timeouts through a firewall?
Hi All We are seeing the following error: Error: rlm_ldap: ldap_search() failed: Timed out while waiting for server to respond. Please increase the timeout. Our radius server talks to our LDAP server through a firewall. I'm wondering if this has to do with the session lifetime setting on the firewall? If there are no authentications taking place (we're in testing mode, and it was at least 2-3 hours between client authentications), then I guess this connection/session could be timed out by the firewall? I just want to know if that makes sense before approaching the firewall guys and asking to increase the timeout. Thanks Matt mda@unb.ca
Matt Ashfield wrote:
Our radius server talks to our LDAP server through a firewall.
Don't do that. It's wrong. It breaks the network, as you're discovering.
I'm wondering if this has to do with the session lifetime setting on the firewall?
Yes.
If there are no authentications taking place (we're in testing mode, and it was at least 2-3 hours between client authentications), then I guess this connection/session could be timed out by the firewall?
Yes.
I just want to know if that makes sense before approaching the firewall guys and asking to increase the timeout.
Don't. Put the RADIUS server on the same segment as the LDAP server. If the security people don't like that, explain that the other choice is to have the connection to LDAP go down... and then no one can use the wireless network. Why anyone thinks it's a good idea to put a firewall between two servers that need a reliable connection is beyond me. Alan DeKok. -- http://deployingradius.com - The web site of the book http://deployingradius.com/blog/ - The blog
I saw some email threads about HUP. Can we use kill -HUP pid in the latest version or is it still not stable? Thanks, Kevin --------------------------------- Ahhh...imagining that irresistible "new car" smell? Check outnew cars at Yahoo! Autos.
Can we use kill -HUP pid in the latest version or is it still not stable?
from my observations: it somehow works, but the next EAP-TLS conversation causes a segfault. In short, no. Read the past recent threads, there are suggestions for alternatives
participants (4)
-
Alan DeKok -
inverse -
Kevin J -
Matt Ashfield