[Freeipa-users] Freeipa 4.2.0 hangs intermittently

Petr Spacek pspacek at redhat.com
Mon Aug 22 08:57:19 UTC 2016


On 19.8.2016 19:32, Rakesh Rajasekharan wrote:
> I am running my set up on AWS cloud, and entropy is low at around 180.
> 
> I plan to increase it by installing haveged. But, would low entropy by any
> chance cause this issue of intermittent hang?
> Also, the hang is mostly observed when registering around 20 clients
> together

Possibly, I'm not sure. If you want to dig into this, I would do this:
1. look what process hangs on client (using pstree command or so)
$ pstree

2. look to what server and port is the hanging client connected to
$ lsof -p <PID of the hanging process>

3. jump to server and see what process is bound to the target port
$ netstat -pn

4. see where the process is hanging
$ strace -p <PID of the hanging process>

I hope it helps.

Petr^2 Spacek

> On Fri, Aug 19, 2016 at 7:24 PM, Rakesh Rajasekharan <
> rakesh.rajasekharan at gmail.com> wrote:
> 
>> yes there seems to be something that's worrying.. I have faced this today
>> as well.
>> There are few hosts around 280 odd left and when I try adding them to IPA,
>> the slowness begins..
>>
>> all the ipa commands like ipa user-find.. etc become very slow in
>> responding.
>>
>> the SYNC_RECV are not many though just around 80-90 and today that was
>> around 20 only
>>
>>
>> I have for now increased tcp_max_syn_backlog to 5000.
>> For now the slowness seems to have gone.. but I will do a try adding the
>> clients again tomorrow and see how it goes
>>
>> Thanks
>> Rakesh
>>
>> The issues
>>
>> On Fri, Aug 19, 2016 at 12:58 PM, Petr Spacek <pspacek at redhat.com> wrote:
>>
>>> On 18.8.2016 17:23, Rakesh Rajasekharan wrote:
>>>> Hi
>>>>
>>>> I am migrating to freeipa from openldap and have around 4000 clients
>>>>
>>>> I had opened another thread on that, but chose to start a new one here
>>>> as it's a separate issue
>>>>
>>>> I was able to change the nsslapd-maxdescriptors adding an ldif file
>>>>
>>>> cat nsslapd-modify.ldif
>>>> dn: cn=config
>>>> changetype: modify
>>>> replace: nsslapd-maxdescriptors
>>>> nsslapd-maxdescriptors: 17000
>>>>
>>>> and running the ldapmodify command
>>>>
>>>> I have now started moving clients running an openldap to Freeipa and have
>>>> today moved close to 2000 clients
>>>>
>>>> However, I have noticed that IPA hangs intermittently.
>>>>
>>>> running a kinit admin returns the below error
>>>> kinit: Generic error (see e-text) while getting initial credentials
>>>>
>>>> from the /var/log/messages, I see this entry
>>>>
>>>>  prod-ipa-master-int kernel: [104090.315801] TCP: request_sock_TCP:
>>>> Possible SYN flooding on port 88. Sending cookies.  Check SNMP counters.
>>>
>>> I would be worried about this message. Maybe kernel/firewall is doing
>>> something fishy behind your back and blocking some connections or so.
>>>
>>> Petr^2 Spacek
>>>
>>>
>>>> Aug 18 13:00:01 prod-ipa-master-int systemd[1]: Started Session 4885 of
>>>> user root.
>>>> Aug 18 13:00:01 prod-ipa-master-int systemd[1]: Starting Session 4885 of
>>>> user root.
>>>> Aug 18 13:01:01 prod-ipa-master-int systemd[1]: Started Session 4886 of
>>>> user root.
>>>> Aug 18 13:01:01 prod-ipa-master-int systemd[1]: Starting Session 4886 of
>>>> user root.
>>>> Aug 18 13:02:40 prod-ipa-master-int python[28984]: ansible-command Invoked
>>>> with creates=None executable=None shell=True args= removes=None warn=True
>>>> chdir=None
>>>> Aug 18 13:04:37 prod-ipa-master-int sssd_be: GSSAPI Error: Unspecified GSS
>>>> failure.  Minor code may provide more information (KDC returned error
>>>> string: PROCESS_TGS)
>>>>
>>>> Could it be possible that it's due to the initial load of adding the clients
>>>> or is there something else that I need to take care of.
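
Added example, not part of any poster's message: the kernel line quoted above says to check SNMP counters, and the thread counts SYN_RECV sockets by hand, so this script reads both from Linux /proc (SYN_RECV sockets per local port, plus the TcpExt syncookie and listen-queue counters). The function names and the sample data are constructed for illustration; run it with the argument "live" on the server to read the real files.

```shell
# Added example: half-open sockets per port and SYN-queue counters on Linux.
# Count sockets in SYN_RECV (state 03) per local port; $1 = /proc/net/tcp-format file.
syn_recv_by_port() {
    awk '
    function hex2dec(h,   i, n) {
        n = 0; h = toupper(h)
        for (i = 1; i <= length(h); i++)
            n = n * 16 + index("0123456789ABCDEF", substr(h, i, 1)) - 1
        return n
    }
    NR > 1 && $4 == "03" {
        split($2, la, ":")               # local_address is HEXIP:HEXPORT
        count[hex2dec(la[2])]++
    }
    END { for (p in count) print p, count[p] }' "$1" | sort -n
}
# Print one TcpExt counter; $1 = /proc/net/netstat-format file, $2 = counter name.
tcpext_counter() {
    awk -v name="$2" '
    $1 == "TcpExt:" && !hdr { for (i = 2; i <= NF; i++) col[$i] = i; hdr = 1; next }
    $1 == "TcpExt:" { if (name in col) print $(col[name]); exit }' "$1"
}
report() {   # $1 = tcp table, $2 = netstat counters
    echo "SYN_RECV sockets per local port (port count):"
    syn_recv_by_port "$1"
    for c in SyncookiesSent ListenOverflows ListenDrops; do
        echo "$c: $(tcpext_counter "$2" "$c")"
    done
}
# Constructed sample data (abbreviated, not from the server in this thread).
make_samples() {   # $1 = directory to write into
    cat > "$1/tcp" <<'EOF'
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 0A000005:0058 0A000065:C350 03 00000000:00000000 01:00000032 00000000     0        0 0
   1: 0A000005:0058 0A000066:C351 03 00000000:00000000 01:00000032 00000000     0        0 0
   2: 0A000005:0185 0A000067:C352 03 00000000:00000000 01:00000032 00000000     0        0 0
   3: 0A000005:0058 0A000068:C353 01 00000000:00000000 00:00000000 00000000     0        0 0
EOF
    cat > "$1/netstat" <<'EOF'
TcpExt: SyncookiesSent SyncookiesRecv SyncookiesFailed ListenOverflows ListenDrops
TcpExt: 412 380 7 95 507
EOF
}
if [ "${1:-}" = "live" ]; then    # read the running kernel's tables
    report /proc/net/tcp /proc/net/netstat
    echo "entropy_avail: $(cat /proc/sys/kernel/random/entropy_avail)"
else                              # default: run on the constructed samples
    d=$(mktemp -d); make_samples "$d"; report "$d/tcp" "$d/netstat"; rm -rf "$d"
fi
```

Sampling the counters twice, a minute apart while clients are enrolling, shows whether they are still rising or only reflect an earlier burst.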



