post-proxy and detecting dead upstream realms
Phil Mayers
p.mayers at imperial.ac.uk
Thu Jan 15 16:18:37 CET 2015
On 15/01/15 14:48, Matt Zagrabelny wrote:
> Why do you care if the realm doesn't respond?
Cleanliness, mainly. The outstanding response consumes a radius packet
ID on the proxy socket, and on the receive auth socket. On a busy NAS,
the latter is likely to get re-used while waiting, resulting in:
Error: Received conflicting packet from client xxx port 32770 - ID: 182 due to unfinished request 51899386. Giving up on old request
That is, the NAS sent a request, ID#182, which got proxied to a
blackhole realm. 15 seconds later it re-used that packet ID for
something else.
I'd like to eliminate sources of this message which are not local
problems; then if I see the message, I know I have to investigate it.
"Real" causes of this message are something to worry about. In
particular, on some current equipment (cough Cisco cough) those messages
might indicate you're very close to the "offered load of doom" threshold
where the NAS's single radius UDP socket has >255 legitimate packet IDs
in-flight and your wireless network is about to explode.
(Yes, Cisco should fix this)
More generally - such a mechanism would be useful for blacklisting
horribly mis-configured clients before even trying to proxy them, saving
a round-trip and various lookup/logging load.
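As an added illustration (not from this post and not FreeRADIUS code), the following model shows the mechanism the message describes: the RADIUS Identifier is one byte, so a NAS socket has at most 256 distinct in-flight IDs, and every request stuck waiting on a dead realm holds one of them. A tracker keyed on (client, port, ID) reports "conflict" when a different request arrives with an ID that is still pending, and a parser for the quoted log line counts conflicts per client so a NAS burning through its ID space stands out. The timings, the 15-second give-up, and the rule that an identical Request Authenticator means a retransmit are assumptions of this model, and the log lines are constructed samples.

```python
# Added example (not from the list post or FreeRADIUS): a model of the 8-bit
# RADIUS Identifier space on one NAS UDP socket, showing why an unanswered
# (blackholed) proxy realm turns into "conflicting packet" errors, plus a
# parser for that FreeRADIUS log line so conflicts can be counted per client.
# Timings and the dedup rule (same authenticator == retransmit) are assumptions
# of this model, not FreeRADIUS internals.
import re
from collections import Counter
from dataclasses import dataclass

ID_SPACE = 256            # RADIUS Identifier field is one byte
GIVE_UP_MS = 15_000       # assumed: how long the proxy waits before dropping a request


@dataclass
class Pending:
    authenticator: bytes
    started_ms: int
    request_no: int


class RequestTracker:
    """Unfinished requests keyed by (client, port, id): the Identifier is only
    unique per client socket, so the server has to key on all three."""

    def __init__(self):
        self.pending = {}
        self.request_no = 0
        self.conflicts = 0

    def receive(self, client, port, pkt_id, authenticator, now_ms):
        self.expire(now_ms)
        key = (client, port, pkt_id)
        old = self.pending.get(key)
        if old is not None and old.authenticator == authenticator:
            return "duplicate"          # NAS retransmit: keep waiting on the original
        self.request_no += 1
        self.pending[key] = Pending(authenticator, now_ms, self.request_no)
        if old is not None:
            self.conflicts += 1         # ID re-used for a different request
            return "conflict"
        return "new"

    def finish(self, client, port, pkt_id):
        self.pending.pop((client, port, pkt_id), None)

    def expire(self, now_ms):
        # proxy gives up on requests that have waited longer than GIVE_UP_MS
        for key, p in list(self.pending.items()):
            if now_ms - p.started_ms >= GIVE_UP_MS:
                del self.pending[key]

    def in_flight(self, client, port):
        return sum(1 for c, p, _ in self.pending if (c, p) == (client, port))


def simulate(n_requests, interval_ms, upstream_latency_ms):
    """Constructed scenario: one NAS sends n_requests from one socket, one every
    interval_ms, cycling IDs 0..255. upstream_latency_ms=None means the proxied
    realm never answers. Returns (conflicts, peak_in_flight)."""
    tracker = RequestTracker()
    client, port = "10.0.0.1", 32770     # constructed NAS address/port
    finishes = []                        # (finish_at_ms, pkt_id) for answered requests
    peak = 0
    for i in range(n_requests):
        now = i * interval_ms
        # deliver any upstream replies that have arrived by now
        for finish_at, pkt_id in [f for f in finishes if f[0] <= now]:
            tracker.finish(client, port, pkt_id)
            finishes.remove((finish_at, pkt_id))
        pkt_id = i % ID_SPACE
        authenticator = i.to_bytes(16, "big")    # distinct per request
        tracker.receive(client, port, pkt_id, authenticator, now)
        if upstream_latency_ms is not None:
            finishes.append((now + upstream_latency_ms, pkt_id))
        peak = max(peak, tracker.in_flight(client, port))
    return tracker.conflicts, peak


CONFLICT_RE = re.compile(
    r"Received conflicting packet from client (?P<client>\S+) port (?P<port>\d+)"
    r" - ID: (?P<id>\d+) due to unfinished request (?P<req>\d+)")


def conflicts_per_client(log_lines):
    """Count 'conflicting packet' errors per (client, port)."""
    counts = Counter()
    for line in log_lines:
        m = CONFLICT_RE.search(line)
        if m:
            counts[(m["client"], int(m["port"]))] += 1
    return counts


# Constructed sample log: the first line is the one quoted in the post.
SAMPLE_LOG = [
    "Error: Received conflicting packet from client xxx port 32770 - ID: 182 "
    "due to unfinished request 51899386. Giving up on old request",
    "Error: Received conflicting packet from client xxx port 32770 - ID: 7 "
    "due to unfinished request 51899390. Giving up on old request",
    "Auth: Login OK: [user] (from client yyy port 0 cli 00-11-22-33-44-55)",
]

if __name__ == "__main__":
    print("dead realm:   conflicts, peak in-flight =", simulate(300, 50, None))
    print("healthy realm: conflicts, peak in-flight =", simulate(300, 50, 100))
    print("conflicts per client:", dict(conflicts_per_client(SAMPLE_LOG)))
```

With a realm that never answers, 300 requests at 50 ms intervals leave all 256 IDs pending after the first 12.8 seconds, and the remaining 44 requests each collide with an unfinished one; the same load against a realm answering in 100 ms never has more than two requests in flight. That is the difference between a proxy-side artefact and a NAS that is genuinely saturating its socket, which is why knowing the upstream realm is dead matters before reading the conflict count as a capacity warning.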