Pritunl Link: Failed to login to Unifi

ahsupport · August 18, 2023, 4:27pm

Right now we’re trying to setup pritunl_link for a failover server and we’re getting this error in the journal

Aug 18 12:02:02 pritunl2 pritunl-link[3019130]: [2023-08-18 12:02:02][ERRO] ▶ state: Failed to deploy state
Aug 18 12:02:02 pritunl2 pritunl-link[3019130]: advertise: Failed to login to Unifi
Aug 18 12:02:02 pritunl2 pritunl-link[3019130]: ORIGINAL STACK TRACE:
Aug 18 12:02:02 pritunl2 pritunl-link[3019130]: github.com/pritunl/pritunl-link/advertise.unifiGetClient
Aug 18 12:02:02 pritunl2 pritunl-link[3019130]:         /home/admin/go/pkg/mod/github.com/pritunl/pritunl-link@v0.0.0-20230224225645-20a97ecd8f11/advertise/unifi.go:236 +0xd12971
Aug 18 12:02:02 pritunl2 pritunl-link[3019130]: github.com/pritunl/pritunl-link/advertise.UnifiAddPorts
Aug 18 12:02:02 pritunl2 pritunl-link[3019130]:         /home/admin/go/pkg/mod/github.com/pritunl/pritunl-link@v0.0.0-20230224225645-20a97ecd8f11/advertise/unifi.go:896 +0xd18872
Aug 18 12:02:02 pritunl2 pritunl-link[3019130]: github.com/pritunl/pritunl-link/advertise.Ports
Aug 18 12:02:02 pritunl2 pritunl-link[3019130]:         /home/admin/go/pkg/mod/github.com/pritunl/pritunl-link@v0.0.0-20230224225645-20a97ecd8f11/advertise/advertise.go:232 +0xcff416
Aug 18 12:02:02 pritunl2 pritunl-link[3019130]: github.com/pritunl/pritunl-link/ipsec.deploy
Aug 18 12:02:02 pritunl2 pritunl-link[3019130]:         /home/admin/go/pkg/mod/github.com/pritunl/pritunl-link@v0.0.0-20230224225645-20a97ecd8f11/ipsec/ipsec.go:516 +0xd1d88a
Aug 18 12:02:02 pritunl2 pritunl-link[3019130]: github.com/pritunl/pritunl-link/ipsec.runDeploy
Aug 18 12:02:02 pritunl2 pritunl-link[3019130]:         /home/admin/go/pkg/mod/github.com/pritunl/pritunl-link@v0.0.0-20230224225645-20a97ecd8f11/ipsec/ipsec.go:674 +0xd1e704
Aug 18 12:02:02 pritunl2 pritunl-link[3019130]: runtime.goexit
Aug 18 12:02:02 pritunl2 pritunl-link[3019130]:         /usr/local/go/src/runtime/asm_amd64.s:1594 +0x46b6c0

I checked that the credentials were correct, it used to say API error so we updated the Firmware but now it’s just this

zach · August 19, 2023, 11:46pm

This was an issue with rate limiting on the API. A cache has been added to prevent rate limiting issues. This will be included in the next release.

ahsupport · August 23, 2023, 4:36pm

We updated to the new version but we’re still having issues

Aug 23 15:19:23 - systemd[1]: Started Pritunl Link Daemon.
Aug 23 15:19:23 -  pritunl-link[401572]: [2023-08-23 15:19:23][INFO] ▶ cmd.start: Starting link ◆ version="1.0.2828.23"
Aug 23 15:19:28 -  pritunl-link[401572]: [2023-08-23 15:19:28][INFO] ▶ state: Deploying state ◆ local_address="..." ◆ public_address="..." ◆ address6="" ◆ states_len=1 ◆ default_interface=>
Aug 23 15:19:28 - pritunl-link[401572]: [2023-08-23 15:19:28][INFO] ▶ advertise: Unifi api error ◆ status=401 ◆ response="{\"meta\":{\"rc\":\"error\",\"msg\":\"api.err.NoSiteContext\"},\"data\":[]}"
Aug 23 15:19:28 - pritunl-link[401572]: advertise: Unifi api error
Aug 23 15:19:28 - pritunl-link[401572]: ORIGINAL STACK TRACE:
Aug 23 15:19:28 - pritunl-link[401572]: github.com/pritunl/pritunl-link/advertise.unifiGetPorts
Aug 23 15:19:28 - pritunl-link[401572]:         /go/src/github.com/pritunl/pritunl-link/advertise/unifi.go:730 +0xd1c31f
Aug 23 15:19:28 - pritunl-link[401572]: github.com/pritunl/pritunl-link/advertise.UnifiAddPorts
Aug 23 15:19:28 - pritunl-link[401572]:         /go/src/github.com/pritunl/pritunl-link/advertise/unifi.go:963 +0xd1e80f
Aug 23 15:19:28 - pritunl-link[401572]: github.com/pritunl/pritunl-link/advertise.Ports
Aug 23 15:19:28 - pritunl-link[401572]:         /go/src/github.com/pritunl/pritunl-link/advertise/advertise.go:232 +0xd04f36
Aug 23 15:19:28 - pritunl-link[401572]: github.com/pritunl/pritunl-link/ipsec.deploy
Aug 23 15:19:28 - pritunl-link[401572]:         /go/src/github.com/pritunl/pritunl-link/ipsec/ipsec.go:516 +0xd23bea
Aug 23 15:19:28 - pritunl-link[401572]: github.com/pritunl/pritunl-link/ipsec.runDeploy
Aug 23 15:19:28 - pritunl-link[401572]:         /go/src/github.com/pritunl/pritunl-link/ipsec/ipsec.go:674 +0xd24a64
Aug 23 15:19:28 - pritunl-link[401572]: runtime.goexit
Aug 23 15:19:28 - pritunl-link[401572]:         /usr/local/go/src/runtime/asm_amd64.s:1598 +0x46d5c0
Aug 23 15:19:28 - pritunl-link[401572]: [2023-08-23 15:19:28][ERRO] ▶ state: Failed to deploy state

I can see that the pritunl API is occasionally logging in, but when I look at the journals it’s just repeating this error and occasionally changing to “AUTHENTICATION_FAILED_LIMIT_REACHED”

zach · August 23, 2023, 6:27pm

The update is currently only in the unstable repository. You will need to change stable to unstable in the repository file. A new Unifi account will need to be created for the API user or the service will need to be stopped until the API limit expires.

ahsupport · August 23, 2023, 9:01pm

We had already updated using the unstable repository, I did remake the pritunl account on unifi but also discovered something else while shutting them off to check for the Authentication limit reached error. When one is on by itself, it seems to start up the IPSEC threads and then sit idle not sending any more error messages, but as soon as the linked site has pritunl link activated, both journals start displaying the Authentication limit reached and No Site context errors again.

zach · August 25, 2023, 8:49pm

When I was testing the fix it seems the authentication limit stays active for a significant amount of time. You need to verify a new Unifi account is configured after installing the update to configure an account that isn’t already locked.

Only the pritunl-link client will utilize the Unifi API to make adjustments to the firewall and routing. The ipsec process will not utilize the API.