Session-Timeout anomalies

Alan DeKok aland at deployingradius.com
Fri Feb 8 16:02:10 CET 2013 

Bill Isaacs wrote:
> Here is an example of one such account, a development test account which
> I created for debugging purposes. It's value is 30 days (2592000 seconds)
> 
> Radclient result:
> ===============
> # echo User-Name="cgitest",User-Password="cgitest" | radclient -c 1 -n 3
> -r 3 -t 3 -x 127.0.0.1:1812 auth -S shared
> Sending Access-Request of id 24 to 127.0.0.1 port 1812
> User-Name = "cgitest"
> User-Password = "cgitest"
> rad_recv: Access-Accept packet from host 127.0.0.1 port 1812, id=24,
> length=26
> Session-Timeout = 2366393

  2,366,393 < 2,592,000

  So that seems OK.

> sql query:
> 
> SELECT IFNULL(TIME_TO_SEC(TIMEDIFF(NOW(), MIN(AcctStartTime))),0) FROM
> radacct WHERE UserName='cgitest' ORDER BY AcctStartTime LIMIT 1 \g
> +-------------------------------------------------------------------------------------+
> 
> | IFNULL(TIME_TO_SEC(TIMEDIFF(NOW(), MIN(AcctStartTime))),0) |
> +-------------------------------------------------------------------------------------+
> 
> | 1447012 |
> +-------------------------------------------------------------------------------------+

  OK... that's not the same as above.

> ===============
> 
> Ok, the problem here should be obvious but I'll explain these results
> for those who are impatient. The "Session-Timeout" number is way too
> large. As I stated previously, this is a 30 day account. It was counting
> down with no problems until a few days ago. It then mysteriously began
> reporting in the popup window which I was working on that it had 29.9
> days left on it, after it had already counted down to something like 15
> days. It simply seems to have reloaded itself, even though the sql query
> reports the accurate number of seconds which have actually expired.
> (1447012). So if we do the math: 2592000-1447012=1144988 (or roughly
> 13.25 days) should be the remaining time on this account. Not 27.38 days.

  OK...

> Here is the sql counter from sqlcounter.conf:

  And what about debug output?

> Ok so the question then is: where the hell is radclient getting the
> notion that the account has 2366393 seconds left?

  That is *entirely* the wrong question.  It's why you haven't solved
the problem yet.

  Look at the *radius server* debug output.  It's the one sending the
Session-Timeout.  You should be able to figure out where the
session-timeout is coming from.

> Where is
> "Session-Timeout" getting this information? Why is it only doing it on
> some accounts and not others?

  Look at the debug output.

  Honestly.

  We say this DAILY on this list.  There is no excuse for refusing to do
that.

  Alan DeKok.

More information about the Freeradius-Users mailing list