We have a GB-800e firewall with GB-OS 5.0.4 running in our company. This firewall reboots regularly, e.g. one day it reboots at 8:00 and 10:00, then runs 10 days without a reboot, then reboots again at 16:00.
It's totally random to me. I have activated syslog and there is a strange entry with a long dstname=OPZKb+EQVcY597gBXnDhnB near each reboot:
How does the firewall evaluate the value of dstname=? Is it done by analysing the HTTP stream?
2008-04-23 15:57:34 Local2.Warning 10.xx.xx.xx Apr 23 15:57:34 id=firewall time="2008-04-23 13:57:34" fw="67900509" pri=4 msg="Accept persistent outbound, NAT" cat_action=pass dstname=www.spiegel.de proto=80/tcp src=10.xx.xx.xx srcport=3515 nat=xx.xx.xx.xx natport=3515 dst=xx.xx.xx.xx dstport=80 rule=6 sent=456 rcvd=970 pkts_sent=1 pkts_rcvd=1 op=GET arg=/static/sys/v8/icons/ic_pfeil_inaktiv.gif
Because these reboots are totally random, I think they are connected with some action on a computer within the network. My first idea was that it could be a virus or trojan that uses the DNS protocol for communication.
My latest idea is that Skype calls on port 80 or 443 crash the HTTP protocol analyzer in the firewall, if Skype establishes a call through port 80 or 443. The firewall blocks all ports by default. There are only a few TCP/UDP ports for VPN clients and TCP 80 and 443 open for communication, so Skype will mainly use ports 80 and 443 for communication.
An update to 5.0.5 is planned for the next few days, but I found no information in the release notes about such a problem.
Update: We updated to a GB-2000e and there were also 2-3 updates, and the box is now running version 5.2.0. But the firewall still reboots after a kernel panic, sometimes 2-3 times a day, sometimes running 50 days without problems (which was the longest uptime ever seen for our box in the last 3 years).
The Microsoft Messenger /gataway/gateway.dll was accessed most times 1-3 minutes before the crash, but not every time. Only the output to syslog changed with each update, but the crash/reboot was never fixed by an update.
This is logged to the console window, date/time from 'Audit Events':
2009-06-26 11:41:09 Live Administration access
2009-06-26 10:40:22 Live GB-2000e version 5.2.0 slice 1 active
Fatal trap 12: page fault while in kernel mode
fault virtual address = 0x47b3dacf
fault code = supervisor write, page not present
instruction pointer = 0x20:0xc0637e13
stack pointer = 0x28:0xd221ac78
frame pointer = 0x28:0xd221ac7c
code segment = base 0x0, limit 0xfffff, type 0x1b
             = DPL 0, pres 1, def32 1, gran 1
processor eflags = interrupt enabled, resume, IOPL = 0
current process = 36 (tun_cleanup)
trap number = 12
panic: page fault
Uptime: 17d21h34m3s
Cannot dump. No dump device defined.
Automatic reboot in 15 seconds - press a key on the console to abort
Rebooting...
2009-06-08 13:00:54 Live GB-2000e version 5.2.0 slice 1 active
2009-06-08 13:00:47 Live Time zone set to Germany
Fatal trap 12: page fault while in kernel mode
fault virtual address = 0x4a4c5a3d
fault code = supervisor write, page not present
instruction pointer = 0x20:0xc0637e13
stack pointer = 0x28:0xd2f019e8
frame pointer = 0x28:0xd2f019ec
code segment = base 0x0, limit 0xfffff, type 0x1b
             = DPL 0, pres 1, def32 1, gran 1
processor eflags = interrupt enabled, resume, IOPL = 0
current process = 88 (snort)
trap number = 12
panic: page fault
Uptime: 3m30s
Cannot dump. No dump device defined.
Automatic reboot in 15 seconds - press a key on the console to abort
Rebooting...
04-17 14:56:23 Live GB-2000e version 5.2.0 slice 1 active
04-17 14:56:16 Live Time zone set to Germany
Fatal trap 12: page fault while in kernel mode
fault virtual address = 0x4e1a73e8
fault code = supervisor write, page not present
instruction pointer = 0x20:0xc0636f72
stack pointer = 0x28:0xd21d2a34
frame pointer = 0x28:0xd21d2a44
code segment = base 0x0, limit 0xfffff, type 0x1b
             = DPL 0, pres 1, def32 1, gran 1
processor eflags = interrupt enabled, resume, IOPL = 0
current process = 11 (swi1: net)
trap number = 12
panic: page fault
Uptime: 2d2h48m38s
Cannot dump. No dump device defined.
Automatic reboot in 15 seconds - press a key on the console to abort
Rebooting...
02-09 15:53:00 Live GB-2000e version 5.1.3 slice 2 active
02-09 15:52:52 Live Time zone set to Germany
Fatal trap 12: page fault while in kernel mode
fault virtual address = 0x32587745
fault code = supervisor write, page not present
instruction pointer = 0x20:0xc06305c7
stack pointer = 0x28:0xd20b8c78
frame pointer = 0x28:0xd20b8c7c
code segment = base 0x0, limit 0xfffff, type 0x1b
             = DPL 0, pres 1, def32 1, gran 1
processor eflags = interrupt enabled, resume, IOPL = 0
current process = 35 (tun_cleanup)
trap number = 12
panic: page fault
Uptime: 11d6h13m21s
Cannot dump. No dump device defined.
Automatic reboot in 15 seconds - press a key on the console to abort
Rebooting...
01-26 12:54:04 Live GB-2000e version 5.1.3 slice 2 active
01-26 12:53:57 Live Time zone set to Germany
Fatal trap 12: page fault while in kernel mode
fault virtual address = 0xbfcbc9c8
fault code = supervisor read, page not present
instruction pointer = 0x20:0xc0615af9
stack pointer = 0x28:0xd2da846c
frame pointer = 0x28:0xd2da8470
code segment = base 0x0, limit 0xfffff, type 0x1b
             = DPL 0, pres 1, def32 1, gran 1
processor eflags = interrupt enabled, resume, IOPL = 0
current process = 84 (snort)
trap number = 12
panic: page fault
Uptime: 3d18h40m1s
Cannot dump. No dump device defined.
01-09 14:47:49 Live GB-2000e version 5.1.3 slice 2 active
01-09 14:47:41 Live Time zone set to Germany
Fatal trap 12: page fault while in kernel mode
fault virtual address = 0x622022a1
fault code = supervisor write, page not present
instruction pointer = 0x20:0xc062f726
stack pointer = 0x28:0xd2079a38
frame pointer = 0x28:0xd2079a48
code segment = base 0x0, limit 0xfffff, type 0x1b
             = DPL 0, pres 1, def32 1, gran 1
processor eflags = interrupt enabled, resume, IOPL = 0
current process = 13 (swi1: net)
trap number = 12
panic: page fault
Uptime: 51d3h29m35s
Cannot dump. No dump device defined.
Automatic reboot in 15 seconds - press a key on the console to abort
Rebooting...
10-28 10:10:44 Live GB-2000e version 5.1.3 slice 2 active
10-28 10:10:36 Live Time zone set to Germany
Fatal trap 12: page fault while in kernel mode
fault virtual address = 0x2f92987b
fault code = supervisor read, page not present
instruction pointer = 0x20:0xc05662c0
stack pointer = 0x28:0xd2da8858
frame pointer = 0x28:0xd2da8858
code segment = base 0x0, limit 0xfffff, type 0x1b
             = DPL 0, pres 1, def32 1, gran 1
processor eflags = interrupt enabled, resume, IOPL = 0
current process = 84 (snort)
trap number = 12
panic: page fault
Uptime: 3d23h27m49s
Cannot dump. No dump device defined.
Automatic reboot in 15 seconds - press a key on the console to abort
Rebooting...
IPS is running. I will check whether I can turn it off. Could it be that IPS or Surf Sentinel has problems if someone sends Chinese characters through Microsoft Messenger?
Today's reboots...
2009-06-29 10:46:27 Live GB-2000e version 5.2.0 slice 1 active
2009-06-29 10:46:20 Live Time zone set to Germany
Fatal trap 12: page fault while in kernel mode
fault virtual address= 0x75596550
fault code= supervisor write, page not present
instruction pointer= 0x20:0xc0637e13
stack pointer = 0x28:0xd221ac78
frame pointer = 0x28:0xd221ac7c
code segment= base 0x0, limit 0xfffff, type 0x1b
            = DPL 0, pres 1, def32 1, gran 1
processor eflags= interrupt enabled, resume, IOPL = 0
current process= 36 (tun_cleanup)
trap number= 12
panic: page fault
Uptime: 3d0h5m7s
Cannot dump. No dump device defined.
Automatic reboot in 15 seconds - press a key on the console to abort
Rebooting...
Turn it off as a test; if it stops rebooting then I would raise a ticket with your support channel about the matter. It is not possible to fix that kind of issue through a forum.
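For a support ticket it helps to tabulate the panic dumps instead of pasting them raw. The following is an added example, not part of the original thread and not vendor tooling: it parses "Fatal trap" records like those quoted above and groups the crashing process names by faulting instruction pointer, showing whether different processes fault at the same kernel address. The function names and the abridged sample are assumptions made for illustration.

```python
import re
from collections import defaultdict

# Abridged from the console dumps quoted in the post; the second record is
# split across lines to show that flattened and multi-line dumps parse alike.
SAMPLE = """\
Fatal trap 12: page fault while in kernel mode fault virtual address = 0x47b3dacf fault code = supervisor write, page not present instruction pointer = 0x20:0xc0637e13 current process = 36 (tun_cleanup) trap number = 12 panic: page fault Uptime: 17d21h34m3s
Fatal trap 12: page fault while in kernel mode
fault virtual address = 0x4a4c5a3d
instruction pointer = 0x20:0xc0637e13
current process = 88 (snort)
Uptime: 3m30s
Fatal trap 12: page fault while in kernel mode fault virtual address = 0x4e1a73e8 instruction pointer = 0x20:0xc0636f72 current process = 11 (swi1: net) Uptime: 2d2h48m38s
"""

FIELDS = {
    "fault_addr": r"fault virtual address\s*=\s*(0x[0-9a-f]+)",
    "ip": r"instruction pointer\s*=\s*0x[0-9a-f]+:(0x[0-9a-f]+)",
    "process": r"current process\s*=\s*\d+ \(([^)]*)\)",
    "uptime": r"Uptime:\s*(\S+)",
}

def uptime_seconds(text):
    """Convert '17d21h34m3s' style uptime to seconds; missing units count as 0."""
    m = re.fullmatch(r"(?:(\d+)d)?(?:(\d+)h)?(?:(\d+)m)?(?:(\d+)s)?", text)
    if not m:
        raise ValueError(f"unrecognised uptime: {text!r}")
    d, h, mi, s = (int(x or 0) for x in m.groups())
    return ((d * 24 + h) * 60 + mi) * 60 + s

def parse_panics(text):
    """Return one dict per 'Fatal trap' record; absent fields map to None."""
    records = []
    for chunk in re.split(r"(?=Fatal trap \d+:)", text):
        if chunk.startswith("Fatal trap"):
            found = {k: re.search(p, chunk) for k, p in FIELDS.items()}
            records.append({k: m.group(1) if m else None for k, m in found.items()})
    return records

def processes_by_ip(records):
    """Group crashing process names by the faulting instruction pointer."""
    groups = defaultdict(set)
    for rec in records:
        groups[rec["ip"]].add(rec["process"])
    return {ip: sorted(names) for ip, names in groups.items()}

if __name__ == "__main__":
    for ip, names in processes_by_ip(parse_panics(SAMPLE)).items():
        print(ip, names)
```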