XMLRPC sync errors since upgrade to 2.4.4
-
In windiz's logs, it is exactly 60 seconds from the beginning of the sync to the error and that sounds like a timeout to me. Brainstorming, how large is your config export file? We have some decently complex ones for our data center that are about 180 KB, for reference...Suricata rules, pfBlockerNG, OpenVPN, etc.
Router2 isn't set to sync back to router1 is it? That would be a loop.
-
Yes, the timeout is 60s. It used to be possible to take longer than that to load the config and respond with more than ~50 users on some hardware. There have been improvements gone in since then though.
Steve
-
@teamits said in XMLRPC sync errors since upgrade to 2.4.4:
In windiz's logs, it is exactly 60 seconds from the beginning of the sync to the error and that sounds like a timeout to me. Brainstorming, how large is your config export file? We have some decently complex ones for our data center that are about 180 KB, for reference...Suricata rules, pfBlockerNG, OpenVPN, etc.
Router2 isn't set to sync back to router1 is it? That would be a loop.
Good catch, my logs are showing the same thing. While config sync isn't set at all on the secondary, the primary is syncing states from the secondary, and the secondary from the primary, as per pfSense's documentation.
I'm going to try to blow the firewall rules open on the sync interface for both firewalls and see if that does anything.
-
Blowing open the rules did nothing, unfortunately. I'm seeing data received on the secondary firewall, so it's not a cable issue. I'll do a packet capture and see if anything interesting turns up.
-
The transmission is encrypted using TLS, so I can't actually see what's going on.
-
You could set the GUI to http just while you test. However you should still be able to see the TCP sequence and lack or responses.
Make sure both nodes are time sync'd and then compare the log entries. Does the secondary log anything during that 60s window?Steve
-
Hello All,
I am facing the same issue after an upgrade from 2.4.3 to 2.4.4, I have gone through all the checks suggested on the thread and most are ok with the exception of an entry in Secondary system logs under the general tab. The error is XMLRPC unbound /var/unbound/root.key corrupt deleted and recreated each time a sync is performed.
On the primary node I will get the sporadic XMLRPC communication errors stated here. Please note the sync is successful and the changes from the primary are reflected on the secondary with some delay. This only started after the upgrade.
-
I'm facing exactly the same issue. And after upgrading to 2.4.4p1 from 2.4.3
Settings are replicated, however I see this on the secondary.nginx: 2018/12/17 16:36:37 [crit] 79693#100242: *18691 SSL_write() failed (SSL:) (13: Permission denied) while sending to client, client: 192.168.50.3, server: , request: "POST /xmlrpc.php HTTP/1.1", upstream: "fastcgi://unix:/var/run/php-fpm.socket", host: "192.168.50.4"50.3 is the primary and 50.4 is the secondary
Any ideas?It looks like the config is received but the ack is never send back to the primary, thus the complaint.
-
Permission denied is almost always something being blocked by policy.
Are you running snort or suricata?
Is it enabled on the sync interface?
-
@derelict No snort or suricata ever installed. Not even pfblocker.
-
Do you see that same error if you just save the Unbound settings page on the secondary without making any changes?
Does Unbound actually start on the secondary?
Is the filesystem full?
Steve
-
on the secondary...
/root: df -h Filesystem Size Used Avail Capacity Mounted on /dev/gptid/5bd4713a-8d68-11e8-aed9-5b3c92e7c0e9 18G 1.0G 16G 6% / devfs 1.0K 1.0K 0B 100% /dev /dev/md0 3.4M 156K 3.0M 5% /var/run devfs 1.0K 1.0K 0B 100% /var/dhcpd/dev codeps -alx | grep unb 59 91398 1 0 20 0 48640 23480 kqread Is - 0:00.16 /usr/local/sbin/unbound -c /var/unbound/unbound.conf 0 86919 48899 0 20 0 6564 2456 piperd S+ 0 0:00.00 grep unb codeand no it is not happening if I save settings on secondary on dns resolv
-
So I reverted everything to http
nginx: 2018/12/19 10:01:20 [alert] 91226#100384: *10 writev() failed (13: Permission denied) while sending to client, client: 192.168.50.3, server: , request: "POST /xmlrpc.php HTTP/1.1", upstream: "fastcgi://unix:/var/run/php-fpm.socket", host: "192.168.50.4"It is not an ssl issue too.
Where does this permission denied comes from? -
Permission deniedin the nginx log means something cut it off, like a state being killed/removed or possibly a firewall rule prevented the outbound connection. -
@jimp Well, definitely not on the configuration. It is repeatable on every config update, and others have it too.
If it was linux I would look at selinux...
Now, since we are talking freebsd here, it looks like an audit denial (but my freebsd knowledge is limited) -
@jimp said in XMLRPC sync errors since upgrade to 2.4.4:
Permission denied in the nginx log means something cut it off, like a state being killed/removed or possibly a firewall rule prevented the outbound connection.
We have been suffering this problem since 2.4.4 upgrade and insisted with 2.4.4-p1...
Does 2.4.4-p2 solve this problem? (it announces a lot of bugfixes with nginx/php)
-
XMLRPC sync is working fine for lots and lots of people in 2.4.4, 2.4.4-p1 or 2.4.4-p2. It is something else unique to your setup.
Do you have State Killing on Gateway Failure enabled? (System > Advanced, Miscellaneous)
-
@derelict Perhaps that should be "setups"? Problem still exists for me too with my config described above on -p1.
-
@derelict xmlrpc sync IS working fine even with the error.
And yes, state killing on gateway failure seems to nail it.
Unchecking the box eliminates xmlrpcsync errors.
I don't recall anymore why this was checked in the first place, but IMHO looks like a bug to me. -
It seems to me the pfsense devs are still in denial about this one. The syncing is working so I just ignore it.
