Hello David,

What was the previous PF version before the upgrade?

Thanks,

Ludovic Zammit
Product Support Engineer Principal Lead
Akamai Technologies - Inverse

> On Jan 25, 2024, at 10:02 AM, David Moore via PacketFence-users <packetfence-users@lists.sourceforge.net> wrote:
>
> I recently upgraded to PF 13.1 and have had a few issues, most of which I have been able to resolve. The only lingering issue I'm aware of is with IP Tables, but I'm not positive it's something to be concerned about because PF is working.
>
> My PF server is ZEN running in VMware ESXi. The assigned hardware is 32 GB of RAM, 4 processors and 300 GB of disk space. My network consists of about 30 nodes authenticating with 802.1x (Active Directory and MAC Auth for non-AD devices). Memory and disk space are fine, but the CPU is constantly at 5 GHz of consumption (is that normal for the processor?)
>
> Please see the details from packetfence.log and from systemctl status packetfence-iptables below:
>
> packetfence.log:
> Jan 25 09:43:07 fence pfperl-api-docker-wrapper[562338]: pfperl-api(14) INFO: [mac:[undef]] getting security_events triggers for accounting cleanup (pf::accounting::acct_maintenance)
> Jan 25 09:43:07 fence pfperl-api-docker-wrapper[562338]: pfperl-api(17) INFO: [mac:[undef]] processed 0 security_events during security_event maintenance (1706193787.30847 1706193787.36479) (pf::security_event::security_event_maintenance)
> Jan 25 09:43:15 fence packetfence[562283]: -e(562283) INFO: saving existing iptables to /usr/local/pf/var/iptables.bak (pf::iptables::iptables_save)
> Jan 25 09:43:15 fence packetfence[562283]: -e(562283) WARN: We are using IPSET (pf::ipset::iptables_generate)
> Jan 25 09:43:15 fence packetfence[562283]: -e(562283) INFO: flushing iptables (pf::ipset::iptables_flush_mangle)
> Jan 25 09:43:15 fence packetfence[562283]: -e(562283) INFO: Adding Forward rules to allow connections to the OAuth2 Providers and passthrough. (pf::iptables::generate_passthrough_rules)
> Jan 25 09:43:15 fence packetfence[562283]: -e(562283) INFO: Adding IP based passthrough for connectivitycheck.gstatic.com (pf::iptables::generate_passthrough_rules)
> Jan 25 09:43:15 fence packetfence[562283]: -e(562283) INFO: Adding NAT Masquerade statement. (pf::iptables::generate_passthrough_rules)
> Jan 25 09:43:15 fence packetfence[562283]: -e(562283) INFO: restoring iptables from /usr/local/pf/var/conf/iptables.conf (pf::iptables::iptables_restore)
> Jan 25 09:43:15 fence packetfence[562283]: -e(562283) WARN: Problem trying to run command: LANG=C /sbin/iptables-restore < /usr/local/pf/var/conf/iptables.conf called from iptables_restore. Child exited with non-zero value 2 (pf::util::pf_run)
> Jan 25 09:44:06 fence pfperl-api-docker-wrapper[562338]: pfperl-api(19) INFO: [mac:[undef]] processed 0 security_events during security_event maintenance (1706193846.10912 1706193846.12021) (pf::security_event::security_event_maintenance)
> Jan 25 09:44:07 fence pfperl-api-docker-wrapper[562338]: pfperl-api(15) INFO: [mac:[undef]] Using 300 resolution threshold (pf::pfcron::task::cluster_check::run)
> Jan 25 09:44:07 fence pfperl-api-docker-wrapper[562338]: pfperl-api(14) INFO: [mac:[undef]] getting security_events triggers for accounting cleanup (pf::accounting::acct_maintenance)
> Jan 25 09:44:07 fence pfperl-api-docker-wrapper[562338]: pfperl-api(15) INFO: [mac:[undef]] All cluster members are running the same configuration version (pf::pfcron::task::cluster_check::run)
> Jan 25 09:44:16 fence packetfence[562283]: -e(562283) INFO: saving existing iptables to /usr/local/pf/var/iptables.bak (pf::iptables::iptables_save)
> Jan 25 09:44:16 fence packetfence[562283]: -e(562283) WARN: We are using IPSET (pf::ipset::iptables_generate)
> Jan 25 09:44:16 fence packetfence[562283]: -e(562283) INFO: flushing iptables (pf::ipset::iptables_flush_mangle)
> Jan 25 09:44:16 fence packetfence[562283]: -e(562283) INFO: Adding Forward rules to allow connections to the OAuth2 Providers and passthrough. (pf::iptables::generate_passthrough_rules)
> Jan 25 09:44:16 fence packetfence[562283]: -e(562283) INFO: Adding IP based passthrough for connectivitycheck.gstatic.com (pf::iptables::generate_passthrough_rules)
> Jan 25 09:44:16 fence packetfence[562283]: -e(562283) INFO: Adding NAT Masquerade statement. (pf::iptables::generate_passthrough_rules)
> Jan 25 09:44:16 fence packetfence[562283]: -e(562283) INFO: restoring iptables from /usr/local/pf/var/conf/iptables.conf (pf::iptables::iptables_restore)
> Jan 25 09:44:16 fence packetfence[562283]: -e(562283) WARN: Problem trying to run command: LANG=C /sbin/iptables-restore < /usr/local/pf/var/conf/iptables.conf called from iptables_restore. Child exited with non-zero value 2 (pf::util::pf_run)
> Jan 25 09:45:06 fence pfperl-api-docker-wrapper[562338]: pfperl-api(13) INFO: [mac:[undef]] processed 0 security_events during security_event maintenance (1706193906.17069 1706193906.18816) (pf::security_event::security_event_maintenance)
> Jan 25 09:45:06 fence pfperl-api-docker-wrapper[562338]: pfperl-api(12) INFO: [mac:[undef]] getting security_events triggers for accounting cleanup (pf::accounting::acct_maintenance)
> Jan 25 09:45:07 fence pfperl-api-docker-wrapper[562338]: pfperl-api(13) INFO: [mac:[undef]] Using 300 resolution threshold (pf::pfcron::task::cluster_check::run)
> Jan 25 09:45:07 fence pfperl-api-docker-wrapper[562338]: pfperl-api(13) INFO: [mac:[undef]] All cluster members are running the same configuration version (pf::pfcron::task::cluster_check::run)
> Jan 25 09:45:16 fence packetfence[562283]: -e(562283) INFO: saving existing iptables to /usr/local/pf/var/iptables.bak (pf::iptables::iptables_save)
> Jan 25 09:45:16 fence packetfence[562283]: -e(562283) WARN: We are using IPSET (pf::ipset::iptables_generate)
> Jan 25 09:45:16 fence packetfence[562283]: -e(562283) INFO: flushing iptables (pf::ipset::iptables_flush_mangle)
> Jan 25 09:45:17 fence packetfence[562283]: -e(562283) INFO: Adding Forward rules to allow connections to the OAuth2 Providers and passthrough. (pf::iptables::generate_passthrough_rules)
> Jan 25 09:45:17 fence packetfence[562283]: -e(562283) INFO: Adding IP based passthrough for connectivitycheck.gstatic.com (pf::iptables::generate_passthrough_rules)
> Jan 25 09:45:17 fence packetfence[562283]: -e(562283) INFO: Adding NAT Masquerade statement. (pf::iptables::generate_passthrough_rules)
> Jan 25 09:45:17 fence packetfence[562283]: -e(562283) INFO: restoring iptables from /usr/local/pf/var/conf/iptables.conf (pf::iptables::iptables_restore)
> Jan 25 09:45:17 fence packetfence[562283]: -e(562283) WARN: Problem trying to run command: LANG=C /sbin/iptables-restore < /usr/local/pf/var/conf/iptables.conf called from iptables_restore. Child exited with non-zero value 2 (pf::util::pf_run)
> Jan 25 09:46:06 fence pfperl-api-docker-wrapper[562338]: pfperl-api(15) INFO: [mac:[undef]] processed 0 security_events during security_event maintenance (1706193966.18047 1706193966.2038) (pf::security_event::security_event_maintenance)
> Jan 25 09:46:07 fence pfperl-api-docker-wrapper[562338]: pfperl-api(15) INFO: [mac:[undef]] getting security_events triggers for accounting cleanup (pf::accounting::acct_maintenance)
> Jan 25 09:46:07 fence pfperl-api-docker-wrapper[562338]: pfperl-api(16) INFO: [mac:[undef]] Using 300 resolution threshold (pf::pfcron::task::cluster_check::run)
> Jan 25 09:46:07 fence pfperl-api-docker-wrapper[562338]: pfperl-api(16) INFO: [mac:[undef]] All cluster members are running the same configuration version (pf::pfcron::task::cluster_check::run)
> Jan 25 09:46:17 fence packetfence[562283]: -e(562283) INFO: saving existing iptables to /usr/local/pf/var/iptables.bak (pf::iptables::iptables_save)
>
> systemctl status packetfence-iptables:
> ● packetfence-iptables.service - PacketFence Iptables configuration
>      Loaded: loaded (/lib/systemd/system/packetfence-iptables.service; enabled; vendor preset: enabled)
>      Active: active (running) since Wed 2024-01-24 14:15:55 EST; 1h 17min ago
>    Main PID: 562283 (perl)
>       Tasks: 1 (limit: 38474)
>      Memory: 188.3M
>         CPU: 46.312s
>      CGroup: /packetfence.slice/packetfence-iptables.service
>              └─562283 /usr/bin/perl -I/usr/local/pf/lib -I/usr/local/pf/lib_perl/lib/perl5 -Mpf::db -Mpf::services::manager::iptables -e my $db ; while(!$db) { eval { $db = db_ping() } ; sleep 1 } ; pf::services::manager::iptables->new()->startAndCheck()
>
> Jan 24 15:33:11 fence.sixmoore.com sudo[752059]: pam_unix(sudo:session): session closed for user root
> Jan 24 15:33:11 fence.sixmoore.com sudo[752062]: root : PWD=/ ; USER=root ; COMMAND=/usr/sbin/ipset --add pfsession_passthrough 172.217.13.99,443
> Jan 24 15:33:11 fence.sixmoore.com sudo[752062]: pam_unix(sudo:session): session opened for user root(uid=0) by (uid=0)
> Jan 24 15:33:11 fence.sixmoore.com sudo[752062]: pam_unix(sudo:session): session closed for user root
> Jan 24 15:33:11 fence.sixmoore.com packetfence[562283]: -e(562283) INFO: Adding NAT Masquerade statement. (pf::iptables::generate_passthrough_rules)
> Jan 24 15:33:11 fence.sixmoore.com packetfence[562283]: -e(562283) INFO: restoring iptables from /usr/local/pf/var/conf/iptables.conf (pf::iptables::iptables_restore)
> Jan 24 15:33:11 fence.sixmoore.com perl[752066]: iptables-restore v1.8.7 (nf_tables): invalid port/service `%%httpd_collector_port%%' specified
> Jan 24 15:33:11 fence.sixmoore.com perl[752066]: Error occurred at line: 62
> Jan 24 15:33:11 fence.sixmoore.com perl[752066]: Try `iptables-restore -h' or 'iptables-restore --help' for more information.
> Jan 24 15:33:11 fence.sixmoore.com packetfence[562283]: -e(562283) WARN: Problem trying to run command: LANG=C /sbin/iptables-restore < /usr/local/pf/var/conf/iptables.conf called from iptables_restore. Child exited with non-zero value 2 (pf::util::pf_run)
>
> I looked at the /usr/local/pf/var/conf/iptables.conf file and line 62 reads:
> -A input-management-if --protocol tcp --match tcp --dport %%httpd_collector_port%% --jump ACCEPT
>
> Thanks
> Dave
> _______________________________________________
> PacketFence-users mailing list
> PacketFence-users@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/packetfence-users
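
The `iptables-restore` error quoted above is the parser rejecting the literal, unsubstituted token `%%httpd_collector_port%%` where a port is expected. As an added example (not part of the thread and not PacketFence code), this shell function lists every `%%name%%` token left in a rendered ruleset with its line number; the function names and the sample file are constructed here, and only the final `-A` rule is copied from the thread.

```shell
#!/bin/sh
# Added example: report template placeholders (%%name%%) that were never
# substituted in a generated iptables-restore ruleset.

# Print "LINE:TOKEN" for every %%name%% token on a non-comment line of $1.
# Return status: 0 = clean, 1 = placeholders found, 2 = file unreadable.
find_unrendered_placeholders() {
    [ -r "$1" ] || { echo "cannot read $1" >&2; return 2; }
    awk '
        /^[ \t]*#/ { next }        # skip comment lines
        {
            rest = $0
            # a rule may carry more than one token, so consume the line
            while (match(rest, /%%[A-Za-z0-9_]+%%/)) {
                printf "%d:%s\n", NR, substr(rest, RSTART, RLENGTH)
                rest = substr(rest, RSTART + RLENGTH)
                found = 1
            }
        }
        END { exit (found ? 1 : 0) }
    ' "$1"
}

# Write a constructed sample ruleset to $1 (not the poster's file).
make_sample_ruleset() {
    cat > "$1" <<'EOF'
# constructed sample
*filter
:INPUT DROP [0:0]
:input-management-if - [0:0]
-A input-management-if --protocol tcp --match tcp --dport 22 --jump ACCEPT
-A input-management-if --protocol tcp --match tcp --dport %%httpd_collector_port%% --jump ACCEPT
COMMIT
EOF
}

# Stand-alone use: sh this_script /usr/local/pf/var/conf/iptables.conf
if [ "${1:-}" ]; then find_unrendered_placeholders "$1"; fi
```

Once the scan comes back clean, `iptables-restore --test < file` (run as root) parses the ruleset without committing it.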
