Re: [RADIATOR] Unexpected behavior with UseStatusServerForFailureDetect in AuthBy LOADBALANCE
On 05/10/2013 05:55 PM, Todor Genov wrote:
> Excerpts from Heikki Vatiainen's message of Fri May 10 15:55:22 +0200 2013:
>> Since you have not specified FailureBackoffTime it defaults to 0 and
>> might be the cause of the problem you see.
>
> Even with a FailureBackoffTime 300 the problem is reproducible. For now
> I'll revert to using the default failure detection mechanism.
>
> Here are logs of a packet stuck in re-transmit with
> UseStatusServerForFailureDetect:

Thanks for taking a look at this and providing more input. I will take a
look at the Status-Server handling.

Heikki

> *** Sending to 127.0.0.1 port 1824
> Code:       Accounting-Request
> Identifier: 169
> Authentic:  215135238164229163`r82912E6c8186
> Attributes:
>     User-Name = a
>     Service-Type = Framed-User
>     NAS-IP-Address = 203.63.154.1
>     NAS-Identifier = 203.63.154.1
>     NAS-Port = 1234
>     NAS-Port-Type = Async
>     Acct-Session-Id = 1234
>     Acct-Status-Type = Start
>     Called-Station-Id = 123456789
>     Calling-Station-Id = 987654321
>     Acct-Delay-Time = 0
>     Timestamp = 1368196514
>     Proxy-State = OSC-Extended-Id=169
>
> Fri May 10 16:43:39 2013: INFO: AuthRADIUS : No reply after 505 seconds and 3 retransmissions to 127.0.0.1:1824 for a (135)
>
> and without UseStatusServerForFailureDetect:
>
> Fri May 10 16:52:12 2013: WARNING: ProxyAlgorithm LOADBALANCE Could not find a working host to proxy to
> Fri May 10 16:52:12 2013: INFO: AuthRADIUS : Could not find a working host to forward a (4) after 4 seconds. Ignoring
> Fri May 10 16:52:12 2013: INFO: AuthRADIUS : No reply after 4 seconds and 3 retransmissions to 127.0.0.1:1824 for a (129). Now have 1 consecutive failures over 0 seconds. Backing off for 300 seconds
>
> --
> todor

--
Heikki Vatiainen h...@open.com.au

Radiator: the most portable, flexible and configurable RADIUS server
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS,
TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP,
DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS,
NetWare etc.
___
radiator mailing list
radiator@open.com.au
http://www.open.com.au/mailman/listinfo/radiator

Re: [RADIATOR] Unexpected behavior with UseStatusServerForFailureDetect in AuthBy LOADBALANCE
On 05/10/2013 02:33 AM, Todor Genov wrote:
> I have found an issue where the Retries clause is ignored when using
> UseStatusServerForFailureDetect with AuthBy LOADBALANCE.

Hello Todor,

We have recently received reports about Status-Server probing and there
appear to be some issues that require a further look from us.

However, before doing anything else, please check the reference manual
for 'FailureBackoffTime' and especially this note:

    Caution: with most types of load balancing modules, the default of 0
    will mean endless retransmission of each request until a reply is
    received.

Since you have not specified FailureBackoffTime it defaults to 0 and
might be the cause of the problem you see.

Thanks,
Heikki

> In a scenario where a downstream proxy becomes unresponsive, requests
> enter a re-transmit loop until the next Status-Server keepalive detects
> the host has failed, and only then are requests ignored.
>
> To replicate use the following config:
>
> <Realm DEFAULT>
>     <AuthBy LOADBALANCE>
>         Retries 3
>         RetryTimeout 1
>         UseStatusServerForFailureDetect
>         KeealiveTimeout 300
>         NoreplyTimeout 1
>         <Host localhost>
>             AuthPort 1822
>             AcctPort 1823
>         </Host>
>     </AuthBy>
> </Realm>
>
> A single Access-Request is re-transmitted 300
> (KeepaliveTimeout/RetryTimeout) times instead of 3. Once the request is
> eventually ignored the following can be seen in the logs:
>
> Fri May 10 01:19:33 2013: INFO: AuthRADIUS : Could not find a working host to forward a (76) after 301 seconds. Ignoring
> Fri May 10 01:19:33 2013: INFO: AuthRADIUS : No reply after 301 seconds and 3 retransmissions to 127.0.0.1:1822 for a (227)
>
> When using the same config with AuthBy RADIUS the behavior is as
> expected and the request is re-transmitted only three times then ignored:
>
> Fri May 10 01:08:41 2013: INFO: AuthRADIUS : Could not find a working host to forward a (1) after 4 seconds. Ignoring
> Fri May 10 01:08:41 2013: INFO: AuthRADIUS : No reply after 4 seconds and 3 retransmissions to 127.0.0.1:1822 for a (129)
>
> Thanks.

[RADIATOR] Unexpected behavior with UseStatusServerForFailureDetect in AuthBy LOADBALANCE
Hi,

I have found an issue where the Retries clause is ignored when using
UseStatusServerForFailureDetect with AuthBy LOADBALANCE.

In a scenario where a downstream proxy becomes unresponsive, requests
enter a re-transmit loop until the next Status-Server keepalive detects
the host has failed, and only then are requests ignored.

To replicate use the following config:

<Realm DEFAULT>
    <AuthBy LOADBALANCE>
        Retries 3
        RetryTimeout 1
        UseStatusServerForFailureDetect
        KeealiveTimeout 300
        NoreplyTimeout 1
        <Host localhost>
            AuthPort 1822
            AcctPort 1823
        </Host>
    </AuthBy>
</Realm>

A single Access-Request is re-transmitted 300
(KeepaliveTimeout/RetryTimeout) times instead of 3. Once the request is
eventually ignored the following can be seen in the logs:

Fri May 10 01:19:33 2013: INFO: AuthRADIUS : Could not find a working host to forward a (76) after 301 seconds. Ignoring
Fri May 10 01:19:33 2013: INFO: AuthRADIUS : No reply after 301 seconds and 3 retransmissions to 127.0.0.1:1822 for a (227)

When using the same config with AuthBy RADIUS the behavior is as
expected and the request is re-transmitted only three times then ignored:

Fri May 10 01:08:41 2013: INFO: AuthRADIUS : Could not find a working host to forward a (1) after 4 seconds. Ignoring
Fri May 10 01:08:41 2013: INFO: AuthRADIUS : No reply after 4 seconds and 3 retransmissions to 127.0.0.1:1822 for a (129)

Thanks.

--
todor
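
Archive note: the following is an added example, not part of any message in this thread and not Radiator code. It scans a log for the "No reply after N seconds and M retransmissions" lines quoted above and flags those whose elapsed time exceeds the retry budget. The function name, the slack parameter and the budget formula (retransmissions + 1) * RetryTimeout are assumptions, the formula inferred from the "4 seconds and 3 retransmissions" lines logged with RetryTimeout 1.

```python
import re

# "No reply" INFO line as it appears in the Radiator logs quoted in this thread.
NO_REPLY = re.compile(
    r"^(?P<ts>\w{3} \w{3} +\d+ [\d:]+ \d{4}): INFO: AuthRADIUS[^:]*: "
    r"No reply after (?P<secs>\d+) seconds and (?P<retx>\d+) "
    r"retransmissions to (?P<host>[\d.]+):(?P<port>\d+)"
)

# Log lines copied from the messages in this thread.
SAMPLE_LOG = """\
Fri May 10 01:19:33 2013: INFO: AuthRADIUS : No reply after 301 seconds and 3 retransmissions to 127.0.0.1:1822 for a (227)
Fri May 10 01:08:41 2013: INFO: AuthRADIUS : No reply after 4 seconds and 3 retransmissions to 127.0.0.1:1822 for a (129)
Fri May 10 16:43:39 2013: INFO: AuthRADIUS : No reply after 505 seconds and 3 retransmissions to 127.0.0.1:1824 for a (135)
Fri May 10 16:52:12 2013: INFO: AuthRADIUS : No reply after 4 seconds and 3 retransmissions to 127.0.0.1:1824 for a (129). Now have 1 consecutive failures over 0 seconds. Backing off for 300 seconds
""".splitlines()


def find_overlong_requests(lines, retry_timeout=1, slack=1):
    """Return 'No reply' events whose elapsed time exceeds the retry budget.

    Assumed budget: the first send plus each logged retransmission waits one
    RetryTimeout, i.e. (retransmissions + 1) * retry_timeout seconds.
    """
    findings = []
    for line in lines:
        m = NO_REPLY.match(line.strip())
        if m is None:
            continue  # not a "No reply" line
        secs, retx = int(m["secs"]), int(m["retx"])
        budget = (retx + 1) * retry_timeout
        if secs > budget + slack:
            findings.append({
                "time": m["ts"],
                "target": f'{m["host"]}:{m["port"]}',
                "elapsed": secs,
                "budget": budget,
            })
    return findings


if __name__ == "__main__":
    for f in find_overlong_requests(SAMPLE_LOG):
        print(f'{f["time"]} {f["target"]}: {f["elapsed"]}s elapsed, '
              f'budget {f["budget"]}s')
```

Pass the RetryTimeout from the AuthBy clause being checked as retry_timeout; the logged retransmission count stays at 3 in the stuck cases, so the elapsed time is the field that exposes the loop.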