Automated Configuration Backup Fails To Upload

pdavis · Apr 23, 2023, 9:58 AM

I am getting a message that my backup is failing to upload to the Netgate servers (which I have it set to do after every config change).

The message states that "acb.netgate.com" can't be resolved, but when I do a DNS resolution test, it resolves just fine? Please advise:

stephenw10 · Apr 23, 2023, 2:49 PM

Do you see that error every time it tries to save?

How do you have the DNS configured in System > General setup?
You are only seeing a response from localhost/unbound in the test.

Steve

pdavis · Apr 23, 2023, 6:20 PM

@stephenw10 Thank you for the response. Yes, I see that error every time I make a config change.

I am only using Unbound/localhost for my DNS, and it is resolving the acb.netgate.home without any issues, so very strange.

stephenw10 · Apr 23, 2023, 8:38 PM

So you have 'DNS Resolution Behavior' set to 'Use local DNS, ignore remote DNS servers'?

Can it resolve that if you test using host at the CLI?

pdavis · Apr 23, 2023, 9:17 PM

@stephenw10 Yes, that's correct, I use local DNS and ignore downstream.

It resolves from the pfSense box and clients with no issues, so I'm not sure I believe the error message. Ping and traceroute output below:

Ping:

Traceroute:

stephenw10 · Apr 23, 2023, 9:51 PM

Hmm, anything further logged in the system log?

pdavis · Apr 23, 2023, 10:02 PM

@stephenw10 Actually, I do see an entry 15 or so minutes after my most recent change where the backup initiated, and I didn't get an error message.

Maybe it just tried to upload the backup too quickly following my config change, and all services weren't fully back up yet. I will keep an eye on it, and let you know if I see again - my only suggestion would be maybe to increase the time between the change and the upload?

stephenw10 · Apr 23, 2023, 10:03 PM

What pfSense version is that?

ACB was changed to queue uploads asynchronously to allow for temporary issues.

pdavis · Apr 23, 2023, 10:06 PM

@stephenw10 The latest and greatest - pfSense Plus 23.01, AMD64

stephenw10 · Apr 23, 2023, 10:20 PM

Hmm, definitely applies there then. That would explain the log after 15mins, it will keep trying to upload queued backups. It must be failing for some other reason and just showing a resolution failure...

pdavis · Apr 23, 2023, 10:35 PM

@stephenw10 That's what I'm thinking as well - thank you for your help!

stephenw10 · Apr 24, 2023, 12:38 PM

Do you see anything in /tmp/backupdebug.txt ?

Is this new install? Upgrade to 23.01? What version was it running previously?

Steve

pdavis · Apr 24, 2023, 10:40 PM

@stephenw10 I do not see a backupdebug.txt file in my tmp directory. I upgraded from 22.05 to 23.01 in February

stephenw10 · Apr 24, 2023, 11:26 PM

And ACB has been working OK in 23.01 until recently?

pdavis · Apr 25, 2023, 12:03 AM

@stephenw10 Honestly I haven't made many configuration changes in 23.01 - the ones I have made have failed initially, but I just got around to posting about it now.

I see all the backups, including a test I took yesterday that completed on the first try, so perhaps this is just an intermittent issue.

stephenw10 · Apr 25, 2023, 12:49 PM

Ah, so it does actually backup? Hmm, that's even more weird then if it shows that error every time.

pdavis · Apr 25, 2023, 11:18 PM

@stephenw10 For clarity, it does not back up on the attempt that I get the message for - but from what I saw in the logs, it retries 15 minutes later or so, and I get no error.

stephenw10 · Apr 26, 2023, 8:31 AM

Ah, hmm. Do you see any other DNS resolution issues?

Are you using DNSoverTLS? With Quad9 perhaps? There seems to be an issue with that, as yet, undefined.

pdavis · Apr 26, 2023, 8:31 AM

@stephenw10 No, no other DNS resolution issues to speak of, Unbound is typically rock solid. I do use DNS over SSL/TLS

To give you a better sense of my configuration - I have pfBlockerNG installed, so all traffic for all clients on my primary LAN Interface/VLANs go through Unbound, with no downstream server.

The only exception is my guest interface/VLAN used for wireless and IOT - the DHCP server on that Interface/VLAN is set up to dole out external DNS servers (starts with Cloudflare, then to Google, then to Quad9), and I have firewall rules in place to prevent that Interface from exchanging traffic with my primary VLANs. I was actually adding secondary Google DNS server and Quad9 to that DNS server list when I got this error - I wouldn't think that would affect the resolver, but I attempted to replicate the error by changing the order of the DNS servers in the DHCP settings for the Guest network.

The error did reoccur - see below for the logs, the resolver is not showing any issues, but it is showing that Unbound was restarted. The General log shows the error message about the config upload failing.

Unbound log:

General log:

It has been 1/2 hour now since I made that change, and the backup has not attempted to reupload. Also, as another datapoint, the backup didn't fail when I changed some UPS settings in NUT a few days ago.

stephenw10 · Apr 26, 2023, 12:58 PM

@pdavis said in Automated Configuration Backup Fails To Upload:

I do use DNS over SSL/TLS

To Quad9?

That error sure looks like it actually failed to resolve. I can't see what else could trigger it.