Zombie proxies with RadSec
Neuton Martins
notuenmc at gmail.com
Sat Nov 18 12:53:08 CET 2017
Thanks for the feedback, Alan and Winfield.
I will tweak the firewalls to ensure the timeout for port 2083 is higher
than the default short timeout.
On Mon, 13 Nov 2017 09:26, Winfield, Alister <Alister.Winfield at sky.uk>
wrote:
> I’m going to hazard a guess that there is an idle timeout on one of those
> firewalls. What you want is to make the TCP keep-alive interval in the
> server's TCP kernel settings less than the firewall's timeout, or ensure the idle
> timeout is low enough on the connections from RADIUS (I’m guessing it’s a
> parameter somewhere but might be wrong).
>
> As stated, it's essentially “fix the network”.
> --
> Alister
>
>
> On 09/11/2017, 22:30, "Freeradius-Users on behalf of Alan DeKok"
> <freeradius-users-bounces+alister.winfield=sky.uk at lists.freeradius.org on
> behalf of aland at deployingradius.com> wrote:
>
> On Nov 9, 2017, at 4:49 PM, Neuton Martins <notuenmc at gmail.com> wrote:
> > I only have the default log of the zombie message, as follows:
> > Mon Nov 6 18:31:03 2017 : Proxy: Marking home server 10.X.Y.Z port 2083 as
> > zombie (it has not responded in 30.000000 seconds).
> > Mon Nov 6 18:31:03 2017 : ERROR: (20792) ERROR: Failing proxied request
> > for user "xxxx at mpf.mp.br", due to lack of any response from home server
> > 10.X.Y.z port 2083
>
> That's a problem then.
>
> > And when I tried to use status-server with RadSec I got the following error:
> > Error: /usr/local/etc/raddb/sites-enabled/tls[145]: Only 'status_check =
> > none' is allowed for home servers with 'proto = tcp'
>
> Ah yes, I had forgotten about that.
>
> > My true problem is that my home_server is up, but for some reason the proxy
> > client thinks it's down and marked it as zombie. I think this is related to
> > having two firewalls between the proxy client and home server. However, I need
> > the proxy client to detect the connection error quickly and restart the
> > connection.
>
> The problem is that if the TCP connection goes away, no amount of
> poking FreeRADIUS will fix the problem.
>
> It's a network problem. The only solution is to fix the network.
>
> Honestly, if the firewalls are breaking TCP, then the firewalls are
> broken.
>
> Alan DeKok.
>
>
> -
> List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html
>
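Alister's suggestion above is to make the keep-alive timers shorter than the firewall's idle timeout so the firewall keeps seeing traffic on the RadSec (TCP/2083) session. The following script is an added example and is not code from the thread or from FreeRADIUS. It assumes Linux socket option names (TCP_KEEPIDLE, TCP_KEEPINTVL, TCP_KEEPCNT, mirroring the net.ipv4.tcp_keepalive_time/intvl/probes sysctls) and uses a constructed 300 s firewall timeout; whether FreeRADIUS itself enables SO_KEEPALIVE on its proxy sockets is not stated in the thread, and the kernel sysctls only take effect on sockets that do, so that is something to verify on the real server.

```python
import socket

# Constructed example values: the usual Linux kernel defaults for the
# net.ipv4.tcp_keepalive_{time,intvl,probes} sysctls (seconds, seconds, count).
LINUX_DEFAULT_KEEPALIVE = {"idle": 7200, "intvl": 75, "probes": 9}


def first_probe_before_timeout(fw_idle_timeout, idle):
    """True when the kernel sends its first keep-alive probe before the
    firewall's idle timer expires, i.e. the firewall sees traffic in time."""
    return idle < fw_idle_timeout


def dead_peer_detect_time(idle, intvl, probes):
    """Seconds of silence before the kernel gives up and resets the socket."""
    return idle + intvl * probes


def recommend_keepalive(fw_idle_timeout, probes=3):
    """Pick per-socket keep-alive timers for a known firewall idle timeout:
    first probe at half the timeout, and the whole probe sequence fits under it."""
    idle = max(1, fw_idle_timeout // 2)
    intvl = max(1, (fw_idle_timeout - idle) // (probes + 1))
    return {"idle": idle, "intvl": intvl, "probes": probes}


def enable_keepalive(sock, idle, intvl, probes):
    """Enable SO_KEEPALIVE on a socket and, where the platform exposes them,
    the per-socket timers (Linux names assumed). Returns what was read back."""
    sock.setsockopt(socket.SOL_SOCKET, socket.SO_KEEPALIVE, 1)
    applied = {"enabled": bool(sock.getsockopt(socket.SOL_SOCKET, socket.SO_KEEPALIVE))}
    for name, value in (("TCP_KEEPIDLE", idle), ("TCP_KEEPINTVL", intvl), ("TCP_KEEPCNT", probes)):
        opt = getattr(socket, name, None)  # absent on platforms without these options
        if opt is not None:
            sock.setsockopt(socket.IPPROTO_TCP, opt, value)
            applied[name] = sock.getsockopt(socket.IPPROTO_TCP, opt)
    return applied


def check_against_firewall(fw_idle_timeout, settings):
    """Summarise whether a keep-alive configuration survives a given firewall."""
    return {
        "probe_in_time": first_probe_before_timeout(fw_idle_timeout, settings["idle"]),
        "detect_after": dead_peer_detect_time(**settings),
    }


def demo(fw_idle_timeout=300):
    """Apply recommended timers to an unconnected TCP socket; no network needed."""
    settings = recommend_keepalive(fw_idle_timeout)
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    try:
        applied = enable_keepalive(sock, **settings)
    finally:
        sock.close()
    return settings, applied


if __name__ == "__main__":
    print("kernel defaults vs 300 s firewall:",
          check_against_firewall(300, LINUX_DEFAULT_KEEPALIVE))
    print("recommended timers and readback:", demo(300))
```

With the default 7200 s idle timer the first probe arrives long after a 300 s firewall entry has been dropped, which matches the symptom in the thread: the home server is up, but the proxy's connection silently dies and the server is marked zombie. Setting the timers per socket (or system-wide via sysctl, if the application enables SO_KEEPALIVE) keeps state alive on both firewalls and lets the kernel detect a dead path within `dead_peer_detect_time` rather than waiting indefinitely.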