Hello,

You could check if everything is in order in packetfence with 
/usr/local/pf/bin/pfcmd checkup

You could also post your /usr/local/pf/var/conf/haproxy-db.conf

Thanks,

Ludovic Zammit
Product Support Engineer Principal

Cell: +1.613.670.8432
Akamai Technologies - Inverse
145 Broadway
Cambridge, MA 02142
Connect with Us:         <https://community.akamai.com/>  
<http://blogs.akamai.com/>  <https://twitter.com/akamai>  
<http://www.facebook.com/AkamaiTechnologies>  
<http://www.linkedin.com/company/akamai-technologies>  
<http://www.youtube.com/user/akamaitechnologies?feature=results_main>

> On Apr 15, 2022, at 7:22 AM, Misbah Hussaini <misbhaud...@gmail.com> wrote:
> 
> Thanks for that tip Fabrice, yes indeed the host entry was missing from the 
> pf.conf file under the database section but it was there in pfconfig.conf. 
> 
> I have added it to pf.conf and ran the commands below; I will observe to identify 
> if this brings a difference.
> 
> systemctl restart packetfence-config
> /usr/local/pf/bin/pfcmd configreload
> /usr/local/pf/bin/pfcmd service pf restart
> 
> Is there a script to perform a health check on Galera cluster nodes?
> 
> Regards
> 
> 
> On Fri, 15 Apr 2022 at 05:22, Fabrice Durand <oeufd...@gmail.com> wrote:
> Probably a misconfiguration issue.
> https://www.packetfence.org/doc/PacketFence_Clustering_Guide.html#_packetfence_configuration_modification_first_server_only
> 
> Notice host=127.0.0.1
> 
> If you forgot that, then it means that each server will use the local database 
> instance to insert, and it will result in a table lock.
> 
> On Thu, 14 Apr 2022 at 14:22, Zammit, Ludovic via PacketFence-users 
> <packetfence-users@lists.sourceforge.net> wrote:
> Hello Misbah,
> 
> We only had an issue with chunk = '8192' for EAP TLS and not EAP PEAP.
> 
> It is way too big to cover your entire cluster config on the mailing list; I will 
> suggest that you take some consulting hours with Akamai and we will do a sanity 
> check on your cluster to see why the database would disconnect.
> 
> Thanks,
> 
> Ludovic Zammit
> 
>> On Apr 13, 2022, at 7:14 PM, Misbah Hussaini <misbhaud...@gmail.com> wrote:
>> 
>> Hello Ludovic,
>> 
>> Again we had an outage and this time it looks like DB had some sort of 
>> locking issues. The temp fix was to restart the mariadb service. I'm running 
>> PF 11.2 with 3 nodes cluster doing 802.1x and mac auth and I see below 
>> messages in packetfence.log at the time when the problem began and these 
>> messages continued till DB was restarted.
>> 
>> Packetfence.log:
>> 
>> Apr 13 21:47:12 NAC1 pfqueue[3025858]: pfqueue(3025858) ERROR: [mac:unknown] 
>> Database query failed with non retryable error: Lock wait timeout exceeded; 
>> try restarting transaction (errno: 1205) [INSERT INTO `node` ( `autoreg`, 
>> `bandwidth_balance`, `bypass_role_id`, `bypass_vlan`, `category_id`, 
>> `computername`, `detect_date`, `device_class`, `device_manufacturer`, 
>> `device_score`, `device_type`, `device_version`, `dhcp6_enterprise`, 
>> `dhcp6_fingerprint`, `dhcp_fingerprint`, `dhcp_vendor`, `last_arp`, 
>> `last_dhcp`, `last_seen`, `lastskip`, `mac`, `machine_account`, `notes`, 
>> `pid`, `regdate`, `sessionid`, `status`, `tenant_id`, `time_balance`, 
>> `unregdate`, `user_agent`, `voip`) VALUES ( ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, 
>> ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ? ) ON DUPLICATE 
>> KEY UPDATE `last_dhcp` = ?, `tenant_id` = ?]{no, NULL, NULL, , NULL, 
>> SEPC4143C97B434, 2021-12-23 14:27:33, VoIP Device, Cisco Systems, Inc, 76, 
>> Cisco IP Phone CP-7945G, , , , 1,66,6,3,15,150,35, Cisco Systems, Inc. IP 
>> Phone CP-7945G, 0000-00-00 00:00:00, 2022-04-13 21:46:21, 2021-12-24 
>> 20:10:12, 0000-00-00 00:00:00, c4:14:3c:97:b4:34, NULL, , default, 
>> 0000-00-00 00:00:00, , unreg, 1, NULL, 0000-00-00 00:00:00, , no, 2022-04-13 
>> 21:46:21, 1} (pf::dal::db_execute)
>> Apr 13 21:47:12 NAC1 pfqueue[3025858]: pfqueue(3025858) ERROR: [mac:unknown] 
>> Unable to modify node 'c4:14:3c:97:b4:34 (pf::node::node_modify)
>> Apr 13 21:47:28 NAC1 pfqueue[3028686]: pfqueue(3028686) WARN: 
>> [mac:00:11:22:33:44:55] Unable to pull accounting history for device 
>> 00:11:22:33:44:55. The history set doesn't exist yet. 
>> (pf::accounting_events_history::latest_mac_history)
>> Apr 13 21:47:38 NAC1 pfqueue[3028686]: pfqueue(3028686) WARN: 
>> [mac:00:11:22:33:44:55] Unable to pull accounting history for device 
>> 00:11:22:33:44:55. The history set doesn't exist yet. 
>> (pf::accounting_events_history::latest_mac_history)
>> Apr 13 21:47:42 NAC1 pfqueue[3028686]: pfqueue(3028686) WARN: 
>> [mac:00:11:22:33:44:55] Unable to pull accounting history for device 
>> 00:11:22:33:44:55. The history set doesn't exist yet. 
>> (pf::accounting_events_history::latest_mac_history)
>> Apr 13 21:47:52 NAC1 pfqueue[3028686]: pfqueue(3028686) WARN: 
>> [mac:00:11:22:33:44:55] Unable to pull accounting history for device 
>> 00:11:22:33:44:55. The history set doesn't exist yet. 
>> (pf::accounting_events_history::latest_mac_history)
>> Apr 13 21:47:53 NAC1 packetfence[3029093]: pfperl-api(2533174) INFO: Using 
>> 300 resolution threshold (pf::pfcron::task::cluster_check::run)
>> Apr 13 21:47:53 NAC1 packetfence[3029094]: pfperl-api(2828317) INFO: 
>> processed 0 security_events during security_event maintenance 
>> (1649872073.11399 1649872073.12087)  
>> (pf::security_event::security_event_maintenance)
>> Apr 13 21:47:53 NAC1 packetfence[3029094]: pfperl-api(2828317) INFO: 
>> processed 0 security_events during security_event maintenance 
>> (1649872073.12281 1649872073.12537)  
>> (pf::security_event::security_event_maintenance)
>> Apr 13 21:47:53 NAC1 packetfence[3029095]: pfperl-api(2426219) INFO: getting 
>> security_events triggers for accounting cleanup 
>> (pf::accounting::acct_maintenance)
>> Apr 13 21:47:53 NAC1 packetfence[3029093]: pfperl-api(2533174) INFO: All 
>> cluster members are running the same configuration version 
>> (pf::pfcron::task::cluster_check::run)
>> Apr 13 21:48:03 NAC1 pfqueue[3025858]: pfqueue(3025858) ERROR: [mac:unknown] 
>> Database query failed with non retryable error: Lock wait timeout exceeded; 
>> try restarting transaction (errno: 1205) [INSERT INTO `node` ( `autoreg`, 
>> `bandwidth_balance`, `bypass_role_id`, `bypass_vlan`, `category_id`, 
>> `computername`, `detect_date`, `device_class`, `device_manufacturer`, 
>> `device_score`, `device_type`, `device_version`, `dhcp6_enterprise`, 
>> `dhcp6_fingerprint`, `dhcp_fingerprint`, `dhcp_vendor`, `last_arp`, 
>> `last_dhcp`, `last_seen`, `lastskip`, `mac`, `machine_account`, `notes`, 
>> `pid`, `regdate`, `sessionid`, `status`, `tenant_id`, `time_balance`, 
>> `unregdate`, `user_agent`, `voip`) VALUES ( ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, 
>> ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ? ) ON DUPLICATE 
>> KEY UPDATE `last_dhcp` = ?, `tenant_id` = ?]{no, NULL, NULL, , NULL, 
>> Admin-PC, 2021-12-22 14:45:32, Windows OS, Dell Inc., 78, Microsoft Windows 
>> Kernel 10.0, 10.0, , , 1,3,6,15,31,33,43,44,46,47,119,121,249,252, MSFT 5.0, 
>> 0000-00-00 00:00:00, 2022-04-13 21:47:12, 2022-04-13 21:45:43, 0000-00-00 
>> 00:00:00, 98:90:96:cb:a3:02, NULL, , default, 0000-00-00 00:00:00, , unreg, 
>> 1, NULL, 0000-00-00 00:00:00, , no, 2022-04-13 21:47:12, 1} 
>> (pf::dal::db_execute)
>> Apr 13 21:48:03 NAC1 pfqueue[3025858]: pfqueue(3025858) ERROR: [mac:unknown] 
>> Unable to modify node '98:90:96:cb:a3:02 (pf::node::node_modify)
>> Apr 13 21:48:08 NAC1 pfqueue[3028686]: pfqueue(3028686) WARN: 
>> [mac:00:11:22:33:44:55] Unable to pull accounting history for device 
>> 00:11:22:33:44:55. The history set doesn't exist yet. 
>> (pf::accounting_events_history::latest_mac_history)
>> Apr 13 21:48:19 NAC1 pfqueue[3028686]: pfqueue(3028686) WARN: 
>> [mac:00:11:22:33:44:55] Unable to pull accounting history for device 
>> 00:11:22:33:44:55. The history set doesn't exist yet. 
>> (pf::accounting_events_history::latest_mac_history)
>> Apr 13 21:48:22 NAC1 pfqueue[3028686]: pfqueue(3028686) WARN: 
>> [mac:00:11:22:33:44:55] Unable to pull accounting history for device 
>> 00:11:22:33:44:55. The history set doesn't exist yet. 
>> (pf::accounting_events_history::latest_mac_history)
>> 
>> These are the messages in radius.log:
>> 
>> 
>> Apr 13 21:44:24 NAC1 auth[2559747]: (49313) Login OK: [prntnacact] (from 
>> client 192.168.254.12/32 
>>  port 50335 cli 9c:93:4e:6c:b0:61)
>> Apr 13 21:45:24 NAC1 auth[2559747]: Adding client 192.168.254.22/32 
>> Apr 13 21:45:24 NAC1 auth[2559747]: [mac:18:9c:5d:ab:b1:ef] Accepted user:  
>> and returned VLAN
>> Apr 13 21:45:24 NAC1 auth[2559747]: (49333) Login OK: [189c5dabb1ef] (from 
>> client 192.168.254.22/32 
>>  port 50443 cli 18:9c:5d:ab:b1:ef)
>> Apr 13 21:48:44 NAC1 auth[2559747]: Adding client 192.168.254.11/32 
>> Apr 13 21:48:51 NAC1 auth[2559747]: (49406) rest: ERROR: Server returned no 
>> data
>> Apr 13 21:48:52 NAC1 auth[2559747]: (49406) Ignoring duplicate packet from 
>> client 192.168.254.11/32 
>>  port 1645 - ID: 56 due to unfinished request in component authenticate 
>> module eap_peap
>> Apr 13 21:48:57 NAC1 auth[2559747]: (49406) Ignoring duplicate packet from 
>> client 192.168.254.11/32 
>>  port 1645 - ID: 56 due to unfinished request in component authenticate 
>> module eap_peap
>> Apr 13 21:48:58 NAC1 auth[2559747]: Unresponsive child for request 49406, in 
>> component authenticate module eap_peap
>> Apr 13 21:49:02 NAC1 auth[2559747]: (49411) eap: ERROR: rlm_eap (EAP): No 
>> EAP session matching state 0xb15267b8b65b7e27
>> Apr 13 21:49:02 NAC1 auth[2559747]: (49411) eap: ERROR: rlm_eap (EAP): No 
>> EAP session matching state 0xb15267b8b65b7e27
>> Apr 13 21:49:02 NAC1 auth[2559747]: [mac:90:1b:0e:45:4b:2e] Rejected user: 
>> DOMAIN-A\USER-1
>> Apr 13 21:49:02 NAC1 auth[2559747]: (49411) Login incorrect (eap: rlm_eap 
>> (EAP): No EAP session matching state 0xb15267b8b65b7e27): [DOMAIN-A\USER-1] 
>> (from client 192.168.254.11/32 
>>  port 50408 cli 90:1b:0e:45:4b:2e)
>> Apr 13 21:49:16 NAC1 auth[2559747]: (49416) rest: ERROR: Server returned no 
>> data
>> Apr 13 21:49:17 NAC1 auth[2559747]: (49416) Ignoring duplicate packet from 
>> client 192.168.254.11/32 
>>  port 1645 - ID: 57 due to unfinished request in component post-auth module 
>> sql_reject
>> Apr 13 21:49:22 NAC1 auth[2559747]: (49416) Ignoring duplicate packet from 
>> client 192.168.254.11/32 
>>  port 1645 - ID: 57 due to unfinished request in component post-auth module 
>> sql_reject
>> Apr 13 21:49:23 NAC1 auth[2559747]: Unresponsive child for request 49416, in 
>> component post-auth module sql_reject
>> Apr 13 21:49:31 NAC1 auth[2559747]: (49422) rest: ERROR: Server returned no 
>> data
>> Apr 13 21:49:38 NAC1 auth[2559747]: Unresponsive child for request 49422, in 
>> component post-auth module sql_reject
>> Apr 13 21:52:19 NAC1 auth[2559747]: Adding client 192.168.254.23/32 
>> Apr 13 21:52:23 NAC1 auth[2559747]: (49485) rest: ERROR: Server returned no 
>> data
>> Apr 13 21:52:24 NAC1 auth[2559747]: (49485) Ignoring duplicate packet from 
>> client 192.168.254.23/32 
>>  port 1645 - ID: 19 due to unfinished request in component authenticate 
>> module eap_peap
>> Apr 13 21:52:29 NAC1 auth[2559747]: (49485) Ignoring duplicate packet from 
>> client 192.168.254.23/32 
>>  port 1645 - ID: 19 due to unfinished request in component authenticate 
>> module eap_peap
>> Apr 13 21:52:30 NAC1 auth[2559747]: Unresponsive child for request 49485, in 
>> component authenticate module eap_peap
>> Apr 13 21:52:34 NAC1 auth[2559747]: (49491) eap: ERROR: rlm_eap (EAP): No 
>> EAP session matching state 0x6b3884f06c319d1d
>> Apr 13 21:52:34 NAC1 auth[2559747]: (49491) eap: ERROR: rlm_eap (EAP): No 
>> EAP session matching state 0x6b3884f06c319d1d
>> Apr 13 21:52:34 NAC1 auth[2559747]: [mac:9c:93:4e:64:05:03] Rejected user: 
>> prntnacact
>> Apr 13 21:52:34 NAC1 auth[2559747]: (49491) Login incorrect (eap: rlm_eap 
>> (EAP): No EAP session matching state 0x6b3884f06c319d1d): [prntnacact] (from 
>> client 192.168.254.23/32 
>>  port 50420 cli 9c:93:4e:64:05:03)
>> Apr 13 21:52:43 NAC1 auth[2559747]: Adding client 192.168.254.14/32 
>> Apr 13 21:52:49 NAC1 auth[2559747]: (49503) rest: ERROR: Server returned no 
>> data
>> 
>> Upon googling I found this post (PacketFence / Re: [PacketFence-users] 
>> ERROR: Server returned no data (sourceforge.net) 
>> <https://sourceforge.net/p/packetfence/mailman/message/37624251/>)
>> to fix the "ERROR: Server returned no data" message and I have added the 
>> chunk = '8192' parameter in rest.conf and now observing whether this message 
>> reappears in the logs.
>> 
>> With regard to the "Unresponsive Child" message I found this post What does 
>> “unresponsive child” error message mean? | NetworkRADIUS 
>> <https://networkradius.com/articles/2021/02/10/what-does-unresponsive-child-error-mean.html>
>> and it makes me nervous to troubleshoot the issue as it points to slowness 
>> in the DB (which relates well to locking messages in packetfence.log seen 
>> above). The problem is how I can identify the slow queries and fix them (is 
>> it the same query shown in pf log?). Is it advisable to change the current 
>> lock_wait_timeout value to something higher (currently set to 50 secs)? I'm 
>> wondering what other measures can be put in place to avoid this from 
>> recurring, does restarting the sql service daily help me?
>> 
>> Regards
>> Misbah
>> 
>> 
>> On Wed, 13 Apr 2022 at 17:17, Misbah Hussaini <misbhaud...@gmail.com> wrote:
>> Hello Ludovic,
>> 
>> It's already added as a switch and has been working fine for the past 1 month 
>> but with few endpoints. When I googled this message, the freeradius support list 
>> suggested increasing the max server count, which I did, and the issue was 
>> resolved. The concern I have is whether there are other such parameters 
>> which need to be fine-tuned for Production.
>> 
>> Also, the config change you suggested for Fingerbank-collector doesn't 
>> seem to have worked. Currently I'm unmonitoring fingerbank using the command 
>> below, but I know it won't survive a service restart or server reboots.
>> 
>> # monit unmonitor packetfence-fingerbank-collector
>> 
>> On Wed, 13 Apr 2022, 17:11 Zammit, Ludovic, <luza...@akamai.com> wrote:
>> Hello,
>> 
>> It looks like 192.168.254.14 is trying to ask for an authentication. Add it 
>> as the switch.
>> 
>> Thanks,
>> 
>> Ludovic Zammit
>> 
>>> On Apr 12, 2022, at 3:02 AM, Misbah Hussaini <misbhaud...@gmail.com> wrote:
>>> 
>>> Thanks Ludovic, I'm testing this config change.
>>> 
>>> Meanwhile, I checked the radius log when the issue of auth occurred for us 
>>> and I found below lines. As I mentioned earlier, I increased the max 
>>> threads to a higher value in radius.conf file and the issue was resolved 
>>> and auth started working. Does everybody have to increase this value in 
>>> Production? I'm asking especially because we are planning to increase the 
>>> number of devices (by another 250) and perhaps then I need to use a much 
>>> higher value to avoid recurrence of this problem.
>>> 
>>> Apr  7 10:06:23 NAC1 auth[368888]: Ignoring request to auth address 
>>> 192.168.197.90 port 1812 bound to server packetfence from unknown client 
>>> 192.168.254.14 port 1645 proto udp
>>> Apr  7 10:06:25 NAC1 auth[368888]: rlm_sql (sql): No connections available 
>>> and at max connection limit
>>> Apr  7 10:06:25 NAC1 auth[368888]: Ignoring request to auth address 
>>> 192.168.197.90 port 1812 bound to server packetfence from unknown client 
>>> 192.168.254.14 port 1645 proto udp
>>> Apr  7 10:06:26 NAC1 auth[368888]: rlm_sql (sql): No connections available 
>>> and at max connection limit
>>> Apr  7 10:06:26 NAC1 auth[368888]: Ignoring request to auth address 
>>> 192.168.197.90 port 1812 bound to server packetfence from unknown client 
>>> 192.168.254.14 port 1645 proto udp
>>> Apr  7 10:06:28 NAC1 auth[368888]: rlm_sql (sql): No connections available 
>>> and at max connection limit
>>> Apr  7 10:06:28 NAC1 auth[368888]: Ignoring request to auth address 
>>> 192.168.197.90 port 1812 bound to server packetfence from unknown client 
>>> 192.168.254.14 port 1645 proto udp
>>> Apr  7 10:06:30 NAC1 auth[368888]: rlm_sql (sql): No connections available 
>>> and at max connection limit
>>> Apr  7 10:06:30 NAC1 auth[368888]: Ignoring request to auth address 
>>> 192.168.197.90 port 1812 bound to server packetfence from unknown client 
>>> 192.168.254.14 port 1645 proto udp
>>> Apr  7 10:06:37 NAC1 auth[368888]: rlm_sql (sql): No connections available 
>>> and at max connection limit
>>> Apr  7 10:06:37 NAC1 auth[368888]: Ignoring request to auth address 
>>> 192.168.197.90 port 1812 bound to server packetfence from unknown client 
>>> 192.168.254.28 port 1645 proto udp
>>> Apr  7 10:06:42 NAC1 auth[368888]: rlm_sql (sql): No connections available 
>>> and at max connection limit
>>> Apr  7 10:06:42 NAC1 auth[368888]: Ignoring request to auth address 
>>> 192.168.197.90 port 1812 bound to server packetfence from unknown client 
>>> 192.168.254.28 port 1645 proto udp
>>> Apr  7 10:06:57 NAC1 auth[368888]: rlm_sql (sql): No connections available 
>>> and at max connection limit
>>> Apr  7 10:06:57 NAC1 auth[368888]: Ignoring request to auth address 
>>> 192.168.197.90 port 1812 bound to server packetfence from unknown client 
>>> 192.168.254.13 port 1645 proto udp
>>> Apr  7 10:07:02 NAC1 auth[368888]: rlm_sql (sql): No connections available 
>>> and at max connection limit
>>> Apr  7 10:07:02 NAC1 auth[368888]: Ignoring request to auth address 
>>> 192.168.197.90 port 1812 bound to server packetfence from unknown client 
>>> 192.168.254.13 port 1645 proto udp
>>> Apr  7 10:07:04 NAC1 auth[368888]: rlm_sql (sql): No connections available 
>>> and at max connection limit
>>> Apr  7 10:07:04 NAC1 auth[368888]: Ignoring request to auth address 
>>> 192.168.197.90 port 1812 bound to server packetfence from unknown client 
>>> 192.168.254.23 port 1645 proto udp
>>> Apr  7 10:07:07 NAC1 auth[368888]: rlm_sql (sql): No connections available 
>>> and at max connection limit
>>> Apr  7 10:07:07 NAC1 auth[368888]: Ignoring request to auth address 
>>> 192.168.197.90 port 1812 bound to server packetfence from unknown client 
>>> 192.168.254.13 port 1645 proto udp
>>> Apr  7 10:07:09 NAC1 auth[368888]: rlm_sql (sql): No connections available 
>>> and at max connection limit
>>> Apr  7 10:07:09 NAC1 auth[368888]: Ignoring request to auth address 
>>> 192.168.197.90 port 1812 bound to server packetfence from unknown client 
>>> 192.168.254.23 port 1645 proto udp
>>> Apr  7 10:07:12 NAC1 auth[368888]: rlm_sql (sql): No connections available 
>>> and at max connection limit
>>> Apr  7 10:07:12 NAC1 auth[368888]: Ignoring request to auth address 
>>> 192.168.197.90 port 1812 bound to server packetfence from unknown client 
>>> 192.168.254.13 port 1645 proto udp
>>> 
>>> 
>>> 
>>> Regards
>>> Misbah
>>> 
>>> 
>>> On Mon, 11 Apr 2022 at 17:19, Zammit, Ludovic <luza...@akamai.com> wrote:
>>> Hello,
>>> 
>>> You can disable the TCP FB Collector analyzing:
>>> 
>>> You can disable the TCP fingerprinting by doing
>>> 
>>> # systemctl edit packetfence-fingerbank-collector.service
>>> 
>>> In the editor that opens, add:
>>> 
>>> [Service]
>>> Environment=COLLECTOR_DISABLE_TCP_HANDLER=true
>>> 
>>> Close the editor, then do:
>>> 
>>> # systemctl daemon-reload
>>> # systemctl restart packetfence-fingerbank-collector
>>> 
>>> 
>>> Thanks,
>>> 
>>> Ludovic Zammit
>>> 
>>>> On Apr 11, 2022, at 2:51 AM, Misbah Hussaini <misbhaud...@gmail.com> wrote:
>>>> 
>>>> Hello,
>>>> 
>>>> We are currently doing only wired 802.1x & MAC auth; the server config is:
>>>> 
>>>> Intel(R) Xeon(R) CPU E5-2407 v2 @ 2.40GHz 
>>>> 16GB RAM (Free RAM - 8GB)
>>>> Running Debian X64.
>>>> 
>>>> Also, I would like to disable the packetfence-fingerbank-collector from 
>>>> monit config as it is generating too many zombie process alerts. I guess 
>>>> the monit config is managed by pfcmd generatemonitconfig but I dunno how 
>>>> to disable specifically fingerbank-collector.
>>>> 
>>>> Regards
>>>> Misbah
>>>> 
>>>> 
>>>> On Sat, 9 Apr 2022 at 00:23, Zammit, Ludovic <luza...@akamai.com> wrote:
>>>> Hello Misbah,
>>>> 
>>>> I highly doubt that you would cap a cluster capacity with only 250 devices 
>>>> registered.
>>>> 
>>>> You have an ongoing issue that needs to be fixed.
>>>> 
>>>> What's the spec on the PF servers? Are you doing 802.1x or MAC 
>>>> authentication? Wired? Wireless?
>>>> 
>>>> We have a cluster of 3 running 10 000 unique radius authentications without 
>>>> choking.
>>>> 
>>>> Thanks,
>>>> 
>>>> Ludovic Zammit
>>>> 
>>>>> On Apr 7, 2022, at 4:18 AM, Misbah Hussaini via PacketFence-users 
>>>>> <packetfence-users@lists.sourceforge.net> wrote:
>>>>> 
>>>>> Hello,
>>>>> 
>>>>> Firstly, I'm happy with the way Packetfence is working in the 
>>>>> environment. A big thanks to the team for the project and awesome 
>>>>> documentation. I have configured Packetfence in a 3 node cluster and 
>>>>> registered 250+ devices so far.
>>>>> 
>>>>> I faced a problem with the radius server reaching the max connections 
>>>>> limit and most of the users were disconnected while I fixed the problem 
>>>>> (had to increase the max spare servers to a high value in radius.conf). I 
>>>>> was optimistic with the cluster setup, thinking I should not be facing 
>>>>> downtime issues but didn't realize that a config issue could lead to a 
>>>>> blackout. 
>>>>> 
>>>>> Now, this leads me to wonder if there is a way in which I could have 
>>>>> decreased the downtime for the end users while we fixed the problem in 
>>>>> the config. Also, I would appreciate highlighting any other Production 
>>>>> related settings that need to be fine tuned to avoid such instances in 
>>>>> future.
>>>>> 
>>>>> 
>>>>> Regards
>>>>> Misbah


_______________________________________________
PacketFence-users mailing list
PacketFence-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/packetfence-users
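
One way to triage the packetfence.log and radius.log excerpts quoted in this thread, as an added example that is not part of the original messages or of PacketFence's own tooling: it groups the error signatures seen above by day and reports the order in which each first appeared. The sample lines are constructed (shortened from the quoted logs), and the signature and function names are assumptions.

```python
import re
from collections import Counter

# Constructed sample: one syslog record per line, shortened from the thread.
SAMPLE_LOG = """\
Apr  7 10:06:23 NAC1 auth[368888]: Ignoring request to auth address 192.168.197.90 port 1812 bound to server packetfence from unknown client 192.168.254.14 port 1645 proto udp
Apr  7 10:06:25 NAC1 auth[368888]: rlm_sql (sql): No connections available and at max connection limit
Apr  7 10:06:37 NAC1 auth[368888]: Ignoring request to auth address 192.168.197.90 port 1812 bound to server packetfence from unknown client 192.168.254.28 port 1645 proto udp
Apr 13 21:47:12 NAC1 pfqueue[3025858]: pfqueue(3025858) ERROR: [mac:unknown] Database query failed with non retryable error: Lock wait timeout exceeded; try restarting transaction (errno: 1205) [INSERT INTO `node` ( `autoreg`, `mac` ) VALUES ( ?, ? ) ON DUPLICATE KEY UPDATE `last_dhcp` = ?] (pf::dal::db_execute)
Apr 13 21:47:12 NAC1 pfqueue[3025858]: pfqueue(3025858) ERROR: [mac:unknown] Unable to modify node 'c4:14:3c:97:b4:34 (pf::node::node_modify)
Apr 13 21:48:03 NAC1 pfqueue[3025858]: pfqueue(3025858) ERROR: [mac:unknown] Database query failed with non retryable error: Lock wait timeout exceeded; try restarting transaction (errno: 1205) [INSERT INTO `node` ( `autoreg`, `mac` ) VALUES ( ?, ? ) ON DUPLICATE KEY UPDATE `last_dhcp` = ?] (pf::dal::db_execute)
Apr 13 21:48:51 NAC1 auth[2559747]: (49406) rest: ERROR: Server returned no data
Apr 13 21:48:52 NAC1 auth[2559747]: (49406) Ignoring duplicate packet from client 192.168.254.11/32 port 1645 - ID: 56 due to unfinished request in component authenticate module eap_peap
Apr 13 21:48:58 NAC1 auth[2559747]: Unresponsive child for request 49406, in component authenticate module eap_peap
Apr 13 21:49:23 NAC1 auth[2559747]: Unresponsive child for request 49416, in component post-auth module sql_reject
"""

# Classic syslog prefix: "Mon D HH:MM:SS host message" (no year in the stamp).
SYSLOG = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2})\s+(?P<day>\d{1,2}) (?P<time>\d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) (?P<msg>.*)$"
)

# Signature names are this example's own labels; the patterns are the message
# texts quoted in the thread. "detail" captures the table, module or client.
SIGNATURES = [
    ("db_lock_timeout",
     re.compile(r"\(errno: 1205\)(?: \[INSERT INTO `(?P<detail>\w+)`)?")),
    ("rest_no_data", re.compile(r"rest: ERROR: Server returned no data")),
    ("unresponsive_child",
     re.compile(r"Unresponsive child for request \d+, in component \S+ "
                r"module (?P<detail>\S+)")),
    ("sql_pool_exhausted",
     re.compile(r"rlm_sql \(sql\): No connections available and at max "
                r"connection limit")),
    ("unknown_client",
     re.compile(r"from unknown client (?P<detail>\d{1,3}(?:\.\d{1,3}){3})")),
]


def classify(line):
    """Return the first matching signature for one log line, else None."""
    m = SYSLOG.match(line)
    if not m:
        return None
    for name, pattern in SIGNATURES:
        hit = pattern.search(m["msg"])
        if hit:
            return {
                "day": f'{m["mon"]} {int(m["day"])}',
                "time": m["time"],
                "sig": name,
                "detail": hit.groupdict().get("detail"),
            }
    return None


def triage(text):
    """Group matched events per day: counts, first-seen time and details."""
    days = {}
    for line in text.splitlines():
        event = classify(line)
        if event is None:
            continue
        day = days.setdefault(
            event["day"], {"counts": Counter(), "first_seen": {}, "details": {}}
        )
        day["counts"][event["sig"]] += 1
        day["first_seen"].setdefault(event["sig"], event["time"])
        if event["detail"]:
            day["details"].setdefault(event["sig"], Counter())[event["detail"]] += 1
    return days


def order_of_onset(day_report):
    """Signatures ordered by first appearance (HH:MM:SS sorts as text)."""
    ranked = sorted(day_report["first_seen"].items(), key=lambda kv: kv[1])
    return [sig for sig, _ in ranked]


if __name__ == "__main__":
    for day, report in triage(SAMPLE_LOG).items():
        print(day, "onset:", " -> ".join(order_of_onset(report)))
        for sig, details in report["details"].items():
            print("   ", sig, dict(details))
```

On real files, feed the concatenated contents of both logs to `triage()`; records must be unwrapped to one per line, unlike the mail-wrapped excerpts above.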
