Hey all,

I just ran into this massive problem this weekend.

Several of my Fedora 9 systems are linked by IPSec (OpenSWAN) tunnels across three remote sites. I recently updated the kernels on them (about a half a dozen systems) to 2.6.26-45 and each and every system with IPsec destabilized. They would run for anywhere from a few minutes to a few hours and then lock dead up. No network. Outside pings on IPv4 and IPv6 all return "no route to host". If they had X-Windows running, no response to keyboard. Mouse MIGHT work but would also shortly lock up. USB locked pretty solid. No ability to log in. No user space activity.

Enabled Magic SysRq key and each machine could be rebooted via Alt-SysRq S-U-B, so interrupts are functioning and the kernel is responding to the keyboard on that level even if it's a USB keyboard. Could not switch from X-Windows to a virtual console and Ctrl-Alt-Del had no effect. Set sysctl kernel.panic = 5 with no effect so there doesn't seem to be a kernel panic involved that I can't see on the consoles.

Backed up to the last 2.6.25 kernel and they are all stable again. All have now been running, once again, for over 24 hours. I don't know the status of any intervening 2.6.26 kernels. The machines that destabilized had not been rebooted on a 2.6.26 kernel before. Other systems with F9 2.6.26-45 kernels w/o IPSec seem stable. Restarting OpenSWAN a few times seems to be a pretty reliable way to lock the system up with or without X Windows present.

Anyone else seeing this? Anyone with an idea what might be going wrong?

I have not, as yet, tried a non-Fedora kernel. Some of my other systems are running OpenVZ kernels (some with IPsec), currently sitting at 2.6.24, and are stable. I'll be trying the OpenVZ 2.6.26 kernel as soon as it's released later this week.

BTW... OpenSWAN 2.6.14, in Fedora 9, is pretty well busted for X.509 certificates (problems in connection identification for X.509). Been debugging this with the OpenSWAN dudes for the last week or so and finally got that resolved when I ran into this. OpenSWAN 2.6.18 should resolve the X.509 certificate issues and some rekeying issues.

Mike
--
Michael H. Warfield (AI4NB) | (770) 985-6132 | mhw WittsEnd com
   /\/\|=mhw=|\/\/          | (678) 463-0932 | http://www.wittsend.com/mhw/
   NIC whois: MHW9          | An optimist believes we live in the best of all
 PGP Key: 0xDF1DD471        | possible worlds. A pessimist is sure of it!