Hello Misbah, We only an issue with chunk = ‘8192’ for EAP TLS and not EAP PEAP.
I way too big to cover your entire cluster config on the mailing list, I will suggest you to take some consulting hours with Akamai and we will do a sanity check on your cluster to see why the database would disconnect. Thanks, Ludovic Zammit Product Support Engineer Principal Cell: +1.613.670.8432 Akamai Technologies - Inverse 145 Broadway Cambridge, MA 02142 Connect with Us: <https://community.akamai.com/> <http://blogs.akamai.com/> <https://twitter.com/akamai> <http://www.facebook.com/AkamaiTechnologies> <http://www.linkedin.com/company/akamai-technologies> <http://www.youtube.com/user/akamaitechnologies?feature=results_main> > On Apr 13, 2022, at 7:14 PM, Misbah Hussaini <misbhaud...@gmail.com> wrote: > > Hello Ludovic, > > Again we had an outage and this time it looks like DB had some sort of > locking issues. The temp fix was to restart the mariadb service. I'm running > PF 11.2 with 3 nodes cluster doing 802.1x and mac auth and I see below > messages in packetfence.log at the time when the problem began and these > messages continued till DB was restarted. > > Packetfence.log: > > Apr 13 21:47:12 NAC1 pfqueue[3025858]: pfqueue(3025858) ERROR: [mac:unknown] > Database query failed with non retryable error: Lock wait timeout exceeded; > try restarting transaction (errno: 1205) [INSERT INTO `node` ( `autoreg`, > `bandwidth_balance`, `bypass_role_id`, `bypass_vlan`, `category_id`, > `computername`, `detect_date`, `device_class`, `device_manufacturer`, > `device_score`, `device_type`, `device_version`, `dhcp6_enterprise`, > `dhcp6_fingerprint`, `dhcp_fingerprint`, `dhcp_vendor`, `last_arp`, > `last_dhcp`, `last_seen`, `lastskip`, `mac`, `machine_account`, `notes`, > `pid`, `regdate`, `sessionid`, `status`, `tenant_id`, `time_balance`, > `unregdate`, `user_agent`, `voip`) VALUES ( ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, > ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ? ) ON DUPLICATE > KEY UPDATE `last_dhcp` = ?, `tenant_id` = ?]{no, NULL, NULL, , NULL, > SEPC4143C97B434, 2021-12-23 14:27:33, VoIP Device, Cisco Systems, Inc, 76, > Cisco IP Phone CP-7945G, , , , 1,66,6,3,15,150,35, Cisco Systems, Inc. IP > Phone CP-7945G, 0000-00-00 00:00:00, 2022-04-13 21:46:21, 2021-12-24 > 20:10:12, 0000-00-00 00:00:00, c4:14:3c:97:b4:34, NULL, , default, 0000-00-00 > 00:00:00, , unreg, 1, NULL, 0000-00-00 00:00:00, , no, 2022-04-13 21:46:21, > 1} (pf::dal::db_execute) > Apr 13 21:47:12 NAC1 pfqueue[3025858]: pfqueue(3025858) ERROR: [mac:unknown] > Unable to modify node 'c4:14:3c:97:b4:34 (pf::node::node_modify) > Apr 13 21:47:28 NAC1 pfqueue[3028686]: pfqueue(3028686) WARN: > [mac:00:11:22:33:44:55] Unable to pull accounting history for device > 00:11:22:33:44:55. The history set doesn't exist yet. > (pf::accounting_events_history::latest_mac_history) > Apr 13 21:47:38 NAC1 pfqueue[3028686]: pfqueue(3028686) WARN: > [mac:00:11:22:33:44:55] Unable to pull accounting history for device > 00:11:22:33:44:55. The history set doesn't exist yet. > (pf::accounting_events_history::latest_mac_history) > Apr 13 21:47:42 NAC1 pfqueue[3028686]: pfqueue(3028686) WARN: > [mac:00:11:22:33:44:55] Unable to pull accounting history for device > 00:11:22:33:44:55. The history set doesn't exist yet. > (pf::accounting_events_history::latest_mac_history) > Apr 13 21:47:52 NAC1 pfqueue[3028686]: pfqueue(3028686) WARN: > [mac:00:11:22:33:44:55] Unable to pull accounting history for device > 00:11:22:33:44:55. The history set doesn't exist yet. > (pf::accounting_events_history::latest_mac_history) > Apr 13 21:47:53 NAC1 packetfence[3029093]: pfperl-api(2533174) INFO: Using > 300 resolution threshold (pf::pfcron::task::cluster_check::run) > Apr 13 21:47:53 NAC1 packetfence[3029094]: pfperl-api(2828317) INFO: > processed 0 security_events during security_event maintenance > (1649872073.11399 1649872073.12087) > (pf::security_event::security_event_maintenance) > Apr 13 21:47:53 NAC1 packetfence[3029094]: pfperl-api(2828317) INFO: > processed 0 security_events during security_event maintenance > (1649872073.12281 1649872073.12537) > (pf::security_event::security_event_maintenance) > Apr 13 21:47:53 NAC1 packetfence[3029095]: pfperl-api(2426219) INFO: getting > security_events triggers for accounting cleanup > (pf::accounting::acct_maintenance) > Apr 13 21:47:53 NAC1 packetfence[3029093]: pfperl-api(2533174) INFO: All > cluster members are running the same configuration version > (pf::pfcron::task::cluster_check::run) > Apr 13 21:48:03 NAC1 pfqueue[3025858]: pfqueue(3025858) ERROR: [mac:unknown] > Database query failed with non retryable error: Lock wait timeout exceeded; > try restarting transaction (errno: 1205) [INSERT INTO `node` ( `autoreg`, > `bandwidth_balance`, `bypass_role_id`, `bypass_vlan`, `category_id`, > `computername`, `detect_date`, `device_class`, `device_manufacturer`, > `device_score`, `device_type`, `device_version`, `dhcp6_enterprise`, > `dhcp6_fingerprint`, `dhcp_fingerprint`, `dhcp_vendor`, `last_arp`, > `last_dhcp`, `last_seen`, `lastskip`, `mac`, `machine_account`, `notes`, > `pid`, `regdate`, `sessionid`, `status`, `tenant_id`, `time_balance`, > `unregdate`, `user_agent`, `voip`) VALUES ( ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, > ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ? ) ON DUPLICATE > KEY UPDATE `last_dhcp` = ?, `tenant_id` = ?]{no, NULL, NULL, , NULL, > Admin-PC, 2021-12-22 14:45:32, Windows OS, Dell Inc., 78, Microsoft Windows > Kernel 10.0, 10.0, , , 1,3,6,15,31,33,43,44,46,47,119,121,249,252, MSFT 5.0, > 0000-00-00 00:00:00, 2022-04-13 21:47:12, 2022-04-13 21:45:43, 0000-00-00 > 00:00:00, 98:90:96:cb:a3:02, NULL, , default, 0000-00-00 00:00:00, , unreg, > 1, NULL, 0000-00-00 00:00:00, , no, 2022-04-13 21:47:12, 1} > (pf::dal::db_execute) > Apr 13 21:48:03 NAC1 pfqueue[3025858]: pfqueue(3025858) ERROR: [mac:unknown] > Unable to modify node '98:90:96:cb:a3:02 (pf::node::node_modify) > Apr 13 21:48:08 NAC1 pfqueue[3028686]: pfqueue(3028686) WARN: > [mac:00:11:22:33:44:55] Unable to pull accounting history for device > 00:11:22:33:44:55. The history set doesn't exist yet. > (pf::accounting_events_history::latest_mac_history) > Apr 13 21:48:19 NAC1 pfqueue[3028686]: pfqueue(3028686) WARN: > [mac:00:11:22:33:44:55] Unable to pull accounting history for device > 00:11:22:33:44:55. The history set doesn't exist yet. > (pf::accounting_events_history::latest_mac_history) > Apr 13 21:48:22 NAC1 pfqueue[3028686]: pfqueue(3028686) WARN: > [mac:00:11:22:33:44:55] Unable to pull accounting history for device > 00:11:22:33:44:55. The history set doesn't exist yet. > (pf::accounting_events_history::latest_mac_history) > > These are the messages in radius.log: > > > Apr 13 21:44:24 NAC1 auth[2559747]: (49313) Login OK: [prntnacact] (from > client 192.168.254.12/32 > <https://urldefense.com/v3/__http://192.168.254.12/32__;!!GjvTz_vk!X8YZVKku_bNrqgXpIkdCpp5P1ktjClpCv_a_1WORLYqeCTHsmQD0mNTj2YgDoR55nQ3VfuWUcPDG9cdpfI4$> > port 50335 cli 9c:93:4e:6c:b0:61) > Apr 13 21:45:24 NAC1 auth[2559747]: Adding client 192.168.254.22/32 > <https://urldefense.com/v3/__http://192.168.254.22/32__;!!GjvTz_vk!X8YZVKku_bNrqgXpIkdCpp5P1ktjClpCv_a_1WORLYqeCTHsmQD0mNTj2YgDoR55nQ3VfuWUcPDGU1zM1us$> > Apr 13 21:45:24 NAC1 auth[2559747]: [mac:18:9c:5d:ab:b1:ef] Accepted user: > and returned VLAN > Apr 13 21:45:24 NAC1 auth[2559747]: (49333) Login OK: [189c5dabb1ef] (from > client 192.168.254.22/32 > <https://urldefense.com/v3/__http://192.168.254.22/32__;!!GjvTz_vk!X8YZVKku_bNrqgXpIkdCpp5P1ktjClpCv_a_1WORLYqeCTHsmQD0mNTj2YgDoR55nQ3VfuWUcPDGU1zM1us$> > port 50443 cli 18:9c:5d:ab:b1:ef) > Apr 13 21:48:44 NAC1 auth[2559747]: Adding client 192.168.254.11/32 > <https://urldefense.com/v3/__http://192.168.254.11/32__;!!GjvTz_vk!X8YZVKku_bNrqgXpIkdCpp5P1ktjClpCv_a_1WORLYqeCTHsmQD0mNTj2YgDoR55nQ3VfuWUcPDGuNwZXn0$> > Apr 13 21:48:51 NAC1 auth[2559747]: (49406) rest: ERROR: Server returned no > data > Apr 13 21:48:52 NAC1 auth[2559747]: (49406) Ignoring duplicate packet from > client 192.168.254.11/32 > <https://urldefense.com/v3/__http://192.168.254.11/32__;!!GjvTz_vk!X8YZVKku_bNrqgXpIkdCpp5P1ktjClpCv_a_1WORLYqeCTHsmQD0mNTj2YgDoR55nQ3VfuWUcPDGuNwZXn0$> > port 1645 - ID: 56 due to unfinished request in component authenticate > module eap_peap > Apr 13 21:48:57 NAC1 auth[2559747]: (49406) Ignoring duplicate packet from > client 192.168.254.11/32 > <https://urldefense.com/v3/__http://192.168.254.11/32__;!!GjvTz_vk!X8YZVKku_bNrqgXpIkdCpp5P1ktjClpCv_a_1WORLYqeCTHsmQD0mNTj2YgDoR55nQ3VfuWUcPDGuNwZXn0$> > port 1645 - ID: 56 due to unfinished request in component authenticate > module eap_peap > Apr 13 21:48:58 NAC1 auth[2559747]: Unresponsive child for request 49406, in > component authenticate module eap_peap > Apr 13 21:49:02 NAC1 auth[2559747]: (49411) eap: ERROR: rlm_eap (EAP): No EAP > session matching state 0xb15267b8b65b7e27 > Apr 13 21:49:02 NAC1 auth[2559747]: (49411) eap: ERROR: rlm_eap (EAP): No EAP > session matching state 0xb15267b8b65b7e27 > Apr 13 21:49:02 NAC1 auth[2559747]: [mac:90:1b:0e:45:4b:2e] Rejected user: > DOMAIN-A\USER-1 > Apr 13 21:49:02 NAC1 auth[2559747]: (49411) Login incorrect (eap: rlm_eap > (EAP): No EAP session matching state 0xb15267b8b65b7e27): [DOMAIN-A\USER-1] > (from client 192.168.254.11/32 > <https://urldefense.com/v3/__http://192.168.254.11/32__;!!GjvTz_vk!X8YZVKku_bNrqgXpIkdCpp5P1ktjClpCv_a_1WORLYqeCTHsmQD0mNTj2YgDoR55nQ3VfuWUcPDGuNwZXn0$> > port 50408 cli 90:1b:0e:45:4b:2e) > Apr 13 21:49:16 NAC1 auth[2559747]: (49416) rest: ERROR: Server returned no > data > Apr 13 21:49:17 NAC1 auth[2559747]: (49416) Ignoring duplicate packet from > client 192.168.254.11/32 > <https://urldefense.com/v3/__http://192.168.254.11/32__;!!GjvTz_vk!X8YZVKku_bNrqgXpIkdCpp5P1ktjClpCv_a_1WORLYqeCTHsmQD0mNTj2YgDoR55nQ3VfuWUcPDGuNwZXn0$> > port 1645 - ID: 57 due to unfinished request in component post-auth module > sql_reject > Apr 13 21:49:22 NAC1 auth[2559747]: (49416) Ignoring duplicate packet from > client 192.168.254.11/32 > <https://urldefense.com/v3/__http://192.168.254.11/32__;!!GjvTz_vk!X8YZVKku_bNrqgXpIkdCpp5P1ktjClpCv_a_1WORLYqeCTHsmQD0mNTj2YgDoR55nQ3VfuWUcPDGuNwZXn0$> > port 1645 - ID: 57 due to unfinished request in component post-auth module > sql_reject > Apr 13 21:49:23 NAC1 auth[2559747]: Unresponsive child for request 49416, in > component post-auth module sql_reject > Apr 13 21:49:31 NAC1 auth[2559747]: (49422) rest: ERROR: Server returned no > data > Apr 13 21:49:38 NAC1 auth[2559747]: Unresponsive child for request 49422, in > component post-auth module sql_reject > Apr 13 21:52:19 NAC1 auth[2559747]: Adding client 192.168.254.23/32 > <https://urldefense.com/v3/__http://192.168.254.23/32__;!!GjvTz_vk!X8YZVKku_bNrqgXpIkdCpp5P1ktjClpCv_a_1WORLYqeCTHsmQD0mNTj2YgDoR55nQ3VfuWUcPDGXsZBvhY$> > Apr 13 21:52:23 NAC1 auth[2559747]: (49485) rest: ERROR: Server returned no > data > Apr 13 21:52:24 NAC1 auth[2559747]: (49485) Ignoring duplicate packet from > client 192.168.254.23/32 > <https://urldefense.com/v3/__http://192.168.254.23/32__;!!GjvTz_vk!X8YZVKku_bNrqgXpIkdCpp5P1ktjClpCv_a_1WORLYqeCTHsmQD0mNTj2YgDoR55nQ3VfuWUcPDGXsZBvhY$> > port 1645 - ID: 19 due to unfinished request in component authenticate > module eap_peap > Apr 13 21:52:29 NAC1 auth[2559747]: (49485) Ignoring duplicate packet from > client 192.168.254.23/32 > <https://urldefense.com/v3/__http://192.168.254.23/32__;!!GjvTz_vk!X8YZVKku_bNrqgXpIkdCpp5P1ktjClpCv_a_1WORLYqeCTHsmQD0mNTj2YgDoR55nQ3VfuWUcPDGXsZBvhY$> > port 1645 - ID: 19 due to unfinished request in component authenticate > module eap_peap > Apr 13 21:52:30 NAC1 auth[2559747]: Unresponsive child for request 49485, in > component authenticate module eap_peap > Apr 13 21:52:34 NAC1 auth[2559747]: (49491) eap: ERROR: rlm_eap (EAP): No EAP > session matching state 0x6b3884f06c319d1d > Apr 13 21:52:34 NAC1 auth[2559747]: (49491) eap: ERROR: rlm_eap (EAP): No EAP > session matching state 0x6b3884f06c319d1d > Apr 13 21:52:34 NAC1 auth[2559747]: [mac:9c:93:4e:64:05:03] Rejected user: > prntnacact > Apr 13 21:52:34 NAC1 auth[2559747]: (49491) Login incorrect (eap: rlm_eap > (EAP): No EAP session matching state 0x6b3884f06c319d1d): [prntnacact] (from > client 192.168.254.23/32 > <https://urldefense.com/v3/__http://192.168.254.23/32__;!!GjvTz_vk!X8YZVKku_bNrqgXpIkdCpp5P1ktjClpCv_a_1WORLYqeCTHsmQD0mNTj2YgDoR55nQ3VfuWUcPDGXsZBvhY$> > port 50420 cli 9c:93:4e:64:05:03) > Apr 13 21:52:43 NAC1 auth[2559747]: Adding client 192.168.254.14/32 > <https://urldefense.com/v3/__http://192.168.254.14/32__;!!GjvTz_vk!X8YZVKku_bNrqgXpIkdCpp5P1ktjClpCv_a_1WORLYqeCTHsmQD0mNTj2YgDoR55nQ3VfuWUcPDGwUD4dog$> > Apr 13 21:52:49 NAC1 auth[2559747]: (49503) rest: ERROR: Server returned no > data > > Upon googling I found this post (PacketFence / Re: [PacketFence-users] ERROR: > Server returned no data (sourceforge.net) > <https://urldefense.com/v3/__https://sourceforge.net/p/packetfence/mailman/message/37624251/__;!!GjvTz_vk!X8YZVKku_bNrqgXpIkdCpp5P1ktjClpCv_a_1WORLYqeCTHsmQD0mNTj2YgDoR55nQ3VfuWUcPDGYCuVwO0$>) > to fix the "ERROR: Server returned no data" message and I have added the > chunk = '8192' parameter in rest.conf and now observing whether this message > reappears in the logs. > > With regard to the "Unresponsive Child" message I found this post What does > “unresponsive child” error message mean? | NetworkRADIUS > <https://urldefense.com/v3/__https://networkradius.com/articles/2021/02/10/what-does-unresponsive-child-error-mean.html__;!!GjvTz_vk!X8YZVKku_bNrqgXpIkdCpp5P1ktjClpCv_a_1WORLYqeCTHsmQD0mNTj2YgDoR55nQ3VfuWUcPDGCKCzOL4$> > and it makes me nervous to troubleshoot the issue as it points to slowness > in the DB (which relates well to locking messages in packetfence.log seen > above). The problem is how I can identify the slow queries and fix them (is > it the same query shown in pf log?). Is it advisable to change the current > lock_wait_timeout value to something higher (currently set to 50 secs)? I'm > wondering what other measures can be put in place to avoid this from > recurring, does restarting the sql service daily help me? > > Regards > Misbah > > > On Wed, 13 Apr 2022 at 17:17, Misbah Hussaini <misbhaud...@gmail.com > <mailto:misbhaud...@gmail.com>> wrote: > Hello Ludovic, > > Its already added as a switch and have been working fine for past 1 month but > with few endpoints. When I googled this message, freeradius support list > suggested to increase the max server count, which I did, and the issue was > resolved. The concern I have is whether there are other such parameters which > needs to be fine tuned for Production. > > Also, the config change you suggested for Fingerbank-collector doesnt seemsto > have worked. Currently im unmonitoring fingerbank using below command but I > know it wont survive service restart or server reboots. > > #monit unmonitor packetfence-fingerbank-collectod > > On Wed, 13 Apr 2022, 17:11 Zammit, Ludovic, <luza...@akamai.com > <mailto:luza...@akamai.com>> wrote: > Hello, > > It looks like 192.168.254.14 is trying to ask for an authentication. Add it > as the switch. > > Thanks, > > Ludovic Zammit > Product Support Engineer Principal > > Cell: +1.613.670.8432 > Akamai Technologies - Inverse > 145 Broadway > Cambridge, MA 02142 > Connect with Us: <https://community.akamai.com/> > <http://blogs.akamai.com/> > <https://urldefense.com/v3/__https://twitter.com/akamai__;!!GjvTz_vk!X8YZVKku_bNrqgXpIkdCpp5P1ktjClpCv_a_1WORLYqeCTHsmQD0mNTj2YgDoR55nQ3VfuWUcPDGmf93nOA$> > > <https://urldefense.com/v3/__http://www.facebook.com/AkamaiTechnologies__;!!GjvTz_vk!X8YZVKku_bNrqgXpIkdCpp5P1ktjClpCv_a_1WORLYqeCTHsmQD0mNTj2YgDoR55nQ3VfuWUcPDGAOZt8JE$> > > <https://urldefense.com/v3/__http://www.linkedin.com/company/akamai-technologies__;!!GjvTz_vk!X8YZVKku_bNrqgXpIkdCpp5P1ktjClpCv_a_1WORLYqeCTHsmQD0mNTj2YgDoR55nQ3VfuWUcPDGU4YNUu0$> > > <https://urldefense.com/v3/__http://www.youtube.com/user/akamaitechnologies?feature=results_main__;!!GjvTz_vk!X8YZVKku_bNrqgXpIkdCpp5P1ktjClpCv_a_1WORLYqeCTHsmQD0mNTj2YgDoR55nQ3VfuWUcPDGX66Lolo$> > >> On Apr 12, 2022, at 3:02 AM, Misbah Hussaini <misbhaud...@gmail.com >> <mailto:misbhaud...@gmail.com>> wrote: >> >> Thanks Ludovic, I'm testing this config change. >> >> Meanwhile, I checked the radius log when the issue of auth occurred for us >> and I found below lines. As I mentioned earlier, I increased the max threads >> to a higher value in radius.conf file and the issue was resolved and auth >> started working. Does everybody have to increase this value in Production? >> I'm asking especially because we are planning to increase the number of >> devices (by another 250) and perhaps then I need to use a much higher value >> to avoid recurrence of this problem. >> >> Apr 7 10:06:23 NAC1 auth[368888]: Ignoring request to auth address >> 192.168.197.90 port 1812 bound to server packetfence from unknown client >> 192.168.254.14 port 1645 proto udp >> Apr 7 10:06:25 NAC1 auth[368888]: rlm_sql (sql): No connections available >> and at max connection limit >> Apr 7 10:06:25 NAC1 auth[368888]: Ignoring request to auth address >> 192.168.197.90 port 1812 bound to server packetfence from unknown client >> 192.168.254.14 port 1645 proto udp >> Apr 7 10:06:26 NAC1 auth[368888]: rlm_sql (sql): No connections available >> and at max connection limit >> Apr 7 10:06:26 NAC1 auth[368888]: Ignoring request to auth address >> 192.168.197.90 port 1812 bound to server packetfence from unknown client >> 192.168.254.14 port 1645 proto udp >> Apr 7 10:06:28 NAC1 auth[368888]: rlm_sql (sql): No connections available >> and at max connection limit >> Apr 7 10:06:28 NAC1 auth[368888]: Ignoring request to auth address >> 192.168.197.90 port 1812 bound to server packetfence from unknown client >> 192.168.254.14 port 1645 proto udp >> Apr 7 10:06:30 NAC1 auth[368888]: rlm_sql (sql): No connections available >> and at max connection limit >> Apr 7 10:06:30 NAC1 auth[368888]: Ignoring request to auth address >> 192.168.197.90 port 1812 bound to server packetfence from unknown client >> 192.168.254.14 port 1645 proto udp >> Apr 7 10:06:37 NAC1 auth[368888]: rlm_sql (sql): No connections available >> and at max connection limit >> Apr 7 10:06:37 NAC1 auth[368888]: Ignoring request to auth address >> 192.168.197.90 port 1812 bound to server packetfence from unknown client >> 192.168.254.28 port 1645 proto udp >> Apr 7 10:06:42 NAC1 auth[368888]: rlm_sql (sql): No connections available >> and at max connection limit >> Apr 7 10:06:42 NAC1 auth[368888]: Ignoring request to auth address >> 192.168.197.90 port 1812 bound to server packetfence from unknown client >> 192.168.254.28 port 1645 proto udp >> Apr 7 10:06:57 NAC1 auth[368888]: rlm_sql (sql): No connections available >> and at max connection limit >> Apr 7 10:06:57 NAC1 auth[368888]: Ignoring request to auth address >> 192.168.197.90 port 1812 bound to server packetfence from unknown client >> 192.168.254.13 port 1645 proto udp >> Apr 7 10:07:02 NAC1 auth[368888]: rlm_sql (sql): No connections available >> and at max connection limit >> Apr 7 10:07:02 NAC1 auth[368888]: Ignoring request to auth address >> 192.168.197.90 port 1812 bound to server packetfence from unknown client >> 192.168.254.13 port 1645 proto udp >> Apr 7 10:07:04 NAC1 auth[368888]: rlm_sql (sql): No connections available >> and at max connection limit >> Apr 7 10:07:04 NAC1 auth[368888]: Ignoring request to auth address >> 192.168.197.90 port 1812 bound to server packetfence from unknown client >> 192.168.254.23 port 1645 proto udp >> Apr 7 10:07:07 NAC1 auth[368888]: rlm_sql (sql): No connections available >> and at max connection limit >> Apr 7 10:07:07 NAC1 auth[368888]: Ignoring request to auth address >> 192.168.197.90 port 1812 bound to server packetfence from unknown client >> 192.168.254.13 port 1645 proto udp >> Apr 7 10:07:09 NAC1 auth[368888]: rlm_sql (sql): No connections available >> and at max connection limit >> Apr 7 10:07:09 NAC1 auth[368888]: Ignoring request to auth address >> 192.168.197.90 port 1812 bound to server packetfence from unknown client >> 192.168.254.23 port 1645 proto udp >> Apr 7 10:07:12 NAC1 auth[368888]: rlm_sql (sql): No connections available >> and at max connection limit >> Apr 7 10:07:12 NAC1 auth[368888]: Ignoring request to auth address >> 192.168.197.90 port 1812 bound to server packetfence from unknown client >> 192.168.254.13 port 1645 proto udp >> >> >> >> Regards >> Misbah >> >> >> On Mon, 11 Apr 2022 at 17:19, Zammit, Ludovic <luza...@akamai.com >> <mailto:luza...@akamai.com>> wrote: >> Hello, >> >> You can disable the TCP FB Collector analyzing: >> >> You can disable the TCP fingerprinting by doing >> >> >> # systemctl edit packetfence-fingerbank-collector.service >> >> >> In the editor that opens, add: >> >> >> [Service] >> >> Environment=COLLECTOR_DISABLE_TCP_HANDLER=true >> >> >> Close the editor, then do: >> >> >> # systemctl daemon-reload >> >> # systemctl restart packetfence-fingerbank-collector >> >> >> Thanks, >> >> Ludovic Zammit >> Product Support Engineer Principal >> >> Cell: +1.613.670.8432 >> Akamai Technologies - Inverse >> 145 Broadway >> Cambridge, MA 02142 >> Connect with Us: <https://community.akamai.com/> >> <http://blogs.akamai.com/> >> <https://urldefense.com/v3/__https://twitter.com/akamai__;!!GjvTz_vk!SWp7hL-2PyHJAaiZfWDTkgAbemIa3M4LNPnjmB3JPvhxHR1E_qQlKru872B5eN-rzoWFo7aUcvRhkGXhfII$> >> >> <https://urldefense.com/v3/__http://www.facebook.com/AkamaiTechnologies__;!!GjvTz_vk!SWp7hL-2PyHJAaiZfWDTkgAbemIa3M4LNPnjmB3JPvhxHR1E_qQlKru872B5eN-rzoWFo7aUcvRhn3hmSw4$> >> >> <https://urldefense.com/v3/__http://www.linkedin.com/company/akamai-technologies__;!!GjvTz_vk!SWp7hL-2PyHJAaiZfWDTkgAbemIa3M4LNPnjmB3JPvhxHR1E_qQlKru872B5eN-rzoWFo7aUcvRhiw82adM$> >> >> <https://urldefense.com/v3/__http://www.youtube.com/user/akamaitechnologies?feature=results_main__;!!GjvTz_vk!SWp7hL-2PyHJAaiZfWDTkgAbemIa3M4LNPnjmB3JPvhxHR1E_qQlKru872B5eN-rzoWFo7aUcvRhY_n9_Qc$> >> >>> On Apr 11, 2022, at 2:51 AM, Misbah Hussaini <misbhaud...@gmail.com >>> <mailto:misbhaud...@gmail.com>> wrote: >>> >>> Hello, >>> >>> We are currently doing only wired 802.1x & MAC auth, the server config is >>> >>> Intel(R) Xeon(R) CPU E5-2407 v2 @ 2.40GHz >>> 16GB RAM (Free RAM - 8GB) >>> Running Debian X64. >>> >>> Also, I would like to disable the packetfence-fingerbank-collector from >>> monit config as it is generating too many zombie processes alerts, I guess >>> the monit config is managed by pfcmd geenratemonitconfig but I dunno how to >>> disable specifically fingerbank-collector. >>> >>> Regards >>> Misbah >>> >>> >>> On Sat, 9 Apr 2022 at 00:23, Zammit, Ludovic <luza...@akamai.com >>> <mailto:luza...@akamai.com>> wrote: >>> Hello Misbah, >>> >>> I highly doubt that you would cap a cluster capacity with only 250 devices >>> registered. >>> >>> You have an ongoing issue that need to be fixed. >>> >>> What’s the spec on the PF servers? Are you doing 802.1x or Mac >>> authentication ? Wired ? Wireless? >>> >>> We have cluster of 3 running 10 000 unique radius authentication without >>> choking. >>> >>> Thanks, >>> >>> Ludovic Zammit >>> Product Support Engineer Principal >>> >>> Cell: +1.613.670.8432 >>> Akamai Technologies - Inverse >>> 145 Broadway >>> Cambridge, MA 02142 >>> Connect with Us: <https://community.akamai.com/> >>> <http://blogs.akamai.com/> >>> <https://urldefense.com/v3/__https://twitter.com/akamai__;!!GjvTz_vk!WpjZfRBMI0mVuUAS2zXkY5v4UuJaTKuuP0bM29s40nnrJwz_hjxk8aolOJkcFWvyf6EOzIffTyvneW7Z63Y$> >>> >>> <https://urldefense.com/v3/__http://www.facebook.com/AkamaiTechnologies__;!!GjvTz_vk!WpjZfRBMI0mVuUAS2zXkY5v4UuJaTKuuP0bM29s40nnrJwz_hjxk8aolOJkcFWvyf6EOzIffTyvn00CMBGY$> >>> >>> <https://urldefense.com/v3/__http://www.linkedin.com/company/akamai-technologies__;!!GjvTz_vk!WpjZfRBMI0mVuUAS2zXkY5v4UuJaTKuuP0bM29s40nnrJwz_hjxk8aolOJkcFWvyf6EOzIffTyvnAn0KVkA$> >>> >>> <https://urldefense.com/v3/__http://www.youtube.com/user/akamaitechnologies?feature=results_main__;!!GjvTz_vk!WpjZfRBMI0mVuUAS2zXkY5v4UuJaTKuuP0bM29s40nnrJwz_hjxk8aolOJkcFWvyf6EOzIffTyvnCNH0oAI$> >>> >>>> On Apr 7, 2022, at 4:18 AM, Misbah Hussaini via PacketFence-users >>>> <packetfence-users@lists.sourceforge.net >>>> <mailto:packetfence-users@lists.sourceforge.net>> wrote: >>>> >>>> Hello, >>>> >>>> Firstly, I'm happy with the way Packetfence is working in the environment. >>>> A big thanks to the team for the project and awesome documentation. I have >>>> configured Packetfence in a 3 node cluster and registered 250+ devices so >>>> far. >>>> >>>> I faced a problem with the radius server reaching the max connections >>>> limit and most of the users were disconnected while I fixed the problem >>>> (had to increase the max spare servers to a high value in radius.conf). I >>>> was optimistic with the cluster setup, thinking I should not be facing >>>> downtime issues but didn't realize that a config issue could lead to a >>>> blackout. >>>> >>>> Now, this leads me to wonder if there is a way in which I could have >>>> decreased the downtime for the end users while we fixed the problem in the >>>> config. Also, I would appreciate highlighting any other Production related >>>> settings that need to be fine tuned to avoid such instances in future.. >>>> >>>> >>>> Regards >>>> Misbah >>>> _______________________________________________ >>>> PacketFence-users mailing list >>>> PacketFence-users@lists.sourceforge.net >>>> <mailto:PacketFence-users@lists.sourceforge.net> >>>> https://urldefense.com/v3/__https://lists.sourceforge.net/lists/listinfo/packetfence-users__;!!GjvTz_vk!HgrKFaieZq5jctGQKZZFOfERw1Xxn-35gkE2_VNs6FiuvQnK4pMpdGzvoWG00YjT$ >>>> >>>> <https://urldefense.com/v3/__https://lists.sourceforge.net/lists/listinfo/packetfence-users__;!!GjvTz_vk!HgrKFaieZq5jctGQKZZFOfERw1Xxn-35gkE2_VNs6FiuvQnK4pMpdGzvoWG00YjT$> >>>> >>> >> >
smime.p7s
Description: S/MIME cryptographic signature
_______________________________________________ PacketFence-users mailing list PacketFence-users@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/packetfence-users
