subnets can all connect through the same tunnel without issue.

3
Routing and Multi WAN / BGP local-AS missing from Neighbor Parameters
« on: December 02, 2016, 10:33:54 am »
I have found myself in a scenario where I need more than one AS assigned to the same box. One is a public AS, the other is a private AS. Doing a little research, it appears the command that I am looking for is "local-AS", but it is not in the pull-down options for "Neighbor Parameters". Does anyone know if OpenBGPD supports it? Is there an easy way to edit the list?

4
I have three LAN subnets, 10.1.1.0/24, 10.1.2.0/24 and 10.1.3.0/24; well, more actually, but they fall outside the scope of this issue.

All wireless devices (tablets, phones...) get assigned to 10.1.3.0/24 via reservations from a DHCP superscope.

All server equipment (web, email...) falls in 10.1.1.0/24.

Any phone or tablet using 10.1.3.0/24 can access the outside internet without issue.

My problem is they cannot reach the internal 10.1.1.0/24.

That said, they do "appear" to have the ability to ping, but TCP traffic fails (port 80, 443). Can't send email or pull up internal websites.

I have pfSense configured with a LAN of 10.1.1.1/16 and I have Virtual IPs of type "IP Alias" of 10.1.2.1/24 and 10.1.3.1/24 on the same interface.

5
IPsec / Cron Ipsec auto restart on fail , and email notify
« on: April 17, 2013, 11:37:33 am »
I had seen this topic previously, but not an answer fitting exactly what I needed. From what I can tell, GRE is part of the IPsec service (racoon). My GRE tunnels tend to fail about once a week (connecting to Cisco equipment), and I have to restart the service. Using elements from others, I wrote this PHP script, which runs as a cron job, that sends a restart command (rather than off and on) only when it can't ping the other side, and then notifies me by email. My code is horrible, and someone with more talent can probably clean it up quite a bit, but it does work. I figure it might help someone else anyhow. I run it with this cron entry:

*/4     *     *     *     *     root     /usr/local/bin/php -q /root/pingresetvpn.php

<?php
require_once("util.inc");
require_once("functions.inc");
require_once("pkg-utils.inc");
require_once("globals.inc");
require_once("ipsec.inc");
require_once("vpn.inc");
require_once("service-utils.inc");
require_once("vslb.inc");
include('phpmailer/class.phpmailer.php');

// Send a short report through the SMTP relay; fill in your own relay and addresses.
function send_report($subject, $body) {
    $mail = new PHPMailer();
    $mail->IsSMTP();
    $mail->Host = "youropenrelaymailserver";
    $mail->From = "you@yourdomain.com";
    $mail->FromName = "Firewall Report";
    $mail->AddAddress("you@yourdomain.com");
    $mail->Port = "25";
    $mail->Subject = $subject;
    $mail->Body = $body;
    if (!$mail->Send()) {
        echo 'Message was not sent.';
        echo 'Mailer error: ' . $mail->ErrorInfo;
    }
}

// One ping each with a 1 second timeout (FreeBSD ping -t); exit code 0 means reachable.
exec("/sbin/ping -c 1 -t 1 IpOfOtherSide", $ret1, $exit1); // first GRE tunnel, should work the same for an IPsec tunnel
exec("/sbin/ping -c 1 -t 1 IpOfOtherSide", $ret2, $exit2); // second GRE tunnel, should work the same for an IPsec tunnel
exec("/sbin/ping -c 1 -t 1 8.8.8.8", $ret4, $exit4);       // Google's DNS server, but any external pingable site will do
print $exit1 . "\n";
print $exit2 . "\n";
print $exit4 . "\n";

$value = 0;   // number of tunnel peers that answered
$outside = 0; // 1 if the outside host answered
if ($exit1 === 0) {
    print "ping1 Success \n";
    $value += 1;
} else {
    print "ping1 Fail \n";
}
if ($exit2 === 0) {
    print "ping2 Success \n";
    $value += 1;
} else {
    print "ping2 Fail \n";
}
if ($exit4 === 0) {
    print "ping4 Success \n";
    $outside += 1;
} else {
    print "ping4 Fail \n";
}
print "Value is " . $value . "\n";

if ($value == 2) {
    print "All is Well in Asthland \n";
} elseif ($outside == 1) {
    // A tunnel is down but the internet is reachable: the VPN is at fault, restart it.
    print "All is Well outside the realm, but not at home \n";
    vpn_ipsec_force_reload();
    print "IPsec restarted accordingly \n";
    send_report("GRE is down restarting VPN ", "IPsec has been restarted check for problems");
} else {
    // Nothing outside answers either: not the VPN's fault, just wait for the internet to return.
    print "Not the VPN fault wait for internet \n";
    send_report("Internet is down", "could not ping outside");
}
exit(0);
?>
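
The same "restart only when the tunnel is down but the internet is up" policy as a POSIX sh cron job for pfSense/FreeBSD, written here as an added example rather than code from the post. The peer addresses, the outside probe, the state directory and the restart command are assumptions or placeholders (the post itself restarts IPsec from PHP with vpn_ipsec_force_reload()); the example adds two things the post's script lacks: a lock so two cron runs cannot overlap, and a consecutive-failure count so a single lost ping does not bounce every tunnel.

```shell
#!/bin/sh
# Added example (not the original post's PHP script): ping the tunnel peers and an
# outside host, restart IPsec only when the tunnels fail while the outside is fine.
# All addresses, paths and the restart command below are placeholders/assumptions.

TUNNEL_PEERS="${TUNNEL_PEERS:-192.0.2.1 192.0.2.2}"   # far side of each GRE/IPsec tunnel (constructed)
OUTSIDE_PROBE="${OUTSIDE_PROBE:-8.8.8.8}"             # any reliably pingable external host
STATE_DIR="${STATE_DIR:-/var/run/pingresetvpn}"       # lock and failure counter live here
FAILS_BEFORE_RESTART="${FAILS_BEFORE_RESTART:-2}"     # consecutive bad runs needed before restarting
# Assumed restart hook; swap in whatever restarts IPsec on your release.
RESTART_CMD="${RESTART_CMD:-/usr/local/sbin/pfSsh.php playback restartipsec}"

# FreeBSD ping: -c count, -t seconds before giving up (same flags the post uses).
host_up() {
    /sbin/ping -c 1 -t 2 "$1" >/dev/null 2>&1
}

# Pure decision function so the policy can be tested without touching the network.
# Prints: ok (all tunnels up), restart (a tunnel is down, outside reachable),
# wait (outside unreachable: not the VPN's fault, do not restart).
decide_action() {
    tunnels_up=$1; tunnels_total=$2; outside_up=$3
    if [ "$tunnels_up" -eq "$tunnels_total" ]; then
        echo ok
    elif [ "$outside_up" -eq 1 ]; then
        echo restart
    else
        echo wait
    fi
}

# Consecutive-failure counter kept in a file; prints the new count.
bump_failures() {
    n=0
    [ -f "$STATE_DIR/fails" ] && n=$(cat "$STATE_DIR/fails")
    n=$((n + 1))
    echo "$n" > "$STATE_DIR/fails"
    echo "$n"
}

notify() {
    # Syslog is always available on pfSense; hook an email notifier in here if wanted.
    logger -t pingresetvpn "$1"
    echo "$1"
}

check_and_act() {
    mkdir -p "$STATE_DIR"
    # mkdir is atomic: refuse to overlap with a still-running earlier cron instance.
    mkdir "$STATE_DIR/lock" 2>/dev/null || { echo "already running"; return 0; }
    trap 'rmdir "$STATE_DIR/lock"' EXIT

    up=0; total=0
    for peer in $TUNNEL_PEERS; do
        total=$((total + 1))
        host_up "$peer" && up=$((up + 1))
    done
    outside=0
    host_up "$OUTSIDE_PROBE" && outside=1

    case $(decide_action "$up" "$total" "$outside") in
        ok)   rm -f "$STATE_DIR/fails" ;;
        wait) notify "outside host $OUTSIDE_PROBE unreachable; not restarting IPsec" ;;
        restart)
            if [ "$(bump_failures)" -ge "$FAILS_BEFORE_RESTART" ]; then
                rm -f "$STATE_DIR/fails"
                $RESTART_CMD && notify "$up/$total tunnels up, outside ok: IPsec restarted"
            else
                notify "$up/$total tunnels up; waiting for one more failed check before restarting"
            fi ;;
    esac
}

# Only run the check when invoked as: sh pingresetvpn.sh run   (e.g. from cron every 4 minutes)
if [ "${1:-}" = "run" ]; then
    check_and_act
fi
```

Keeping the decision in decide_action separate from the ping and restart side effects is what makes the policy checkable on a workstation; the cron line from the post becomes `*/4 * * * * root /bin/sh /root/pingresetvpn.sh run`.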

6
IPsec / GRE keep alive, connection drops once a week.
« on: February 20, 2013, 05:58:57 pm »
Does anybody know of a way to enable keepalive on GRE? My GRE connections turn off about once a week for unknown reasons, and I have to restart the IPsec service to get them to turn back on.

I am connecting to Verizon through an IPsec transport; they have Cisco equipment on the other side. They say I am showing carrier transition errors. On that note, I am unaware of any GRE diagnostic tools.

I did have to increase net.link.gre.max_nesting in the system tunables to make the connection work in the first place.

Any ideas would be appreciated.

Thank you.

7
Not sure where to post this; I am having a couple of issues with OpenBGPD.

I am connecting to Verizon's network (Cisco) to put my Verizon tablets behind our firewall. And I am down to the last step, BGP. It connects, but the route never gets added.

Also, this is being done via GRE and IPsec transport. I can ping both sides of the GRE connection for both internal IPs x.x.x.x and y.y.y.y.

My config is this:

# This file was created by the package manager.  Do not edit!

AS 12345
fib-update yes
network 0.0.0.0/0
group "Verizon" {
    remote-as 1234
    neighbor x.x.x.x {
        descr "Verizon Las Vegas NV"
        announce all
        set nexthop x.x.x.x
    }
    neighbor y.y.y.y {
        descr "Verizon Tempe AZ"
        announce all
        set nexthop y.y.y.y
    }
}
deny from any
deny to any
allow from x.x.x.x
allow to x.x.x.x
allow from y.y.y.y
allow to y.y.y.y


OpenBGPD Summary

Neighbor                   AS    MsgRcvd    MsgSent  OutQ Up/Down  State/PrfRcvd
Verizon Tempe AZ         1234         38         36     0 00:05:27      1
Verizon Las Vegas NV     1234         38         37     0 00:05:27      1

Also, the BGP connection resets exactly every 15 minutes.

neighbor y.y.y.y (Verizon Tempe AZ): write error: Operation not permitted
neighbor y.y.y.y (Verizon Tempe AZ): write error: Operation not permitted
neighbor y.y.y.y (Verizon Tempe AZ): state change Established -> Idle, reason: Fatal error
neighbor x.x.x.x (Verizon Las Vegas NV): write error: Operation not permitted
neighbor x.x.x.x (Verizon Las Vegas NV): write error: Operation not permitted
neighbor x.x.x.x (Verizon Las Vegas NV): state change Established -> Idle, reason: Fatal error
route z.z.z.z/24 vanished before delete
check_reload_status: Reloading filter
neighbor y.y.y.y (Verizon Tempe AZ): state change Idle -> Connect, reason: Start
neighbor x.x.x.x (Verizon Las Vegas NV): state change Idle -> Connect, reason: Start
neighbor x.x.x.x (Verizon Las Vegas NV): state change Connect -> OpenSent, reason: Connection opened
neighbor y.y.y.y (Verizon Tempe AZ): state change Connect -> OpenSent, reason: Connection opened
neighbor x.x.x.x (Verizon Las Vegas NV): state change OpenSent -> OpenConfirm, reason: OPEN message received
neighbor x.x.x.x (Verizon Las Vegas NV): state change OpenConfirm -> Established, reason: KEEPALIVE message received
neighbor y.y.y.y (Verizon Tempe AZ): state change OpenSent -> OpenConfirm, reason: OPEN message received
neighbor y.y.y.y (Verizon Tempe AZ): state change OpenConfirm -> Established, reason: KEEPALIVE message received

8
Hardware / missing NIC port, em0: The EEPROM Checksum Is Not Valid
« on: July 12, 2012, 12:15:51 pm »
I have 6 "Supermicro SuperServer 5017C-LF" running 2.0.1-RELEASE (amd64) FreeBSD 8.1-RELEASE-p6,
Intel(R) Pentium(R) CPU G620T @ 2.20GHz with 4 GB RAM and an Intel 40GB SSD.

3 of them installed without issue; the other 3 only show one out of 2 NIC ports.
All have the same parts, purchased at the same time, built at the same time.....

Checking the logs on all 3 I find "kernel: em0: The EEPROM Checksum Is Not Valid"

Jul 11 16:25:35 kernel: em0: <Intel(R) PRO/1000 Network Connection 7.2.3> port 0xf020-0xf03f mem 0xf7a00000-0xf7a1ffff,0xf7a23000-0xf7a23fff irq 20 at device 25.0 on pci0
Jul 11 16:25:35 kernel: em0: Using an MSI interrupt
Jul 11 16:25:35 kernel: em0: The EEPROM Checksum Is Not Valid
Jul 11 16:25:35 kernel: device_attach: em0 attach returned 5


The other port works correctly and shows:

Jul 11 16:25:35 kernel: em1: <Intel(R) PRO/1000 Network Connection 7.2.3> port 0xe000-0xe01f mem 0xf7900000-0xf791ffff,0xf7920000-0xf7923fff irq 16 at device 0.0 on pci2
Jul 11 16:25:35 kernel: em1: Using MSIX interrupts with 3 vectors
Jul 11 16:25:35 kernel: em1: [ITHREAD]
Jul 11 16:25:35 kernel: em1: [ITHREAD]
Jul 11 16:25:35 kernel: em1: [ITHREAD]


I updated one to the most recent BIOS, but it still shows the same error.

Any ideas?

9
Hopefully this is the right forum for this question.

Topology:

I have 6 remote sites, all connecting to 1 main office where all the servers are, via IPsec VPNs. (works)

Goal:

I am trying to get rid of my WatchGuard firewalls and transition to pfSense, one site at a time.

Problem:

I have established 1 new VPN from the main office to 1 remote site, with the new pfSense unit on each end. The tunnel works perfectly, except now at my main office I have two gateways, the old WatchGuard unit and the new pfSense unit.

The remote sites connected via pfSense can only see computers at the main office that have the pfSense as their gateway.
The remote sites connected via WatchGuard can only see computers at the main office that have the WatchGuard as their gateway.

Details:

Both the WatchGuard and pfSense at the main office are using the same subnet and the same internet connection. WatchGuard is 10.1.1.254, pfSense is 10.1.1.253.

All network devices at the main office are currently pointed to the old WatchGuard as the gateway.
All remote sites have a different subnet, so the new pfSense on the remote end is 10.1.9.1.
All the other remote sites with the WatchGuard units I am trying to replace are similar: 10.1.5.1, 10.1.7.1, 10.1.30.1.

When I configured the VPN tunnel in phase 2, I told it the local network is 10.1.1.1/24.

I can change anything on either end; any idea how to make this transition work?

10
Routing and Multi WAN / router crashing??
« on: July 30, 2007, 01:03:43 am »
Hello all,

I am new to pfSense; I have been using it for about 6 months on 3 different computers. 2 work perfectly, one not so much all of a sudden (this week it started crashing). The first time it crashed it said something about watchdog on the screen and it listed the two network interfaces. Since then it has crashed two more times, two days later and one day later (today). This time no error message.

Here are the symptoms: web interface stops, all routing stops (when I say stops I mean I can't access the router, or the servers behind it); router stays on. SSH works. I can SSH into it and reboot, and it comes up like nothing happened.

The physical hardware is an IBM xSeries 335 w/ 1 2.4 Xeon, 512MB RAM, 1 40 HD, Intel PCI-X gig NIC.
The added NIC is the WAN, the onboard NIC is the LAN, and one onboard NIC is not used.

pfSense ver 1.0.1. Average states open 1000, CPU 1%, RAM 8%, swap and HD 1%.

Any ideas on how I should start diagnosing the problem?

Thanks in advance.
