Subject: Re: 3.1_stable panics with ipnat and isakmp proxy
To: NetBSD Users <netbsd-users@NetBSD.org>
From: Louis Guillaume <lguillaume@berklee.edu>
List: netbsd-users
Date: 01/22/2007 18:36:13

Louis Guillaume wrote:
> Hi,
> 
> My firewall...
> 
> # uname -a
> NetBSD xxx.xxx.xxx 3.1_STABLE NetBSD 3.1_STABLE (GENERIC) #2: Sun Jan 14
> 16:48:08 EST 2007
> louis@xxx.xxx.xxx:/usr/obj/sys/arch/i386/compile/GENERIC i386
> 
> # ipf -V
> ipf: IP Filter: v4.1.8 (396)
> Kernel: IP Filter: v4.1.8
> Running: yes
> Log Flags: 0 = none set
> Default: pass all, Logging: available
> Active list: 0
> Feature mask: 0x10a
> 
> ...panics while an internal user is connected to certain Cisco VPNs. The
> ipnat.conf file contains this:
> 
> map sip1 192.168.1.0/24 -> 0.0.0.0/32 proxy port isakmp ipsec/udp
> 
> ... without this line there is no connecting to the VPN in question.
> 
> From what I understand, this is actually a mis-configuration on the part
> of the VPN administrator, but that shouldn't panic the firewall!!
> 
> Also a funny thing happens using the Cisco VPN client. You hit connect
> and it doesn't work. Then if you try a second time it works!! This is
> true for all VPN connections, even the non-problematic ones.
> 
> And the panic is not reliable. It happens only sometimes, but the
> backtrace shows that the panic was in ipnat. Unfortunately I don't have
> the crash dump because the firewall is net-booted and there is no
> dumpdev. Maybe I can copy it down next time this happens.
> 


Found this in dmesg...

fr_movequeue(c0c4d054,c0888ca0,c0b4e044,0,c096fcd0) at netbsd:fr_movequeue+0x5a
fr_natin(c096fcd0,c0c4d000,1,320,14) at netbsd:fr_natin+0xf5
fr_checknatin(c096fcd0,c096fccc,c096fcd0,c0ae5900,4) at netbsd:fr_checknatin+0xd3
fr_check(c609580e,14,c0b4e044,0,c096fde8) at netbsd:fr_check+0x4ea
fr_check_wrapper(0,c096fde8,c0b4e044,1,1) at netbsd:fr_check_wrapper+0x72
pfil_run_hooks(c08866a0,c096fe50,c0b4e044,1,0) at netbsd:pfil_run_hooks+0x6e
ip_input(c0ae5900,0,0,246,0) at netbsd:ip_input+0x15d
ipintr(c0960010,30,10,80010010,c096c000) at netbsd:ipintr+0x76
DDB lost frame for netbsd:Xsoftnet+0x41, trying 0xc096fe70
Xsoftnet() at netbsd:Xsoftnet+0x41
--- interrupt ---
0x246:
rebooting...