MaxMind Database Download Error
-
After upgrading from pfBlockerNG-devel v 3.0.0_8 to version 3.0.0_10, I am receiving the following error when the cron update occurs:
Download Process Starting [ 02/24/21 06:00:00 ]
HTTP/2 stream 0 was not closed cleanly: PROTOCOL_ERROR (err 1) Retry in 5 seconds...
HTTP/2 stream 0 was not closed cleanly: PROTOCOL_ERROR (err 1) Retry in 5 seconds...
..HTTP/2 stream 0 was not closed cleanly: PROTOCOL_ERROR (err 1) Retry in 5 seconds...
HTTP/2 stream 0 was not closed cleanly: PROTOCOL_ERROR (err 1) Retry in 5 seconds...
..HTTP/2 stream 0 was not closed cleanly: PROTOCOL_ERROR (err 1) Retry in 5 seconds...
HTTP/2 stream 0 was not closed cleanly: PROTOCOL_ERROR (err 1) Retry in 5 seconds...
... unknown http status code | 0. unknown http status code | 0
Failed to Download GeoLite2-Country.mmdb
Updates occurred without error on the prior version of pfBlockerNG-devel, and no changes have been made to the firewall rules in the interim. Is anyone else seeing database update errors with this new version?
-
@dalillama
Do you have connectivity to Maxmind?
ping download.maxmind.com
-
Tracked the problem down to a missing /var/db/uniqueid file. The update now completes correctly.
Thanks for the followup!
-
@dalillama
What was the issue with the ID?
-
@bbcan177 The /var/db/uniqueid file had been inadvertently deleted from the system at some point. While MaxMind updates occurred without error in 3.0.0_8, the changes in 3.0.0_10 to include the uniqueid as part of the download string apparently broke the download if the uniqueid file was not present.
I admit I didn't have time to review the new code, but saw the change flagged in the changelog and noticed the /var/db/uniqueid file was missing when troubleshooting the issue. Restoring the file from a snapshot enabled the MaxMind download to function again. Obviously this was a bit of a corner case and I doubt it's worth the effort to tweak the code to fail more gracefully.
-
@dalillama
So I assume that MaxMind was rate-limiting based on the cURL user-agent string. When the ID was missing, it was a generic string "pfSense/pfBlockerNG cURL download agent-". Then when the ID was found, the UA string was not rate-limited because it included the ID.