VPN connections crash my server

  • #367248
    giblad
    Participant

    Hi guys

    I’m having a problem with my server which is causing me to lose sleep... not good 🙁

    Whenever a VPN client connects into my server, this appears in the log:

    Oct 11 14:08:49 server pppd[610]: DSAccessControl plugin: User ‘xxxx’ authorized for access\n
    Oct 11 14:08:49 server pppd[610]: Unsupported protocol 0x8057 received
    Oct 11 14:08:49 server pppd[610]: local IP address 192.168.1.10
    Oct 11 14:08:49 server pppd[610]: remote IP address 192.168.1.201
    Oct 11 14:08:52 server DirectoryService[42]: Search connection failure: During an attempt to bind to [127.0.0.1] LDAP server.
    Oct 11 14:08:52 server DirectoryService[42]: Search connection failure: Disabled future attempts to bind to [127.0.0.1] LDAP server for next 0 seconds.
    Oct 11 14:08:52 server servermgrd: servermgr_dns: Reloaded named
    Oct 11 14:08:55 server pop3[508]: login: [192.168.1.101] xxxxxxx APOP User logged in
    Oct 11 14:09:00 server pppd[610]: Connection terminated.
    Oct 11 14:09:00 server pppd[610]: L2TP disconnecting…\n
    Oct 11 14:09:00 server pppd[610]: L2TP disconnected\n
    Oct 11 14:09:00 server vpnd[601]: –> Client with address = 192.168.1.201 has hungup\n
    Oct 11 14:09:03 server servermgrd: servermgr_dns: Reloaded named

    Obviously the entries in the log from DirectoryService are cause for concern and they appear during most VPN connections in from the outside world.

    9 times out of 10, connections and disconnections cause no problems but 1 connection in 10 causes all authentication to the server (mail, AFP, ARD, etc) to fail completely and the only solution I have is to restart the server. On a headless Xserve running a hardware RAID card this is obviously not a good option.

    The server itself is running its own DNS, Mail, NetBoot, AFP, Open Directory and of course VPN services.

    DNS appears to be working correctly, DHCP too is good with no overlapping IP addresses. All appears normal.

    Can anyone suggest a solution ?

    Thanks
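
Added example, not from the original post or from Apple's tools: a small sh/awk check that reads syslog lines like the ones above and flags each DirectoryService LDAP bind failure that lands within a few seconds of a pppd/vpnd session event, which is the pattern the poster describes. The sample log is assembled from lines quoted in this thread (the `–>` glyph normalised to `-->`); the 10-second window is an assumption.

```shell
#!/bin/sh
# Added example: correlate VPN session events with the DirectoryService
# "Search connection failure" entries that follow them closely.
# Reads syslog-style lines on stdin; the window in seconds is argument 1.

vpn_ds_correlate() {
    window="${1:-10}"   # assumed window; tune to what your server shows
    awk -v win="$window" '
    # Fold month and day into the timestamp so a window spanning midnight still works
    function tosec(mon, day, hms,   t) {
        split(hms, t, ":")
        return ((mon_idx[mon] * 31 + day) * 86400) + t[1] * 3600 + t[2] * 60 + t[3]
    }
    BEGIN {
        split("Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec", m, " ")
        for (i in m) mon_idx[m[i]] = i
        last_vpn = -1; hits = 0
    }
    # pppd assigning addresses or vpnd reporting a hangup counts as a VPN session event
    /pppd\[[0-9]+\]: (local|remote) IP address/ ||
    /vpnd\[[0-9]+\]: .*hungup/ {
        last_vpn = tosec($1, $2, $3)
    }
    # Only the "During an attempt to bind" line marks a new failure; the
    # "Disabled future attempts" line that follows it is its companion.
    /DirectoryService\[[0-9]+\]: Search connection failure: During an attempt to bind/ {
        now = tosec($1, $2, $3)
        if (last_vpn >= 0 && now - last_vpn <= win) {
            hits++
            printf("LDAP bind failure %ds after a VPN event at %s %s %s\n", now - last_vpn, $1, $2, $3)
        }
    }
    END { print "correlated_failures=" hits }
    '
}

# Constructed sample, assembled from lines posted in this thread.
SAMPLE_LOG='Oct 11 14:08:49 server pppd[610]: local IP address 192.168.1.10
Oct 11 14:08:49 server pppd[610]: remote IP address 192.168.1.201
Oct 11 14:08:52 server DirectoryService[42]: Search connection failure: During an attempt to bind to [127.0.0.1] LDAP server.
Oct 11 14:08:52 server DirectoryService[42]: Search connection failure: Disabled future attempts to bind to [127.0.0.1] LDAP server for next 0 seconds.
Oct 11 14:09:00 server pppd[610]: Connection terminated.
Oct 11 14:09:00 server vpnd[601]: --> Client with address = 192.168.1.201 has hungup\n
May  2 12:00:14 nameserver vpnd[50]: --> Client with address = 192.168.0.234 has hungup\n
May  2 12:00:14 nameserver DirectoryService[75]: Search connection failure: During an attempt to bind to [127.0.0.1] LDAP server.
May  2 12:04:09 nameserver DirectoryService[75]: Search connection failure: During an attempt to bind to [127.0.0.1] LDAP server.'

# Number of correlated failures for a given window, as a bare integer.
demo_count() {
    printf '%s\n' "$SAMPLE_LOG" | vpn_ds_correlate "${1:-10}" | sed -n 's/^correlated_failures=//p'
}

printf '%s\n' "$SAMPLE_LOG" | vpn_ds_correlate 10
```

On a live server you would feed it the system log instead of the sample, e.g. `grep -h -e pppd -e vpnd -e DirectoryService /var/log/system.log | vpn_ds_correlate 10`. The 12:04:09 failure in the sample is not counted because it falls minutes after the last VPN event, which is the kind of entry that would point away from VPN as the trigger.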

    #367340
    andrina
    Participant

    I had a very similar situation to this while ago – have you tried archiving the OD setup, demoting to standalone, repromoting your OD and bringing your archive of users back in?

    Is this your only server running all these services? You may be better off splitting things up to at least a couple servers in the long run.

    #367342
    giblad
    Participant

    Hi Andrina

    Thanks for your reply to my query.

    I have attempted this with no success. I even went as far as installing a universal 10.4.7 build of server and set up a minimum of settings (DHCP, DNS and a couple of users in the local netinfo database) and the problem is still there. The server has an Xserve RAID card and an Atto SCSI card which I have yet to rule out as the source of the problems but it’s looking like a hardware issue or possibly network related.

    I’m going to be doing more testing with different configurations in the next few days and I’ll post my results once I’ve sorted it out.

    #367352
    andrina
    Participant

    Just to clarify – have you removed the VPN server from the machine that’s running OD? Curious if it’s a combination of the two running on the same machine, or simply that the VPN server is querying OD that causes the crash?

    On your testing machine I’d set up a vanilla OD structure (i.e. only a few users, not an import of your OD) and set up VPN there also, and see if you can replicate the problem. It’s not a matter of incompatibility as there are several people I know running both services on one server.

    Is VPN the only way to access this server – do you have SSH open, or any other ports open from your router/firewall into the server?

    #367386
    giblad
    Participant

    Andrina

    Sorry it’s taken so long to reply.

    I have already replicated the problem on a vanilla OD structure with just one user set up.

    The server runs sweet without the VPN service enabled as it seems to be the VPN service that causes all authentication to fail.

    It is impossible for me to separate the VPN and OD as I only have one available server. My test server does not belong to me.

    I have now taken the VPN service away from the server and handed it over to a dedicated ‘box’ and all is well, however I am still no nearer to finding out what caused the problem in the first place and that is what is so frustrating.

    If anyone else out there has had similar problems to this, then I would like to hear from you.

    Thanks

    #367387
    Ross
    Participant

    I had this problem with one client, but i didn’t get to spend much time troubleshooting it. I ended up switching it to a replica and didn’t have the issue and I never went back to figure it out.

    But I have done the same setup about 100 times other places and have never seen this. If it helps, the server was just doing (Master, PDC, and VPN).

    #367396
    crackmac
    Participant

    I experienced a similar problem and was told that you should set up the VPN and then promote the machine to OD master. I started from scratch and haven’t had the balls to upgrade the server to an OD master yet because it’s not absolutely necessary in my case.
    I would save all your settings; reinstall the server keeping it a standalone server; set up VPN; then promote to OD master.
    –Kevin


    #368578
    techmistake
    Participant

    I’ve also been plagued by this as well, or so it seems. I’m a rookie, but it sure seems like there is a connection. Almost like the server fails to authenticate people for a minute, or sometimes longer; sometimes it even deadlocks. Did the separation of the VPN and OD provide a long term fix? I have an extra 10.3.9 server and a monowall I can use for this.

    #368907
    Simple1
    Participant

    I also have this problem. Will load balancing by adding another server connected to a directory system help? This is my recent log; nothing similar to anything everyone else has posted, but the symptoms are exactly alike.

    May 2 11:59:57 nameserver imap[13911]: idle for too long, closing connection
    May 2 11:59:57 nameserver imap[13938]: idle for too long, closing connection
    May 2 12:00:11 nameserver pppd[14687]: Serial link appears to be disconnected.
    May 2 12:00:11 nameserver pppd[14687]: MPPE disabled
    May 2 12:00:13 nameserver servermgrd: servermgr_dns: Reloaded named
    May 2 12:00:14 nameserver ARDAgent [353]: UDPWritePacket error 65 No route to host for -64.168.0.237
    May 2 12:00:14 nameserver pppd[14687]: Connection terminated.
    May 2 12:00:14 nameserver pppd[14687]: PPTP disconnecting…\n
    May 2 12:00:14 nameserver pppd[14687]: PPTP disconnected\n
    May 2 12:00:14 nameserver vpnd[50]: –> Client with address = 192.168.0.234 has hungup\n
    May 2 12:00:14 nameserver DirectoryService[75]: Search connection failure: During an attempt to bind to [127.0.0.1] LDAP server.
    May 2 12:00:14 nameserver DirectoryService[75]: Search connection failure: Disabled future attempts to bind to [127.0.0.1] LDAP server for next 0 seconds.
    May 2 12:00:47 nameserver imap[13011]: idle for too long, closing connection
    May 2 12:01:29 nameserver imap[9718]: IOERROR: opening /Volumes/Data/Mail/spool/imap/user/susan/4B/SAVANNAH/TRASH COUTURE/cyrus.header: No such file or directory
    May 2 12:01:55 nameserver imap[9886]: IOERROR: creating /Volumes/Data/Mail/spool/imap/user/amber_robinson/Sent Messages/cyrus.index.NEW: Resource temporarily unavailable
    May 2 12:02:17 nameserver imap[11312]: idle for too long, closing connection
    May 2 12:02:17 nameserver imap[13474]: idle for too long, closing connection
    May 2 12:02:54 nameserver imap[10919]: idle for too long, closing connection
    May 2 12:03:24 nameserver servermgrd: [51] error in getAndLockContext: flock(servermgr_netboot) FATAL time out
    May 2 12:03:24 nameserver servermgrd: [51] process will force-quit to avoid deadlock
    May 2 12:04:09 nameserver DirectoryService[75]: Search connection failure: During an attempt to bind to [127.0.0.1] LDAP server.
    May 2 12:04:09 nameserver DirectoryService[75]: Search connection failure: Disabled future attempts to bind to [127.0.0.1] LDAP server for next 0 seconds.
    May 2 12:04:39 nameserver pop3[14383]: AOD: authentication error: cannot find user: massimo (0)
    May 2 12:04:39 nameserver pop3[14383]: badlogin: cpe-74-73-146-145.nyc.res.rr.com [74.73.146.145] APOP (<[email protected]>) Error: -4
    May 2 12:04:54 nameserver imap[13937]: AOD: authentication error: cannot find user: amber_robinson (0)
    May 2 12:04:54 nameserver imap[13937]: badlogin: [192.168.0.166] CRAM-MD5
    May 2 12:05:24 nameserver /System/Library/CoreServices/mcxd.app/Contents/MacOS/mcxd: DSOpenNode(): dsOpenDirNode(“/LDAPv3/127.0.0.1”) == -14002

    The server did come back to life itself but most of the time when it does happen it doesn’t come back. Any help in the right direction is helpful.

    #370079
    JonThompson
    Participant

    Has anyone resolved this yet on their boxes, without splitting vpn? My Xserve, after working without issue for months, has suddenly come down with this issue. I think that a restart took care of it for the moment, but I am not sure how long that will last.

    #370262
    JonThompson
    Participant

    Just got a bit closer to solving this one. Killing coreservicesd caused the system to immediately resolve itself. Now, what is going on there?

    OK, that wasn’t it. By the way, how many of you have their HDs Software RAIDed?

    I think I got it. If I turn off the firewall, the problem goes away. Allowing access to the password server ports through the public IP then appears to eliminate the problem. Question now is what can of worms am I opening up by allowing public access to the password service ports and/or how am I and other misconfigured so that we need this port open?

    #371662
    JonThompson
    Participant

    OK, I think I have put this one to bed, thanks to a non-working Leopard Server VPN.

    My guess is that everyone in this list used vpnaddkeyagentuser multiple times. (blush)

    Here is what I did to fix it…

    1) Delete _all_ the VPN users from your directory… There are most likely several with the UID 57, so keep deleting until they all disappear.
    2) Delete _all_ of the com.apple.ras keychain items from the system keychain.
    3) Run vpnaddkeyagentuser _once_

    What I think is happening now is that if you have multiple keychain items, VPN gets confused and hangs up the authentication system for a period of time. Eventually, all of the keys are tried (and timed out), and the proper one is found. However, the authentication system doesn’t like this and locks out all other authentication for a period of time.

    In Leopard, this problem goes away because VPN will pseudo fail to work at all with multiple keychain items.
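
Added example, not from the original post or from Apple's tools: a sh/awk audit of the two conditions the three-step fix above removes, to run before invoking vpnaddkeyagentuser once. Both helpers read command output on stdin so they can be exercised offline with constructed samples; on the server you would pipe in `dscl /LDAPv3/127.0.0.1 -list /Users UniqueID` and `security dump-keychain /Library/Keychains/System.keychain`. The directory node path, the account names, and the dump-keychain attribute layout in the sample are assumptions; the UID 57 comes from the post.

```shell
#!/bin/sh
# Added example: count VPN key-agent accounts sharing UID 57 and
# com.apple.ras items in the system keychain, and say whether cleanup
# is still needed. Reads command output on stdin so it runs offline.

# Names of every account that carries the key-agent UID (57 per the post).
accounts_with_uid() {
    awk -v uid="${1:-57}" '$2 == uid { print $1 }'
}

# Number of keychain items whose service attribute is com.apple.ras
# (assumed "svce"<blob>="..." layout of `security dump-keychain`).
ras_item_count() {
    awk '/"svce"<blob>="com.apple.ras"/ { n++ } END { print n + 0 }'
}

# Verdict: "ok" only when exactly one account and one item exist.
vpn_agent_verdict() {
    accounts="$1"; items="$2"
    if [ "$accounts" -eq 1 ] && [ "$items" -eq 1 ]; then
        echo ok
    else
        echo cleanup-needed
    fi
}

# Constructed samples: account names and keychain excerpt are made up.
SAMPLE_DSCL='root            0
vpn_3f9a1c2e    57
vpn_7b0d44aa    57
giblad          1025'

SAMPLE_KEYCHAIN='keychain: "/Library/Keychains/System.keychain"
class: "genp"
attributes:
    "acct"<blob>="vpn_3f9a1c2e"
    "svce"<blob>="com.apple.ras"
keychain: "/Library/Keychains/System.keychain"
class: "genp"
attributes:
    "acct"<blob>="vpn_7b0d44aa"
    "svce"<blob>="com.apple.ras"'

# Run the audit over the samples; last line is the verdict.
audit_demo() {
    n_acc=$(printf '%s\n' "$SAMPLE_DSCL" | accounts_with_uid 57 | wc -l | tr -d ' ')
    n_ras=$(printf '%s\n' "$SAMPLE_KEYCHAIN" | ras_item_count)
    echo "uid57_accounts=$n_acc com.apple.ras_items=$n_ras"
    vpn_agent_verdict "$n_acc" "$n_ras"
}

audit_demo
```

The script only reports. The removal itself is the post's steps 1 and 2: `dscl /LDAPv3/127.0.0.1 -delete /Users/<name>` for each account it lists, and `security delete-generic-password -s com.apple.ras /Library/Keychains/System.keychain` repeated until the count reaches zero, then vpnaddkeyagentuser exactly once and a re-run of the audit, which should then print `ok`.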
