pfSense

When a firewall has many local accounts, the time it takes for local_sync_accounts() to finish grows large enough to trigger timeouts and other problems for XMLRPC.

Notably, in an HA cluster this becomes a burden because that function is called for each filter sync.

On stand-alone firewalls the function is only called during bootup, so it does not have quite the same impact in that scenario, though it still delays the boot process.

To illustrate the issue I made a playback script that calls local_sync_accounts() and nothing else:

: grep -c '<user>' /conf/config.xml 
44
: time pfSsh.php playback localsyncusers
1.379u 5.649s 1:17.53 9.0%    633+216k 0+16190io 0pf+0w

For 44 accounts this particular test firewall needed 1 min 17 seconds to complete the sync process. This could easily overrun PHP/XMLRPC timeouts depending on the speed of the firewall cpu/disks/etc.

We have at least one customer hitting the issue ( 16693 ), plus at least one user report ( https://forum.pfsense.org/index.php?topic=127546.0 )