sqlippool IP conflict problem
kes-kes at yandex.ru
Tue Dec 20 10:15:39 CET 2011
You wrote on 20 December 2011, 9:37:41:
FAN> 2011/12/20 Коньков Евгений <kes-kes at yandex.ru>:
>> I see that expire_time keeps being updated while radiusd receives
>> interim-update packets. BUT radius listens on a UDP port, and this
>> means that there is no guarantee that the server will receive an interim-update packet. So there
>> is a chance to lose two interim packets for the current user.
>> Therefore the IP leased to the current user will be counted as expired and may be
>> leased to another user, causing an IP conflict error.
FAN> That's why I suggested two times Acct-Interim-Interval would be a good
FAN> choice. If one packet goes missing hopefully we'll be able to get the
FAN> next one. If you're feeling paranoid you could use a big timeout value
FAN> (e.g. 10x Acct-Interim-Interval), with the consequence that it will
FAN> take longer before IP addresses used by stale sessions can be reused.
I have Acct-Interim-Interval = 300
And I have a script that checks for zombie sessions once per 15 min
Date: Sun, 18 Dec 2011 21:15:01 +0000 (UTC)
$VAR1 = [
'NASPORT' => 193,
'ID' => 1221104,
'USERNAME' => '10228',
'TERMINATECAUSE' => 'OnLine',
'FRAMEDIPADDRESS' => '192.168.16.195',
'SESSIONID' => 'dfe6caf212e8f842',
'BILL' => undef,
'BYTESOUT' => '53208742',
'STARTTIME' => '2011-12-18 19:02:49',
'CALLTO' => '10.5.0.17',
'STOPTIME' => '2011-12-18 20:49:03',
'BYTESIN' => '9158505',
'CALLFROM' => '10.7.30.58 / 00:24:54:5d:1a:b5 / vlan76',
'ONLINETIME' => 6375
It checks for 'OnLine' and STOPTIME more than 15 min ago (3 times AcctInterimInterval).
As you see, 20:49:03 was when the last acct-interim-interval was received.
The script was run at 21:15:01, so 25 min have passed since the last AcctInterimInterval;
that is 5 times. Per day I get about 5 to 10 such sessions. It is noising (
NAS server and freeradius are both on localhost and there is about
50% idle on CPU; there are about 200-300 users online with 5min
Is it possible to force FreeRadius to listen on a TCP port?
>> I think there must be a mechanism to force check that IP is *really*
>> unused before freeing or 're lease' it.
FAN> It's a tradeoff, really. In theory, you COULD write your own module
FAN> that verifies whether a user is online. Kinda like what simultaneous
FAN> use using radutmp & checkrad does, which performs checking using
FAN> snmp/telnet/ssh to the NAS. However that would inflict heavy
FAN> performance penalty. It might be acceptable if you only handle (for
FAN> example) 10 AAA/minute, but it won't be feasible if you need to handle
FAN> 10 AAA/second.
FAN> For most practical purposes, the current sqlippool is good enough. Not
FAN> perfect, but good enough.
Коньков mailto:kes-kes at yandex.ru
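
The timeout tradeoff discussed in this thread, worked through on the session from the dump above. This is an added example, not code from either poster or from FreeRADIUS. It assumes the pool lease is renewed on every accounting update and lasts multiplier x Acct-Interim-Interval; lease_report and the second sample row are hypothetical.

```python
from datetime import datetime, timedelta

INTERIM = 300  # Acct-Interim-Interval from the post, in seconds
FMT = "%Y-%m-%d %H:%M:%S"

# Sample rows in the shape of the dump in the post:
# (username, framed IP, time of the last accounting update received).
SESSIONS = [
    ("10228", "192.168.16.195", "2011-12-18 20:49:03"),  # values from the post
    ("10301", "192.168.16.201", "2011-12-18 21:12:40"),  # constructed
]


def lease_report(sessions, now, multiplier, interim=INTERIM):
    """Count missed interim updates per session and decide whether a lease of
    multiplier * interim seconds (assumed to be renewed on every accounting
    update) has already run out at time `now`."""
    lease = timedelta(seconds=multiplier * interim)
    report = []
    for user, ip, last_update in sessions:
        last = datetime.strptime(last_update, FMT)
        silent_s = int((now - last).total_seconds())
        expires = last + lease
        report.append({
            "user": user,
            "ip": ip,
            "missed": silent_s // interim,  # whole intervals without an update
            "expires": expires.strftime(FMT),
            "reusable": now >= expires,  # pool may hand the address out again
            # seconds the address has already been open for re-lease
            "exposed_s": max(0, int((now - expires).total_seconds())),
        })
    return report


if __name__ == "__main__":
    # Time the zombie-check script ran, taken from the post.
    run_at = datetime.strptime("2011-12-18 21:15:01", FMT)
    for m in (2, 3, 10):
        for row in lease_report(SESSIONS, run_at, m):
            print(f"timeout={m}x", row)
```

With a 2x timeout the address of the silent session becomes reusable well before the 15-minute script run sees it; with 10x it is still held, at the cost of stale sessions blocking addresses longer.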