Re: 2FA prevents TWS restarts without human authorisation
Brian ? That explains a lot! ? First, my advice would be to not take ‘advantage’ of ib_insync’s ability to auto-start IBC/TWS, and just run IBC separately. I don’t use ib_insync at all, so I really don’t know how well it’s integrated with IBC , whether it would support auto-restart and 2FA etc. Ewald is a top-notch developer so more than likely he’s got it licked, but keeping them separate may be advantageous. For example, what happens if you want to run more than one API client program? Anyway, perhaps something to consider.. ? Regarding Ubuntu Server, being not a fan of Linux (my negative attitude to all things Unix goes back to the mid 1980s!) I found it a bit of a struggle to get my server up and running, but it is still running, sitting there unloved because after getting it all to work on Ubuntu I moved TWS back onto my Windows Server. And now I can’t actually remember what I have to do to even get a terminal session running on the Ubuntu Server via VNC! I’m sure I’d get the hang of it again if I spent a while trying, but I don’t feel much motivation to do so. ? So I really can’t remember what libraries I had to install to make it work, apart from the libnss3.so, and at the moment I can’t even poke around inside it see what’s what. I’ll sleep on it, and perhaps a way forward will penetrate into my skull. ? [Some time later…] ? Aha, I’ve remembered how to get a terminal window visible in VNC. So I can get things like xeyes running, and I’ve still got the crontab I set up for starting IBC automatically (relevant lines commented out since I don’t wat it running there). But I’ve no idea how to discover what extra installs I had to do. So I’m not really any further forward. Any suggestions? ? And now I really have to go to bed. ? Richard ? ?
toggle quoted message
Show quoted text
From: [email protected] <[email protected]> On Behalf Of Brian Barnett
Sent: Wednesday, October 25, 2023 10:58 PM
To: [email protected]
Subject: Re: [ibc] 2FA prevents TWS restarts without human authorisation? Hi Richard,
Apologies for the delay. Yes we are using ib_insync on a ubuntu AWS server. Since we initiated it from ib_insync we don't have the logs requested. Your previous comment triggered the idea in our minds that there was a conflict with watchdog and IBC and the auto-restart by TWS. In the meantime we have been researching discussion threads here and on the ib_insync group to understand that before responding further. We have discovered that a clean install of TWS on the ubuntu AWS box results in the freezing/crashing behavior with no involvement with IBC so clearly IBC is not related to our problem.
We see your comments on this thread:?/g/ibcalpha/topic/98487448#2079?that makes us think that perhaps the AWS box has a limited ubuntu installation and we need additional libraries. You mention installing those libraries on AWS, but any chance you can point us to a resource on what libraries would be beneficial to try installing in our ubuntu instance? Any other recommendations?
Best regards,
Brian
|
Re: 2FA prevents TWS restarts without human authorisation
Hi Richard, Apologies for the delay. Yes we are using ib_insync on a ubuntu AWS server. Since we initiated it from ib_insync we don't have the logs requested. Your previous comment triggered the idea in our minds that there was a conflict with watchdog and IBC and the auto-restart by TWS. In the meantime we have been researching discussion threads here and on the ib_insync group to understand that before responding further. We have discovered that a clean install of TWS on the ubuntu AWS box results in the freezing/crashing behavior with no involvement with IBC so clearly IBC is not related to our problem. We see your comments on this thread:? /g/ibcalpha/topic/98487448#2079?that makes us think that perhaps the AWS box has a limited ubuntu installation and we need additional libraries. You mention installing those libraries on AWS, but any chance you can point us to a resource on what libraries would be beneficial to try installing in our ubuntu instance? Any other recommendations?  Best regards, Brian
|
Re: does IB block API connections when there have been too many missed authentication attempts?
Ok, I think you’re confirming what I’ve observed, ie that merely setting TrustedIPs in jts.ini is not enough to allow remote API connections, but ‘Allow connections from localhost only’ also has to be cleared. ? What I’m aiming for is a way of establishing this configuration without any user intervention. I think what I proposed in my previous post should do the trick, so I intend to implement that some time soon. ? By the way, you say that your config.ini has settings stored on the server, but as I said yesterday there is no point in this. For Gateway, IBC completely ignores that setting, since Gateway doesn’t offer that functionality. ? Richard ? ?
toggle quoted message
Show quoted text
From: [email protected] <[email protected]> On Behalf Of Bart D via groups.io
Sent: Monday, October 23, 2023 11:47 PM
To: [email protected]; Richard L King via groups.io <rlking@...>
Subject: Re: [ibc] does IB block API connections when there have been too many missed authentication attempts?? "Can you try with a fresh instance of Gateway (ie no prior configuration except the jts.ini) and see if it still works? I don’t see how it possibly can from what I’m observing, so I suspect that yours is working because at some point you’ve cleared the ‘Allow connections from localhost only’ checkbox."
I repeatedly start dockerized IBGW+IBC (basically a fresh install from the docker image) and it always works now without manual UI intervention. But yes I unchecked that checkbox in the IBGW UI in the past. My config is that settings are stored on server in config.ini, and both 127.0.0.1 and the fixed container IP address as trusted IPs in jts.ini.
|
Re: does IB block API connections when there have been too many missed authentication attempts?
"Can you try with a fresh instance of Gateway (ie no prior configuration except the jts.ini) and see if it still works? I don’t see how it possibly can from what I’m observing, so I suspect that yours is working because at some point you’ve
cleared the ‘Allow connections from localhost only’ checkbox."
I repeatedly start dockerized IBGW+IBC (basically a fresh install from the docker image) and it always works now without manual UI intervention. But yes I unchecked that checkbox in the IBGW UI in the past. My config is that settings are stored on server in
config.ini, and both 127.0.0.1 and the fixed container IP address as trusted IPs in jts.ini.
rgds, Bart
On Oct 23, 2023 at 1:02?PM -0700, Richard L King via groups.io <rlking@...>, wrote:
toggle quoted message
Show quoted text
Can you try with a fresh instance of Gateway (ie no prior configuration except the jts.ini) and see if it still works? I don’t see how it possibly can from what I’m observing, so I suispect that yours is working because at some point
you’ve cleared the ‘Allow connections from localhost only’ checkbox.
|
Re: does IB block API connections when there have been too many missed authentication attempts?
I was misguidedly thinking that storing the settings periodically would help with the ensuring the settings stored on the server are up to date, but in fact it turns out that Gateway doesn’t support storing settings on the server at all. This stuff all works fine in TWS, but not Gateway. ? I’m still puzzled by your ?use of TrustedIPs in the jts.ini file. I’ve been experimenting with this, and I agree that it does result in the specified ip addresses appearing in the Gateway’s API configuration (not sure why this never seemed to work for me before). However, it also sets ‘Allow connections from localhost only’, so it still doesn’t allow connections from these clients. Of course as soon as I clear this checkbox, it all springs to life, but at present this will only happen via manual intervention. ? Can you try with a fresh instance of Gateway (ie no prior configuration except the jts.ini) and see if it still works? I don’t see how it possibly can from what I’m observing, so I suispect that yours is working because at some point you’ve cleared the ‘Allow connections from localhost only’ checkbox. ? Even if it doesn’t work completely via jts.ini, I’m proposing to change IBC’s ?implementation of the TrustedTwsApiClientIPs setting in config.ini so that it will set these ip’s in jts.ini, and also automatically clear that flag. ? Richard ?
toggle quoted message
Show quoted text
From: [email protected] <[email protected]> On Behalf Of Bart D via groups.io
Sent: Monday, October 23, 2023 12:27 AM
To: [email protected]; Richard L King via groups.io <rlking@...>
Subject: Re: [ibc] does IB block API connections when there have been too many missed authentication attempts?? "are you aware that you can configure IBC to save the TWS/Gateway settings at times of your choosing? See SaveTwsSettingsAt in config.ini."
It would not help when the container restarts: any update to the file system is not preserved between container runs since they start from the file content in the Docker image. However, as mentioned in my earlier email, you could configure the container to set a Docker volume for a given path, and then any files in that path inside the container are accessible on the host and preserved between Docker runs.??(has nothing to do with paying for more storage).?So that's one way to do it. The other is, as I have done, to just edit in the jts.ini file inside the Docker image.
"I was under the impression that the TrustedIPs in jts.ini was only used by the FIX Gateway. So I just tried it and indeed it doesn’t seem to work for me with TWS or the standard Gateway. Are you sure it worked for you?"
Yes it works for me: my client can connect on the IP address I added to TrustIPs in jts.ini using API connection. They also show both in the IBGW Settings UI (which doesn't say it would only apply to FIX). Using IBGW 10.25.1k under Linux Ubuntu22.04. On Oct 22, 2023 at 4:00?PM -0700, Richard L King via groups.io <rlking@...>, wrote:
Thanks for that. A couple of points that might be of interest: ? First, are you aware that you can configure IBC to save the TWS/Gateway settings at times of your choosing? See SaveTwsSettingsAt in config.ini. ? This difficulty of configuring Docker images has been an issue for a long time. I’m not a Docker user (though I’ve toyed with it), but I presume it would be possible to pay for persistent storage on the Docker host machine and store settings on that volume. But it seems people don’t want that extra cost (or maybe there is some reason I’m not aware of why that is not a viable option?). ? One thing ‘ve suggested in the past is to configure your TWS/Gateway locally (ie on a computer under your control), then build the settings folder into the Docker image. That would at least give you a predictable starting configuration when you run the image. But any change needed to the configuration would require rebuilding the image. And of course any changes made during the session would not be persisted between sessions. ? Somewhat better is something I’ve been considering, but haven’t got round to trying to implement. This is where you, again, configure TWS/Gateway locally and save those settings somewhere they can be downloaded over the internet using curl. Then config.ini would have a new setting that contains the URL for this data, and IBC would simply download the whole lot before running TWS/Gateway. Changes could be made ‘offline’ between sessions. This still doesn’t enable changes during the session to be saved, and has the overhead of having to download it all every time you start TWS/Gateway (though that’s pretty much what happens if you use the ‘StoreSettingsOnServer’ option does). An enhancement to this would allow the settings to be stored back in the specified location, but that’s sounding like a lot of hard work. ? Finally, I was under the impression that the TrustedIPs in jts.ini was only used by the FIX Gateway. So I just tried it and indeed it doesn’t seem to work for me with TWS or the standard Gateway. Are you sure it worked for you? ? Richard ? ? ? ? I found the root cause of this and it was something totally different.
When you run a dockerized multi-container app, each container gets an IP address from a local gateway on the docker host that allows communication between the containers (the default docker bridge network). You can set these IP addresses in the docker-compose.yml so they are fixed. So they communicate via this IP address on port 4000, not via localhost:4001.?
I knew this and had entered 'StoreSettingsOnServer=yes' in ibc.ini, and had manually entered the correct IP address for my client upon first startup of IBGW in the container (via a VNC UI connection) using IBGW's API settings, relying on the fact it would get stored on server for any subsequent startup.
However that is not the case for one or both of these reasons: - IBGW only stores settings when you close down the app gracefully. But when you stop the container from a docker command that is not the case and settings don't get saved.?
- Even if settings are saved, unless you have a docker volume mounted, the next startup will be from a clean slate i.e. without the saved settings file on prior run
Bottomline: it reverted each time to allow a localhost connection only, and so didn't work. Not quite clear how I got the 'client ID in use' error message but this was the reason it didn't connect.?
Solution is just to specify the IP address in the jts.ini file:
TrustedIPs=127.0.0.1;<your extra IP address>
|
Re: does IB block API connections when there have been too many missed authentication attempts?
Bart, you wrote as problem description as "repeatedly starting TWS/Gateway, logging in successfully, and then restarting after a short time". In the past I have had that issue myself, without using Docker or something similar. I then asked IBKR for their advice. They mentioned to me that after stopping TWS/Gateway (or after a crash) you should give IBKR's servers some time for their housekeeping. It takes time for them to recognize that the client ID is no longer active. And then the server needs to "clean up". If you restart your software too quickly this clean up is not yet completed. The server will then think that your client ID is still in use, resulting in the error message you received. As far as I know are there two solutions to this issue: either wait long enough (IBKR suggested a couple of minutes) before restarting. Or restart using a new client ID, not identical to the previous one.
|
Re: does IB block API connections when there have been too many missed authentication attempts?
"are you aware that you can configure IBC to save the TWS/Gateway settings at times of your choosing? See SaveTwsSettingsAt in config.ini."
It would not help when the container restarts: any update to the file system is not preserved between container runs since they start from the file content in the Docker image. However, as mentioned in my earlier email, you could configure the container to
set a Docker volume for a given path, and then any files in that path inside the container are accessible on the host and preserved between Docker runs.??(has
nothing to do with paying for more storage).?So that's one way to do it. The other is, as I have done, to just edit in the jts.ini file inside the Docker image.
"I was under the impression that the TrustedIPs in jts.ini was only used by the FIX Gateway. So I just tried it and indeed it doesn’t seem to work for me with TWS or the standard Gateway. Are you sure it worked for you?"
Yes it works for me: my client can connect on the IP address I added to TrustIPs in jts.ini using API connection. They also show both in the IBGW Settings UI (which doesn't say it would only apply to FIX). Using IBGW 10.25.1k under Linux Ubuntu22.04.
rgds, Bart
On Oct 22, 2023 at 4:00?PM -0700, Richard L King via groups.io <rlking@...>, wrote:
toggle quoted message
Show quoted text
Thanks for that. A couple of points that might be of interest:
?
First, are you aware that you can configure IBC to save the TWS/Gateway settings at times of your choosing? See SaveTwsSettingsAt in config.ini.
?
This difficulty of configuring Docker images has been an issue for a long time. I’m not a Docker user (though I’ve toyed with it), but I presume it would be possible to pay for persistent
storage on the Docker host machine and store settings on that volume. But it seems people don’t want that extra cost (or maybe there is some reason I’m not aware of why that is not a viable option?).
?
One thing ‘ve suggested in the past is to configure your TWS/Gateway locally (ie on a computer under your control), then build the settings folder into the Docker image. That would at
least give you a predictable starting configuration when you run the image. But any change needed to the configuration would require rebuilding the image. And of course any changes made during the session would not be persisted between sessions.
?
Somewhat better is something I’ve been considering, but haven’t got round to trying to implement. This is where you, again, configure TWS/Gateway locally and save those settings somewhere
they can be downloaded over the internet using curl. Then config.ini would have a new setting that contains the URL for this data, and IBC would simply download the whole lot before running TWS/Gateway. Changes could be made ‘offline’ between sessions. This
still doesn’t enable changes during the session to be saved, and has the overhead of having to download it all every time you start TWS/Gateway (though that’s pretty much what happens if you use the ‘StoreSettingsOnServer’ option does). An enhancement to this
would allow the settings to be stored back in the specified location, but that’s sounding like a lot of hard work.
?
Finally, I was under the impression that the TrustedIPs in jts.ini was only used by the FIX Gateway. So I just tried it and indeed it doesn’t seem to work for me with TWS or the standard
Gateway. Are you sure it worked for you?
?
Richard
?
?
?
From:
[email protected] <[email protected]> On Behalf Of Bart D via groups.io
Sent: Sunday, October 22, 2023 10:40 PM
To: [email protected]; Richard L King via groups.io <rlking@...>; Bart D via groups.io <bart@...>
Subject: Re: [ibc] does IB block API connections when there have been too many missed authentication attempts?
?
I found the root cause of this and it was something totally different.
When you run a dockerized multi-container app, each container gets an IP address from a local gateway on the docker host that allows communication between the containers (the default docker bridge network). You can set these IP addresses in the docker-compose.yml
so they are fixed. So they communicate via this IP address on port 4000, not via localhost:4001.?
I knew this and had entered 'StoreSettingsOnServer=yes' in ibc.ini, and had manually entered the correct IP address for my client upon first startup of IBGW in the container (via a VNC UI connection) using IBGW's API settings, relying on the fact it would get
stored on server for any subsequent startup.
However that is not the case for one or both of these reasons:
-
IBGW only stores settings when you close down the app gracefully. But when you stop the container from a docker command that is not the case and settings don't get saved.?
-
Even if settings are saved, unless you have a docker volume mounted, the next startup will be from a clean slate i.e. without the saved settings file on prior run
Bottomline: it reverted each time to allow a localhost connection only, and so didn't work. Not quite clear how I got the 'client ID in use' error message but this was the reason it didn't connect.?
Solution is just to specify the IP address in the jts.ini file:
TrustedIPs=127.0.0.1;<your extra IP address>
|
Re: does IB block API connections when there have been too many missed authentication attempts?
Thanks for that. A couple of points that might be of interest: ? First, are you aware that you can configure IBC to save the TWS/Gateway settings at times of your choosing? See SaveTwsSettingsAt in config.ini. ? This difficulty of configuring Docker images has been an issue for a long time. I’m not a Docker user (though I’ve toyed with it), but I presume it would be possible to pay for persistent storage on the Docker host machine and store settings on that volume. But it seems people don’t want that extra cost (or maybe there is some reason I’m not aware of why that is not a viable option?). ? One thing ‘ve suggested in the past is to configure your TWS/Gateway locally (ie on a computer under your control), then build the settings folder into the Docker image. That would at least give you a predictable starting configuration when you run the image. But any change needed to the configuration would require rebuilding the image. And of course any changes made during the session would not be persisted between sessions. ? Somewhat better is something I’ve been considering, but haven’t got round to trying to implement. This is where you, again, configure TWS/Gateway locally and save those settings somewhere they can be downloaded over the internet using curl. Then config.ini would have a new setting that contains the URL for this data, and IBC would simply download the whole lot before running TWS/Gateway. Changes could be made ‘offline’ between sessions. This still doesn’t enable changes during the session to be saved, and has the overhead of having to download it all every time you start TWS/Gateway (though that’s pretty much what happens if you use the ‘StoreSettingsOnServer’ option does). An enhancement to this would allow the settings to be stored back in the specified location, but that’s sounding like a lot of hard work. ? Finally, I was under the impression that the TrustedIPs in jts.ini was only used by the FIX Gateway. So I just tried it and indeed it doesn’t seem to work for me with TWS or the standard Gateway. Are you sure it worked for you? ? Richard ? ? ?
toggle quoted message
Show quoted text
From: [email protected] <[email protected]> On Behalf Of Bart D via groups.io
Sent: Sunday, October 22, 2023 10:40 PM
To: [email protected]; Richard L King via groups.io <rlking@...>; Bart D via groups.io <bart@...>
Subject: Re: [ibc] does IB block API connections when there have been too many missed authentication attempts?? I found the root cause of this and it was something totally different.
When you run a dockerized multi-container app, each container gets an IP address from a local gateway on the docker host that allows communication between the containers (the default docker bridge network). You can set these IP addresses in the docker-compose.yml so they are fixed. So they communicate via this IP address on port 4000, not via localhost:4001.?
I knew this and had entered 'StoreSettingsOnServer=yes' in ibc.ini, and had manually entered the correct IP address for my client upon first startup of IBGW in the container (via a VNC UI connection) using IBGW's API settings, relying on the fact it would get stored on server for any subsequent startup.
However that is not the case for one or both of these reasons: - IBGW only stores settings when you close down the app gracefully. But when you stop the container from a docker command that is not the case and settings don't get saved.?
- Even if settings are saved, unless you have a docker volume mounted, the next startup will be from a clean slate i.e. without the saved settings file on prior run
Bottomline: it reverted each time to allow a localhost connection only, and so didn't work. Not quite clear how I got the 'client ID in use' error message but this was the reason it didn't connect.?
Solution is just to specify the IP address in the jts.ini file:
TrustedIPs=127.0.0.1;<your extra IP address>
|
Re: does IB block API connections when there have been too many missed authentication attempts?
I found the root cause of this and it was something totally different.
When you run a dockerized multi-container app, each container gets an IP address from a local gateway on the docker host that allows communication between the containers (the default docker bridge network). You can set these IP addresses in the docker-compose.yml
so they are fixed. So they communicate via this IP address on port 4000, not via localhost:4001.?
I knew this and had entered 'StoreSettingsOnServer=yes' in ibc.ini, and had manually entered the correct IP address for my client upon first startup of IBGW in the container (via a VNC UI connection) using IBGW's API settings, relying on the fact it would get
stored on server for any subsequent startup.
However that is not the case for one or both of these reasons:
- IBGW only stores settings when you close down the app gracefully. But when you stop the container from a docker command that is not the case and settings don't get saved.?
- Even if settings are saved, unless you have a docker volume mounted, the next startup will be from a clean slate i.e. without the saved settings file on prior run
Bottomline: it reverted each time to allow a localhost connection only, and so didn't work. Not quite clear how I got the 'client ID in use' error message but this was the reason it didn't connect.?
Solution is just to specify the IP address in the jts.ini file:
TrustedIPs=127.0.0.1;<your extra IP address>
On Oct 22, 2023 at 12:18?PM -0700, Bart D via groups.io <bart@...>, wrote:
toggle quoted message
Show quoted text
Richard, thanks for reply and the excellent IBC. It seems you're the sole person who has made unatttended operation with IB possible!
The situation was "repeatedly starting TWS/Gateway, logging in successfully, and then restarting after a short time" as I manually stopped and restarted the dockerized system (that has IBGW + IBC in 1 container, and my client in another, working together in
a multi-container app) during development, sometimes with and sometimes without completing login (always with 2FA).?
The strange thing is that when I did complete login, the error was a "client ID in use" error rather than a "too many failed login attempts" error, and the client got disconnected. The client does try to re-connect with 60s interval but it kept getting disconnected
with the same error msg.
I switched off the whole thing on Friday, and waited until this morning to re-start the application. Now it works normal again.
Anyway problem resolved, at least for now.
rgds, Bart
On Oct 22, 2023 at 11:16?AM -0700, Richard L King via groups.io <rlking@...>, wrote:
I’m a bit unclear about the situation here. In the subject, you mention ‘too many missed authentication attempts’, but you don’t explain what you mean by this in the message.
?
If you keep trying and failing to login to TWS/Gateway, eventually a dialog will pop up with a message like this: “Too many failed login attempts. Please wait 4 minutes & 47 seconds before
attempting to re-login again.”. ?This situation can occur if you’re handling 2FA via IBC and IBKR Mobile app, and IBC deals with it automatically. Note that during the specified wait, TWS/Gateway is just sitting there with the login dialog on display, waiting
for the next login attempt to be initiated, which IBC does after the specified delay. So during this period, if the API client program tries to connect, it will fail because it won’t accept API connections until login is completed successfully (obviously).
?
Even if you’re not doing 2FA, just repeatedly starting TWS/Gateway, logging in successfully, and then restarting after a short time, I suppose it’s possible that IB might put up the “Too
many failed login attempts”, because they might reasonably think that something fishy is going on, though if the logins are successful I don’t really see why they should complain.
?
Could this be your situation? If so, then you should consider modifying your API client so that if connection fails, it attempts again after a suitable delay. All my API clients are configured
to do this (this means I can start them at any time and it doesn’t matter If TWS/Gateway isn’t running at the time:when it is started later, they will soon connect again and succeed.
?
If not, then I don’t know what to suggest. I’ve certainly never seen anything to suggest that IB will ever block API connections after a successful login. In fact I think API connections
are purely local to TWS/Gateway, in the sense that the IB servers seem to have no knowledge of them: TWS/Gateway acts as a proxy for them in everything they do.
?
Come to think of it, the scenario described above would account for the fact that it works when you run manually: in this case, your Docker instance is sitting waiting for the next login
attempt after the requested delay, your API client has failed to connect because login hasn’t completed, but when you start a new instance manually login succeeds immediately, so the API client can now connect.
?
I hope all this makes sense!
?
Richard
|
Re: does IB block API connections when there have been too many missed authentication attempts?
Richard, thanks for reply and the excellent IBC. It seems you're the sole person who has made unatttended operation with IB possible!
The situation was "repeatedly starting TWS/Gateway, logging in successfully, and then restarting after a short time" as I manually stopped and restarted the dockerized system (that has IBGW + IBC in 1 container, and my client in another, working together in
a multi-container app) during development, sometimes with and sometimes without completing login (always with 2FA).?
The strange thing is that when I did complete login, the error was a "client ID in use" error rather than a "too many failed login attempts" error, and the client got disconnected. The client does try to re-connect with 60s interval but it kept getting disconnected
with the same error msg.
I switched off the whole thing on Friday, and waited until this morning to re-start the application. Now it works normal again.
Anyway problem resolved, at least for now.
rgds, Bart
On Oct 22, 2023 at 11:16?AM -0700, Richard L King via groups.io <rlking@...>, wrote:
toggle quoted message
Show quoted text
I’m a bit unclear about the situation here. In the subject, you mention ‘too many missed authentication attempts’, but you don’t explain what you mean by this in the message.
?
If you keep trying and failing to login to TWS/Gateway, eventually a dialog will pop up with a message like this: “Too many failed login attempts. Please wait 4 minutes & 47 seconds before
attempting to re-login again.”. ?This situation can occur if you’re handling 2FA via IBC and IBKR Mobile app, and IBC deals with it automatically. Note that during the specified wait, TWS/Gateway is just sitting there with the login dialog on display, waiting
for the next login attempt to be initiated, which IBC does after the specified delay. So during this period, if the API client program tries to connect, it will fail because it won’t accept API connections until login is completed successfully (obviously).
?
Even if you’re not doing 2FA, just repeatedly starting TWS/Gateway, logging in successfully, and then restarting after a short time, I suppose it’s possible that IB might put up the “Too
many failed login attempts”, because they might reasonably think that something fishy is going on, though if the logins are successful I don’t really see why they should complain.
?
Could this be your situation? If so, then you should consider modifying your API client so that if connection fails, it attempts again after a suitable delay. All my API clients are configured
to do this (this means I can start them at any time and it doesn’t matter If TWS/Gateway isn’t running at the time:when it is started later, they will soon connect again and succeed.
?
If not, then I don’t know what to suggest. I’ve certainly never seen anything to suggest that IB will ever block API connections after a successful login. In fact I think API connections
are purely local to TWS/Gateway, in the sense that the IB servers seem to have no knowledge of them: TWS/Gateway acts as a proxy for them in everything they do.
?
Come to think of it, the scenario described above would account for the fact that it works when you run manually: in this case, your Docker instance is sitting waiting for the next login
attempt after the requested delay, your API client has failed to connect because login hasn’t completed, but when you start a new instance manually login succeeds immediately, so the API client can now connect.
?
I hope all this makes sense!
?
Richard
|
Re: does IB block API connections when there have been too many missed authentication attempts?
I’m a bit unclear about the situation here. In the subject, you mention ‘too many missed authentication attempts’, but you don’t explain what you mean by this in the message. ? If you keep trying and failing to login to TWS/Gateway, eventually a dialog will pop up with a message like this: “Too many failed login attempts. Please wait 4 minutes & 47 seconds before attempting to re-login again.”. ?This situation can occur if you’re handling 2FA via IBC and IBKR Mobile app, and IBC deals with it automatically. Note that during the specified wait, TWS/Gateway is just sitting there with the login dialog on display, waiting for the next login attempt to be initiated, which IBC does after the specified delay. So during this period, if the API client program tries to connect, it will fail because it won’t accept API connections until login is completed successfully (obviously). ? Even if you’re not doing 2FA, just repeatedly starting TWS/Gateway, logging in successfully, and then restarting after a short time, I suppose it’s possible that IB might put up the “Too many failed login attempts”, because they might reasonably think that something fishy is going on, though if the logins are successful I don’t really see why they should complain. ? Could this be your situation? If so, then you should consider modifying your API client so that if connection fails, it attempts again after a suitable delay. All my API clients are configured to do this (this means I can start them at any time and it doesn’t matter If TWS/Gateway isn’t running at the time:when it is started later, they will soon connect again and succeed. ? If not, then I don’t know what to suggest. I’ve certainly never seen anything to suggest that IB will ever block API connections after a successful login. In fact I think API connections are purely local to TWS/Gateway, in the sense that the IB servers seem to have no knowledge of them: TWS/Gateway acts as a proxy for them in everything they do. ? Come to think of it, the scenario described above would account for the fact that it works when you run manually: in this case, your Docker instance is sitting waiting for the next login attempt after the requested delay, your API client has failed to connect because login hasn’t completed, but when you start a new instance manually login succeeds immediately, so the API client can now connect. ? I hope all this makes sense! ? Richard
|
does IB block API connections when there have been too many missed authentication attempts?
During development of an automated trading engine, I've experienced an interesting situation:
- using dockerized IB gateway+IBC I could connect from my client python software (using client ID 0) with no problem
- many times I stopped ?and restarted the Docker containers for development triggering a new auth flow
- suddenly on Friday I could no longer connect: my Python client was always disconnected. Error msg in IBGW logs: "client ID 0 already connected". However no other client was connected
- Interestingly when running IBGW direct, outside Docker, I was able to connect.?
- today, after the weekly Sat system reset, I am again able to connect with no issue with the dockerized setup. No change was made to the code.
Any insights on what may have caused this? Seems there may be a limit at IB of how many times a client can connect to an IBGW instance with a certain fingerprint (as it still worked when running IBGW outside Docker) until they do the weekly system reset?
?
|
Re: 2FA prevents TWS restarts without human authorisation
Chen, Brian, any progress, or questions, or further input on this? ? It occurs to me that perhaps you’re using ib_insync, which I believe will start TWS for you automatically (using IBC under the hood, if I recall correctly)? If that’s the case, please let me know. ? Otherwise, I can’t help you until you give me some information that I can use. ? Richard
|
Re: 2FA prevents TWS restarts without human authorisation
Look in twsstartmacos.sh. You’ll see the setting for the LOG_PATH variable. The log files themselves have names like this: ? ibc-3.18.0_TWS-1025_wednesday.txt ? Now read the descriptive comment further below. For your convenience, this is what it says: ? #?? LOG_PATH # #???? Specifies the folder where diagnostic information is to be logged while #???? this command file is running. This information is very valuable when #???? troubleshooting problems, so it is advisable to always have this set to #???? a valid location, especially when setting up IBC. You must #???? have write access to the specified folder. # #???? If no value is set, log information is sent to the terminal window. # #???? If the setting is removed entirely (or commented out), no log information #???? is captured at all (but this is not recommended). ? I presume you are using twsstartmacos.sh to start IBC? If you aren’t, then how are you starting it? ? ? ? ?
toggle quoted message
Show quoted text
From: [email protected] <[email protected]> On Behalf Of Chen Wang
Sent: Wednesday, October 18, 2023 8:06 AM
To: [email protected]
Subject: Re: [ibc] 2FA prevents TWS restarts without human authorisation? Hi Richard,
Thanks for pointing that out. I can see the Title "IbcTws" and if I click on About a small widow pops out.
Please see the image attached.
We appreciate your help and guidance immensely. Let me know how to look further to locate the actual log files.
Chen
|
Re: 2FA prevents TWS restarts without human authorisation
Hi Richard, Thanks for pointing that out. I can see the Title "IbcTws" and if I click on About a small widow pops out. Please see the image attached. We appreciate your help and guidance immensely. Let me know how to look further to locate the actual log files. Chen 
|
Re: 2FA prevents TWS restarts without human authorisation
I don’t want the launcher logs, I want the IBC logs. ? When you run IBC a prominent banner window is displayed telling you where the IBC log is. That’s what I need. The launcher logs are written by TWS and contain nothing relevant to IBC at all. ? Richard ? ? ?
toggle quoted message
Show quoted text
From: [email protected] <[email protected]> On Behalf Of Brian Barnett
Sent: Tuesday, October 17, 2023 10:41 PM
To: [email protected]
Subject: Re: [ibc] 2FA prevents TWS restarts without human authorisation? Hi Richard,
We really appreciate your help here. Your willingness to help directly with users like us is commendable.
The ubuntu box has already been on 3.18.0 and I've attached the launcher logs for the past 2 days from the ubuntu box. I'll be so happy when I can get this running flawlessly through the week until Sunday like it should. :-)
**Note we had IBC working flawlessly on a previous ubuntu box. We migrated to a box with more processor and RAM. After the migration to the new box is when the crashing behavior started. I'll state again just for clarification that TWS runs fine on the box without crashing behavior until its run by IBC and then it become crash prone. We've reinstalled TWS to see if that was a factor. We haven't yet attempted a complete redeployment of IBC to see if we just missed something during the initial setup of IBC.
Best regards,
Brian
|
Re: 2FA prevents TWS restarts without human authorisation
Hi Richard,
We really appreciate your help here. Your willingness to help directly with users like us is commendable.
The ubuntu box has already been on 3.18.0 and I've attached the launcher logs for the past 2 days from the ubuntu box. I'll be so happy when I can get this running flawlessly through the week until Sunday like it should. :-)
**Note we had IBC working flawlessly on a previous ubuntu box. We migrated to a box with more processor and RAM. After the migration to the new box is when the crashing behavior started. I'll state again just for clarification that TWS runs fine on the box without crashing behavior until its run by IBC and then it become crash prone. We've reinstalled TWS to see if that was a factor. We haven't yet attempted a complete redeployment of IBC to see if we just missed something during the initial setup of IBC.
Best regards,
Brian
|
Re: 2FA prevents TWS restarts without human authorisation
OK, the first thing to say is that if you are experiencing problems while using IBC, you should post here and attach the IBC logfile so that I can have a look at what’s going on. And I mean attach the logfile, don’t just quote its contents inline in your post. And also, include the whole logfile – don’t try to extract the bits that you might think are relevant, because invariably when people do this it just wastes time because I just have to go back to them and ask them for the whole thing. ? The next thing is that you should upgrade to the latest IBC version, which is 3.18.0. ? The third thing is that you seem to have some misunderstandings about what IBC does. It doesn’t do anything at all that influences the way TWS works. It just acts like a user so that certain things happen without the user having to initiate them. So when you say things like ‘…when it alters the TWS files during its initial run..’ that’s just completely wrong. It doesn’t alter any TWS files. TWS running under IBC is exactly the same as TWS running manually, with the exception that IBC doesn’t use the script (in Linux/macOS) or the tws.exe (on Windows) that the desktop shortcuts point to. ? And the final point is simply that you cannot avoid having to do the 2FA. The days when you could automate the whole thing and never need to have human involvement are long gone, and to be honest I’m astonished that you still seem to think that ought to be? a possibility. However if you set it up properly, all you need to do is once a week handle the alert from IB on your cell-phone or tablet: that’s about as minimal as you could ask for. ? So in my case, I start my live TWS on Sunday evening, I handle the alert some time later (depending on when I remember and whether I have my phone handy), and that’s it: it runs flawlessly for the rest of the week until Sunday. ? So get me the logfile please! I would appreciate it if you move to 3.18.0 before you do that – it might just make a difference; but that’s not essential. ? Richard ? (I’m the main developer of IBC) ? ?
toggle quoted message
Show quoted text
From: [email protected] <[email protected]> On Behalf Of Brian Barnett
Sent: Monday, October 16, 2023 10:46 PM
To: [email protected]
Subject: Re: [ibc] 2FA prevents TWS restarts without human authorisation? @All,
Chen and I have been working on this issue together prior to coming to this group for further insight and let me expound on what it seems is happening. We install TWS on both a ubuntu server and a macOS environment and if we run TWS manually it runs perfectly fine, however after the first run of TWS under IBC control TWS fires up, but has now become crash prone. Once TWS crashes then IBC does a hard restart of the application. It appears that its crashing during the daily restart hence the 2FA issue because of the hard restart it needs 2FA to relogin since if TWS was functioning properly it would only need 2FA once a week. In the macOS environment its more stable than in ubuntu, but in ubuntu once IBC has run TWS then TWS will crash during a number of actions on the application. It crashes not only during restart but it also crashes upon order submission, when changing the contract shown on the graph or on the order entry screen, etc.
Running TWS manually after the first run by IBC is still crash prone. Our theory is perhaps there are some settings in the IBC installation/configuration that we are missing so that when it alters the TWS files during its initial run it isn't altering the TWS files properly.
Hopefully this helps clarify what we are experiencing.
Thanks,
Brian
|
Re: 2FA prevents TWS restarts without human authorisation
@All,
Chen and I have been working on this issue together prior to coming to this group for further insight and let me expound on what it seems is happening. We install TWS on both a ubuntu server and a macOS environment and if we run TWS manually it runs perfectly fine, however after the first run of TWS under IBC control TWS fires up, but has now become crash prone. Once TWS crashes then IBC does a hard restart of the application. It appears that its crashing during the daily restart hence the 2FA issue because of the hard restart it needs 2FA to relogin since if TWS was functioning properly it would only need 2FA once a week. In the macOS environment its more stable than in ubuntu, but in ubuntu once IBC has run TWS then TWS will crash during a number of actions on the application. It crashes not only during restart but it also crashes upon order submission, when changing the contract shown on the graph or on the order entry screen, etc.
Running TWS manually after the first run by IBC is still crash prone. Our theory is perhaps there are some settings in the IBC installation/configuration that we are missing so that when it alters the TWS files during its initial run it isn't altering the TWS files properly.
Hopefully this helps clarify what we are experiencing.
Thanks,
Brian
|
Re: 2FA prevents TWS restarts without human authorisation
Sloppy wording on my part. "you only get a forced restart over the weekend" if you set the Gateway to auto restart
------ Original Message ------
Date 16/10/2023 18:31:04
Subject Re: [ibc] 2FA prevents TWS restarts without human authorisation
Hi Chen
I don't think there's a way round that with TWS. But it can be made reasonably painless with IBC and IB Gateway.
With Gateway you only get a forced restart over the weekend. I schedule my Gateway to shutdown early afternoon Saturday anyway and restart?early afternoon Sunday (UK time). IBC has a really useful setting that will keep retrying if you miss the first 2FA request.
Andy ?
------ Original Message ------
Date 16/10/2023 16:40:26
Subject [ibc] 2FA prevents TWS restarts without human authorisation
Hi,
For the last 2 years, I have kept TWS consistently and constantly running through daily scheduled and every odd unscheduled restart with the need for any human intervention.
This is achieved through the help of IBC and Watchdog.
Unfortunately, with the recently mandated 2FA security measure, no restart can be completed without a human acknowledgement through the IB Key on my iPhone.
I have been searching for a remedy/workaround for weeks. The closest I have come across is to set the Lock and Exit behaviour in TWS to "Restart" instead of "Logoff", which did not improve things. It still requires the IB Key authorisation.
I would be immensely grateful if someone in the community could offer me tips/suggestions, including switching to IB Gateway if absolutely necessary to restore the convenience I used to have.
Thanks very much in advance!
I am running IBC 3.16.2+ and TWS from 10.19+ on both Linux and macOS platforms.
Chen
|
