R: Postgress SQL connections

Alan DeKok aland at deployingradius.com
Sun Dec 14 19:54:16 CET 2008

Massimiliano Tarquini wrote:
> We are using the same freeradius as a proxy and it works fine running on a
> different machine.
> The proxy authenticates the outer EAP-TTLS, then asks the radius to authenticate the inner.

  That still isn't a very clear description of the network configuration.

> There is a firewall between the radius and the database (not between the
> proxy and the database). May the firewall cause the problem?


  I've never understood why people put firewalls between critical
network services.  And *then* configure the firewalls to time out
inactive connections.

  In this case, what's happening is this:

 - FreeRADIUS asks the Postgresql client library to open a socket to the
 - it does
 - 10 minutes later, the firewall decides that the TCP connection is
unused, and discards all knowledge of it
 - FreeRADIUS receives a new request, and asks the postgresql client
library to do an SQL query.
 - the postgresql library believes that the connection is still up, and
tries to use it.
 - the firewall discards ALL packets for the connection
 - the kernel blocks all reads && writes that the postgresql client
library tries to do.
 - which then blocks FreeRADIUS.

  In short, configuring the firewall to discard sessions after 10
minutes or so of idle time is bad.  *Especially* because the connections
between FreeRADIUS && the DB are idle for longer than that.

  This is *not* a problem with FreeRADIUS.  You have configured your
firewall so that *it* is blocking the server.  Fix your firewall, or
remove it.

  Nothing else will solve the problem.

  Alan DeKok.
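
The sequence described in the message above, as an added example that is not part of the original post or of FreeRADIUS: a toy model of a stateful firewall's flow table, replayed over a constructed timeline of one database connection. The class, function and flow names are hypothetical, and the 600-second timeout is the "10 minutes" from the message.

```python
"""Toy model of a stateful firewall that forgets idle TCP flows (added example)."""
from dataclasses import dataclass, field

IDLE_TIMEOUT = 600  # seconds; the "10 minutes" from the message above


@dataclass
class StatefulFirewall:
    idle_timeout: int = IDLE_TIMEOUT
    flows: dict = field(default_factory=dict)  # flow id -> time of last packet seen

    def packet(self, now, flow, syn=False):
        """Return 'pass' or 'drop' for one packet seen at time `now` (seconds)."""
        last = self.flows.get(flow)
        if last is not None and now - last > self.idle_timeout:
            del self.flows[flow]  # idle too long: all knowledge of the flow is discarded
            last = None
        if last is None and not syn:
            return "drop"  # mid-stream packet with no state: silently discarded
        self.flows[flow] = now
        return "pass"


def replay(events, firewall=None):
    """Run (time, flow, kind) events through the firewall; kind is 'connect' or 'query'."""
    fw = firewall or StatefulFirewall()
    return [(t, kind, fw.packet(t, flow, syn=(kind == "connect"))) for t, flow, kind in events]


def stalled_queries(events, firewall=None):
    """Times of queries that never reach the database, so the client's read blocks."""
    return [t for t, kind, verdict in replay(events, firewall)
            if kind == "query" and verdict == "drop"]


# Constructed sample: one long-lived connection from the RADIUS host to the database.
FLOW = ("radius-host", "db-host", 5432)  # hypothetical endpoint names
TIMELINE = [
    (0, FLOW, "connect"),   # client library opens the socket
    (5, FLOW, "query"),
    (300, FLOW, "query"),
    (1000, FLOW, "query"),  # 700 s of silence: the firewall has forgotten the flow
    (1001, FLOW, "query"),  # the retransmission is dropped as well
]

if __name__ == "__main__":
    for t, kind, verdict in replay(TIMELINE):
        print(f"t={t:>5}s {kind:<8} {verdict}")
    print("stalled queries at:", stalled_queries(TIMELINE))
```

Replaying the same timeline with a longer `idle_timeout` on the modelled firewall shows no stalled queries.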

