Netgate Discussion Forum

HA XMLRPC error

HA/CARP/VIPs
  • B Offline
    bolvar
    last edited by Sep 4, 2019, 5:31 PM

    Hi!
    I have made an HA config with two Dell R420s, and I have configured it and reinstalled pfSense many times, and almost everything is working, but I get this XMLRPC error.
    If I make some change, it replicates to the secondary node, so the HA is working.
    The error I get continuously:

    Sep 4 18:37:09 php-fpm 56930 /rc.filter_synchronize: New alert found: A communications error occurred while attempting to call XMLRPC method restore_config_section:
    Sep 4 18:37:09 php-fpm 56930 /rc.filter_synchronize: A communications error occurred while attempting to call XMLRPC method restore_config_section:
    Sep 4 18:36:08 php-fpm 56930 /rc.filter_synchronize: Beginning XMLRPC sync data to http://10.0.0.2:80/xmlrpc.php.
    Sep 4 18:36:08 php-fpm 56930 /rc.filter_synchronize: New alert found: A communications error occurred while attempting to call XMLRPC method restore_config_section:
    Sep 4 18:36:08 php-fpm 56930 /rc.filter_synchronize: A communications error occurred while attempting to call XMLRPC method restore_config_section:
    Sep 4 18:35:08 php-fpm 56930 /rc.filter_synchronize: Beginning XMLRPC sync data to http://10.0.0.2:80/xmlrpc.php.
    Sep 4 18:35:08 php-fpm 56930 /rc.filter_synchronize: XMLRPC versioncheck: 19.1 -- 19.1
    Sep 4 18:35:08 php-fpm 56930 /rc.filter_synchronize: XMLRPC reload data success with http://10.0.0.2:80/xmlrpc.php (pfsense.host_firmware_version).
    Sep 4 18:35:08 php-fpm 56930 /rc.filter_synchronize: Beginning XMLRPC sync data to http://10.0.0.2:80/xmlrpc.php.
    Sep 4 18:35:07 check_reload_status Syncing firewall

    This is on the first node; on the secondary there is no log entry for this.

    I have searched the forum but found nothing useful.

    Does anybody have a good solution for this?

    Thanks for the help!

    bolvar

    • B Offline
      bolvar
      last edited by bolvar Sep 24, 2019, 10:31 AM Sep 24, 2019, 9:34 AM

      Seriously, nobody has any idea about this? :/

      I found this error but have no idea what the problem is.
      pfsense1.jpg

      There is no default deny rule on my HA interface, and no bogon networks enabled.

      • J Offline
        johnpoz LAYER 8 Global Moderator
        last edited by Sep 24, 2019, 10:59 AM

        @bolvar said in HA XMLRPC error:

        There is no default deny rule on my HA interface

        All interfaces have a default deny, it's just not shown in the GUI.

        All of that traffic is out of state anyway - so yeah would be blocked. Notice the A in the flags of the traffic.. Those are Fin, Ack and even see one RST, Ack..

        If there is no state, then traffic is blocked - unless it's a SYN, which would open a new state if the rules allow the traffic.

        An intelligent man is sometimes forced to be drunk to spend time with his fools
        If you get confused: Listen to the Music Play
        Please don't Chat/PM me for help, unless mod related
        SG-4860 25.07 | Lab VMs 2.8, 25.07
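
The distinction drawn in the post above (a blocked SYN is a new connection denied by a rule; blocked A, FA or RA packets have no matching state) can be checked mechanically against the firewall log. This is an added example, not code from the thread or from pfSense; it assumes the comma-separated raw filterlog layout for IPv4 TCP entries, and every sample line, interface name, tracker ID and the 10.0.0.1 address is constructed.

```python
from collections import Counter

# Constructed sample entries (not taken from the thread). Assumed layout:
# rule,subrule,anchor,tracker,iface,reason,action,dir,ipver,tos,ecn,ttl,id,
# offset,ipflags,proto-id,proto,length,src,dst,sport,dport,datalen,tcpflags,...
SAMPLE_LOG = """\
5,,,1000000103,igb3,match,block,out,4,0x0,,64,0,0,DF,6,tcp,52,10.0.0.1,10.0.0.2,41873,80,0,FA,1,2,513,,
5,,,1000000103,igb3,match,block,out,4,0x0,,64,0,0,DF,6,tcp,52,10.0.0.1,10.0.0.2,41873,80,0,A,,2,513,,
5,,,1000000103,igb3,match,block,out,4,0x0,,64,0,0,DF,6,tcp,40,10.0.0.1,10.0.0.2,41874,80,0,RA,1,2,0,,
5,,,1000000103,igb3,match,block,in,4,0x0,,64,0,0,DF,6,tcp,60,10.0.0.2,10.0.0.1,50112,80,0,S,9,,65535,,
90,,,1000002000,igb3,match,pass,in,4,0x0,,64,0,0,DF,6,tcp,60,10.0.0.2,10.0.0.1,50113,80,0,S,9,,65535,,
5,,,1000000103,igb3,match,block,in,4,0x0,,64,0,0,none,17,udp,78,10.0.0.2,10.0.0.1,137,137,58
"""

# 0-based field positions in the assumed layout
ACTION, DIRECTION, IP_VERSION, PROTO = 6, 7, 8, 16
SRC, DST, SPORT, DPORT, TCP_FLAGS = 18, 19, 20, 21, 23


def parse_tcp_block(line):
    """Return a dict for a blocked IPv4 TCP entry, or None for anything else."""
    f = line.strip().split(",")
    if len(f) <= TCP_FLAGS or f[ACTION] != "block":
        return None
    if f[IP_VERSION] != "4" or f[PROTO] != "tcp":
        return None
    return {
        "direction": f[DIRECTION],
        "src": f"{f[SRC]}:{f[SPORT]}",
        "dst": f"{f[DST]}:{f[DPORT]}",
        "flags": f[TCP_FLAGS],
    }


def classify(flags):
    """A bare SYN asks for a new state; any other flag set needs an existing one."""
    if "S" in flags and "A" not in flags:
        return "new-connection"  # denied by a rule: review the ruleset
    return "out-of-state"        # state missing: look for state kills or asymmetry


def summarize(log_text):
    """Count blocked TCP entries per (direction, verdict)."""
    counts = Counter()
    for line in log_text.splitlines():
        entry = parse_tcp_block(line)
        if entry:
            counts[(entry["direction"], classify(entry["flags"]))] += 1
    return counts


if __name__ == "__main__":
    for (direction, verdict), n in sorted(summarize(SAMPLE_LOG).items()):
        print(f"{direction:>3}  {verdict:<15} {n}")
```
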

        • B Offline
          bolvar @johnpoz
          last edited by bolvar Sep 24, 2019, 12:15 PM Sep 24, 2019, 12:15 PM

          @johnpoz

          Hmm, okay, but if I made a rule for this problem, why doesn't it work?

          • J Offline
            johnpoz LAYER 8 Global Moderator
            last edited by johnpoz Sep 24, 2019, 12:53 PM Sep 24, 2019, 12:51 PM

            Not sure what you think the problem is, that traffic is not SYN.. It's out of state via the A... What rule are you creating? One that allows out of state traffic? That would not be a fix for why the traffic is out of state.

            Out of state traffic can be a sign of asymmetrical traffic, it can be indication that states have been reset, etc. There are many things that "could" cause it.. You need to look to why the traffic is out of state.

            https://docs.netgate.com/pfsense/en/latest/firewall/troubleshooting-blocked-log-entries-for-legitimate-connection-packets.html

            • B Offline
              bolvar @johnpoz
              last edited by Sep 24, 2019, 3:55 PM

              @johnpoz

              Yeah, I'm not a pro in pfSense, that's true :D. The problem is what I don't understand: the link says that the packet is lost and it is sent again, but how can this be possible? It's a direct cable.

              • J Offline
                johnpoz LAYER 8 Global Moderator
                last edited by Sep 24, 2019, 4:51 PM

                Because it didn't get an answer, because it's blocked by the firewall, looks like ;)

                • B Offline
                  bolvar @johnpoz
                  last edited by Sep 25, 2019, 7:43 AM

                  @johnpoz
                  But why :D . I made a rule to communicate from the second to the primary, but it didn't solve the problem. Could the XMLRPC error come from this?

                  • J Offline
                    johnpoz LAYER 8 Global Moderator
                    last edited by Sep 25, 2019, 10:10 AM

                    Are you seeing SYN blocks? If you do not see a SYN in the blocks then you're only out of state..

                    • J Offline
                      JeGr LAYER 8 Moderator @bolvar
                      last edited by Sep 25, 2019, 12:55 PM

                      @bolvar said in HA XMLRPC error:

                      @johnpoz
                      But why :D . I made a rule to communicate from the second to the primary, but it didn't solve the problem. Could the XMLRPC error come from this?

                      Because that indicates asymmetric traffic. Like you forcing it out to one interface instead of the one it should or would be taking. Then you end up with traffic that comes from/to an interface, that was not expected. You'd have to show your rules, gateways, routing etc. to see where that may come from. And why you have traffic from the firewall on port 80. Did you disable HTTPS for the WebUI?

                      Don't forget to upvote 👍 those who kindly offered their time and brainpower to help you!

                      If you're interested, I'm available to discuss details of German-speaking paid support (for companies) if needed.

                      • J Offline
                        johnpoz LAYER 8 Global Moderator
                        last edited by johnpoz Sep 25, 2019, 12:59 PM Sep 25, 2019, 12:57 PM

                        that is the sync traffic.. makes no sense that there would be any issues.. But as you stated we have no actual details of how he has everything configured or connected.

                        https://docs.netgate.com/pfsense/en/latest/highavailability/configuring-high-availability.html

                        • J Offline
                          JeGr LAYER 8 Moderator
                          last edited by Sep 25, 2019, 12:58 PM

                          Aye, if there's some "route everything via VPN" or other such tidbits in play, hell knows what hoops the traffic will hop through ;)

                          • J Offline
                            johnpoz LAYER 8 Global Moderator
                            last edited by johnpoz Sep 25, 2019, 1:24 PM Sep 25, 2019, 1:02 PM

                            Would seem odd it would send traffic out a VPN since it's a directly attached interface.. Maybe he just needs to restart the sync process? Not a lot of HA experience, but would seem almost impossible to mess up to be honest since it is supposed to be a dedicated connection via a wire between the 2 boxes.

                            But all of the traffic looks to be out of state, since there are no syn's blocked. And looks like something wanting to close the connection since there is Fin and RST even in there.

                            Are those outbound blocks, sure looks like it, just noticed that - see the little black arrows?

                            outboundblocks.png

                            That makes ZERO sense! So some floating rule, not sure how you could even do default deny rule outbound on an interface?

                            • J Offline
                              JeGr LAYER 8 Moderator
                              last edited by Sep 25, 2019, 1:23 PM

                              Aye, we have quite some cluster customers, but never seen that on a Sync interface. The original error is one we have on 1-2 locations, too, though, but nothing with that kind of OOS traffic

                              • B Offline
                                bolvar @johnpoz
                                last edited by Oct 1, 2019, 6:47 AM

                                @johnpoz

                                What doesn't make sense is, I think I have found the problem.

                                Under System/Routing/Gateways, if I disable Gateway Monitoring the problem is gone... What the f**k.
                                During the sync, does it check the interface states?

                                I have only 1 public IP, so on my WAN interface I have a private IP.

                                Could the problem come from this?

                                • J Offline
                                  johnpoz LAYER 8 Global Moderator
                                  last edited by johnpoz Oct 1, 2019, 10:51 AM Oct 1, 2019, 10:49 AM

                                  I have no idea how you would be getting outbound blocking? It does not do that out of the box - you must have put in a floating rule.

                                  And you prob had something set up to flush states on gateway loss? Not sure why you would set up a gateway on your sync interface?? That makes no sense to do such a thing. What would you even set it to?

                                  • B Offline
                                    bolvar @johnpoz
                                    last edited by Oct 1, 2019, 11:19 AM

                                    @johnpoz

                                    There is no GW on the sync interface.
                                    I have no floating rule set up.
                                    So this is a big question, how this HA really works, because now I feel the outdated Netgate video and setup is crap.

                                    • J Offline
                                      johnpoz LAYER 8 Global Moderator
                                      last edited by johnpoz Oct 1, 2019, 11:23 AM Oct 1, 2019, 11:22 AM

                                      Very odd to be sure... I would hope someone with more HA experience could chime in.. While I have setup a HA for play in vm.. Never ran into such blocks..

                                      Is this the video you're talking about?
                                      https://www.slideshare.net/NetgateUSA/high-availability-on-pfsense-24-pfsense-hangout-march-2017

                                      • DerelictD Offline
                                        Derelict LAYER 8 Netgate
                                        last edited by Derelict Oct 2, 2019, 12:37 AM Oct 2, 2019, 12:27 AM

                                        Nothing magical about XMLRPC sync. It's just a TCP/HTTPS connection to the webgui port on the secondary.

                                        I suppose on the sending node that could happen if something has killed the state.

                                        Do you have state killing on gateway failure enabled in System > Advanced, Miscellaneous?

                                        Chattanooga, Tennessee, USA
                                        A comprehensive network diagram is worth 10,000 words and 15 conference calls.
                                        DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
                                        Do Not Chat For Help! NO_WAN_EGRESS(TM)

                                        • J Offline
                                          johnpoz LAYER 8 Global Moderator
                                          last edited by Oct 2, 2019, 12:34 AM

                                          But how/why would it be an outbound block?

                                          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.