From: mourik j. h. <he...@gm...> - 2015-07-10 12:41:37
Hi Andy, list,

Yes, you are totally right. :-) Sorry. Let me try again.

I'm running packetfence 5.2.0, debian wheezy, installed from the repos, inline mode. My inline NATted network is 10.19.0.0/16 and packetfence has ip 10.19.0.1 on eth0 as the gateway for the NATted network. We have enabled the captive portal, with self registration.

Anyway: Things seem to work 'unpredictable'. After registration, sometimes network detection works, but sometimes clients become trapped in the "Sorry, your network should be enabled within a minute or two".

Having said that, we notice the following warnings in the logs:

> WARN: Problem trying to run command: LANG=C sudo ipset del
> PF-iL2_ID4_10.19.0.0 10.19.218.65 2>&1 called from
> iptables_update_set. Child exited with non-zero value 1
> (pf::util::pf_run)

(NOTE: manually running the same command as pf user seems to work!)

> Jul 08 18:55:55 httpd.webservices(3636) WARN: Problem trying to run
> command: LANG=C sudo /usr/sbin/conntrack -D -s 10.19.218.65 2>&1
> called from iptables_unmark_node. Child exited with non-zero value 1
> (pf::util::pf_run)

(NOTE again: manually running the same command as pf also seems to work)

> Jul 08 20:37:04 httpd.portal(3623) ERROR: WARNING ! Unknown
> switch(es) 10.19.0.1 (pf::SwitchFactory::instantiate)

(NOTE: this ip is the packetfence NAT address, gateway/dhcp, and there is NO switch configured with this ip) (verified in switches.conf)

> WARN: Problem trying to run command: LANG=C sudo ipset del
> PF-iL2_ID_10.19.0.0 10.19.218.65 2>&1 called from
> iptables_update_set. Child exited with non-zero value 1
> (pf::util::pf_run)

Judging from that, I assume that the ipset PF-iL2_ID_10.19.0.0 exists, however it does not?
See:

> root@pf:/usr/local/pf/logs# su pf
> $ sudo ipset -L
> Name: PF-iL2_ID1_10.19.0.0
> Type: bitmap:ip
> Header: range 10.19.0.0-10.19.255.255
> Size in memory: 8312
> References: 2
> Members:
>
> Name: PF-iL2_ID2_10.19.0.0
> Type: bitmap:ip
> Header: range 10.19.0.0-10.19.255.255
> Size in memory: 8312
> References: 2
> Members:
>
> Name: PF-iL2_ID3_10.19.0.0
> Type: bitmap:ip
> Header: range 10.19.0.0-10.19.255.255
> Size in memory: 8312
> References: 2
> Members:
>
> Name: PF-iL2_ID4_10.19.0.0
> Type: bitmap:ip
> Header: range 10.19.0.0-10.19.255.255
> Size in memory: 8312
> References: 2
> Members:
> 10.19.218.65
>
> Name: PF-iL2_ID5_10.19.0.0
> Type: bitmap:ip
> Header: range 10.19.0.0-10.19.255.255
> Size in memory: 8312
> References: 2
> Members:
>
> Name: pfsession_Unreg_10.19.0.0
> Type: bitmap:ip,mac
> Header: range 10.19.0.0-10.19.255.255
> Size in memory: 1048688
> References: 1
> Members:
> 10.19.218.61,3C:97:0E:2F:14:F8
>
> Name: pfsession_Reg_10.19.0.0
> Type: bitmap:ip,mac
> Header: range 10.19.0.0-10.19.255.255
> Size in memory: 1048688
> References: 1
> Members:
> 10.19.218.65,60:67:20:5D:74:98
>
> Name: pfsession_Isol_10.19.0.0
> Type: bitmap:ip,mac
> Header: range 10.19.0.0-10.19.255.255
> Size in memory: 1048688
> References: 1
> Members:

So... I hope someone has the time to read/react to this. I know I'm leaving out config files, but if those are relevant, I'll gladly post them, of course. (but it's such a long email already...)

MJ
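
An added example, not part of the original message and not PacketFence code: `ipset del` returns a non-zero exit status both when the named set does not exist and when the address is not currently a member, so the two cases can be told apart by checking a listing like the one above. The function names `sample_listing` and `ipset_state` are hypothetical, and the sample is a constructed excerpt in the format of that listing.

```shell
# Constructed sample: excerpt in the format of the `ipset -L` output in the post.
sample_listing() {
cat <<'EOF'
Name: PF-iL2_ID4_10.19.0.0
Type: bitmap:ip
Header: range 10.19.0.0-10.19.255.255
Size in memory: 8312
References: 2
Members:
10.19.218.65

Name: PF-iL2_ID5_10.19.0.0
Type: bitmap:ip
Header: range 10.19.0.0-10.19.255.255
Size in memory: 8312
References: 2
Members:

Name: pfsession_Reg_10.19.0.0
Type: bitmap:ip,mac
Header: range 10.19.0.0-10.19.255.255
Size in memory: 1048688
References: 1
Members:
10.19.218.65,60:67:20:5D:74:98
EOF
}

# ipset_state SET IP   (reads an `ipset -L` listing on stdin)
# Prints one of: no-such-set | not-a-member | member
# Live use: sudo ipset -L | ipset_state PF-iL2_ID4_10.19.0.0 10.19.218.65
ipset_state() {
    awk -v set="$1" -v ip="$2" '
        $1 == "Name:"    { cur = $2; in_members = 0
                           if (cur == set) found = 1; next }
        $1 == "Members:" { in_members = 1; next }
        NF == 0          { in_members = 0; next }   # blank line ends a set
        in_members && cur == set {
            split($1, f, ",")      # bitmap:ip,mac entries are "ip,mac"
            if (f[1] == ip) member = 1
        }
        END {
            if (!found)      print "no-such-set"
            else if (member) print "member"
            else             print "not-a-member"
        }'
}
```

Running it at the moment a warning is logged shows whether the failing `ipset del` targeted a missing set or an address that had already been removed.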