Netgate Discussion Forum
    ConfigSync Does not work - solved again

    2.2 Snapshot Feedback and Problems - RETIRED

      neuernick

      Hi
      I run two pfSense instances, both as virtual machines, using 2 individual XenServers inside one XenServer pool (Citrix open source version).
      Both are running fine; both have a WAN interface with a public IP and a LAN interface. I set up CARP on the LAN and WAN interfaces. Works.

      I am trying to get pfsync working, therefore I have a third interface configured. This is running in its own VLAN and subnet and can ping across.
      Only the state and config sync does not work.

      Can I provide some additional information?
      Could somebody maybe shed a little bit of light on this for me :)

      cheers
      neuernick

        cmb

        what log do you get when it fails?

          neuernick

          Sorry, this is a bit of an annoyance for me; I do not see log entries regarding this topic.

          I tried a lot of config changes: adding rules, removing rules (firewall), adding and removing users…

          Out of the System section I get this:

          Nov 7 18:27:20 check_reload_status: Syncing firewall
          Nov 7 18:27:20 php-fpm[95925]: /system_usermanager.php: The command '/usr/sbin/pw groupadd -g -M 2001,2002,2003 2>&1' returned exit code '65', the output was 'pw: group name required'
          Nov 7 18:27:20 php-fpm[95925]: /system_usermanager.php: Tried to remove user but got user pw instead. Bailing.
          Nov 7 18:26:27 php-fpm[95925]: /rc.filter_configure_sync: Could not find IPv6 gateway for interface(lan).

          From the master. Nothing on the slave.
          Firewall: low volume of the usual stuff. Nothing on the pfsync interface.

          By any chance, do I need to have the system password the same as the CARP password?
          CARP is working; in order to get CARP I configured it on both hosts manually.

            cmb

            You don't seem to have config sync enabled at all, no logs there attempting anything.

              neuernick

              Hi

              I have it enabled.

              Config snippet from slave
              <hasync><pfsyncpeerip></pfsyncpeerip>
              <pfsyncinterface>opt1</pfsyncinterface>
              <synchronizetoip></synchronizetoip>
              <username></username>
              <password></password>
              <pfsyncenabled>on</pfsyncenabled></hasync>

              config snippet master

              <hasync><pfsyncpeerip>10.x.x.2</pfsyncpeerip>
              <pfsyncinterface>opt1</pfsyncinterface>
              <synchronizetoip>10.x.x.2</synchronizetoip>
              <username>admin</username>
              <password>[prefer to keep it in my place ;)</password>
              <synchronizeusers>on</synchronizeusers>
              <synchronizerules>on</synchronizerules>
              <synchronizecerts>on</synchronizecerts>
              <synchronizeschedules>on</synchronizeschedules>
              <synchronizealiases>on</synchronizealiases>
              <synchronizevirtualip>on</synchronizevirtualip>
              <synchronizecaptiveportal>on</synchronizecaptiveportal>
              <synchronizednsforwarder>on</synchronizednsforwarder>
              <synchronizeauthservers>on</synchronizeauthservers>
              <synchronizedhcpd>on</synchronizedhcpd>
              <synchronizewol>on</synchronizewol>
              <synchronizestaticroutes>on</synchronizestaticroutes>
              <synchronizelb>on</synchronizelb>
              <synchronizenat>on</synchronizenat>
              <synchronizeipsec>on</synchronizeipsec>
              <synchronizeopenvpn>on</synchronizeopenvpn>
              <pfsyncenabled>on</pfsyncenabled></hasync>

              just for reference, here is the ps output

              [2.2-BETA][root@c3po.wks20.de]/root: ps auxx
              USER      PID  %CPU %MEM    VSZ  RSS TT  STAT STARTED      TIME COMMAND
              root      11 199.0  0.0      0    32  -  RL    9:40AM 1705:58.19 [idle]
              root        0  0.0  0.0      0  144  -  DLs  9:40AM    0:00.15 [kernel]
              root        1  0.0  0.1  9472  760  -  ILs  9:40AM    0:00.03 /sbin/init --
              root        2  0.0  0.0      0    16  -  DL    9:40AM    0:00.00 [crypto]
              root        3  0.0  0.0      0    16  -  DL    9:40AM    0:00.00 [crypto returns]
              root        4  0.0  0.0      0    32  -  DL    9:40AM    0:00.29 [cam]
              root        5  0.0  0.0      0    16  -  DL    9:40AM    0:18.22 [pf purge]
              root        6  0.0  0.0      0    16  -  DL    9:40AM    0:00.00 [balloon]
              root        7  0.0  0.0      0    16  -  DL    9:40AM    0:00.00 [sctp_iterator]
              root        8  0.0  0.0      0    16  -  DL    9:40AM    0:00.82 [pagedaemon]
              root        9  0.0  0.0      0    16  -  DL    9:40AM    0:00.00 [vmdaemon]
              root      10  0.0  0.0      0    16  -  DL    9:40AM    0:00.00 [audit]
              root      12  0.0  0.0      0  352  -  WL    9:40AM    2:53.23 [intr]
              root      13  0.0  0.0      0    32  -  DL    9:40AM    0:00.00 [ng_queue]
              root      14  0.0  0.0      0    48  -  DL    9:40AM    0:02.20 [geom]
              root      15  0.0  0.0      0    16  -  DL    9:40AM    0:18.52 [rand_harvestq]
              root      16  0.0  0.0      0    64  -  DL    9:40AM    0:03.55 [usb]
              root      17  0.0  0.0      0    16  -  SL    9:40AM    0:03.90 [xenwatch]
              root      18  0.0  0.0      0    16  -  IL    9:40AM    0:00.08 [xenstore_rcv]
              root      19  0.0  0.0      0    16  -  DL    9:40AM    0:00.10 [idlepoll]
              root      20  0.0  0.0      0    16  -  DL    9:40AM    0:00.00 [pagezero]
              root      21  0.0  0.0      0    16  -  DL    9:40AM    0:00.40 [bufdaemon]
              root      22  0.0  0.0      0    16  -  DL    9:40AM    0:06.70 [syncer]
              root      23  0.0  0.0      0    16  -  DL    9:40AM    0:00.41 [vnlru]
              root      59  0.0  0.0      0    16  -  DL    9:40AM    0:00.85 [md0]
              root      248  0.0  2.3 222072 23468  -  Ss    9:40AM    0:03.12 php-fpm: master process (/usr/local/lib/php-fpm.conf) (php-fpm)
              root      264  0.0  0.3  19024  2560  -  INs  9:40AM    0:00.03 /usr/local/sbin/check_reload_status
              root      266  0.0  0.2  19024  2408  -  IN    9:40AM    0:00.00 check_reload_status: Monitoring daemon of check_reload_status
              root      276  0.0  0.4  13164  4424  -  Is    9:40AM    0:00.05 /sbin/devd
              root    1823  0.0  0.7  46668  6612  -  S    5:21PM    0:01.29 /usr/local/sbin/lighttpd -f /var/etc/lighty-webConfigurator.conf
              root    4613  0.0  0.2  14664  2300  -  Is    9:40AM    0:00.27 /usr/sbin/syslogd -s -c -c -l /var/dhcpd/var/run/log -P /var/run/syslog.pid -f /var/etc/syslog.conf
              root    9280  0.0  0.5  32428  5228  -  Is    9:40AM    0:00.00 /usr/sbin/sshd
              root    9298  0.0  0.2  14756  2224  -  Is    9:40AM    0:00.01 /usr/local/sbin/sshlockout_pf 15
              root    13706  0.0  0.2  16812  2340  -  Ss    9:40AM    0:01.66 /usr/local/sbin/filterlog -i pflog0 -p /var/run/filterlog.pid
              root    14640  0.0  0.2  18788  2348  -  Is    9:40AM    0:00.01 /usr/sbin/inetd -wW -R 0 -a 127.0.0.1 /var/etc/inetd.conf
              root    15405  0.0  0.5  21720  5264  -  Ss    9:40AM    0:00.48 /usr/local/sbin/openvpn --config /var/etc/openvpn/server1.conf
              root    18624  0.0  0.2  12460  2180  -  Ss    9:40AM    0:12.62 /usr/local/sbin/apinger -c /var/etc/apinger.conf
              root    18650  0.0  0.3  28316  3004  -  I    9:40AM    0:00.51 rrdtool -
              root    27651  0.0  3.9 222072 39704  -  I    11:45PM    0:00.05 php-fpm: pool lighty (php-fpm)
              root    47414  0.0  1.8  28168 18052  -  Ss    9:42AM    0:04.87 /usr/local/sbin/ntpd -g -c /var/etc/ntpd.conf -p /var/run/ntpd.pid
              root    49311  0.0  0.2  8312  1960  -  SN  11:58PM    0:00.00 sleep 60
              root    49983  0.0  0.6  55632  6124  -  Ss  11:00PM    0:00.16 sshd: root@pts/0 (sshd)
              root    51653  0.0  0.2  8312  1960  -  S    11:58PM    0:00.00 sleep 55
              root    55975  0.0  0.2  17144  2488  -  S    9:46AM    0:00.74 /bin/sh /usr/local/pkg/sqpmon.sh
              root    60436  0.0  0.6  32240  6472  -  Is    9:46AM    0:00.00 /usr/local/sbin/squid -D
              proxy  60942  0.0  0.9  44528  9464  -  S    9:46AM    0:04.90 (squid) -D (squid)
              proxy  60997  0.0  0.2  10416  2016  -  I    9:46AM    0:00.00 (unlinkd) (unlinkd)
              unbound 62716  0.0  1.1  41400 10768  -  Is    6:58PM    0:00.40 /usr/sbin/unbound -c /var/unbound/unbound.conf
              root    67843  0.0  0.3  17144  2700  -  SN    6:58PM    0:02.40 /bin/sh /var/db/rrd/updaterrd.sh
              root      24  0.0  0.2  17144  2180 v0  Is+  9:40AM    0:00.03 sh /etc/rc autoboot
              root      269  0.0  4.7 230164 47436 v0  I+    9:40AM    0:00.56 /usr/local/bin/php -f /etc/rc.bootup
              root    28423  0.0  0.2  8312  1960 v0  I+  11:58PM    0:00.00 sleep 60
              root    91693  0.0  0.0      0    0 v0  Z+    9:40AM    0:00.01 <defunct>
              root    92287  0.0  0.2  17144  2400 v0  I+    9:40AM    0:00.17 /bin/sh /usr/local/sbin/xe-daemon -p /var/run/xe-daemon.pid
              root    50834  0.0  0.3  17144  2784  0  Is  11:00PM    0:00.01 -sh (sh)
              root    51156  0.0  0.3  17144  2672  0  I    11:00PM    0:00.00 /bin/sh /etc/rc.initial
              root    52860  0.0  0.2  18816  2384  0  R+  11:58PM    0:00.00 ps auxx
              root    74437  0.0  0.4  17484  3708  0  S    11:00PM    0:00.06 /bin/tcsh
              [2.2-BETA][root@c3po.wks20.de]/root:

              If I read the XML config correctly, the HA sync should be enabled.

              Thanks a million for your help

              cheers
              volki

                cmb

                yeah that seems fine. How'd you get Xen tools on there? Anything else you've manually installed? Can you ping the secondary's 10.x.x.x IP from the primary?

                  neuernick

                  pkg install xe-guest-utilty

                  Ping works fine.
                  telnet 10.10.1.2 80 GET gives a valid HTML output.
                  Installed and configured so far are squid and openvpn.

                  I will reinstall out of the box again, and try to accomplish pfsync/configsync before I do all the fancy stuff; it might be a sequence issue.

                    eri--

                    Normally you should have some output on the system logs containing sync or XMLRPC on it.
                    Can you show that?

                    Or even run /etc/rc.filter_synchronize manually and see how it goes.

                      neuernick

                      Hi

                      I ran /etc/rc.filter_synchronize manually and it made no change at all.

                      I reinstalled both instances and now the config sync is working fine.

                      I did not reinstall the xe utils.
                      I did not reinstall squid and the openvpnclientpack.

                      I'll keep you posted.

                        neuernick

                        Hi, I reinstalled, set up the config/pfsync, and started with the config afterwards.

                        this it works… ish

                        And after playing with squid, I checked the slave, and all of a sudden it was not syncing any more.

                        I used the squid 2 package.

                          neuernick

                          And it is not working again :/

                          I updated via the web GUI to the latest version, and reinstalled the shellcmd + openvpnClientExport packages.

                          Invoking
                          /etc/rc.filter_synchronize
                          does not help.

                            neuernick

                            Just a bump, to highlight that I am back in problem land :)

                              neuernick

                              Hi

                              I dumped the log files and went over every single entry.

                              This one got my attention:

                              php-fpm[70539]: /xmlrpc.php: The command '/usr/sbin/pw groupadd -g -M 2001 2>&1' returned exit code '65', the output was 'pw: group name required'

                              There is one user without a group; I fixed this and all of a sudden the pfsync is working again.

                                cmb

                                Thanks, pretty sure Ermal fixed that one earlier today.
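
The only trace of the failure in this thread was a failed `pw` command in the system log, once from /system_usermanager.php and once from /xmlrpc.php. As an added example (not part of the original thread and not pfSense code), the following Python scans log text for that message format and reports which single-letter flags were passed without a value; the function names and the timestamp on the third sample line are constructed.

```python
import re

# Constructed sample input. The two failing entries are the ones quoted in the
# thread; the timestamp on the /xmlrpc.php line is made up (the post gave none).
SAMPLE_LOG = """\
Nov 7 18:27:20 check_reload_status: Syncing firewall
Nov 7 18:27:20 php-fpm[95925]: /system_usermanager.php: The command '/usr/sbin/pw groupadd -g -M 2001,2002,2003 2>&1' returned exit code '65', the output was 'pw: group name required'
Nov 8 09:12:01 php-fpm[70539]: /xmlrpc.php: The command '/usr/sbin/pw groupadd -g -M 2001 2>&1' returned exit code '65', the output was 'pw: group name required'
"""

# Message format taken from the log lines in the thread.
FAILED_CMD = re.compile(
    r"php-fpm\[\d+\]: (?P<script>/\S+): The command '(?P<cmd>.*?)' "
    r"returned exit code '(?P<code>\d+)', the output was '(?P<out>.*)'$"
)


def empty_flags(cmd):
    """Heuristic: single-letter flags followed directly by another flag, a
    redirect or nothing, i.e. their value was empty when the command was built."""
    words = cmd.split()
    missing = []
    for cur, nxt in zip(words, words[1:] + [""]):
        if re.fullmatch(r"-[A-Za-z]", cur) and (
            not nxt or nxt.startswith("-") or ">" in nxt
        ):
            missing.append(cur)
    return missing


def failed_commands(log_text):
    """Return one record per command that the PHP code logged as failed."""
    hits = []
    for line in log_text.splitlines():
        m = FAILED_CMD.search(line)
        if m and m["code"] != "0":
            hits.append({
                "script": m["script"],  # e.g. /xmlrpc.php, as in the last log line
                "exit_code": int(m["code"]),
                "output": m["out"],
                "empty_flags": empty_flags(m["cmd"]),
            })
    return hits


if __name__ == "__main__":
    for hit in failed_commands(SAMPLE_LOG):
        print(hit)
```

The empty-flag check is a heuristic: it would also report a genuine boolean switch, so treat its output as a pointer to the log line worth reading rather than a verdict.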
