One week vouchers expire in less than 24h



  • I have a roll of vouchers with 10080 minutes. It happens almost every day - vouchers expire in less than one day after they have been activated. I guess it happens the moment the hard timeout hits (360 mins).

    Are there any suggestions on how to better log and trace voucher lifespan?
    (pfs 2.1 64bit, carp cluster)

    Here is part of portal logs:

    Dec 11 09:10:06 logportalauth[27110]: FAILURE: f8336cb2, , x.x.x.x, voucher expired
    Dec 11 09:10:06 logportalauth[27110]: f8336cb2 (0/223) already used and expired
    Dec 10 17:23:58 logportalauth[43722]: TIMEOUT: f8336cb2
    Dec 10 16:15:07 logportalauth[47535]: Voucher login good for 10080 min.: f8336cb2

    Looks like it travels through the time :)
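
One way to trace voucher lifespan from the portal auth log, as an added example that is not part of the original post and not pfSense code: it pairs each "Voucher login good for N min." line with later "voucher expired" failures for the same voucher and reports the ones rejected before N minutes had passed. The `premature_expiries` name, the year argument (syslog lines carry no year) and the second voucher in the sample are assumptions made for illustration.

```python
import re
from datetime import datetime

# Optional hostname before "logportalauth", as in the later log line in this thread.
LINE = re.compile(r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) (?:\S+ )?logportalauth\[\d+\]: (.*)$")
GRANT = re.compile(r"Voucher login good for (\d+) min\.: (\S+)")
TIMEOUT = re.compile(r"TIMEOUT: (\S+)")
EXPIRED = re.compile(r"FAILURE: ([^,\s]+),.*voucher expired")

# First four lines are the ones quoted in the post; the 0a1b2c3d lines are
# constructed to show a voucher that expired on schedule.
SAMPLE = """\
Dec 11 09:10:06 logportalauth[27110]: FAILURE: f8336cb2, , x.x.x.x, voucher expired
Dec 11 09:10:06 logportalauth[27110]: f8336cb2 (0/223) already used and expired
Dec 10 17:23:58 logportalauth[43722]: TIMEOUT: f8336cb2
Dec 10 16:15:07 logportalauth[47535]: Voucher login good for 10080 min.: f8336cb2
Dec 10 09:05:00 logportalauth[101]: FAILURE: 0a1b2c3d, , x.x.x.x, voucher expired
Dec 10 08:00:00 logportalauth[100]: Voucher login good for 60 min.: 0a1b2c3d
"""

def premature_expiries(log_text, year):
    """Return (voucher, granted_min, elapsed_min, timeouts_seen) for every
    'voucher expired' rejection logged before the granted minutes ran out.
    Assumes all lines fall in the given year and that voucher time is
    counted from the first successful login."""
    events = []
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if m:
            ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
            events.append((ts, m.group(2)))
    events.sort(key=lambda e: e[0])          # the portal log view is newest-first
    grants, timeouts, findings = {}, {}, []
    for ts, msg in events:
        if (g := GRANT.search(msg)):
            grants.setdefault(g.group(2), (ts, int(g.group(1))))
        elif (t := TIMEOUT.search(msg)):
            timeouts[t.group(1)] = timeouts.get(t.group(1), 0) + 1
        elif (x := EXPIRED.search(msg)) and x.group(1) in grants:
            start, granted = grants[x.group(1)]
            elapsed = int((ts - start).total_seconds() // 60)
            if elapsed < granted:
                findings.append((x.group(1), granted, elapsed, timeouts.get(x.group(1), 0)))
    return findings

if __name__ == "__main__":
    for voucher, granted, elapsed, n in premature_expiries(SAMPLE, year=2013):
        print(f"{voucher}: expired after {elapsed} of {granted} min ({n} session timeout(s) seen)")
```

Run against a remote syslog copy, this gives a record of which vouchers were cut short and after how many session timeouts, which is the detail the bug ticket needs.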



  • That's how I have the vouchers configured:




  • I have this very strainght problem too. There exists a ticket https://redmine.pfsense.org/issues/3369
    Is there a workaround until the issue is solved?

    pfs 2.1



  • How many vouchers do you have in the roll and how many of them are already used and expired?
    My roll was 255 vouchers big and the problems started when I used and expired 2/3 of the vouchers.

    Workaround is to delete the roll and issue new one.

    /the bug report is mine/



  • I have 5000 vouchers in a roll.
    Sorry, but your workaround is not a really good solution for me.
    With 2.01, it's working.


  • Rebel Alliance Developer Netgate

    Can you try this on a 2.1.1 snapshot? ( See https://forum.pfsense.org/index.php/topic,71546.0.html ) – Several issues in CP and with Vouchers were fixed. If it's still broken on 2.1.1, update the ticket.



  • Cool :)
    Thanks!



  • Sorry, it doesn't work OK.
    The problem I observe now is that all activated (but not currently in use) vouchers expire as usual.

    Disregard that, I've misunderstood the logic of expiration.



  • Hi Jimp,
    I can't test it with 2.1.1 because this system is in a productive area with a lot of users. On a test system with few users, I have never had this problem.
    Which files in 2.1.1 were changed? Can I put these files into 2.1?

    Thx


  • Rebel Alliance Developer Netgate

    @woni:

    Hi Jimp,
    I can't test it with 2.1.1 because this system is in a productive area with a lot of users. On a test system with few users, I have never had this problem.
    Which files in 2.1.1 were changed? Can I put these files into 2.1?

    Thx

    I don't know the exact files/changes. There were a few that might be relevant and not all of them specifically in the CP code. 2.1.1 is nearly ready for release, it should be fine for production use at this stage.



  • Has this problem been fixed? Because I'm still getting this error with 2.1.4..  :-\



  • Had the problem with 2.1, upgraded to 2.1.4 - the problem still exists



  • @Paul6552:

    Had the problem with 2.1, upgraded to 2.1.4 - the problem still exists

    You re-used vouchers created in 2.1 in 2.1.4 ?



  • re-used and new one from 2.1.4, with both the same problem



  • Can you please give me details of the voucher? I'm working on this and haven't seen problems like this; please give some details to test.
    Running 2.1.4 x86.



  • I've got the same problem with 2.1.5.
    My idle time is 30 min, hard idle time is 45 min.

    Out of nowhere the system logs show the following while trying to login:
    Nov 11 16:06:53 pfsense logportalauth[21694]: FAILURE: xxxxxx, 00:19:66:37:aa:53, 192.168.123.199, voucher expired

    It started when about half of the vouchers were in use (the vouchers are intended to be used for half a year). Now every used voucher is marked as used and expired.

    And there seems to be no solution at all - or is there?
    And is there a way to unmark a voucher as expired?

    Please help.


  • Netgate

    Did you make a change to the voucher settings?  That can invalidate entire rolls.  Don't know if they'd show up as expired though.

    If you test one that's working from the same roll and test a known unused one in Status->Captive Portal->Zone->Test Vouchers do they report the same thing?



  • Yes, I changed the hard idle time from 90 to 45 min. yesterday. The vouchers though were marked as used and expired today, some 10-15 h later. Thus I don't see a relation - up to now.

    The only valid vouchers are those that were not used until now. Every used voucher is tested as used and expired.

    Is there a way to reactivate the expired vouchers? Otherwise, my users get angry with me.


  • Netgate

    I thought changing the captive portal would not invalidate the voucher rolls.  Are you sure you didn't change anything on the Vouchers tab?



  • Things on the Voucher-Tab like "# of Roll Bits"
    and in "Services: Captive portal: Edit Voucher Rolls" are not touched.

    In the Services: Captive portal:XXX I changed "Hard timeout" from 90 to 45. It's all.


  • Netgate

    Sorry.  No idea where to go from there.

    I just changed the timeout on a test system and the vouchers still test fine.

    Just guessing now…  You're positive about the math for the voucher duration?  I get 262,800 minutes for 6 months.

    Your system clock isn't like 2015 or something right?

    Do you remote syslog?  Has the portalauth log wrapped since you started seeing this?  Anything in there?



  • I'm desperate. The most important thing for me would be how to reset the vouchers. Do you know any way?

    The math is right, 280 000 min.; the date is also right. The portalauth.log reports the fault (used and expired vouchers) at about 15:40.

    The syslog says around this time:

    
    Nov 11 15:13:28 pfsense kernel: arp: 192.168.123.176 moved from 02:0f:b5:38:26:ba to 84:a6:c8:38:26:ba on bge0
    Nov 11 15:15:45 pfsense check_reload_status: Synching vouchers
    Nov 11 15:15:48 pfsense check_reload_status: Syncing firewall
    Nov 11 15:15:54 pfsense check_reload_status: Synching vouchers
    Nov 11 15:15:56 pfsense check_reload_status: Syncing firewall
    Nov 11 15:16:16 pfsense check_reload_status: Synching vouchers
    Nov 11 15:16:18 pfsense check_reload_status: Syncing firewall
    Nov 11 15:16:26 pfsense kernel: arp: 192.168.123.168 moved from 02:0f:b5:3b:c3:9d to 5c:8d:4e:3b:c3:9d on bge0
    Nov 11 15:21:06 pfsense lighttpd[93478]: (connections.c.137) (warning) close: 12 Connection reset by peer
    Nov 11 15:21:26 pfsense check_reload_status: Synching vouchers
    Nov 11 15:21:28 pfsense check_reload_status: Syncing firewall
    Nov 11 15:22:10 pfsense kernel: arp: 192.168.123.176 moved from 84:a6:c8:38:26:ba to 02:0f:b5:38:26:ba on bge0
    Nov 11 15:22:34 pfsense lighttpd[93478]: (connections.c.137) (warning) close: 16 Connection reset by peer
    Nov 11 15:23:05 pfsense kernel: arp: 192.168.123.176 moved from 02:0f:b5:38:26:ba to 84:a6:c8:38:26:ba on bge0
    Nov 11 15:28:11 pfsense lighttpd[93478]: (connections.c.137) (warning) close: 12 Connection reset by peer
    Nov 11 15:30:45 pfsense kernel: arp: 192.168.123.176 moved from 84:a6:c8:38:26:ba to 02:0f:b5:38:26:ba on bge0
    Nov 11 15:32:22 pfsense lighttpd[93478]: (connections.c.137) (warning) close: 18 Connection reset by peer
    Nov 11 15:34:03 pfsense kernel: arp: 192.168.123.173 moved from 5c:8d:4e:3b:c3:9d to 02:0f:b5:3b:c3:9d on bge0
    Nov 11 15:34:08 pfsense kernel: arp: 192.168.123.168 moved from 5c:8d:4e:3b:c3:9d to 02:0f:b5:3b:c3:9d on bge0
    Nov 11 15:34:24 pfsense check_reload_status: Synching vouchers
    Nov 11 15:34:27 pfsense check_reload_status: Synching vouchers
    Nov 11 15:34:27 pfsense check_reload_status: Syncing firewall
    Nov 11 15:34:29 pfsense check_reload_status: Syncing firewall
    Nov 11 15:36:57 pfsense lighttpd[93478]: (connections.c.137) (warning) close: 16 Connection reset by peer
    Nov 11 15:38:01 pfsense lighttpd[93478]: (connections.c.137) (warning) close: 12 Connection reset by peer
    Nov 11 15:49:38 pfsense lighttpd[93478]: (connections.c.137) (warning) close: 12 Connection reset by peer
    Nov 11 15:54:01 pfsense lighttpd[93478]: (connections.c.137) (warning) close: 12 Connection reset by peer
    Nov 11 15:57:57 pfsense kernel: arp: 192.168.123.107 moved from 40:b0:fa:c8:2f:1f to 02:0f:b5:c8:2f:1f on bge0
    Nov 11 15:59:52 pfsense lighttpd[93478]: (connections.c.137) (warning) close: 12 Connection reset by peer
    Nov 11 16:02:26 pfsense lighttpd[93478]: (connections.c.137) (warning) close: 12 Connection reset by peer
    
    

    This doesn't seem very unusual to me. I seem lost, again. Any hint please?


  • Netgate

    Doesn't have anything to do with expired vouchers but it looks like you have IP address conflicts all over the place.

    Sorry.  No idea how to reactivate vouchers - if it's even possible.



  • The conflicts may be a result of multiple use of a voucher on different computers in my network.

    I'll put the topic "reset of vouchers" as a new topic - there is maybe someone not reading our topic.

    Thanks for reading
    Michael



  • I am also getting this problem after changing the hard timeout value from empty to some number. I am using 2.2.3. A temporary fix is to remove the hard timeout value.