diff --git a/raddb/sites-available/tls b/raddb/sites-available/tls
index b1c531d..2108bbc 100644
--- a/raddb/sites-available/tls
+++ b/raddb/sites-available/tls
@@ -243,6 +243,18 @@ listen {
 	#    		client = "/path/to/openssl verify -CApath ${..CA_path} %{TLS-Client-Cert-Filename}"
 		}
 	}
+
+	# Unless you are doing P2P radsec meshes, or you are a federation
+	# level server, you likely want a long life on connections from
+	# federation servers that are proxying to you.  These limits are
+	# applied to each connection on this socket.  You should also set
+	# limits for clients as well.  Both limits will apply.
+	limit {
+		max_connections = 16
+		lifetime = 7200
+		idle_timeout = 3600
+	}
+
 }
 
 clients radsec {
@@ -250,6 +262,19 @@ clients radsec {
 		ipaddr = 127.0.0.1
 		proto = tcp
 		secret = testing123
+
+		# Unless you are doing P2P radsec meshes, or you are a
+		# federation level server, you likely want a long life
+		# on connections from federation servers that are proxying
+		# to you.  These limits are applied to each connection from
+		# this client.  They will be enforced alongside the
+		# limits defined in the listen directive(s) for the socket(s)
+		# where connections arrive.
+		limit {
+			max_connections = 16
+			lifetime = 7200
+			idle_timeout = 3600
+		}
 	}
 }
 
diff --git a/src/lib/dhcp.c b/src/lib/dhcp.c
index 1b2a73c..012b7f6 100644
--- a/src/lib/dhcp.c
+++ b/src/lib/dhcp.c
@@ -1551,7 +1551,7 @@ int fr_dhcp_add_arp_entry(int fd, const char *interface,
 			  VALUE_PAIR *macaddr, VALUE_PAIR *ip)
 {
 #ifdef SIOCSARP
-	struct sockaddr_in *sin
+	struct sockaddr_in *sin;
 	struct arpreq req;
 
 	if (macaddr->length > sizeof (req.arp_ha.sa_data)) {
diff --git a/src/main/process.c b/src/main/process.c
index f641e5f..c16e81d 100644
--- a/src/main/process.c
+++ b/src/main/process.c
@@ -3769,6 +3769,10 @@ finish:
 		}
 #endif
 
+		if (sock->client != NULL) {
+			sock->client->limit.num_connections--;
+		}
+
 		/*
 		 *	Remove any pending cleanups.
 		 */
