Client sync error, logout/login solves sync error, but changed passwords get lost

[paulastronaut]

Hi,

I've been using Vaultwarden (currently version 1.32.7 hosted as docker container on vanilla debian, updated irregularly, behind a haproxy reverse proxy) with Linux, Windows and Android clients for several years now. I think the overall concept is really great.

However, I came to realize over time that I have sometimes lost passwords. (Most annoying is the lost admin password for my printer which cannot be reset, so I can't make any changes to the printer setup anymore.) I initially thought that the error was on my side, but digging deeper, I am not so sure anymore.

When I use the Bitwarden client, I discovered that from time to time, the client can't sync anymore. It doesn't seem to matter which operating system the client is running on, the client version currently showing this behavior is running on linux and has the version 2024.6.4. This is not obvious when using the client, i. e. it provides full functionality, and no error is displayed while using the client, except when I manually trigger a sync. Then, a generic "syncing failed" is shown. Another, even less obvious symptom is that changes to the vault on a different system are not shown in the client with the sync error.

What i discovered on the server side is a log entry which refers to an incomplete 2FA:

[2025-01-25 15:50:53.473][vaultwarden::api::core::two_factor][INFO] User xxx did not complete a 2FA login within the configured time limit. IP: x.x.x.102

What's surprising is that the last octet of the IP is not correct, it should be 120 instead of 102.

I can sort of resolve this issue by logging out and logging in again. However, I realized that by logging out, all changes done on the local client (with the sync error) then get lost immediately and without any warning or error message.

1. Has anybody else experienced this issue?
2. What could be the cause for this issue? Please note that in general, the setup is working fine, so there doesn't seem to be a very fundamental error.
3. Is there a solution?

Thanks,

Paul

P.S. I know that the client is not part of this repository, but I would expect that I get at least a warning when passwords are at risk of getting lost. Does it make sense to report this request to the bitwarden repo?

[BlackDex]

I doubt that the IP is incorrect. If that is the case, that either you have some sort of dynamic IP somehow, going via a proxy, incorrectly configured the reverse proxy to send the correct IP to Vaultwarden.

I would suggest to first check the /admin/diagnostics page and check if that reports some issues.

[paulastronaut]

Nothing catches my eye in the diagnostics page:

I doubt that the seemingly wrong IP address is caused by a configuration error, as the IP address from my Windows machine (which can successfully sync at the moment) is displayed correctly.

[BlackDex]

I would suggest to check your reverse proxy logs and validate the X-Real-IP setting if that is correct.

[paulastronaut]

I did some more testing.

I don't think that the reverse proxy is to blame for the following reasons:

1. Bitwarden clients on other systems in the same network are running without a problem.
2. After logging out and logging in on the linux machine (where the Bitwarden client can't sync), the client syncs successfully and the correct IP address shows up in the log. (However, the local changes to the vault are lost, so no real solution for my issue.)

The source of the incorrect IP address is a mystery to me. The only occurence of the incorrect IP address is in the vaultwarden log line quoted above which I can consistently trigger by trying to sync the client with the sync error. (BTW, there is no interface with this specific IP in my network, at least to my knowledge.)

Because of the tests I have done, now I don't have a Bitwarden client anymore which doesn't sync. I can't reproduce the "bad" setup, testing is therefore limited. However, on the bright side of life, I discovered some of the lost passwords in the local Bitwarden client on the machine which couldn't sync (e. g. for the printer, yay!). Only this time, I took a backup of the file before logging out and logging in again.

I still think that something is fishy here. And again, I would at least expect a warning on the client side if vault data is in danger of disappearing.

[BlackDex]

And how would the server know if things are not supposed to disappear?

It almost sounds like you have two Vaultwarden instances running. Which might explain the lost changes and not being able to login.

Or maybe some strange dual database setup or something.

[paulastronaut]

And how would the server know if things are not supposed to disappear?

I know, that's why I wrote above that I am aware that this would necessarily be implemented on the client side. Technically, it shouldn't be too hard, I think. However, I am not sure how willing Bitwarden is to implement error checks for Vaultwarden users. Would it make sense to report this to the Bitwarden guys anyway?

It almost sounds like you have two Vaultwarden instances running. Which might explain the lost changes and not being able to login.

Unlikely. There is just one docker container running. However, if that were the case, shouldn't then the client be able to sync nevertheless, just to a different vaultwarden instance? In my case, every sync of the client produced a "syncing failed" message.

My interpretation is the following: Something (possibly related to 2FA) prevents a client to sync. This is the root cause. Any changes to the vault made in this state (while no sync is possible) are buffered in the local client only. If I then log out, the changes are lost, and if I login again, I can sync again, but I get the state delivered by vaultwarden (without the changes made on the local client).

Or maybe some strange dual database setup or something.

I doubt that, but I'll check.

Thanks for your support!