Authentication Issues

jacobedwards · Jul 21, 2014, 8:41 AM

Hello All,

I seem to be having an issue with our PFSense firewall that I could do with some help with.

To begin, I never setup this system and know next to nothing about configuration or troubleshooting in regards to PFSense, so please be patient with me.

So, I recently changed the administrator password on our "Firewall 1", which in turn caused an issue that throws out the following error on the top of my first firewall.

Acknowledge All .:. 07-10-14 14:35:21 - [sync_settings]An authentication failure occured while trying to access https://192.168.2.2:443 (pfsense.host_firmware_version). .:.

Now, for some reason, none of my NAT Rules seem to be working anymore, for instance, for port forwarding to my DVR box.

I changed the password on Firewall 2 also, but it did not seem to make any difference.

I also changed the password on Firewall 1 and 2 back to the default, but that too seemed to make no difference either.

Has anybody encountered this issue, and know how to solve it? Any help would be greatly appreciated.

Cheeeeeers! ;)

vindenesen · Jul 21, 2014, 9:32 AM

Hi jacobedwards,

I'm not so sure about your NAT issues. But what I do know, is that if you have a high availability setup with two firewalls, and you change your admin password, you also need to change the high availability settings. The password for the other firewall needs to be entered there.

You do not mention what version of pfSense you are using, but if it's 2.1 or never, you will find the settings under System -> High Avail. Sync. If "Remote System Username" has a value (it needs to be admin), then also make sure that the corresponding password is present in "Remote System Password". Note: This applies only to your primary firewall. Your secondary should not have any values in Username or Password.

jacobedwards · Jul 21, 2014, 9:46 AM

Ops, my apologies.

I'm using version 2.0.1-RELEASE.

I went into Virtual IP's - CARP Settings on Firewall 1.

I made sure that the Remote Username and Password were the same as the default admin account.

I went into Virtual IP's - CARP Settings on Firewall 2.

I tried to remove Remote Username and Password, but everytime I save it returns. I then changed them to Default Admin account.

However, issue is still occurring (Acknowledge All) at top of Firewall 1 only, not Firewall 2.

vindenesen · Jul 21, 2014, 9:41 AM

Then I think you will find the settings under Firewall -> Virtual IPs. Select the "CARP Settings" tab.

vindenesen · Jul 21, 2014, 10:00 AM

@jacobedwards:

I went into Virtual IP's - CARP Settings on Firewall 1.

I made sure that the Remote Username and Password were the same as the default admin account.

I went into Virtual IP's - CARP Settings on Firewall 2.

I tried to remove Remote Username and Password, but everytime I save it returns. I then changed them to Default Admin account.

However, issue is still occurring (Acknowledge All) at top of Firewall 1 only, not Firewall 2.

Yes, it makes sense that the messages is only appearing on the primary firewall, as that is the one who's trying to sync the settings over to the backup firewall. The password you are entering in the carp settings on the primary must be the password for the admin-account on the secondary firewall.

On the CARP settings, is "Synchronize Users and Groups" selected?

I assume you have clicked on "Acknowledge all", and the message keeps reappering?

jacobedwards · Jul 21, 2014, 10:44 AM

Haha the message has gone away now! Thanks a bunch!

Another issue has occurred though.

My secondary internet connection is appearing as "Offline" in the Gateway monitor, even though it isn't.

This is stopping my NAT Rules from working correctly as they route through the connection that is apparently "Offline".

Any reason it would be doing this?

vindenesen · Jul 21, 2014, 10:52 AM

Hmm, not really sure. You could try to restart the apinger-service, and see if that does anything. This is the service that monitors the gateways. You'll be able to restart it here: Status -> Services.

Edit: You should really consider upgrading to 2.1.4. Alot has been fixed since 2.0.1.

jacobedwards · Jul 21, 2014, 11:02 AM

If I was to perform the upgrade, would everything have to be reconfigured? Or would it stay exactly the same but with additional features?

Just because, if anything fucks up, I have no idea how to reconfigure it all again.

vindenesen · Jul 21, 2014, 11:10 AM

Theoretically, you should not need to reconfigure anything after the upgrade. I've personally never experienced issues with an upgrade, but I have never upgraded a system that runs a version that is soon to be three years old. Maybe you should consider purchasing support from ESF (pfSense).

Also see: https://doc.pfsense.org/index.php/Upgrade_Guide#Upgrading_CARP

Someone else may also have input to this.

Did you try to restart apinger?

jacobedwards · Jul 21, 2014, 11:32 AM

In Status -> Services, I only have the following:

bandwidthd
bsnmpd
ntpd
snort
squid
zabbix_agentd

No apinger? :S

vindenesen · Jul 21, 2014, 11:33 AM

Ah, I guess it's not visible as a service in 2.0.1 then.

jacobedwards · Jul 21, 2014, 12:03 PM

So I'm planning on upgrading from 2.0.1 to 2.1.4.

Anything I should know beforehand? I have backed up configuration files just incase.

Will any problems occur that anybody knows off?

Should I do anything before I perform the upgrade, I.E. Remove packages etc?

vindenesen · Jul 21, 2014, 4:18 PM

@jacobedwards:

So I'm planning on upgrading from 2.0.1 to 2.1.4.

Anything I should know beforehand? I have backed up configuration files just incase.

Will any problems occur that anybody knows off?

Should I do anything before I perform the upgrade, I.E. Remove packages etc?

You might have better luck if you post this in the forum for "Installation and upgrades", or maybe a mod can split your post out in a new thread.