Restore 1.2.3 Config to 2.1 fails "The Configuration Could Not Be Restored"



  • Moving to a new PFSense install.

    Original box is a 32-bit 1.2.3-RELEASE Diagnostics->Backup/Restore->"All", Check "Do not backup package information"->Download

    New box is 64-bit SMP 2.1-RELEASE Diagnostics->Backup/Restore->"All", Choose File->Restore configuration = "The following input errors were detected: The configuration could not be restored"

    I ran the XML through two separate XML validation programs, both came out with 0 errors.
    Tried IE Instead of Chrome
    Installed i386 tried restore, same issue.

    Suggestions?  The 1.2.3 box has been up for years, I'd hate to have to reconfigure all of that, but it is possible.





  • That should be supported. Unfortunately the error message is not so helpful. The validation of the config is done in /etc/inc/config.lib.inc config_install($conffile), which calls config_validate($conffile), which (assuming it can open the config file at all) puts some information about any problem into $xmlerr. But the contents of $xmlerr never get displayed anywhere.
    If you can do a bit of PHP, in Diagnostics->Command Prompt, you should be able to manually call config_validate($conffile) and see what is $xmlerr - something like:

    • use Diagnostics->Edit (or whatever way you like) to put the old 1.2.3 config onto the 2.1 filesystem, say as /tmp/config123.xml
    • enter some PHP like this in Diagnostics->Command Prompt:
    $conffile = "/tmp/config123.xml";
    $result = config_validate($conffile);
    var_dump($result);
    var_dump($xmlerr);
    

    I just did this with a good config, which I then changed to be bad (put " <enable>somewhere - it should only be a single "/").
    The output of the above code was:

    bool(false)
    string(22) "> required at line 375"
    

    This might give you a way to see what the XML parser is complaining about when it tries to validate the old config.



  • How do I get the XML file into the PFSense box?  the only thing I see is "edit file" which lets me look at files that are already on the box.



  • OK I figured that out.  The output came back as:

    bool(true)
    null

    EDIT:  Nevermind.  Working on it…



  • In "Save / Load from path" put the filename - e.g. /tmp/config123.xml
    Paste the file text into the big box
    Press Save.

    But you worked that out already.

    Earlier in config_validate is:

            if (!($fp = fopen($conffile, "r"))) {
                    $xmlerr = gettext("XML error: unable to open file");
                    return false;
            }
    

    But that should also tell you in $xmlerr that it cannot open the file.

    Then the while loop:

    while ($data = fread($fp, 4096)) {...
    

    I am not sure about the magic significance of reading up to 4096 bytes at a time - maybe this code fails if there is a line of text in the config that is longer than 4096 bytes? Not sure about how all that works feeding pieces to xml_parse.
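
An added example, not part of the thread and not pfSense's own code, of the chunked parse discussed in the two posts above: it feeds a file to PHP's XML parser 4096 bytes at a time and returns the parser's error text with the line number. The helper name `validate_xml_chunked` and the sample documents are assumptions constructed for illustration; one sample contains a text line longer than a single chunk, so the effect of a chunk boundary falling inside a line can be observed directly.

```php
<?php
// Added example, not pfSense code. validate_xml_chunked() is a hypothetical
// helper; the syntax is kept compatible with old PHP 5 as well as current PHP.

function validate_xml_chunked($path, $chunk = 4096)
{
    $fp = @fopen($path, 'r');
    if (!$fp) {
        return array(false, 'XML error: unable to open file');
    }
    $parser = xml_parser_create();
    $err = null;
    do {
        $data = fread($fp, $chunk);
        if ($data === false) {
            $err = 'XML error: read failed';
            break;
        }
        $final = feof($fp);
        // The parser keeps its state between calls, so a tag or a line of
        // text may be split across two chunks.
        if (!xml_parse($parser, $data, $final)) {
            $err = sprintf('%s at line %d',
                xml_error_string(xml_get_error_code($parser)),
                xml_get_current_line_number($parser));
            break;
        }
    } while (!$final);
    fclose($fp);
    return array($err === null, $err);
}

// Constructed sample inputs (not real configs).
$long = str_repeat('x', 6000);   // one text line longer than the chunk size
$samples = array(
    'long-line' => "<pfsense>\n<descr>$long</descr>\n</pfsense>\n",
    'bad-tag'   => "<pfsense>\n<enable></disable>\n</pfsense>\n",
);
foreach ($samples as $name => $xml) {
    $path = tempnam(sys_get_temp_dir(), 'cfg');
    file_put_contents($path, $xml);
    list($ok, $err) = validate_xml_chunked($path);
    echo $name, ': ', $ok ? 'valid' : $err, "\n";
    unlink($path);
}
```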



  • SWEET!  Thanks for the help!

    I think it is working.  The errors in the config were "invalid character" which turned out to be spaces after a "name" descriptor.  So I had apparently written a rule say "NAT Email " with the space on the end and that was bad.

    Not sure if 2.x already does it but might want to strip leading and ending spaces.



  • The only problem I'm having now is that after the config load I cannot access the webadmin.  I can ping it, everything seems to be working, but 404.



  • From the console, try:

    1. Restart webConfigurator

    A 404 is a real response from the HTTP server, so I guess that indicates that the firewall rules have not locked you out completely  :)



  • Tried that.  I might be wrong about it being a real 404.  I'm out of office now.  Any steps to unlock it if it is the firewall?





  • @phil.davis:

    These are the standard ways to get back in: https://doc.pfsense.org/index.php/I_locked_myself_out_of_the_WebGUI,_help!

    Thanks for the help so far.  None of those suggestions worked, so on a whim I used option 2 on the PFsense box directly to change the IP address of the LAN adapter, I think I read somewhere this resets the web settings.  I changed it to a different IP than was previously on the box and I was able to get in.  But if I change the LAN IP to what was originally on the box, I am locked out again.

    Somewhere there's something preventing web access when it is running on that original IP address.



  • Maybe there is another device on the LAN that is also using that original LAN IP? Try accessing the original LAN IP when pfSense is not using it, and maybe you will still get a response?
    Or did you use the bottom address in the LAN subnet? (like 192.168.1.0/24) I have done that to myself in the past while quickly going through the initial wizard and not thinking. (Note: In 2.1.1 the validation has been enhanced to catch that sort of thing)
    Otherwise, I am struggling to think what would be special about a particular LAN IP, unless you have a particular rule that blocks it.



  • No, this is a standalone box with nothing but my laptop connected.

    So here's what I did that managed to get it working.  I changed the address from .1.1 to .44.1, this allowed me into the webconfigurator on port 80.  I then created a security certificate and changed the webconfigurator over to https and port 443.  I then changed the address back to the original .1.1 and was able to get in using the original address.

    Not sure why but the box just will not accept a port 80 connection if its IP is the .1.1; 443 connection is fine.

    I ran a port scanner and the port is open.  Anyway, 443 should be what is used anyway, so I think all is fine now.



  • Hi everyone,
    I guess I'm in the right section of the forum, as I too cannot use my XML file from 1.2.x on 2.1 and I get "The Configuration Could Not Be Restored". I'm not really familiar with XML, so I just put it as an attachment in case someone has the time to look at it.
    Thanks for the help,
    S.

    pfsense_xml.txt



  • I'm not sure if it is the cause, but I noticed at the bottom of your XML there is a bunch of package information.  I believe the Wiki states to export the 1.2.3 configuration without package data.  Package data cannot be imported.



  • thanks,
    I have 2 backups, 1 with package and 1 without, none are working; here is the one without (I think)

    pfsense_xml1.txt



  • The steps outlined by Phil earlier in the post worked out beautifully to find the error.  It's really simple, just copy, paste (change the file name), run.



  • I'm sure it does but I don't understand it :-(



  • The file even fails basic XML validation.  What options are you using when you export it?



  • diagnostics - backup



  • You might want to start a new thread.  Did you maybe open the file in another program before trying the import?  They should have come out with .xml extensions, not the .txt files you have posted.  The export is a mess: there are backslashes after every line and incorrect data in the header.



  • Thank you,
    I will do that! (I have the .xml but just posted .txt).
    S.