Multi server stopped working

klasje

Hello,

I set up multi server last week between 2 DirectAdmin instances.
This worked fine that same day.

Now when I try to test the DirectAdmin multi servers, I get the following errors in both directions on the server:

server.domain.com : : Timeout while trying to connect to 94.120.0.73
Unable to connect to secure socket
Some I/O error occurred. The OpenSSL error queue may contain more information on the error. If the error queue is empty (i.e. ERR_get_error() returns 0), ret can be used to find out more about the error: If ret == 0, an EOF was observed that violates the protocol. If ret == -1, the underlying BIO reported an I/O error (for socket I/O on Unix systems, consult errno for details).
openssl error queue:
empty error queue. ret=-1
errno: Bad file descriptor


I didn't change any firewall config since last week.
I tried deleting the link and setting it up again, but I keep on getting the same error.

I can connect to both servers properly using the domain name, using ssl on port 2222.
 
Only thing I can think of here is it's being blocked by firewall or 2FA / MFA. I had something similar a little while back, and the problem was the fact I had enabled 2FA / MFA on the admin account I created solely for multiserver. I don't use IPv4 anymore and now do multiserver with IPv6 addresses. A couple of things to consider checking:

Try with an IPv6 address (if available)

Make sure the SSL box is ticked, and the TLS certificate is valid on destination server or it could fail.

Does NOT work if you are using an account with 2FA / MFA enabled. I use a separate admin account from the one I admin server with on each server.

Also, maybe try adding a firewall exception in csf?

Bash:
# nano /etc/csf/csf.allow

tcp|in|d=2222|s=<IP> # use this for each source IP on the destination server
tcp|out|d=2222|d=<IP> # use this for each destination IP on the source server

# csf -r
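
An added example, not part of the original post and not csf's own code: a small Python check that reads csf.allow text and reports whether a multi-server peer is permitted on port 2222 in a given direction, using the rule forms shown above. The sample file and its addresses are constructed, and the handling of comma lists and `lo_hi` port ranges is an assumption about csf's advanced syntax.

```python
import ipaddress

DA_PORT = 2222  # DirectAdmin port used in the thread
# Constructed sample csf.allow (documentation addresses only).
SAMPLE = """\
203.0.113.5 # plain entry: every port, both directions
tcp|in|d=2222|s=192.0.2.10 # peer may reach DirectAdmin on this server
tcp|out|d=2222|d=192.0.2.10 # this server may reach DirectAdmin on the peer
tcp|in|d=2222|s=2001:db8::10
tcp|in|d=22,80_443|s=198.51.100.7
"""

def parse_rule(line):
    """Return a rule dict, or None for blank, comment, Include and unsupported lines."""
    line = line.split("#", 1)[0].strip()
    rule = {"proto": "tcp", "dir": "in", "ports": None, "port_side": None, "ip_side": None}
    try:
        if "|" not in line:  # plain IP/CIDR; anything else raises ValueError below
            return dict(rule, dir="both", net=ipaddress.ip_network(line, strict=False))
        for field in line.split("|"):
            key, _, val = field.partition("=")
            if field in ("tcp", "udp"):
                rule["proto"] = field
            elif field in ("in", "out"):
                rule["dir"] = field
            elif key in ("s", "d") and val.replace("_", "").replace(",", "").isdigit():
                rule["ports"], rule["port_side"] = val, key
            elif key in ("s", "d"):
                rule["net"], rule["ip_side"] = ipaddress.ip_network(val, strict=False), key
            else:
                return None  # e.g. u=/g= restrictions: not modelled here
    except ValueError:
        return None
    return rule if "net" in rule else None

def port_matches(spec, port):
    # spec: single port, lo_hi range, or a comma list of those (assumed syntax)
    return any(int(lo) <= port <= int(hi or lo)
               for lo, _, hi in (p.partition("_") for p in spec.split(",")))

def allows(csf_allow_text, peer_ip, direction, port=DA_PORT):
    """True if a rule permits TCP to destination `port`; direction is "in" or "out"."""
    peer, ip_side = ipaddress.ip_address(peer_ip), ("s" if direction == "in" else "d")
    for r in filter(None, map(parse_rule, csf_allow_text.splitlines())):
        if peer in r["net"] and (r["dir"] == "both" or (
                r["proto"] == "tcp" and r["dir"] == direction and r["ip_side"] == ip_side
                and (r["ports"] is None
                     or (r["port_side"] == "d" and port_matches(r["ports"], port))))):
            return True
    return False
```

Run it with `direction="in"` against the destination server's file and `direction="out"` against the source server's file; a `False` in either direction means the link relies on the general port rules rather than an explicit allow entry.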
 
For future issues, someone reading here might put it in the ignore list.
Please ensure you put it in the "allow IP", because ignore IP only works with bruteforce protection (scan logs and blocked).

For example, some filters like CT_LIMIT, SYN_FLOOD, PORTFLOOD still trigger the block even in the ignore list.
 
I always use this setting in the csf.conf file:
IGNORE_ALLOW = "1"

Then only very trusted IPs I put in the csf.allow so they can bypass firewall and bruteforce.
And trusted (but a bit less trusted) ones, like from monitoring tools, I put only in the csf.ignore file.

But to everybody his/her own choice, of course.

enabled 2FA / MFA on the admin account I created solely for multiserver.
Maybe not known to some, but for Multi-server setup one can use *any* username (even non-existing) and *any* password one would like.
This could be an addition to security. This way you can also keep your 2FA for admin, as the admin account is not used for the multi-server.
 
Or (what I do) to allow both 2FA/MFA and password only for multi server, create a Login key and bind it to the server IPs of the server that will use the login key.
This also allows you to block everything except the API calls multi server needs to make. (And thus by extension gives the other server a different password for the same admin user with API restrictions.)

EDIT:
It only needs:
  1. CMD_API_LOGIN_TEST
  2. CMD_API_DNS_ADMIN
  3. CMD_API_USER_EXISTS
Everything else can be blocked.
 