Bug #14386
closed
``openvpn.auth-user.php`` gets stuck at 100% CPU usage when RADIUS authentication times out
Added by Orion Poplawski 12 months ago. Updated about 1 month ago.
100%
Description
This seems to be new behavior on pfsense plus 23.01-RELEASE. I'm seeing openvpn.auth-user.php processes stuck consuming 100% cpu. They seem to be correlated to openvpn AUTH_FAILED events as well as:
May 14 16:09:32 openvpn[8028]: /openvpn.auth-user.php: Error during RADIUS authentication : Operation timed out
Process:
26834 - R 1124:57.09 /usr/local/sbin/fcgicli -f /etc/inc/openvpn.auth-user.php -d username=USERNAME&password=PASSWORD&cn=CN&strictcn=false&authcfg=AUTHCFGE=&dev=ovpns3&untrusted_port=55994&modeid=server3&nas_port=1196
truss shows the process continually running:
recvfrom(0,0x820ea2280,8,0,NULL,0x0) = 0 (0x0)
Updated by Kris Phillips 11 months ago
Hello,
Do you see this same behavior in 23.05?
Updated by aleksei prokofiev 10 months ago
Can not reproduce on 23.05.1
23.05.1-RELEASE (amd64)
built on Wed Jun 28 03:57:27 UTC 2023
FreeBSD 14.0-CURRENT
Updated by Orion Poplawski 10 months ago
I just checked my 23.05 box and I see 5 of these runaways. I guess we'll need to update to 23.05.1 to test that...
Updated by Marcos M 7 months ago
I'm not sure that the Operation timed out log is related because the existence of the log means that the authentication process completes and the script returns, hence fcgicli should exit. The truss output seems to indicate that fcgicli is waiting on openvpn.auth-user.php to finish which implies the issue is with the .php file. I did manage to reproduce this issue once (unfortunately I did not have any debugging output applied); as expected no output was returned from openvpn.attributes.php. I also noticed the following in the OpenVPN logs rather than in the system logs (reversed):
Oct 11 14:08:17 openvpn 81755 /rc.newwanip: Netgate pfSense Plus package system has detected an IP change or dynamic WAN reconnection - -> 172.25.1.1 - Restarting packages. Oct 11 14:08:17 openvpn 81755 /rc.newwanip: rc.newwanip called with empty interface. Oct 11 14:08:17 openvpn 81755 /rc.newwanip: rc.newwanip: on (IP address: 172.25.1.1) (interface: []) (real interface: ovpns1). Oct 11 14:08:17 openvpn 81755 /rc.newwanip: rc.newwanip: Info: starting on ovpns1.
Perhaps the script isn't ending due to some issue around openlog()? A quick way to test that would be to simply omit
openlog() and closelog() altogether.
To narrow down the issue further, it'd be useful to know if this can be reproduced after doing any or all of the following:
- Disabling
Duplicate Connectionin the OpenVPN server config, or - Renaming
/etc/inc/openvpn.attributes.phpto/etc/inc/openvpn.attributes.php.bak(used for Cisco-AVPair rules) - Apply the following patch to omit openlog()
ShowHide
diff --git a/src/etc/inc/openvpn.auth-user.php b/src/etc/inc/openvpn.auth-user.php index 436c4e1bf6..b587d96ca3 100644 --- a/src/etc/inc/openvpn.auth-user.php +++ b/src/etc/inc/openvpn.auth-user.php @@ -34,7 +34,7 @@ require_once("auth.inc"); require_once("interfaces.inc"); /* setup syslog logging */ -openlog("openvpn", LOG_ODELAY, LOG_AUTH); +//openlog("openvpn", LOG_ODELAY, LOG_AUTH); global $common_name, $username, $dev, $untrusted_port; @@ -61,10 +61,10 @@ if (!$username) { syslog(LOG_ERR, "invalid user authentication environment"); if (isset($_GET['username'])) { echo "FAILED"; - closelog(); + //closelog(); return; } else { - closelog(); + //closelog(); return (-1); } } @@ -78,10 +78,10 @@ if (($strictusercn === true) && (mb_strtolower($common_name) !== mb_strtolower($ syslog(LOG_WARNING, "Username does not match certificate common name (\"{$username}\" != \"{$common_name}\"), access denied."); if (isset($_GET['username'])) { echo "FAILED"; - closelog(); + //closelog(); return; } else { - closelog(); + //closelog(); return (1); } } @@ -90,10 +90,10 @@ if (!is_array($authmodes)) { syslog(LOG_WARNING, "No authentication server has been selected to authenticate against. Denying authentication for user {$username}"); if (isset($_GET['username'])) { echo "FAILED"; - closelog(); + //closelog(); return; } else { - closelog(); + //closelog(); return (1); } } @@ -120,10 +120,10 @@ if ($authenticated == false) { syslog(LOG_WARNING, "user '{$username}' could not authenticate."); if (isset($_GET['username'])) { echo "FAILED"; - closelog(); + //closelog(); return; } else { - closelog(); + //closelog(); return (-1); } } @@ -159,7 +159,7 @@ if (!empty($content)) { } syslog(LOG_NOTICE, "user '{$username}' authenticated"); -closelog(); +//closelog(); if (isset($_GET['username'])) { echo "OK";
Updated by Orion Poplawski 7 months ago
Duplicate Connection was already disabled (multiple connections from the same user are not allowed - check box not checked.
I moved /etc/inc/openvpn.attributes.php out of the way.
Just had a re-occurrence, so I will now apply the patch.
Updated by Danilo Zrenjanin 7 months ago
The patch fixed the issue on a firewall with the same symptoms. There were no side effects after applying the patch.
23.05.1-RELEASE (amd64) built on Wed Jun 28 03:57:27 UTC 2023 FreeBSD 14.0-CURRENT
Updated by Orion Poplawski 6 months ago
Just had another reproducer. However, this time it did not appear to the associated with the auth timeout message initially reported, but a different variant:
Oct 27 10:04:22 PLUGIN_CALL: POST /usr/local/lib/openvpn/plugins/openvpn-plugin-auth-script.so/PLUGIN_AUTH_USER_PASS_VERIFY status=2 Oct 27 10:04:22 TLS: Username/Password authentication deferred for username 'USER' ... Oct 27 10:05:18 PUSH: Received control message: 'PUSH_REQUEST' Oct 27 10:05:34 Delayed exit in 5 seconds Oct 27 10:05:34 SENT CONTROL [UNDEF]: 'AUTH_FAILED' (status=1) Oct 27 10:05:34 SENT CONTROL [akialoa.cora.nwra.com]: 'AUTH_FAILED' (status=1)
Although now that I check I see that the "Duplicate Connection" box is checked on this particular VPN configuration, so I need to disable that now. Sigh
Updated by Marcos M 6 months ago
Orion Poplawski wrote in #note-8:
Just had another reproducer. However, this time it did not appear to the associated with the auth timeout message initially reported, but a different variant:
[...]
Although now that I check I see that the "Duplicate Connection" box is checked on this particular VPN configuration, so I need to disable that now. Sigh
Is that with the patch applied?
Updated by Orion Poplawski 6 months ago
Marcos M wrote in #note-9:
Orion Poplawski wrote in #note-8:
Just had another reproducer. However, this time it did not appear to the associated with the auth timeout message initially reported, but a different variant:
[...]
Although now that I check I see that the "Duplicate Connection" box is checked on this particular VPN configuration, so I need to disable that now. SighIs that with the patch applied?
Yes - patch applied and /etc/inc/openvpn.attributes.php moved out of the way.
Updated by Marcos M 6 months ago
In that case, it seems more likely that the issue is with fcgicli. Given this issue seems to have appeared in 23.01, it may be due to reintroducing the use of fcgicli here:
https://github.com/pfsense/pfsense/commit/758ee42ae096fee8436efc89f2c9bcc4ae7ea23d
Please try the following patch to use php-cgi instead (updated): ShowHide
diff --git a/src/usr/local/sbin/ovpn_auth_verify b/src/usr/local/sbin/ovpn_auth_verify
index 2bc39d3c0f..ea43f72a5b 100755
--- a/src/usr/local/sbin/ovpn_auth_verify
+++ b/src/usr/local/sbin/ovpn_auth_verify
@@ -25,7 +25,7 @@ if [ "$1" = "tls" ]; then
do
eval serial="\$tls_serial_${check_depth}"
if [ -n "$serial" ]; then
- RESULT=$(/usr/local/sbin/fcgicli -f /etc/inc/openvpn.tls-verify.php -d "servercn=$2&depth=$3&certdepth=$4&certsubject=$5&serial=$serial&config=$config")
+ RESULT=$(/usr/local/bin/php-cgi -q -f /etc/inc/openvpn.tls-verify.php "servercn=$2&depth=$3&certdepth=$4&certsubject=$5&serial=$serial&config=$config")
if [ "${RESULT}" = "FAILED" ]; then
exit 1
fi
@@ -36,7 +36,7 @@ else
# Base64 and urlEncode usernames and passwords
password=$(echo -n "${password}" | openssl enc -base64 | sed -e 's_=_%3D_g;s_+_%2B_g;s_/_%2F_g')
username=$(echo -n "${username}" | openssl enc -base64 | sed -e 's_=_%3D_g;s_+_%2B_g;s_/_%2F_g')
- RESULT=$(/usr/local/sbin/fcgicli -f /etc/inc/openvpn.auth-user.php -d "username=$username&password=$password&cn=$common_name&strictcn=$3&authcfg=$2&modeid=$4&nas_port=$5")
+ RESULT=$(/usr/local/bin/php-cgi -q -f /etc/inc/openvpn.auth-user.php "username=$username&password=$password&cn=$common_name&strictcn=$3&authcfg=$2&modeid=$4&nas_port=$5")
fi
if [ "${RESULT}" = "OK" ]; then
diff --git a/src/usr/local/sbin/ovpn_auth_verify_async b/src/usr/local/sbin/ovpn_auth_verify_async
index fec42c36ba..78190296f2 100755
--- a/src/usr/local/sbin/ovpn_auth_verify_async
+++ b/src/usr/local/sbin/ovpn_auth_verify_async
@@ -35,7 +35,7 @@
# nas_port - $5
# ---------- Command Definitions
-fcgicli="/usr/local/sbin/fcgicli"
+phpcgi="/usr/local/bin/php-cgi"
openssl="/usr/bin/openssl"
sed="/usr/bin/sed"
auth_user_php="/etc/inc/openvpn.auth-user.php"
@@ -66,7 +66,7 @@ auth_server_1="cn=${common_name}&strictcn=${strictcn}&authcfg=${authcfg}&dev=${d
auth_server_2="modeid=${modeid}&nas_port=${nas_port}"
auth_args="${auth_credentials}&${auth_server_1}&${auth_server_2}"
-result=$("${fcgicli}" -f "${auth_user_php}" -d "${auth_args}")
+result=$("${phpcgi}" -f "${auth_user_php}" "${auth_args}")
# ---------- Write the Result
Updated by Orion Poplawski 6 months ago
The patched version of ovpn_auth_verify seems to work okay, but if I patch ovpn_auth_verify_async I get auth failures:
SENT CONTROL [UNDEF]: 'AUTH_FAILED' (status=1)
not much else in the log to know why.
Updated by Orion Poplawski 4 months ago
FWIW - still present in 2.7.2 and 23.09.1.
Updated by Orion Poplawski 3 months ago
As I noted, patching ovpn_auth_verify_async gave me auth failures. I could try it again an see if that is still the case. Or just patch ovpn_auth_verify, but I wasn't sure if patching just that was sufficient.
Updated by Orion Poplawski 3 months ago
Okay, I have that applied and working now. And I don't seem to see a runaway with a simple auth failure. We'll see if anything else triggers it. Thanks.
Updated by Reid Linnemann 3 months ago
- Assignee set to Reid Linnemann
- Target version set to 24.03
Since fcgicli is continually calling recv() for 8 bytes, I think it's stuck in its read_packet loop. The socket's been closed by php-fpm but no fastcgi message has been received indicating the request is complete. Probably the socket is closed because php-fpm hits a terminal condition when accepting the connection, like running out of FDs, and just immediately closes the socket without sending any fastcgi messages back. fcgicli then loops on recv() because the return value is >= 0, interpreted as a short read. I'll correct this in devel and add some more foot-shooting protection. Do you have the ability to test this against a devel snapshot?
Updated by Orion Poplawski 3 months ago
I don't have a test instance at the moment, but I've thought about spinning one up for quite a while. I'll see what I can do. Thanks for taking a look at this - it sounds promising.
Updated by Reid Linnemann 3 months ago
What version(s) are you currently running and encountering this? Perhaps a test build of fcgicli would be appropriate.
Updated by Reid Linnemann 3 months ago
- Status changed from New to Feedback
Should be fixed in https://github.com/pfsense/FreeBSD-ports/commit/c0a12f594ba2a873ffd5ec8974c5582e6283fbdf. The 0 byte read handling is definitely the culprit.
Updated by Jim Pingle 3 months ago
- Project changed from pfSense Plus to pfSense
- Subject changed from openvpn.auth-user.php gets stuck at 100% cpu usage after RADIUS auth timed out to ``openvpn.auth-user.php`` gets stuck at 100% CPU usage when RADIUS authentication times out
- Category changed from OpenVPN to OpenVPN
- Target version changed from 24.03 to 2.8.0
- % Done changed from 0 to 100
- Affected Plus Version deleted (
23.01) - Plus Target Version set to 24.03
Updated by Jim Pingle about 1 month ago
- Status changed from Feedback to Resolved
No reports of failures since this went in. Can always reopen it if someone can reproduce the problem on current builds.