help-cfengine

Re: A couple more questions...


From: Mark . Burgess
Subject: Re: A couple more questions...
Date: Sun, 17 Nov 2002 22:29:17 +0100 (MET)

Are you running the latest version? There was a bugfix in 2.0.4.
Also - have you limited the number of concurrent connections on the server?

M

On 13 Nov, Tracy R Reed wrote:
> Thanks to those who helped me with my last query. The problem with
> authenticating was mainly due to the fact that our architecture involves a
> lot of NAT so machines did not appear to cfservd to be coming from the IP
> they claimed they were coming from. I had to add nearly all of our
> netblocks to SkipVerify. Not good for security, I know. But it seems to be
> the only way out. I also found a lot of machines which had been
> reinstalled and thus had the public key changed so I had to delete that
> from the cache on cfservd not to mention a wide variety of client
> misconfigurations.
> 
> So now that I think I have all of the clients configured correctly I am
> running into what might be performance issues. Sometimes the clients take
> a long time to get authenticated. cfagent is started every 5 minutes from
> cron on the client machines. Is this too often? The server is coughing up
> a lot of:
> 
> Nov 13 01:02:32 cfmaster cfmaster.mydomain.com[9423]:  Denying repeated 
> connection from 1.2.3.4
> Nov 13 01:06:23 cfmaster cfmaster.mydomain.com[25083]: Host 
> authorization/authentication failed or access denied
> 
> And occasionally I get this:
> 
> Nov 13 06:09:11 cfmaster cfservd[17286]:  Server seems to be paralyzed. DOS 
> attack? Committing apoptosis...
> 
> When the clients take a long time authenticating I think other cfagent
> processes are getting started (every 5 minutes) and they produce these
> errors:
> 
> cfengine:cfclient: Challenge response from server cfmaster/5.6.7.8 was 
> incorrect!
> cfengine:cfclient: Authentication dialogue with cfmaster failed
> cfengine:cfclient: Challenge response from server cfmaster/5.6.7.8 was 
> incorrect!
> cfengine:cfclient: Authentication dialogue with cfmaster failed
> cfengine:cfclient: Challenge response from server cfmaster/5.6.7.8 was 
> incorrect!
> cfengine:cfclient: Authentication dialogue with cfmaster failed
> cfengine:cfclient: Received signal 13 (SIGPIPE) while doing 
> [lock.cfagent_conf.cfclient.tidy._var_cfengine_inputs]
> cfengine:cfclient: Logical start time Tue Nov 12 21:38:10 2002
> cfengine:cfclient: This sub-task started really at Tue Nov 12 21:38:10 2002
> 
> cfengine:cfclient: Received signal 13 (SIGPIPE) while doing 
> [lock.cfagent_conf.cfclient.tidy._var_cfengine_inputs]
> cfengine:cfclient: Logical start time Tue Nov 12 21:38:10 2002
> cfengine:cfclient: This sub-task started really at Tue Nov 12 21:38:10 2002
> 
> cfengine:cfclient: Received signal 13 (SIGPIPE) while doing 
> [lock.cfagent_conf.cfclient.tidy._var_cfengine_inputs]
> cfengine:cfclient: Logical start time Tue Nov 12 21:38:10 2002
> cfengine:cfclient: This sub-task started really at Tue Nov 12 21:38:10 2002
> 
> cfengine:cfclient: Challenge response from server cfmaster/5.6.7.8 was 
> incorrect!
> cfengine:cfclient: Authentication dialogue with cfmaster failed
> 
> Once I was debugging cfservd and ctrl-z'd it to look at some output and
> forgot to resume and a whole lot of machines ended up with a bunch of
> cfagent processes running on them. Shouldn't it do some sort of locking
> and not try to run if a cfagent is already running?
> 
> Today I have received 5146 emails from 903 hosts that are having this
> problem. Suggestions?
> 



~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Work: +47 22453272            Email:  Mark.Burgess@iu.hio.no
Fax : +47 22453205            WWW  :  http://www.iu.hio.no/~mark
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
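
Added example, not part of the original messages and not cfengine code: a small triage script that tallies the three server-side messages quoted in the thread (repeated-connection denials per client address, authentication failures, and apoptosis events) so the noisiest clients can be checked first. The sample lines are constructed from the messages quoted above, with the mail wrapping undone; the address 10.0.0.7, the cron line and the threshold are assumptions.

```python
import re
from collections import Counter

# Message fragments copied from the log lines quoted in the thread.
DENIED = re.compile(r"Denying repeated connection from (\S+)")
AUTH_FAIL = "Host authorization/authentication failed or access denied"
APOPTOSIS = "Committing apoptosis"
# Classic syslog record: "Mon DD HH:MM:SS host tag[pid]: message"
SYSLOG = re.compile(r"^(\w{3}\s+\d+\s[\d:]{8})\s\S+\s\S+?\[\d+\]:\s+(.*)$")

def summarize(lines):
    """Tally refusals per client and record when the server shut itself down."""
    denied, auth_failures, apoptosis_at = Counter(), 0, []
    for line in lines:
        m = SYSLOG.match(line.rstrip("\n"))
        if not m:
            continue  # not a syslog record, e.g. a wrapped continuation line
        stamp, msg = m.group(1), m.group(2)
        hit = DENIED.search(msg)
        if hit:
            denied[hit.group(1)] += 1
        elif AUTH_FAIL in msg:
            auth_failures += 1
        elif APOPTOSIS in msg:
            apoptosis_at.append(stamp)
    return {"denied": denied, "auth_failures": auth_failures,
            "apoptosis_at": apoptosis_at}

def noisy_clients(summary, threshold):
    """Clients refused at least `threshold` times, most refused first."""
    return [(ip, n) for ip, n in summary["denied"].most_common() if n >= threshold]

# Constructed sample input (not real logs).
SAMPLE = [
    "Nov 13 01:02:32 cfmaster cfmaster.mydomain.com[9423]:  Denying repeated connection from 1.2.3.4",
    "Nov 13 01:02:40 cfmaster cfmaster.mydomain.com[9423]:  Denying repeated connection from 1.2.3.4",
    "Nov 13 01:03:05 cfmaster cfmaster.mydomain.com[9423]:  Denying repeated connection from 10.0.0.7",
    "Nov 13 01:06:23 cfmaster cfmaster.mydomain.com[25083]: Host authorization/authentication failed or access denied",
    "Nov 13 01:07:00 cfmaster cron[301]: (root) CMD (run-parts /etc/cron.hourly)",
    "Nov 13 01:07:12 cfmaster cfmaster.mydomain.com[9423]:  Denying repeated connection from 1.2.3.4",
    "Nov 13 01:09:48 cfmaster cfmaster.mydomain.com[25083]: Host authorization/authentication failed or access denied",
    "Nov 13 06:09:11 cfmaster cfservd[17286]:  Server seems to be paralyzed. DOS attack? Committing apoptosis...",
]

if __name__ == "__main__":
    s = summarize(SAMPLE)
    print(noisy_clients(s, 2), s["auth_failures"], s["apoptosis_at"])
```

Because so many netblocks are behind NAT here, one address in the tally may stand for many clients.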





