--- canonical: https://safekit.evidian.com/wp-content/uploads/downloads_safekit/version-82/safekituserguidehtml/documentation/safekituserguideen.htm --- ## 7.19          Problem with the size of SafeKit databases SafeKit uses SQLite3 storage to save: 1.    The log and the status of the node ·         SAFEVAR/log.db contains the commands log ·         SAFEVAR/resource.db contains the list of installed modules and its history These are referred to as node databases. 2.    The log and the resources of the module ·         SAFEUSERVAR/log.db contains the module log ·         SAFEUSERVAR/resource.db contains the state of the module resources and its history These are referred to as module databases. The size of the logs and histories increases as events occur on the SafeKit node and modules. Therefore, they should be purged regularly by deleting the oldest entries. This is automatically done thanks to a periodic job (task scheduler in Windows; crontab in Linux) that is controlled by the safeadmin service. The clean of the node databases is always active. The clean of the module databases is active only when the module is running. To check that the jobs are ready: 1.    Job for cleaning node databases ·         In Windows, run schtasks /QUERY /TN safelog\_clean ·         In Linux, run crontab -u safekit -l The output of this command must contain the safelog\_clean entry 2.    Job for cleaning *AM* module databases (where *AM* is the module name) ·         In Windows, run schtasks /QUERY /TN safelog\_*AM* ·         In Linux, run crontab -u safekit -l The output of this command must contain the safelog\_clean\_*AM* entry  The clean-up is implemented by a script located in SAFEBIN (in Linux, SAFEBIN=/opt/safekit/private/bin; in Windows, SAFE=C:\safekit\private\bin - if %SYSTEMDRIVE%=C:): | | | | --- | --- | | dbclean.ps1 in Windows and dbclean.sh in Linux | Clean the log and history in the node databases | | dbclean.ps1 *AM* in Windows and dbclean.sh *AM* in Linux | Clean the log and history in the databases of the module named *AM* |   If necessary, you can run this script outside the scheduled period to force the databases clean-up. ## 7.20          Problem for retrieving the certification authority certificate from an external PKI When using an external PKI, you must provide the certificate of the certification authority CA used to issue server certificates (cacert.crt file containing the chain of certificates for the root and intermediates Certification Authorities) If you have trouble retrieving these files from an external PKI, you can build them using the procedure described below. ### 7.20.1      Export CA certificate(s) from public certificates The following procedure explains how to build from a public certificate, the chain of certificates for the root and intermediates Certification Authorities, into the file combined.cer. When you have the public certificate (.crt or .cer file in Base-64 encoded X.509 format) generated by the PKI: 1.    Copy the .crt (or .cer) file on a Windows workstation 2.    Double click on this file to open it with “Crypto Shell Extensions” 3.    Select the “Certification Path” tab to view the tree of certification authorities 4.    Select an entry (from top to down except the leaf) ![](safekituserguideen_fichiers/image289.jpg) 5.    Click on “View Certificate”. A new window is opened with details for the selected certificate 6.    In this new window, select the “Details” tab and click “Copy to File” ![](safekituserguideen_fichiers/image290.jpg) 7.    It opens the Certificate Export Wizard: a.    Click on “Next” to continue b.    On the “Export File Format” page, select “Base-64 encoded X.509 (.CER).”, and then click “Next” ![](safekituserguideen_fichiers/image291.jpg) c.    For “File to Export”, “Browse” to the location to which you want to export the certificate. Fill “File name” with the name of the certificate file. Then, click “Next” d.    Click “Finish” to export the certificate e.    Your certificate is successfully exported ![](safekituserguideen_fichiers/image292.jpg) 8.    Now repeat steps 4-7 for all entries (except the last one) to export all intermediate CA certificates in the Base-64 encoded X.509(.CER) format. For the example, you would repeat steps 4-7 on SSSL.com RSA subCA intermediate CA to extract it as its own certificate. 9.    Concatenate all your CA certificates into one file combined.cer Run the following command with all the CA certificates you extracted earlier: ·         In Windows type intermediateCA.cer rootCA.cer > combined.cer ·         In Linux cat intermediateCA.cer rootCA.cer >> combined.cer The resulting combined certificate should look something like the following: ![](safekituserguideen_fichiers/image293.jpg) This file can be used as the SAFE/web/conf/cacert.crt ## 7.21          Issue with email sending by the SafeKit notification agent Since SafeKit 8.2.4, SafeKit offers a notification agent that sends emails for major events on modules. It is described in section 10.10. This section describes how to troubleshoot the SafeKit notification agent thanks to the e-mail sending test command: 1.    Open a PowerShell/shell window as administrator/root 2.    Change directory to SAFE where SAFE=C:\safekit in Windows (if %SYSTEMDRIVE%=C:), and SAFE=/opt/safekit in Linux 3.    Run ./private/bin/safenotif -testemail   This command may fail due the issues described below. If the email test is successful and you still encounter issues, please check the SafeKit notification agent log for further investigation. The log is located at SAFEVAR/notifications/safenotif.log. This file has a limited size and is truncated in case the limit size is reached. Consequently, it is recommended to make a copy of it if you analyze it, or if you want the SafeKit support to analyze it. ### 7.21.1      Failed to read or parse the configuration file The e-mail sending test command may fail with the following error: Failed to read or parse the configuration file. Please verify the "SAFE/conf/notifications/safenotif\_conf.json" file exists and is properly formatted as a JSON file. This is due either to: ·         SAFE/conf/notifications/safenotif\_conf.json file does not exist You need to configure the agent as described in section 10.10.1 ·         SAFE/conf/notifications/safenotif\_conf.json file is not properly formatted in the JSON format Use a tool (in your machine or online) to verify the JSON syntax. ·         SAFE/conf/notifications/safenotif\_conf.json contains paths For instance, smtp.expert.caCertificateFile property accepts a path. In Windows, paths contain backslashes (`\`); they must be escaped with another backslash (`\\`, e.g. `C:\\Users\\Administrator\\certfile.pem`). ### 7.21.2      Email sending test blocked The e-mail sending test may hang, and not terminate at all, after the following line has been displayed: Sending email from name@my.host to name@my.host with no SMTP authentication... This can be due to a protocol mismatch. To resolve this problem, edit SAFE/conf/notifications/safenotif\_conf.json file, to set the appropriate value for smtp.protocol property. Note that other behaviors can occur in case of a protocol mismatch (see the next section section). ### 7.21.3      Curl errors The notification agent uses the curl SMTP client. Consequently, when an email sending error occurs, examining the curl error is the key to understanding the cause of the failure. The following non-trivial curl errors may occur. For other errors, refer to the curl documentation. ·         Recipient address rejected The recipient's address is rejected by the SMTP server with the following error: curl error: curl: (55) RCPT failed: 550 To resolve this issue, modify the file SAFE/conf/notifications/safenotif\_conf.json to set the correct recipient address in emailNotifications.recipients. ·         Protocol mismatch When the protocol used by the notification agent does not align with the one required by the SMTP server, you may have the following curl errors: curl: (35) OpenSSL/3.2.1: error:0A00010B:SSL routines::wrong version number curl: (55) MAIL failed: 530 curl: (64) STARTTLS not supported To resolve these problems, edit SAFE/conf/notifications/safenotif\_conf.json file, to set the appropriate value for smtp.protocol property. Note that other behaviors can occur in case of a protocol mismatch (see the previous section section). ·         Authentication mismatch o     curl: (35) OpenSSL/3.2.1: error:0A0000C6:SSL routines::packet length too long The notification agent tried to connect to the SMTP server by being authenticated, whereas no authentication is required.  To resolve this issue, reset the SMTP client credentials as described in section 10.10.2. o     curl: (55) RCPT failed: 554 The notification agent attempted to connect to the SMTP server without authentication, whereas authentication is required. To resolve this issue, set the SMTP client credentials as described in section 10.10.2. ·         Certificate issue curl: (60) SSL certificate problem: self-signed certificate This error can occur when the SMTP server is configured for SMTPS or SMTP+STARTTLS. It means that the server uses a self-signed certificate, rather than a certificate signed by a trusted certification authority (CA). The Certificate Authority (CA) certificate that issued the SMTP server's certificate is needed to verify it. To resolve this issue: 1.    ask your PKI provider to supply the CA certificate, which must include the certificate chain for the root and intermediate CAs. It should be Base-64 encoded X.509 certificate file (PEM format), with a .pem or .crt suffix 2.    copy it to your SafeKit server 3.    edit SAFE/conf/notifications/safenotif\_conf.json file to fill in the smtp.expert.caCertificateFile property to the path of the CA certificate using ‘\\’ in the string, e.g. "C:\\Users\\Administrator\\cacert.crt". ## 7.22          Issue with antivirus Some antivirus may interfere with the proper functioning of SafeKit. For example, Windows Defender may quarantine SafeKit processes (such as the safeadmin service or the safekit command), or block access to SafeKit databases. As a result, this can lead to SafeKit command-line failures or module shutdowns. Since this issue may occur sporadically but not consistently with Windows Defender, it is recommended to configure the antivirus to prevent such malfunctions. Additionally, on both Linux and Windows, all replicated folders defined in mirror modules should be excluded from antivirus scanning to avoid disruptions in SafeKit replication and synchronization. For instance, on Windows, this issue is identified by the following message in the verbose log: | 2025-08-27 16:49:33:662000 |  nfsboxv3 | D | WARNING : Process 2980 [ MsSense.exe ] access may interfer with replication, possible stopstart ahead Refer to section 10.6 for the list of legitimate SafeKit directories and processes that should not be affected by the antivirus. ## 7.23          Issue with SafeKit kernel modules ### 7.23.1      Mirror module with rfs filter in Windows The mirror module failed to start due to a module conflict: nfsboxv3 | E | Kernel filter configuration failed for E:\replicated\_dir. Check for module conflicts. This error may occur in the following situations: 1.    Duplicate replicated directories in multiple mirror modules Two mirror modules are configured with the same replicated directories. This configuration is not supported. To fix it, assign distinct replicated directories to each module and reconfigure them 2.    Outdated rfs filter internal configuration The kernel configuration for replicated directories was not properly updated, even though no directories are currently configured. To reload the correct configuration into the kernel, stop all modules and run the following command: net stop rfsfilter ### 7.23.2      Farm module with vip kernel module in Linux The mirror module failed to start due to a load error: | vipplug | E | Unable to load vip kernel extension Moreover, when trying to load the vip module with the modprobe command, you get one of the following errors: modprobe: ERROR: could not insert 'vip': Required key not available or modprobe: could not insert 'vip': Key was rejected by service This problem occurs when Secure Boot is enabled, and the solution is described in section 10.5. ## 7.24          Troubleshooting VIP ↔ MAC resolution This section helps diagnose issues related to IP ↔ MAC address resolution, which may cause connectivity loss, failover delays, or incorrect traffic routing to a VIP. ### 7.24.1      Check cache entries Clients keep an IP ↔ MAC mapping in their local cache. To verify that the cache contains the VIP, use the following commands. | | | | --- | --- | | IPv4 | arp -a | | IPv6 | ·         On Windows Get-NetNeighbor -AddressFamily IPv6 or netsh interface ipv6 show neighbors ·         On Linux:  ip neighbour The entry should be in the Reachable state. |   ### 7.24.2      Force a new resolution If the cache entry seems suspicious, delete it using the following commands (replace the italic values with your own). | | | | --- | --- | | IPv4 | arp -d *192.168.10.100* | | IPv6 | ·         On Windows Remove-NetNeighbor -IPAddress *fd00:1234:5678:1::222* -InterfaceAlias "*Ethernet 2*" or netsh interface ipv6 delete neighbors "*Ethernet 2*" *fd00:1234:5678:1::222* ·         On Linux ip neigh del *fd00:1234:5678:1::222* dev *ens224* |   If necessary, use the ping command (with the -6 option for IPv6) to trigger the resolution. ### 7.24.3      Observe Resolution Requests To observe address resolution requests on the network, use the following commands. | | | | --- | --- | | IPv4 | ·         On Windows Wireshark ·         On Linux tcpdump -i *eth0* -nn arp The capture contains messages such as: ARP, Request who-has 192.168.10.100 tell 192.168.10.10 ARP, Reply 192.168.10.100 is-at 00:50:56:aa:bb:cc | | IPv6 | ·         On Windows Wireshark ·         On Linux tcpdump -i *ens224* -nn icmp6 The capture contains messages such as: ICMP6, neighbor solicitation ICMP6, neighbor advertisement |   ## 7.25          Still in trouble ![*](safekituserguideen_fichiers/image001.png)       See Messages Index ![*](safekituserguideen_fichiers/image001.png)       To get support assistance, create an incident via the Support portal, making sure to attach the snapshots