R: Postgress SQL connections
Alan DeKok
aland at deployingradius.com
Sun Dec 14 19:54:16 CET 2008
Massimiliano Tarquini wrote:
> We are using the same FreeRADIUS as a proxy and it works fine running on a
> different machine.
> The proxy authenticates the outer EAP-TTLS, then asks the radius server to auth the inner.
That still isn't a very clear description of the network configuration.
> There is a firewall between the radius server and the database (not between the
> proxy and the database). Could the firewall be causing the problem?
Yes.
I've never understood why people put firewalls between critical
network services. And *then* configure the firewalls to time out
inactive connections.
In this case, what's happening is this:
- FreeRADIUS asks the PostgreSQL client library to open a socket to the
server.
- It does.
- 10 minutes later, the firewall decides that the TCP connection is
unused, and discards all knowledge of it.
- FreeRADIUS receives a new request, and asks the PostgreSQL client
library to do an SQL query.
- The PostgreSQL library believes that the connection is still up, and
tries to use it.
- The firewall discards ALL packets for the connection.
- The kernel blocks all reads && writes that the PostgreSQL client
library tries to do...
- ...which then blocks FreeRADIUS.
In short, configuring the firewall to discard sessions after 10
minutes or so of idle time is bad. *Especially* because the connections
between FreeRADIUS && the DB are idle for longer than that.
This is *not* a problem with FreeRADIUS. You have configured your
firewall so that *it* is blocking the server. Fix your firewall, or
remove it.
Nothing else will solve the problem.
Alan DeKok.
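The failure sequence Alan describes can be reproduced locally. The following is an added example, not code from the thread or from FreeRADIUS; it is plain Python with no PostgreSQL involved. A constructed "blackhole" server completes the TCP handshake and then never answers, which is what a connection looks like from the client's side once a stateful firewall has dropped its entry and silently discards every packet. The example shows the point that makes this bug so confusing: locally the socket looks idle and healthy, the write succeeds into the kernel buffer, and only the read hangs. The two client-side checks a practitioner wants are shown as well: a hard deadline on the read (so a dead connection surfaces as an error instead of a hang) and SO_KEEPALIVE with the Linux TCP_KEEPIDLE/TCP_KEEPINTVL/TCP_KEEPCNT tunables (against a real packet-dropping firewall the unanswered probes make the kernel report the connection dead; in this local simulation the peer kernel still answers probes, so the keepalive settings are shown but not exercised). The port, payload and deadline values are constructed for the demo.

```python
import select
import socket
import threading
import time


class BlackholeServer:
    """Constructed stand-in for the mail's scenario: the TCP handshake
    completes, but nothing the client sends afterwards is ever answered,
    as if a firewall had forgotten the session and now drops every packet."""

    def __init__(self):
        self._srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self._srv.bind(("127.0.0.1", 0))          # ephemeral local port
        self._srv.listen(1)
        self.port = self._srv.getsockname()[1]
        self._held = []                            # accepted sockets, never read
        threading.Thread(target=self._accept_one, daemon=True).start()

    def _accept_one(self):
        try:
            conn, _ = self._srv.accept()
            self._held.append(conn)                # hold open so no FIN/RST is sent
        except OSError:
            pass

    def close(self):
        for c in self._held:
            c.close()
        self._srv.close()


def connect(port, keepalive=False):
    """Open the client socket; optionally enable TCP keepalive so that, behind a
    real packet-dropping firewall, unanswered probes make the kernel fail the
    socket (ETIMEDOUT) instead of leaving reads blocked forever."""
    sock = socket.create_connection(("127.0.0.1", port))
    if keepalive:
        sock.setsockopt(socket.SOL_SOCKET, socket.SO_KEEPALIVE, 1)
        # Linux option names; guarded because other platforms lack some of them.
        # Values are constructed: first probe after 60s idle, then every 10s, 3 misses.
        for name, value in (("TCP_KEEPIDLE", 60), ("TCP_KEEPINTVL", 10), ("TCP_KEEPCNT", 3)):
            opt = getattr(socket, name, None)
            if opt is not None:
                sock.setsockopt(socket.IPPROTO_TCP, opt, value)
    return sock


def looks_idle_and_healthy(sock):
    """The local view of a blackholed connection: nothing readable, no error
    flagged. This is exactly what the client library sees before it hangs."""
    readable, _, errored = select.select([sock], [], [sock], 0)
    return not readable and not errored


def query(sock, payload, deadline):
    """Send a request and wait for the reply under a hard deadline.
    Returns ("reply", data) or ("timeout", seconds_waited).
    deadline=None reproduces the blocking call from the mail: it never returns."""
    sock.sendall(payload)          # succeeds: the kernel just buffers the bytes
    sock.settimeout(deadline)
    start = time.monotonic()
    try:
        return ("reply", sock.recv(4096))
    except socket.timeout:
        return ("timeout", time.monotonic() - start)


def demo(deadline=0.5):
    """Run the whole sequence; returns (looked_healthy, outcome, seconds_waited)."""
    srv = BlackholeServer()
    sock = connect(srv.port, keepalive=True)
    try:
        healthy = looks_idle_and_healthy(sock)
        outcome, detail = query(sock, b"SELECT 1;", deadline)   # constructed query
        return healthy, outcome, detail
    finally:
        sock.close()
        srv.close()


if __name__ == "__main__":
    print(demo())   # e.g. (True, 'timeout', 0.5...)
```

The deadline is the client-side check that turns "FreeRADIUS hangs" into "the query failed, reconnect"; keepalive makes the kernel discover the dead session on its own, but only if the probe interval is shorter than the firewall's idle timeout. Neither changes Alan's conclusion: the firewall state timeout is the root cause, and these settings only make the symptom visible and recoverable rather than a silent hang.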