<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta content="text/html; charset=ISO-8859-1"
http-equiv="Content-Type">
</head>
<body bgcolor="#ffffff" text="#000000">
I finally got this figured out. It did not have anything do do with
freeradius, but since others using the program might run into it, I
figured I should post it here.<br>
<br>
The arp cache of the server was limited by default to 128 addresses,
which was running out pretty quickly. So I inserted and applied the
values below in sysctl.conf and everything works great now.<br>
<pre>net.ipv4.neigh.default.gc_thresh3 = 4096
net.ipv4.neigh.default.gc_thresh2 = 2048
net.ipv4.neigh.default.gc_thresh1 = 1024
</pre>
Dan<br>
<br>
On 05/04/2011 01:51 AM,
<a class="moz-txt-link-abbreviated" href="mailto:freeradius-users-request@lists.freeradius.org">freeradius-users-request@lists.freeradius.org</a> wrote:
<blockquote
cite="mid:mailman.283334.1304491914.33630.freeradius-users@lists.freeradius.org"
type="cite">
<pre wrap="">Message: 3
Date: Tue, 3 May 2011 20:56:12 +0100
From: Alexander Clouter <a moz-do-not-send="true" class="moz-txt-link-rfc2396E" href="mailto:alex@digriz.org.uk"><alex@digriz.org.uk></a>
Subject: Re: ldap server connection timeout
To: <a moz-do-not-send="true" class="moz-txt-link-abbreviated" href="mailto:freeradius-users@lists.freeradius.org">freeradius-users@lists.freeradius.org</a>
Message-ID: <a moz-do-not-send="true" class="moz-txt-link-rfc2396E" href="mailto:s73698-k73.ln1@chipmunk.wormnet.eu"><s73698-k73.ln1@chipmunk.wormnet.eu></a>
Daniel Davidson <a moz-do-not-send="true" class="moz-txt-link-rfc2396E" href="mailto:danield@igb.uiuc.edu"><danield@igb.uiuc.edu></a> wrote:
</pre>
<blockquote type="cite" style="color: rgb(0, 0, 0);">
<pre wrap=""><span class="moz-txt-citetags">></span>
<span class="moz-txt-citetags">> </span>My new wireless network tested great, but now that I have rolled it out
<span class="moz-txt-citetags">> </span>to the entire building, I get error messages like:
<span class="moz-txt-citetags">> </span>
<span class="moz-txt-citetags">> </span>Mon May 2 15:15:06 2011 : Error: rlm_ldap: ldap_search() failed: Timed
<span class="moz-txt-citetags">> </span>out while waiting for server to respond. Please increase the timeout.
<span class="moz-txt-citetags">> </span>
<span class="moz-txt-citetags">> </span>And when these trigger, nearly everyone gets disconnected for about 5
<span class="moz-txt-citetags">> </span>seconds. Possible relevant code from ldap module:
<span class="moz-txt-citetags">> </span>
<span class="moz-txt-citetags">> </span>ldap {
<span class="moz-txt-citetags">> </span> #private stuff <-- BUT CRUCIAL!
<span class="moz-txt-citetags">> </span> ldap_connections_number = 15
<span class="moz-txt-citetags">> </span> timeout = 10
<span class="moz-txt-citetags">> </span> timelimit = 10
<span class="moz-txt-citetags">> </span> net_timeout = 5
<span class="moz-txt-citetags">> </span>}
<span class="moz-txt-citetags">> </span>
<span class="moz-txt-citetags">> </span>The only existing firewalls are on the machines themselves and the ip
<span class="moz-txt-citetags">> </span>range of the servers are open with each other. Any ideas?
<span class="moz-txt-citetags">> </span>
</pre>
</blockquote>
<pre wrap="">I am guessing your LDAP server is <b class="moz-txt-star"><span class="moz-txt-tag">*</span>way<span class="moz-txt-tag">*</span></b> too slow when processing the
queries are making it munch through. Typical 'first-timer' mistakes are
that you are not indexing the important attribtues. For example our
filter looks like:
filter = "(&(objectClass=Person)(|(businessCategory=staff)(businessCategory=student)(cn=avg*))(|(!(loginDisabled=*))(loginDisabled=FALSE))(cn=%{Stripped-User-Name}))"
This takes ~0.02s to respond for us, how long does it take to process
the query at your end (test with the following and remember to test
the server when it is under load, which is probably why it worked
before you widely deployed it):
----
time ldapsearch -h ldap-server.example.com -x -LLL '<query>'
----
Where <query> is what you see FreeRADIUS make in the output of 'radiusd
-X'.
Cheers
</pre>
</blockquote>
<br>
</body>
</html>