So I'm still getting the same results. I've taken notice to the time of the log
entries as well: After my test PC is registered and authenticated it will get
rejected exactly 4 hours later. The last few times it's been kicked off the
network it was always exactly 4 hours after the radius acceptance time. The
node, however, has an unreg date of 1 year from now. I get errors saying PF
can't connect to mysql at the time of the pc getting rejected but at the same
time if I plug a separate PC into the same switch, it gets accepted fine by PF.
It seems like the rejected PC keeps trying to get authorized from the
passive/slave server in my cluster setup.
Passive Server Radius logs:
Feb 15 08:02:08 httpd.aaa(3083) ERROR: [mac:c8:5b:76:6e:34:59] radius authorize
failed with error: DBIx::Class::Storage::DBI::catch {...} (): DBI Connection
failed: Can't connect to local MySQL server through socket
'/var/lib/mysql/mysql.sock' (2) at
/usr/share/perl5/vendor_perl/DBIx/Class/Storage/DBI.pm line 1492. at
/usr/local/pf/lib/fingerbank/Base/CRUD.pm line 416
(pf::api::radius_authorize)
Feb 15 08:02:08 httpd.aaa(3083) WARN: [mac:c8:5b:76:6e:34:59] Use of
uninitialized value $radius_return in numeric eq (==) at
/usr/local/pf/lib/pf/radius/rest.pm line 47.
(pf::radius::rest::format_response)
Feb 15 08:02:08 httpd.aaa(3083) WARN: [mac:c8:5b:76:6e:34:59] Use of
uninitialized value $radius_return in numeric eq (==) at
/usr/local/pf/lib/pf/radius/rest.pm line 52.
(pf::radius::rest::format_response)
[root@packetfence2 pf_admin]# tail /usr/local/pf/logs/radius.log
Wed Feb 15 08:02:08 2017 : ERROR: (20) rest: ERROR:
{"reply:PacketFence-Authorization-Status":"allow"}
Wed Feb 15 08:02:08 2017 : Info: rlm_rest (rest): Need 2 more connections to
reach 10 spares
Wed Feb 15 08:02:08 2017 : Info: rlm_rest (rest): Opening additional connection
(45), 1 of 63 pending slots used
Wed Feb 15 08:02:08 2017 : Info: rlm_sql (sql): Closing connection (43): Hit
idle_timeout, was idle for 71074 seconds
Wed Feb 15 08:02:08 2017 : Info: rlm_sql (sql): Closing connection (44): Hit
idle_timeout, was idle for 71074 seconds
Wed Feb 15 08:02:08 2017 : Info: rlm_sql (sql): Opening additional connection
(45), 1 of 64 pending slots used
Wed Feb 15 08:02:08 2017 : Info: rlm_sql (sql): Need 2 more connections to
reach 10 spares
Wed Feb 15 08:02:08 2017 : Info: rlm_sql (sql): Opening additional connection
(46), 1 of 63 pending slots used
Wed Feb 15 08:02:08 2017 : [mac:c8:5b:76:6e:34:59] Accepted user: and returned
VLAN
Wed Feb 15 08:02:08 2017 : Auth: (20) Rejected in post-auth: [c85b766e3459]
(from client pf port 13 cli c8:5b:76:6e:34:59)
Master server Radius log from the same time period and a different PC:
Wed Feb 15 08:03:23 2017 : [mac:68:f7:28:85:34:78] Accepted user: and returned
VLAN 10
Wed Feb 15 08:03:23 2017 : Auth: (9) Login OK: [68f728853478] (from client pf
port 19 cli 68:f7:28:85:34:78)
________________________________
From: Campanaro, Michael <[email protected]>
Sent: Tuesday, February 14, 2017 8:10 AM
To: [email protected]
Subject: Re: [PacketFence-users] Active/Passive cluster - Slave server
rejecting user Auth
Fabrice,
I have no max_connections line set up in my /etc/my.cnf, should I add that line
in with a set number? I'm not sure how that could cause it as the test PC I'm
having problems with is the only PC I had connected to PacketFence at the
moment as I'm still testing it before deployment. My two servers are on two
CentOS 7 vm's so the disks are virtual, I don't think there should be any io
issues. I'll try adding the max connections line though and see if I have
better results.
Thanks,
Mike
________________________________
From: Durand fabrice <[email protected]>
Sent: Monday, February 13, 2017 8:26 PM
To: [email protected]
Subject: Re: [PacketFence-users] Active/Passive cluster - Slave server
rejecting user Auth
Michael,
so first check how many maximum connection are configured in my.cnf (or
equivalent) then raise this value.
It can also be something related to the disk io, if the disk is slow then the
number of threads can raise too.
Regards
Fabrice
Le 2017-02-13 à 15:34, Campanaro, Michael a écrit :
Fabrice,
I checked the mariadb logs but don't see anything out of the ordinary in them.
There are no errors or warnings. I looked at the DB graph on the status tab of
the admin gui and what I noticed is that around the time I last had my issue
the connected thread count increased considerably.
________________________________
From: Fabrice Durand <[email protected]><mailto:[email protected]>
Sent: Monday, February 13, 2017 2:56 PM
To:
[email protected]<mailto:[email protected]>
Subject: Re: [PacketFence-users] Active/Passive cluster - Slave server
rejecting user Auth
Hello Michael,
there is probably some logs from mysql, also can you check the status tab on
the admin gui and check the graph related to the DB.
You will probably be able to see if there is something wrong from the graph.
Regards
Fabrice
Le 2017-02-13 à 14:29, Campanaro, Michael a écrit :
Hey Fabrice,
I checked back through the logs and found this error at the time when my test
PC was rejected:
Feb 13 12:43:38 httpd.aaa(3846) ERROR: [mac:c8:5b:76:6e:34:59] radius authorize
failed with error: DBIx::Class::Storage::DBI::catch {...} (): DBI Connection
failed: Can't connect to local MySQL server through socket
'/var/lib/mysql/mysql.sock' (2) at
/usr/share/perl5/vendor_perl/DBIx/Class/Storage/DBI.pm line 1492. at
/usr/local/pf/lib/fingerbank/Base/CRUD.pm line 416
(pf::api::radius_authorize)
Any ideas as to why I would lose connection to my database like that out of
nowhere? Like I said everything is fine for a few hours but then the PC gets
kicked randomly so I'm not sure what could be causing it.
Thanks,
-Mike
________________________________
From: Fabrice Durand <[email protected]><mailto:[email protected]>
Sent: Monday, February 13, 2017 1:54 PM
To:
[email protected]<mailto:[email protected]>
Subject: Re: [PacketFence-users] Active/Passive cluster - Slave server
rejecting user Auth
Hello Michael,
it looks that the issue is MySQL.
Can you check when it happen if it's possible to connect to the DB ?
Regards
Fabrice
Le 2017-02-13 à 13:34, Campanaro, Michael a écrit :
I have an Active/Passive cluster setup between two PF servers but have been
having an issue lately. After I register and authenticate my test PC,
everything works fine for a few hours but then randomly my connection will drop
and I am placed in the default VLAN with no internet connection. If I go to the
Audit page on the Admin gui, it shows a bunch of Access-Reject messages for my
PC even though it was previously registered and accepted earlier in the day.
I check the logs on my master server and I see nothing out of the ordinary. But
when I check the logs on my slave server I get multiple warning and error
messages. Below are some relevant log entries I'm getting on my slave server:
Packetfence.log:
Feb 13 12:42:36 httpd.aaa(3846) INFO: [mac:c8:5b:76:6e:34:59] Database
/usr/local/fingerbank/db/fingerbank_Local.db was changed or handles weren't
initialized. Creating handle. (fingerbank::DB::SQLite::build_handle)
Feb 13 12:42:36 httpd.aaa(3846) WARN: [mac:c8:5b:76:6e:34:59] Use of
uninitialized value $mysql_ver in numeric lt (<) at
/usr/share/perl5/vendor_perl/DBIx/Class/Storage/DBI/mysql.pm line 117.
(DBIx::Class::Storage::DBI::mysql::sql_maker)
Feb 13 12:42:36 httpd.aaa(3846) WARN: [mac:c8:5b:76:6e:34:59] Use of
uninitialized value $mysql_ver in numeric lt (<) at
/usr/share/perl5/vendor_perl/DBIx/Class/Storage/DBI/mysql.pm line 117.
(DBIx::Class::Storage::DBI::mysql::sql_maker)
Feb 13 12:42:36 httpd.aaa(3846) WARN: [mac:c8:5b:76:6e:34:59] Use of
uninitialized value $mysql_ver in numeric lt (<) at
/usr/share/perl5/vendor_perl/DBIx/Class/Storage/DBI/mysql.pm line 117.
(DBIx::Class::Storage::DBI::mysql::sql_maker)
Feb 13 12:42:36 httpd.aaa(3846) ERROR: [mac:c8:5b:76:6e:34:59] radius authorize
failed with error: DBIx::Class::Storage::DBI::catch {...} (): DBI Connection
failed: Can't connect to local MySQL server through socket
'/var/lib/mysql/mysql.sock' (2) at
/usr/share/perl5/vendor_perl/DBIx/Class/Storage/DBI.pm line 1492. at
/usr/local/pf/lib/fingerbank/Base/CRUD.pm line 416
Radius.log:
Mon Feb 13 12:42:35 2017 : [mac:c8:5b:76:6e:34:59] Accepted user: and returned
VLAN
Mon Feb 13 12:42:36 2017 : Auth: (4) Rejected in post-auth: [c85b766e3459]
(from client pf port 9 cli c8:5b:76:6e:34:59)
Mon Feb 13 12:43:38 2017 : Info: rlm_rest (rest): Closing connection (6): Hit
idle_timeout, was idle for 65 seconds
Mon Feb 13 12:43:38 2017 : Info: rlm_rest (rest): Closing connection (5): Hit
idle_timeout, was idle for 62 seconds
Mon Feb 13 12:43:38 2017 : Info: rlm_rest (rest): Closing connection (7): Hit
idle_timeout, was idle for 62 seconds
Mon Feb 13 12:43:38 2017 : Info: rlm_rest (rest): Opening additional connection
(8), 1 of 64 pending slots used
Mon Feb 13 12:43:38 2017 : ERROR: (5) rest: ERROR: Server returned:
Mon Feb 13 12:43:38 2017 : ERROR: (5) rest: ERROR:
{"reply:PacketFence-Authorization-Status":"allow"}
It also seems that the only way I can get my test PC connected properly again
is if I reboot the slave server. But that only fixes my problem for another few
hours as this cycle keeps repeating. Any ideas as to what could be wrong?
------------------------------------------------------------------------------
Check out the vibrant tech community on one of the world's most
engaging tech sites, SlashDot.org! http://sdm.link/slashdot
_______________________________________________
PacketFence-users mailing list
[email protected]<mailto:[email protected]>
https://lists.sourceforge.net/lists/listinfo/packetfence-users
--
Fabrice Durand
[email protected]<mailto:[email protected]> :: +1.514.447.4918 (x135) ::
www.inverse.ca<http://www.inverse.ca>
Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu) and PacketFence
(http://packetfence.org)
------------------------------------------------------------------------------
Check out the vibrant tech community on one of the world's most
engaging tech sites, SlashDot.org! http://sdm.link/slashdot
_______________________________________________
PacketFence-users mailing list
[email protected]<mailto:[email protected]>
https://lists.sourceforge.net/lists/listinfo/packetfence-users
--
Fabrice Durand
[email protected]<mailto:[email protected]> :: +1.514.447.4918 (x135) ::
www.inverse.ca<http://www.inverse.ca>
Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu) and PacketFence
(http://packetfence.org)
------------------------------------------------------------------------------
Check out the vibrant tech community on one of the world's most
engaging tech sites, SlashDot.org! http://sdm.link/slashdot
_______________________________________________
PacketFence-users mailing list
[email protected]<mailto:[email protected]>
https://lists.sourceforge.net/lists/listinfo/packetfence-users
------------------------------------------------------------------------------
Check out the vibrant tech community on one of the world's most
engaging tech sites, SlashDot.org! http://sdm.link/slashdot
_______________________________________________
PacketFence-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/packetfence-users
