lifetime and idle_timeout in clients.conf

Jason Rohm jason.rohm at
Fri Apr 13 16:55:54 CEST 2012

I've been having some issues with proxy authentications failing in a
federated TCP/TLS configuration. Investigation shows that the connections
are failing with an error on the server end of "Info: Ignoring new
connection due to client max_connections". A little more digging seems to
show that the connections are not being gracefully closed. I suspect this
is due to a firewall cleaning up idle TCP translation slots since there
are currently few authentication attempts.

I've seen the lifetime keyword in a number of sample configurations here
and the configuration parser seems to take it when I run the service in
debug mode. However, the idle_timeout keyword is silently ignored and the
server doesn't seem to be cleaning up old connections based on either the
idle_timeout or the max lifetime. I can't find references to either
lifetime or idle_timeout in the sample configurations or a quick review of
the documentation as it relates to clients.conf.

So my questions areŠ

1.) Are the keywords lifetime and idle_timeout supported in clients.conf?
2.) If they are, is there a known bug that would cause them to not work?
3.) If they aren't, would there be value to someone other than me to add
this feature? (Yes, I know this means I volunteer, lol).)
4.) In addition to lifetime and idle_timeout, would something like a keep
alive be reasonable?

Thanks. Any and all feedback is welcome.

Jason Rohm 
Communication Architect
jason.rohm at

More information about the Freeradius-Users mailing list