Error: Ignoring duplicate packet, LDAP performance

uj2.hahn at posteo.de uj2.hahn at posteo.de
Fri Feb 28 10:53:11 CET 2020


Hi, freeradius team!
I know, this "Ignoring duplicate packet" topic has been discussed for a 
long time again and again.
I see that in a special configuration:
- FreeRADIUS Version 3.0.17 on Ubuntu
- ActiveDirectory on Winserver 2012 R2
- authentication via ntlm_auth
- post-auth via LDAP (group ownership etc)
- 15 brand-new Cisco/Meraki-WLAN-APs in network
- all Cisco/Meraki-WLAN-APs are controlled by a central web-based Meraki 
dashboard

Everything works fine, there are no user complaints so far.
BUT: The central Meraki dashboard has a built-in test function to check 
whether all managed NAS are able to communicate
with the radius server. So I have to provide an existing user/password and 
the dashboard triggers each NAS to check for
freeradius authentication with the same credentials.
In this scenario I run into the "Ignoring duplicate packet" issue (see 
freeradius log part below),
which lets the Meraki dashboard report some NAS as failing. The count of 
failing NASs and the failing NASs themselves vary.
However, when I disable the LDAP post-auth section everything is fine.

Wed Feb 26 14:21:05 2020 : Info: rlm_ldap (ldap): Opening additional 
connection (17641), 1 of 30 pending slots used
Wed Feb 26 14:21:05 2020 : Info: rlm_ldap (ldap): Deleting connection 
(17640) - Was referred to a different LDAP server
Wed Feb 26 14:21:05 2020 : Info: Need 1 more connections to reach min 
connections (3)
Wed Feb 26 14:21:05 2020 : Info: rlm_ldap (ldap): Opening additional 
connection (17642), 2 of 31 pending slots used
Wed Feb 26 14:21:05 2020 : Error: (69437) Ignoring duplicate packet from 
client ZI-110 port 54766 - ID: 8 due to unfinished request in component 
post-auth module ldap
Wed Feb 26 14:21:05 2020 : Error: (69438) Ignoring duplicate packet from 
client ZI-112 port 42248 - ID: 8 due to unfinished request in component 
post-auth module ldap
Wed Feb 26 14:21:05 2020 : Info: rlm_ldap (ldap): Deleting connection 
(17638) - Was referred to a different LDAP server
Wed Feb 26 14:21:07 2020 : Info: rlm_ldap (ldap): Opening additional 
connection (17643), 1 of 30 pending slots used
Wed Feb 26 14:21:07 2020 : Error: (69446) Ignoring duplicate packet from 
client ZI-120 port 58022 - ID: 6 due to unfinished request in component 
authenticate module eap_peap
Wed Feb 26 14:21:07 2020 : Error: (69453) Ignoring duplicate packet from 
client ZI-216 port 37434 - ID: 6 due to unfinished request in component 
authenticate module eap_peap
Wed Feb 26 14:21:08 2020 : Error: (69460) Ignoring duplicate packet from 
client ZI-012 port 49893 - ID: 6 due to unfinished request in component 
authenticate module eap_peap
Wed Feb 26 14:21:08 2020 : Info: rlm_ldap (ldap): Deleting connection 
(17642) - Was referred to a different LDAP server
Wed Feb 26 14:21:08 2020 : Info: Need 1 more connections to reach min 
connections (3)
Wed Feb 26 14:21:08 2020 : Info: rlm_ldap (ldap): Opening additional 
connection (17644), 1 of 30 pending slots used
Wed Feb 26 14:21:08 2020 : Info: rlm_ldap (ldap): Deleting connection 
(17641) - Was referred to a different LDAP server
Wed Feb 26 14:21:08 2020 : Info: rlm_ldap (ldap): Opening additional 
connection (17645), 1 of 30 pending slots used
Wed Feb 26 14:21:09 2020 : Info: rlm_ldap (ldap): Deleting connection 
(17643) - Was referred to a different LDAP server

I'm pretty sure the root cause is related to general network and/or LDAP 
performance.
Actions I will take are:
- let network admin check the network and DC/AD server performance
- review my freeradius LDAP queries if they are specific enough 
(reducing the amount of data they generate)

But I have some questions for the freeradius team related to that:
I have a single freeradius server and a single DC/AD server.
1) Why does freeradius open and close LDAP connections pretty often? 
Isn't one permanently open connection good enough?
2) What does this message mean: Info: rlm_ldap (ldap): Deleting 
connection (17640) - Was referred to a different LDAP server
      There is just one LDAP server!
      I started a debug session and found this matching part in the debug log:

     (25) ldap: User object found at DN "CN=jasmin 
hahn,OU=Schueler,DC=moritz,DC=local"
     (25) ldap: EXPAND (samaccountname=%{mschap:User-Name})
     (25) ldap:    --> (samaccountname=jasmin-hahn)
     (25) ldap: Waiting for bind result...
     (25) ldap: Bind successful
     (25) ldap: Performing search in "DC=moritz,DC=local" with filter 
"(samaccountname=jasmin-hahn)", scope "sub"
     (25) ldap: Waiting for search result...
     rlm_ldap (ldap): Rebinding to URL 
ldap://ForestDnsZones.moritz.local/DC=ForestDnsZones,DC=moritz,DC=local
     rlm_ldap (ldap): Waiting for bind result...
     rlm_ldap (ldap): Rebinding to URL 
ldap://DomainDnsZones.moritz.local/DC=DomainDnsZones,DC=moritz,DC=local
     rlm_ldap (ldap): Waiting for bind result...
     rlm_ldap (ldap): Rebinding to URL 
ldap://moritz.local/CN=Configuration,DC=moritz,DC=local
     rlm_ldap (ldap): Waiting for bind result...
     rlm_ldap (ldap): Bind successful
     rlm_ldap (ldap): Bind successful
     rlm_ldap (ldap): Bind successful
     (25) ldap: Adding cacheable group object memberships
     (25) ldap:   &control:LDAP-Group += "OU=Schueler"
     (25) ldap: Processing user attributes
     (25) ldap: WARNING: No "known good" password added. Ensure the 
admin user has permission to read the password attribute
     (25) ldap: WARNING: PAP authentication will *NOT* work with Active 
Directory (if that is what you were trying to configure)
*rlm_ldap (ldap): Deleting connection (3) - Was referred to a different 
LDAP server*

     (I'm aware I cannot get passwd from AD, that's why I use ntlm_auth. 
This is not the topic I want to ask here. Or is it related??)

3) In my special case (self test by Meraki dashboard) I check the same user 
from all NASs within a short timeframe.
     So freeradius should always provide the same feedback. Could the 
freeradius flow be shortened by a cache mechanism?

Thanks a lot!
Uwe
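The debug excerpt in the post shows the sub-tree search under DC=moritz,DC=local returning Active Directory's referrals to the ForestDnsZones, DomainDnsZones and Configuration partitions; with referral chasing enabled, rlm_ldap rebinds to each one and then discards the connection, which is the churn in the log and what keeps the post-auth ldap call busy while the NAS retransmits. Added example, not from the original post or the FreeRADIUS project: an rlm_ldap `options`/`pool` fragment with the shipped referral-chasing default beside a variant that does not chase referrals; the hostname and pool sizes are assumptions.

```conf
# mods-available/ldap (FreeRADIUS 3.0.x): referral handling.
# Added example, not the poster's configuration. The hostname and the
# pool sizes are assumed values. The two instances are shown side by
# side for comparison; only one of them would be enabled in practice.

# Shipped default: the sub-tree search from the domain root returns AD
# referrals to the ForestDnsZones, DomainDnsZones and Configuration
# naming contexts. rlm_ldap follows each one, rebinds, and afterwards
# drops the connection ("Was referred to a different LDAP server").
ldap {
    server = 'dc01.moritz.local'      # assumed hostname
    port = 389
    base_dn = 'DC=moritz,DC=local'
    options {
        chase_referrals = yes
        rebind = yes
    }
}

# Variant that avoids the churn: do not follow referrals, so the search
# finishes on the connection it started on and the pool keeps its warm
# connections. Querying the Global Catalog (port 3268) instead of 389
# is the other common way to avoid these partition referrals.
ldap {
    server = 'dc01.moritz.local'      # assumed hostname
    port = 389                        # or 3268 for the Global Catalog
    base_dn = 'DC=moritz,DC=local'
    options {
        chase_referrals = no
        rebind = no
        res_timeout = 10
        srv_timelimit = 3
        net_timeout = 1
    }
    pool {
        start = 5                     # assumed sizes
        min = 3
        max = 32
        spare = 3
        uses = 0
        lifetime = 0
        idle_timeout = 60
    }
}
```

Reloading the module and repeating the dashboard self test should then show no "Rebinding to URL" lines in `radiusd -X` output and far fewer "Opening additional connection" / "Deleting connection" messages.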
