<div dir="ltr">Thanks for the information. I have made some progress on this. Now it appears that when I start freeradius the load balancing works as expected for a short time, up to 10 minutes. Then the home servers are marked as zombies and then as dead. <div><br></div><div><span style="font-size:13px;font-family:arial,sans-serif">The clients are</span> multiple Cisco switches and the production RADIUS servers are 3 Cisco ACS RADIUS servers. <br></div><div><br></div><div>As suggested I have added the <span style="font-family:arial,sans-serif;font-size:13px">status-server for the home servers in the proxy.conf. </span></div><div><span style="font-family:arial,sans-serif;font-size:13px"><br></span></div><div><div style><font face="arial, sans-serif">proxy server {</font></div><div style><font face="arial, sans-serif"><span class="" style="white-space:pre"> </span>default_fallback = no</font></div><div style><font face="arial, sans-serif">}</font></div><div style><font face="arial, sans-serif"><br></font></div><div style><font face="arial, sans-serif">home_server serverxnmx0007 {</font></div><div style><font face="arial, sans-serif"><span class="" style="white-space:pre"> </span>type = auth+acct</font></div><div style><font face="arial, sans-serif"><span class="" style="white-space:pre"> </span>ipaddr = 192.168.254.150</font></div><div style><font face="arial, sans-serif"><span class="" style="white-space:pre"> </span>port = 1812</font></div><div style><font face="arial, sans-serif"><span class="" style="white-space:pre"> </span>secret = secret</font></div><div style><font face="arial, sans-serif"><span class="" style="white-space:pre"> </span>response_window = 45</font></div><div style><font face="arial, sans-serif"><span class="" style="white-space:pre"> </span>response_timeouts = 5</font></div><div style><font face="arial, sans-serif"><span class="" style="white-space:pre"> </span>status_check = status-server</font></div><div style><font face="arial, sans-serif"><span class="" style="white-space:pre"> </span>username = "testuser"</font></div><div style><font face="arial, sans-serif"><span class="" style="white-space:pre"> </span>password = "pass"</font></div><div style><font face="arial, sans-serif">}</font></div><div style><font face="arial, sans-serif">home_server serverxnmx0011 {</font></div><div style><font face="arial, sans-serif"><span class="" style="white-space:pre"> </span>type = auth+acct</font></div><div style><font face="arial, sans-serif"><span class="" style="white-space:pre"> </span>ipaddr = 192.168.254.152</font></div><div style><font face="arial, sans-serif"><span class="" style="white-space:pre"> </span>port = 1812</font></div><div style><font face="arial, sans-serif"><span class="" style="white-space:pre"> </span>secret = secret</font></div><div style><font face="arial, sans-serif"><span class="" style="white-space:pre"> </span>response_window = 45</font></div><div style><font face="arial, sans-serif"><span class="" style="white-space:pre"> </span>response_timeouts = 5</font></div><div style><font face="arial, sans-serif"><span class="" style="white-space:pre"> </span>status_check = status-server</font></div><div style><font face="arial, sans-serif"><span class="" style="white-space:pre"> </span>username = "testuser"</font></div><div style><font face="arial, sans-serif"><span class="" style="white-space:pre"> </span>password = "pass"</font></div><div style><font face="arial, sans-serif">}</font></div><div style><font face="arial, sans-serif">home_server serverxnmx0012 {</font></div><div style><font face="arial, sans-serif"><span class="" style="white-space:pre"> </span>type = auth+acct</font></div><div style><font face="arial, sans-serif"><span class="" style="white-space:pre"> </span>ipaddr = 192.168.254.153</font></div><div style><font face="arial, sans-serif"><span class="" style="white-space:pre"> </span>port = 1812</font></div><div style><font face="arial, sans-serif"><span class="" style="white-space:pre"> </span>secret = secret</font></div><div style><font face="arial, sans-serif"><span class="" style="white-space:pre"> </span>response_window = 45</font></div><div style><font face="arial, sans-serif"><span class="" style="white-space:pre"> </span>response_timeouts = 5</font></div><div style><font face="arial, sans-serif"><span class="" style="white-space:pre"> </span>status_check = status-server</font></div><div style><font face="arial, sans-serif"><span class="" style="white-space:pre"> </span>username = "testuser"</font></div><div style><font face="arial, sans-serif"><span class="" style="white-space:pre"> </span>password = "pass"</font></div><div style><font face="arial, sans-serif">}</font></div></div><div><br></div><div>The radius.log file shows the servers being marked as zombie and then dead. The log below shows one server being marked dead and after some time another one will be marked the same. </div><div><br></div><div><div>Thu Sep 11 16:47:17 2014 : Info: Loaded virtual server <default></div><div>Thu Sep 11 16:47:18 2014 : Info: ... adding new socket proxy address * port 41379</div><div>Thu Sep 11 16:47:18 2014 : Info: ... adding new socket proxy address * port 47256</div><div>Thu Sep 11 16:47:18 2014 : Info: ... adding new socket proxy address * port 60777</div><div>Thu Sep 11 16:47:18 2014 : Info: ... adding new socket proxy address * port 37802</div><div>Thu Sep 11 16:47:18 2014 : Info: ... adding new socket proxy address * port 51392</div><div>Thu Sep 11 16:47:18 2014 : Info: ... adding new socket proxy address * port 37221</div><div>Thu Sep 11 16:47:18 2014 : Info: ... adding new socket proxy address * port 53560</div><div>Thu Sep 11 16:47:18 2014 : Info: Ready to process requests.</div><div>Thu Sep 11 16:53:12 2014 : Auth: Login OK: [host/HOSTXWKX0050.foo/<no User-Password attribute>] (from client 2150a_ port 36 cli 00-24-1D-AB-CA-83)</div><div>Thu Sep 11 16:54:53 2014 : Auth: Login OK: [host/HOSTXWKX0116.foo/<no User-Password attribute>] (from client 2030c_ port 5 cli 00-24-1D-AC-B4-8B)</div><div>Thu Sep 11 16:54:56 2014 : Error: Discarding duplicate request from client 2030c_ port 1645 - ID: 88 due to unfinished request 15</div><div>Thu Sep 11 16:54:59 2014 : Error: Discarding duplicate request from client 2030c_ port 1645 - ID: 88 due to unfinished request 15</div><div>Thu Sep 11 16:55:11 2014 : Auth: Login OK: [host/HOSTXWKX0116.foo/<no User-Password attribute>] (from client 2030c_ port 5 cli 00-24-1D-AC-B4-8B)</div><div>Thu Sep 11 16:56:31 2014 : Auth: Login incorrect (Home Server says so): [NA\\SVC./<no User-Password attribute>] (from client 2030c_ port 10 cli 00-24-1D-AD-FF-DF)</div><div>Thu Sep 11 17:02:30 2014 : Auth: Login OK: [host/HOSTXWKX0267.foo/<no User-Password attribute>] (from client 2030c_ port 38 cli 90-B1-1C-72-C2-AC)</div><div>Thu Sep 11 17:02:48 2014 : Auth: Login OK: [host/HOSTXWKX0105.foo/<no User-Password attribute>] (from client 2030c_ port 17 cli 00-24-1D-AD-FE-AF)</div><div>Thu Sep 11 17:02:49 2014 : Auth: Login OK: [host/HOSTXWKX0107.foo/<no User-Password attribute>] (from client 2030c_ port 21 cli 00-24-1D-AD-F8-8B)</div><div>Thu Sep 11 17:02:49 2014 : Auth: Login OK: [host/HOSTXWKX0111.foo/<no User-Password attribute>] (from client 2030c_ port 23 cli 00-24-1D-AD-FE-8E)</div><div>Thu Sep 11 17:02:52 2014 : Auth: Login OK: [host/HOSTXWKX0103.foo/<no User-Password attribute>] (from client 2030c_ port 15 cli 00-24-1D-AD-F8-99)</div><div>Thu Sep 11 17:03:06 2014 : Auth: Login OK: [host/HOSTXWKX0104.foo/<no User-Password attribute>] (from client 2030c_ port 16 cli 00-24-1D-AD-FF-01)</div><div>Thu Sep 11 17:03:08 2014 : Auth: Login OK: [host/HOSTXWKX0102.foo/<no User-Password attribute>] (from client 2030c_ port 19 cli 00-24-1D-AD-F9-A3)</div><div>Thu Sep 11 17:03:15 2014 : Auth: Login OK: [host/HOSTXWKX0101.foo/<no User-Password attribute>] (from client 2030c_ port 18 cli 00-24-1D-AD-F9-21)</div><div>Thu Sep 11 17:07:00 2014 : Proxy: Marking home server 192.168.254.152 port 1812 as zombie (it looks like it is dead).</div><div>Thu Sep 11 17:07:04 2014 : Error: No response to status check 132 for home server 192.168.254.152 port 1812</div><div>Thu Sep 11 17:07:04 2014 : Proxy: Marking home server 192.168.254.152 port 1812 as dead.</div><div>Thu Sep 11 17:07:34 2014 : Error: No response to status check 133 for home server 192.168.254.152 port 1812</div><div>Thu Sep 11 17:08:08 2014 : Error: No response to status check 134 for home server 192.168.254.152 port 1812</div><div>Thu Sep 11 17:08:42 2014 : Error: No response to status check 135 for home server 192.168.254.152 port 1812</div><div><br></div></div><div><br></div><div><br></div><div>During this time I am able to use radtest to get a response from all of the servers:</div><div><br></div><div><br></div><div><br></div><div><div>server (root@serverxb6x5121 radius)# radtest testuser pass 192.168.254.150 10 secret</div><div>Sending Access-Request of id 116 to 192.168.254.150 port 1812</div><div> User-Name = "testuser"</div><div> User-Password = "pass"</div><div> NAS-IP-Address = 192.168.105.34</div><div> NAS-Port = 10</div><div> Message-Authenticator = 0x00000000000000000000000000000000</div><div>rad_recv: Access-Reject packet from host 192.168.254.150 port 1812, id=116, length=38</div><div> Message-Authenticator = 0xd1ba4f1a6028b42436dd2f5ebea322b9</div><div>server (root@serverxb6x5121 radius)# radtest testuser pass 192.168.254.152 10 secret</div><div>Sending Access-Request of id 216 to 192.168.254.152 port 1812</div><div> User-Name = "testuser"</div><div> User-Password = "pass"</div><div> NAS-IP-Address = 192.168.105.34</div><div> NAS-Port = 10</div><div> Message-Authenticator = 0x00000000000000000000000000000000</div><div>rad_recv: Access-Reject packet from host 192.168.254.152 port 1812, id=216, length=38</div><div> Message-Authenticator = 0x2872a2f5177592f69d007406a4a89999</div><div>server (root@serverxb6x5121 radius)# radtest testuser pass 192.168.254.153 10 secret</div><div>Sending Access-Request of id 124 to 192.168.254.153 port 1812</div><div> User-Name = "testuser"</div><div> User-Password = "pass"</div><div> NAS-IP-Address = 192.168.105.34</div><div> NAS-Port = 10</div><div> Message-Authenticator = 0x00000000000000000000000000000000</div><div>rad_recv: Access-Reject packet from host 192.168.254.153 port 1812, id=124, length=38</div><div> Message-Authenticator = 0xef0ac9fdee194cd6a455b3bf0574d0a</div></div><div><div><br></div></div><div><br></div><div>I have read the documentation and am unable to determine why the servers are being marked as dead. Am I missing something in my configuration or are the ACS servers discarding packets and that is causing the zobie/dead state?</div><div><br></div><div>If more logs are needed please let me know. Any help would be greatly appreciated.</div><div><br></div><div>Thanks</div><div><br></div><div>Neil</div><div><br></div></div><div class="gmail_extra"><br><div class="gmail_quote">On Tue, Sep 2, 2014 at 11:44 AM, Alan DeKok <span dir="ltr"><<a href="mailto:aland@deployingradius.com" target="_blank">aland@deployingradius.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><span class="">Neil Carter wrote:<br>
> I'm working to setup a proxy load balance to 3 production RADIUS servers<br>
> from a CentOS server running freeradius 2.1.12. I believe I have the<br>
> proxy.conf file setup correctly but there seems to be no load balancing.<br>
> All the requests are going to one of the three servers. I have<br>
> attached the proxy.conf file and also the radius debug. I don't see any<br>
> errors, it just appears the client-balance is not working. Clients are<br>
> using MAB and are matching the NULL realm. I have looked through all<br>
> the past posts and can't seem to find an answer. Am I missing something<br>
> in my configuration?<br>
<br>
</span> Maybe.<br>
<span class=""><br>
> FreeRADIUS Version 2.1.12, for host x86_64-redhat-linux-gnu, built on<br>
> Oct 3 2012 at 01:22:51<br>
<br>
</span> And... no packets.<br>
<br>
That's not useful.<br>
<br>
If you want to know what the server is doing, read the debug output.<br>
And be sure that it receives packets, too.<br>
<span class="HOEnZb"><font color="#888888"><br>
Alan DeKok.<br>
-<br>
List info/subscribe/unsubscribe? See <a href="http://www.freeradius.org/list/users.html" target="_blank">http://www.freeradius.org/list/users.html</a><br>
</font></span></blockquote></div><br></div>