Proxy realms and home_server_pool fallback not working

Peter Lambrechtsen peter at crypt.co.nz
Mon Mar 7 00:54:41 CET 2016


Hi

I'm looking to add more robustness into my proxy architecture and noticed
that in the home_server_pool there is the option for "fallback = virtualrealm",
so if all home servers fail then a last-resort home_server is used with
some config locally to always accept / reject customers based on the realm
they are coming from. I'm not using the status_check as some of the
downstream clients don't support status-server, but I will look into that
to see if it makes a difference. However, for this situation I would expect
that whether or not you are using Status-Server checks shouldn't have any
impact on how the fallback server works.

In the proxy.conf I have configured:

home_server ProxyDest {
        type = auth+acct
        ipaddr = 192.168.1.113
        port = 1812
        secret = password
        response_window = 1
        require_message_authenticator = no
        zombie_period = 5
        revive_interval = 10
        status_check = none
        #status_check = status-server
        # username = "test_user_please_reject_me"
        # password = "this is really secret"
        check_interval = 10
        num_answers_to_alive = 3
        max_outstanding = 65536
}

home_server cacheuser {
        virtual_server = cacheuser
}

#  Main server pool
#
home_server_pool ProxyDestPool {
        type = fail-over
        home_server = ProxyDest
#       home_server = cacheuser
        fallback = cacheuser
}

Then in my virtual server I have configured:

server cacheuser {
        authorize {
                accept
        }
}

So when the Destination server is up, life is good.

(0) Proxying request to home server 192.168.1.113 port 1812 timeout 1.000000
(0) Sent Access-Request Id 26 from 0.0.0.0:58512 to 192.168.1.113:1812 length 337
...
Waking up in 0.3 seconds.
(0) Marking home server 192.168.1.113 port 1812 alive
(0) Clearing existing &reply: attributes
(0) Received Access-Accept Id 26 from 192.168.1.113:1812 to 192.168.1.116:58512 length 55

But if the server is down, on the first request I get a reject as expected,
due to the home server being down.

(2) Proxying request to home server 192.168.1.113 port 1812 timeout 1.000000
(2) Sent Access-Request Id 17 from 0.0.0.0:47755 to 192.168.1.113:1812 length 337
...
Waking up in 0.3 seconds.
(2) Expecting proxy response no later than 0.669753 seconds from now
Waking up in 0.4 seconds.
(2) No proxy response, giving up on request and marking it done
Marking home server 192.168.1.113 port 1812 as zombie (it has not responded in 1.000000 seconds).
(2) ERROR: Failing proxied request for user "peter", due to lack of any response from home server 192.168.1.113 port 1812
(2) Clearing existing &reply: attributes

But the second and subsequent requests I would expect to get proxied to the
local fallback virtual server, as the home_server has been marked as zombie.
But that never seems to happen. It keeps on rejecting the requests and
fallback never seems to be used.

If I configure a second home server in the pool:

home_server_pool ProxyDestPool {
        type = fail-over
        home_server = ProxyDest
        home_server = cacheuser
        fallback = cacheuser
}

Then the second server is failed over to when the first fails. Which is all
good if I wanted to use the type fail-over, but if I wanted to use
load-balance then I can't have my fallback server as a home server,
otherwise a percentage of requests will always be local, which isn't ideal.

The other interesting thing with the failover is that I set the check_interval
to 10 seconds, or 30 seconds. But it only seems that the first client is
re-checked after 60 seconds and assumed to be back up.

Waking up in 0.2 seconds.
Marking home server 192.168.1.113 port 1812 alive again... we have no idea if it really is alive or not.
Waking up in 1.0 seconds.

I would have thought that

        zombie_period = 5
        revive_interval = 10
        check_interval = 10

would mean that the client would be re-checked in 10 seconds.

Am I misunderstanding how fallback is supposed to work?

Cheers

Peter
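
Added example, not part of the original post and not FreeRADIUS code: a small Python parser for the radiusd debug lines quoted above. It records the state each home server was last marked with and reports which state the server was in when each request was proxied to it. The sample log is built from lines in the post; request (3) is a constructed follow-up request and its destination is an assumption.

```python
import re

# State-change and proxy lines in the form printed in the debug output above.
MARK = re.compile(
    r"Marking home server (\S+) port (\d+) (?:as )?(alive again|alive|zombie)")
SEND = re.compile(r"^\((\d+)\) Proxying request to home server (\S+) port (\d+)")

def trace_home_servers(lines):
    """Return ([(request_id, 'ip:port', state_when_sent)], final_state_map).

    A server with no marking line seen yet is reported as 'unknown'.
    """
    state, sent = {}, []
    for line in lines:
        m = SEND.search(line)
        if m:
            key = f"{m.group(2)}:{m.group(3)}"
            sent.append((int(m.group(1)), key, state.get(key, "unknown")))
            continue
        m = MARK.search(line)
        if m:
            state[f"{m.group(1)}:{m.group(2)}"] = m.group(3)
    return sent, state

# Constructed sample: the (0) and (2) lines are copied from the post;
# request (3) is a constructed follow-up (assumption, for illustration).
SAMPLE_LOG = """\
(0) Proxying request to home server 192.168.1.113 port 1812 timeout 1.000000
(0) Marking home server 192.168.1.113 port 1812 alive
(2) Proxying request to home server 192.168.1.113 port 1812 timeout 1.000000
(2) No proxy response, giving up on request and marking it done
Marking home server 192.168.1.113 port 1812 as zombie (it has not responded in 1.000000 seconds).
(3) Proxying request to home server 192.168.1.113 port 1812 timeout 1.000000
Marking home server 192.168.1.113 port 1812 alive again... we have no idea if it really is alive or not.
""".splitlines()

if __name__ == "__main__":
    sent, final = trace_home_servers(SAMPLE_LOG)
    for req, server, st in sent:
        print(f"request ({req}) -> {server} while marked {st}")
    print("final state:", final)
```

Run over a full debug capture, the output shows whether requests are still being sent to a home server after it was marked zombie, and how long it took before the "alive again" line appeared.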
