Problems with freeradius accounting proxy

Alan DeKok aland at deployingradius.com
Tue Feb 16 10:19:50 CET 2010


Phil Pierotti wrote:
> Yes, I have no idea what to look for. If I did, I'd have been looking
> for it, rather than asking the list.

  Maybe my messages haven't been clear enough.  The people on this list
know what to look for.  But if you insist on giving *no* information for
us to work with... we can't look.

  It's a puzzle, really.

Q: I have a problem, can you help me?
A: Here are some steps you can take to debug it
Q: Why the heck would I do that?
A: Because you want to solve the problem?
Q: Why are you being so mean to me?
A: <sigh>

> Notwithstanding your replies, I *still* am no closer to knowing *what*
> to look for. (which is odd, because that was my original question)

  My original response stands: post the debug log, and let *us* look.

  You seem to have a problem with doing that.

> Exactly how does freeradius identify a downstream radius as 'dead' ?

  It doesn't respond *correctly* to packets.

> Clearly that's not as trivial as "no replies are received" because there
> clearly are replies being received; tcpdump shows replies coming back
> (i.e. the network stack sees acct-reply packets coming back from the
> downstream server), the log shows replies coming back (so freeradius
> sees them too).

  Can you explain why you're stuck on tcpdump?  It's nearly irrelevant
to the process.  There are a *lot* of additional steps necessary for the
packet to be deemed a "correct" response.

  And no, those steps aren't relevant for you.  If the packet fails an
additional step, the debug log will show it.  Since you don't know what
to look for, you could very likely miss it in the debug log.

  Hence... the request for you to post the debug log so that *we* can
read it.

> Is a server declared 'dead' because one single request did not get a reply?
> 
> More than one?
> 
> More than two?
> 
> Should I keep counting?

  How about reading the documentation in proxy.conf?  This *is* documented.

> Is there any way to find out how many 'missed' replies a downstream
> server has?

  Read raddb/sites-available/status.  This *is* documented.

> Is there any way to tell freeradius to log in the debug messages *when*
> it has given up and decided "ok, we've obviously missed that request".
> (because there's no messages showing that with -X -xx)

  It does that already.

  If you're not seeing it, it's likely because you have home servers in
a fail-over pool, and they are sporadically down.  The proxy tries to
fail over from one server to another.  Since the packet is still "live",
it's not considered to be "missed".

  Either post the debug log for us to look at, or stop pretending that
you want the problem solved.

  Alan DeKok.
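
Added example, not part of the original message and not FreeRADIUS code: it illustrates the point above that a reply seen on the wire is not necessarily a "correct" response, using the validation RFC 2866 defines for an Accounting-Response (code, identifier, length, Response Authenticator). The shared secret, attributes and function names are constructed for illustration.

```python
import hashlib
import hmac
import struct

ACCT_REQUEST, ACCT_RESPONSE = 4, 5  # RADIUS packet codes (RFC 2866)

def build_acct_request(ident, attrs, secret):
    # Request Authenticator = MD5(Code+ID+Length + 16 zero octets + attrs + secret)
    hdr = struct.pack("!BBH", ACCT_REQUEST, ident, 20 + len(attrs))
    auth = hashlib.md5(hdr + b"\x00" * 16 + attrs + secret).digest()
    return hdr + auth + attrs

def build_acct_response(request, attrs, secret):
    # Response Authenticator = MD5(Code+ID+Length + Request Authenticator + attrs + secret)
    hdr = struct.pack("!BBH", ACCT_RESPONSE, request[1], 20 + len(attrs))
    auth = hashlib.md5(hdr + request[4:20] + attrs + secret).digest()
    return hdr + auth + attrs

def check_response(request, reply, secret):
    """Return 'ok', or the reason the reply does not answer this request."""
    if len(reply) < 20:
        return "too short"
    code, ident, length = struct.unpack("!BBH", reply[:4])
    if length < 20 or length > len(reply):
        return "bad length"
    reply = reply[:length]  # octets past the Length field are padding
    if code != ACCT_RESPONSE:
        return "unexpected code"
    if ident != request[1]:
        return "id mismatch"
    expected = hashlib.md5(reply[:4] + request[4:20] + reply[20:] + secret).digest()
    if not hmac.compare_digest(expected, reply[4:20]):
        return "bad authenticator"  # e.g. the two ends disagree on the shared secret
    return "ok"

# Constructed sample data (not taken from the thread)
SECRET = b"constructed-secret"
ATTRS = bytes([40, 6]) + struct.pack("!I", 1)  # Acct-Status-Type = Start
REQ = build_acct_request(7, ATTRS, SECRET)

if __name__ == "__main__":
    samples = {
        "matching secret": build_acct_response(REQ, b"", SECRET),
        "different secret": build_acct_response(REQ, b"", b"other-secret"),
        "truncated": b"\x05\x07",
    }
    for label, reply in samples.items():
        print(f"{label}: {check_response(REQ, reply, SECRET)}")
```

All three sample replies would show up in a packet capture as traffic coming back from the home server; only the first passes validation.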


