[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: A couple more questions...
From: |
Mark . Burgess |
Subject: |
Re: A couple more questions... |
Date: |
Sun, 17 Nov 2002 22:29:17 +0100 (MET) |
Are you running the latest version? There was a bugfix in 2.0.4.
Also - have you limited the number of concurrent connections on the server?
M
On 13 Nov, Tracy R Reed wrote:
> Thanks to those who helped me with my last query. The problem with
> authenticating was mainly due to the fact that our architecture involves a
> lot of NAT so machines did not appear to cfservd to be coming from the ip
> they claimed they were coming from. I had to add nearly all of our
> netblocks to SkipVerify. Not good for security, I know. But it seems to be
> the only way out. I also found a lot of machines which had been
> reinstalled and thus had the public key changed so I had to delete that
> from the cache on cfservd not to mention a wide variety of client
> misconfigurations.
>
> So now that I think I have all of the clients configured correctly I am
> running into what might be performance issues. Sometimes the clients take
> a long time to get authenticated. cfagent is started every 5 minutes from
> cron on the client machines. Is this too often? The server is coughing up
> a lot of:
>
> Nov 13 01:02:32 cfmaster cfmaster.mydomain.com[9423]: Denying repeated
> connection from 1.2.3.4
> Nov 13 01:06:23 cfmaster cfmaster.mydomain.com[25083]: Host
> authorization/authentication failed or access denied
>
> And occasionally I get this:
>
> Nov 13 06:09:11 cfmaster cfservd[17286]: Server seems to be paralyzed. DOS
> attack? Committing apoptosis...
>
> When the clients take a long time authenticating I think other cfagent
> processes are getting started (every 5 minutes) and they produce these
> errors:
>
> cfengine:cfclient: Challenge response from server cfmaster/5.6.7.8 was
> incorrect!
> cfengine:cfclient: Authentication dialogue with cfmaster failed
> cfengine:cfclient: Challenge response from server cfmaster/5.6.7.8 was
> incorrect!
> cfengine:cfclient: Authentication dialogue with cfmaster failed
> cfengine:cfclient: Challenge response from server cfmaster/5.6.7.8 was
> incorrect!
> cfengine:cfclient: Authentication dialogue with cfmaster failed
> cfengine:cfclient: Received signal 13 (SIGPIPE) while doing
> [lock.cfagent_conf.cfclient.tidy._var_cfengine_inputs]
> cfengine:cfclient: Logical start time Tue Nov 12 21:38:10 2002
> cfengine:cfclient: This sub-task started really at Tue Nov 12 21:38:10 2002
>
> cfengine:cfclient: Received signal 13 (SIGPIPE) while doing
> [lock.cfagent_conf.cfclient.tidy._var_cfengine_inputs]
> cfengine:cfclient: Logical start time Tue Nov 12 21:38:10 2002
> cfengine:cfclient: This sub-task started really at Tue Nov 12 21:38:10 2002
>
> cfengine:cfclient: Received signal 13 (SIGPIPE) while doing
> [lock.cfagent_conf.cfclient.tidy._var_cfengine_inputs]
> cfengine:cfclient: Logical start time Tue Nov 12 21:38:10 2002
> cfengine:cfclient: This sub-task started really at Tue Nov 12 21:38:10 2002
>
> cfengine:cfclient: Challenge response from server cfmaster/5.6.7.8 was
> incorrect!
> cfengine:cfclient: Authentication dialogue with cfmaster failed
>
> Once I was debugging cfservd and ctrl-z'd it to look at some output and
> forgot to resume and a whole lot of machines ended up with a bunch of
> cfagent processes running on them. Shouldn't it do some sort of locking
> and not try to run if a cfagent is already running?
>
> Today I have received 5146 emails from 903 hosts that are having this
> problem. Suggestions?
>
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Work: +47 22453272 Email: Mark.Burgess@iu.hio.no
Fax : +47 22453205 WWW : http://www.iu.hio.no/~mark
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~