pfSense RADIUS authentication failing (timed out) and dumping core
We have three offices with nearly identical pfSense configurations. We have
VPN servers for clients to connect to and a local RADIUS server to provide
authentication for them. On one of our pfSense boxes, it fails to
authenticate using the local RADIUS server. It sends requests and
access-accept messages are returned. However, the php-fpm process appears to
ignore the responses and then crashes. Here is some truss output:

bind(9,{ AF_INET 0.0.0.0:0 },16) = 0 (0x0)
fcntl(9,F_GETFL,) = 2 (0x2)
fcntl(9,F_SETFL,O_RDWR|O_NONBLOCK) = 0 (0x0)
sendto(9,"\^A\M-)\0\M-J\M-QM\^W\M-W\M-h7{L"...,202,0,{ AF_INET RADIUS:1812 },16) = 202 (0xca)
select(10,{ 9 },0x0,0x0,{ 5.000000 }) = 1 (0x1)
recvfrom(9,"\^B\M-)\0\M-t\rv\M-]O~\M-$}\M-4~"...,4096,MSG_WAITALL,{ AF_INET RADIUS:1812 },0x820d022fc) = 244 (0xf4)
recvfrom(9,0x37bbc7deab51,4096,MSG_WAITALL,0x820d02300,0x820d022fc) ERR#35 'Resource temporarily unavailable'
select(10,{ 9 },0x0,0x0,{ 4.708796 }) = 0 (0x0)
sendto(9,"\^A\M-)\0\M-J\M-QM\^W\M-W\M-h7{L"...,202,0,{ AF_INET RADIUS:1812 },16) = 202 (0xca)
select(10,{ 9 },0x0,0x0,{ 5.000000 }) = 1 (0x1)
recvfrom(9,"\^B\M-)\0\M-t\M-d\M-V\M-l)x\M-^N"...,4096,MSG_WAITALL,{ AF_INET RADIUS:1812 },0x820d022fc) = 244 (0xf4)
recvfrom(9,0x37bbc7deab51,4096,MSG_WAITALL,0x820d02300,0x820d022fc) ERR#35 'Resource temporarily unavailable'
select(10,{ 9 },0x0,0x0,{ 4.994004 }) = 0 (0x0)
sendto(9,"\^A\M-)\0\M-J\M-QM\^W\M-W\M-h7{L"...,202,0,{ AF_INET RADIUS:1812 },16) = 202 (0xca)
select(10,{ 9 },0x0,0x0,{ 5.000000 }) = 1 (0x1)
recvfrom(9,"\^B\M-)\0\M-tB+\M-a\^XzV\M-d$"...,4096,MSG_WAITALL,{ AF_INET RADIUS:1812 },0x820d022fc) = 244 (0xf4)
recvfrom(9,0x37bbc7deab51,4096,MSG_WAITALL,0x820d02300,0x820d022fc) ERR#35 'Resource temporarily unavailable'
select(10,{ 9 },0x0,0x0,{ 4.993773 }) = 0 (0x0)
__sysctl("kern.hostname",2,0x820d022d0,0x820cfe1b8,0x0,0) = 0 (0x0)
getpid() = 54452 (0xd4b4)
socket(PF_LOCAL,SOCK_DGRAM|SOCK_CLOEXEC,0) = 10 (0xa)
getsockopt(10,SOL_SOCKET,SO_SNDBUF,0x820cfe160,0x820cfe15c) = 0 (0x0)
connect(10,{ AF_UNIX "/var/run/log" },106) = 0 (0x0)
sendto(10,"<35>1 2024-12-12T14:14:40.588858"...,158,0,NULL,0) = 158 (0x9e)
SIGNAL 11 (SIGSEGV) code=SEGV_MAPERR trapno=12 addr=0x37bb6d8450f6
process killed, signal = 11 (core dumped)

The second recvfrom() ERR#35 calls are very strange as well. We don't see
that with successful RADIUS calls to another RADIUS server:

bind(9,{ AF_INET 0.0.0.0:0 },16) = 0 (0x0)
fcntl(9,F_GETFL,) = 2 (0x2)
fcntl(9,F_SETFL,O_RDWR|O_NONBLOCK) = 0 (0x0)
sendto(9,"\^A\M-7\0\M-J\M-S\M-^{BX1B\M^P"...,202,0,{ AF_INET RADIUS:1812 },16) = 202 (0xca)
select(10,{ 9 },0x0,0x0,{ 5.000000 }) = 1 (0x1)
recvfrom(9,"\^B\M-7\0\M-tL\M-6`\M^T\M^V\M^L"...,4096,MSG_WAITALL,{ AF_INET 10.10.11.10:1812 },0x820d022fc) = 244 (0xf4)
close(9) = 0 (0x0)

Interestingly, the other offices are able to use the RADIUS server in the
problem office to authenticate. And the problem pfSense box is able to
authenticate using the RADIUS servers in the other offices.

I can't find any difference between the configuration of the RADIUS or the VPN
servers and am pretty stumped here. Any ideas of things to check?
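
An added example, not part of the original post: the RADIUS code, identifier and length can be read straight out of the escaped strings in the truss lines above and compared with the syscall byte counts. It assumes truss prints buffers in vis(3) C-style encoding; the function names are hypothetical.

```python
import re
import struct

# RADIUS packet codes (RFC 2865).
CODES = {1: "Access-Request", 2: "Access-Accept",
         3: "Access-Reject", 11: "Access-Challenge"}
# C-style escapes emitted by vis(3) with VIS_CSTYLE.
C_ESCAPES = {"n": 10, "r": 13, "t": 9, "b": 8, "a": 7,
             "v": 11, "f": 12, "s": 32, "\\": 92}
TOKEN = re.compile(
    r"\\M-\^(.)|\\M-(.)|\\\^(.)|\\([0-7]{1,3})|\\(.)|(.)", re.S)

def unvis(text):
    """Decode a vis(3)-style string, as printed by truss, to bytes."""
    out = bytearray()
    for m in TOKEN.finditer(text):
        meta_ctrl, meta, ctrl, octal, cesc, literal = m.groups()
        if meta_ctrl is not None:      # \M-^N: high bit + control char
            out.append(0x80 | (0x7F if meta_ctrl == "?" else ord(meta_ctrl) & 0x1F))
        elif meta is not None:         # \M-J: high bit + printable char
            out.append(0x80 | ord(meta))
        elif ctrl is not None:         # \^A: control char
            out.append(0x7F if ctrl == "?" else ord(ctrl) & 0x1F)
        elif octal is not None:        # \0 or \000
            out.append(int(octal, 8))
        elif cesc is not None:         # \r, \n, ... (unknown escape: KeyError)
            out.append(C_ESCAPES[cesc])
        else:
            out.append(ord(literal))
    return bytes(out)

def radius_header(prefix):
    """Return (code name, identifier, length) from the first 4 bytes."""
    code, ident, length = struct.unpack("!BBH", unvis(prefix)[:4])
    return CODES.get(code, "code %d" % code), ident, length

def check_exchange(sent, sent_len, received, received_len):
    """Compare a request/reply pair against the syscall byte counts."""
    req, rsp = radius_header(sent), radius_header(received)
    return {"request": req, "response": rsp,
            "id_match": req[1] == rsp[1],
            "length_ok": req[2] == sent_len and rsp[2] == received_len}

# First sendto()/recvfrom() pair of the failing trace, copied from the post.
SENT = r"\^A\M-)\0\M-J\M-QM\^W\M-W\M-h7{L"
RECEIVED = r"\^B\M-)\0\M-t\rv\M-]O~\M-$}\M-4~"

if __name__ == "__main__":
    print(check_exchange(SENT, 202, RECEIVED, 244))
```

This covers only the 4-byte header; the Response Authenticator and attributes cannot be checked from the truncated strings truss prints.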