[SOLVED] Why does Apply Config take forever with no internet access?

Why does Apply Config take forever when the internet is down?

TM1000 previously advised me that, on the very first Apply Config, the system verifies the modules using the Web of Trust. Obviously, if I have no internet, then the very first Apply Config will take forever (or until the system times out waiting for a response).

But, I’m finding that with FreePBX 12, EVERY Apply Config takes forever when the internet is down, even if the first Apply Config had already succeeded while internet was working (and thus the modules were presumably already verified).

This is a big issue for me because I often do configuration work on VMs when my laptop is offline, with the expectation that I’ll move them back into production sometime later. With these long delays, it’s now almost impossible for me to get this work done without internet access.

Is there any setting that I can change to reduce the time it takes to do an Apply Config when I have no internet access? I already DISABLED the advanced settings options to verify module signatures, but with no effect.

As I tried to previously explain in the previous ticket. This is due to GPG Key Checking, through refreshing keys. Which means checking to make sure all of the keys that are stored locally are still valid, if we don’t do this no one would ever know that a key was compromised, if that happened. This thread seems rhetorical as you ask a question but then answer it. I think the real purpose of this thread is then “How do we make apply config go faster without internet on FreePBX 12”

In regards to “DISABLED” verifying modules. All that does is hide the notices and it will be re-enabled when you go check online or upload a module. Why? because if we made it that easy for someone to turn it off then a hacker could do the same thing and the whole process is negated.

Bottom line. The solution is not disabling signature checking, the solution is making it go quicker when there is no internet involved.

Hi Andrew,

Thanks for taking the time to respond.

I did not update the modules. I just installed the Distro, did an apply config with internet working, and then moved the machine to a location without internet. Every Apply Config takes forever. When I moved the machine back to an internet connection, Apply Config took 5 seconds or less…

It looks like you edited your response after I read the version that I received in the email, so my initial message, above, was related to your initial response.

Are the signatures verified every time we do an apply config? I was under the impression that it was only on the very first apply config.

If so, yes, the question is: How can I make the Apply Config go faster when I don’t have internet? Any ideas?

Perhaps the better approach is to have the timeout shorter, or allow us to modify the timeout in the Advanced Settings module?

Yes but that is not the slow part. The slow part is when the keys are re-verified during retrieve_conf. Let me discuss with @xrobau on how to make this any faster.

Perhaps you could verify internet access somehow before verifying the keys and if there is none, then skip the key verification. Alternatively, have a pop-up: No internet detected! Skip key verification (faster but less secure)?

Verifying internet would still take time. It would be completely timeout based. Therefore not giving you much speed improvement?

It seems to me that you could verify internet in a few seconds - certainly no more than five, and then skip the more lengthy key verification process (which seems to take many minutes).

Perhaps after the first key verification failed, you could have a pop-up that says:

“Unable to reach key verification server! Should I keep trying to verify the keys, or skip verification and complete the apply changes?”

Note my revision above.

Apply Changes is not written to be interactive so that won’t work. There will be no prompt. If we timeout then we timeout and continue along with life.

Well, IMHO you should find a solution. 2.5 minutes to apply changes on a brand new install with no extensions and no trunks is way too long.

Is there a way that I can manually modify the code to shorten the timeout??

Good afternoon FreePBX community, might there be any updates to this issue? I just upgraded to FreePBX 12.0.43, and I suffer for about 5 minutes every time I make the smallest change. Thanks!

I’m also seeing this issue in the FreePBX Distro version 6.12.65-24 even though it IS connecting to the Internet. For some reason, clicking “Apply Config” takes much longer than it has ever taken on any other FreePBX system I have ever used. Even an older model Raspberry Pi using RasPBX is much faster performing this task. And it seems to be getting worse as time goes on; last might it took over five minutes, and this is on a very fast Internet connection. On the Raspberry Pi this might take 45 seconds on the outside.

Just for clarification, I am running FreePBX Distro 6.12.65-25 and Asterisk 11.16.0. Sorry for the misleading statement above, that is what the GUI shows on login.

Being in the Heathcare industry we have 50+ systems out there, 500+ Clinics and Hospitals, many clinics are within one facility or on a campus. We have over 36,000 employees. We have elected to not put our systems on the Internet to protect our patent’s information. To protect our networks and systems. The liability in doing this is to great in a very highly regulated and mandated industry. We respect the privacy of others. We also do all we can to keep healthcare cost down. Thus we use Asterisk, it’s simply amazing.

This 2.5 minute wait time after the first “APPLY” being pressed, then about 30 seconds on every “APPLY” thereafter is killing us in labor time to be as efficient as we can. Can anyone tell us, or has figured out a way, or point us in the right direction to get this back to a few seconds? We have got to be able to remove this internet check, or fake out the system someway, that it thinks it has Internet. Thus it will speed up this “APPLY” process to a second or two.

Thank you in advance for any help and time you can share in resolving this issue.

/corkuck

Are you sure you can’t let your FreePBX server ‘just’ check for updates ? (like, put it behind a dedicated SOHO gateway, enterprise grade firewall, maybe NAT and whatnot, put a dedicated network card in, and configure it to NOT have Asterisk listen to the ‘internet’ interface / have fail2ban or other form of dedicated blocker if you’re that paranoid / for SIP/whatever transport you’re using - which should be then pretty quiet anyway - have it alert you of any unsolicited inward traffic - and then actually DO use the FreePBX as intended with (almost) perfect OTA package updates

(bottom line: select good established SOHO gateway vendor with good security guarantees & updates, it may be simply worth the money for the size of system(s) you described)

(also, if you’re this paranoid, you will have an option to simply… pull the plug off the gateway if you’re not 100% sure about it)

The “timeout” from GPG is set to 5 seconds (down from 15 after this discussion). It checks 3 servers. Thus the total timeout from GPG is around 15 seconds. To give some flexibility there lets say 25 seconds total for GPG if you don’t have internet.

That is not causing you to have 2.5 minute reloads. How many extensions do you have? Whats your hardware?

Thank you el_es, for your response, effort and time, along with your great suggestion. (We love it, but)

Internet access is not an option for this type of telephony usage (We see it as a server pinging out for some unknown or needed reason). Corporate standards and direction are “to keep all we can off the Internet”, this is our direction.

There is a whole committee that over sees this, not just a few as you might think (An act of Congress it’s seems at times). This committee is made up of many different great corporate groups and persons: Perimeter Network, Web Team, Security, Architecture Group, Desk Top Support, etc. etc…

We are fortunate we follow the telecom industry in installing SIP Trunking rather then PRI as in the past. We have been able to install a few “Private Port” DS1’s (Non-Internet carrying circuits) SIP Trunking into our network from our telecom provider as it is today. This is the closest we have come to having Internet into the network. But with private port the telco provider takes on this risk to stop the Internet not the healthcare provider.

Don’t get us wrong, we do have internet within our Corporate Network. But it’s very tight on what is allowed in or out. This is one thing we don’t care to add into our network do to the possible risk in keeping patient care information secure. We do know that to most reading this, it looks to be excessive but the public has demanded it. The liability we (the public and others) have create comes at a cost.

Having FreePBX (Asterisk Server, or any part of it), wanting or waiting to reach out to the internet on every “APPLY” or anything else, does create a risk we don’t need to take, or put our selves into. It also has no real need for us in preforming patient care. This is the service we are here to preform. This “Asterisk Internet connection” is not a priority for healthcare nor for others were sure. We just need our 30 second back we are losing on every “APPLY” that is being spent today. Thus we can become more efficient again.

Again Thank you so much for your thought’s and suggestion el_es this is exactly what we were looking for. We do see it, love it, but it’s not a viable option for us.

Anyone else have a way to speed up the “APPLY” button push, to a second or two? We would love your help and thought’s as el_es has provided.

/corkuck

I provided questions to you, you seemed to have completely skipped my post. You will NEVER get it to a second. EVER.

Andrew,

Older version of FreePBX could easily apply changes within one second.

You could easily speed up the apply changes process by simply giving us an option to disable the module verification process in the Advanced Settings Module. For installations that are not connected to the internet, there’s no reason to have a module verification process.

For that matter, I still think that the Distro should be capable of installation without internet access. Right now, the install will not complete without it.