inverse-inc / packetfence

PacketFence is a fully supported, trusted, Free and Open Source network access control (NAC) solution. Boasting an impressive feature set including a captive portal for registration and remediation, centralized wired and wireless management, powerful BYOD management options, 802.1X support, and layer-2 isolation of problematic devices, PacketFence can be used to effectively secure small to very large heterogeneous networks.
https://packetfence.org
GNU General Public License v2.0

Client.Timeout exceeded while awaiting headers - ntlm/test #8395

Open vanderti opened 5 days ago

vanderti commented 5 days ago

When visiting the Active Directory Domains page, I receive the following error:

[image]

This only happens for two domains on a remote network via VPN. One or both of the two domains randomly shows this error and the "Domain Joined" status is red while in reality it is joined.

The internal domain doesn't show this error.

Maybe a timeout is set too strictly?

Steps to reproduce the behavior:

  1. Go to Active Directory Domains page
  2. See error

PacketFence ZEN Version 14.0

stgmsa commented 4 days ago

Hello @vanderti

Could you please provide some details, including:

  1. PF version (14.0) with commit ID. This can be found by clicking the "?" at the top right of the admin UI.
  2. Does PacketFence have to establish a VPN connection to talk with the AD? If yes, the problem is probably due to the VPN; currently PacketFence talks directly to the domain controller unless a VPN connection "redirects" or "proxies" the traffic transparently.
  3. If the answer to question 2 is no: does it take a longer time (RTT) to talk with the AD? Currently the timeout is set to 2s.
  4. What are the ADs (the working ones and the non-working ones)? Do they have multiple DCs to load balance the authentication requests?
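The error in the issue title is the wording Go's `net/http` client produces when its `Timeout` fires before the server has sent response headers, which is why a 2s client timeout against a slow or distant DC surfaces exactly this message. The following is an added diagnostic example, not PacketFence code: it probes a constructed stand-in server (an `httptest` server that deliberately delays its reply; the real `ntlm/test` endpoint and PacketFence's own client configuration are not reproduced here) with a fixed client timeout, measures the elapsed time, and classifies the result as a timeout or a success, so an operator can compare observed latency against the configured timeout before blaming the VPN path.

```go
package main

import (
	"errors"
	"fmt"
	"net"
	"net/http"
	"net/http/httptest"
	"time"
)

// ProbeResult summarises one HTTP probe against a DC-facing endpoint.
type ProbeResult struct {
	Elapsed  time.Duration // wall-clock time the request took
	TimedOut bool          // true when the client's Timeout fired
	StatusOK bool          // true when the server answered 200
	Err      error         // the raw client error, if any
}

// Probe issues a GET with a fixed http.Client timeout (2s is the value quoted in
// the thread) and reports whether the call timed out. A timeout is recognised via
// the net.Error interface, which url.Error implements; its message carries the
// "Client.Timeout exceeded while awaiting headers" text seen in the issue.
func Probe(url string, timeout time.Duration) ProbeResult {
	client := &http.Client{Timeout: timeout}
	start := time.Now()
	resp, err := client.Get(url)
	res := ProbeResult{Elapsed: time.Since(start), Err: err}
	if err != nil {
		var ne net.Error
		if errors.As(err, &ne) && ne.Timeout() {
			res.TimedOut = true
		}
		return res
	}
	defer resp.Body.Close()
	res.StatusOK = resp.StatusCode == http.StatusOK
	return res
}

// NewSlowServer is a constructed stand-in for a remote DC-side service whose
// reply arrives only after `delay` (assumption: simulates a high-RTT path).
func NewSlowServer(delay time.Duration) *httptest.Server {
	return httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		time.Sleep(delay)
		w.WriteHeader(http.StatusOK)
	}))
}

func main() {
	srv := NewSlowServer(3 * time.Second) // constructed: the "DC" answers after 3s
	defer srv.Close()
	for _, timeout := range []time.Duration{2 * time.Second, 5 * time.Second} {
		r := Probe(srv.URL, timeout)
		fmt.Printf("timeout=%v elapsed=%v timedOut=%v ok=%v err=%v\n",
			timeout, r.Elapsed.Round(time.Millisecond), r.TimedOut, r.StatusOK, r.Err)
	}
}
```

Run as-is, the 2s probe fails with the issue's exact error text while the 5s probe succeeds against the same server; pointing `Probe` at a real endpoint with the production timeout (and comparing `Elapsed` across several runs) shows whether the failures correlate with response time, which is the question the thread is asking.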

stgmsa commented 4 days ago

Hi @vanderti, since the ZEN ISO is built during the release, the content of the ISO is solid after release. You'll need to update (not upgrade to a newer version) PacketFence to have the latest maintenance patches and bug fixes (which will probably fix the issue you mentioned) unless there are some special networking conditions.

vanderti commented 4 days ago

Hi @stgmsa

Here's the version and commit ID:

Packetfence Version 14.0.0 GIT Commit ID c6b1fdb33c37914e0512ea0b470f0b4ff43f9728

PacketFence itself doesn't establish the connection, this is an always-on connection via a Palo Alto firewall.

The RTT to the remote ADs is around 9 ms according to a ping from the PacketFence server. The RTT to the local AD is around 0.8 ms.

Yes, there are multiple remote ADs serving the domain. Would setting a sticky DC be the solution?

To my knowledge I'm on the latest PacketFence commit as I've updated the installation yesterday morning.