Pre-release of Version 2.1.8
Josip Rodin
joy at entuzijast.net
Tue Dec 8 22:19:12 CET 2009
On Tue, Dec 08, 2009 at 03:43:14PM +0100, Alan DeKok wrote:
> Garber, Neal wrote:
> >> This limit is around 8K packets in 2.1.x, and will be 64K packets in
> >> 2.2.x. So if you're getting 500 packets/s for a home server, 16s after
> >> it goes down, all 8k "slots" will be used.
>
> In 2.1.x, there are a limited number of UDP sockets that can be used
> for proxied traffic. This number is limited to 32, in src/lib/packet.c,
> macro MAX_SOCKETS.
>
> Due to RADIUS limitations, it can only have 256 packets outstanding
> for any combination of (src/ds IP/port). So each socket can send 256
> packets to every home server.
>
> Packets are added to the "outstanding" list when proxied, and removed
> a short time after a response is received from the home server. If no
> response is received from the home server, the packets are removed 30s
> after they were received.
>
> Once a packet has been removed from the "outstanding" list, its place
> can be used by a new packet that is proxied using the same socket/id to
> the same home server.
Which reminds me - the other day I had a situation where a NAS was rebooted
and ~300 users immediately tried to reconnect and authenticated over a
FreeRADIUS 2.0.4 server, which in turn tried to authenticate them over its
two home_servers set up as fail-over, but neither of them with status_check.
Sadly, this started failing horribly - it seemed to overload the primary
home_server, entering a peculiar pattern - condensed for readability, with
some private info obfuscated:
1 Auth: Login OK:
10 Error: Rejecting request <number> due to lack of any response from home server home_server_ip_5 port 1812
1 Auth: Login OK:
2 Error: Rejecting request <number> due to lack of any response from home server home_server_ip_5 port 1812
1 Auth: Login incorrect (Home Server says so):
4 Error: Rejecting request <number> due to lack of any response from home server home_server_ip_5 port 1812
1 Auth: Login OK:
4 Error: Rejecting request <number> due to lack of any response from home server home_server_ip_5 port 1812
1 Auth: Login OK:
2 Error: Rejecting request <number> due to lack of any response from home server home_server_ip_5 port 1812
2 Auth: Login OK:
2 Error: Rejecting request <number> due to lack of any response from home server home_server_ip_5 port 1812
1 Auth: Login OK:
11 Error: Rejecting request <number> due to lack of any response from home server home_server_ip_5 port 1812
1 Auth: Login OK:
86 Error: Rejecting request <number> due to lack of any response from home server home_server_ip_5 port 1812
1 Proxy: No outstanding request was found for proxy reply from home server home_server_ip_5 port 1812 - ID 87
19 Error: Rejecting request <number> due to lack of any response from home server home_server_ip_5 port 1812
1 Proxy: No outstanding request was found for proxy reply from home server home_server_ip_5 port 1812 - ID 252
7 Error: Rejecting request <number> due to lack of any response from home server home_server_ip_5 port 1812
1 Error: Received Access-Accept packet from client home_server_ip_5 port 1812 with invalid signature (err=2)! (Shared secret is incorrect.) Dropping packet without response.
5 Error: Rejecting request <number> due to lack of any response from home server home_server_ip_5 port 1812
1 Error: Received Access-Accept packet from client home_server_ip_5 port 1812 with invalid signature (err=2)! (Shared secret is incorrect.) Dropping packet without response.
33 Error: Rejecting request <number> due to lack of any response from home server home_server_ip_5 port 1812
1 Proxy: No outstanding request was found for proxy reply from home server home_server_ip_5 port 1812 - ID 61
7 Error: Rejecting request <number> due to lack of any response from home server home_server_ip_5 port 1812
1 Proxy: No outstanding request was found for proxy reply from home server home_server_ip_5 port 1812 - ID 120
4 Error: Rejecting request <number> due to lack of any response from home server home_server_ip_5 port 1812
1 Proxy: No outstanding request was found for proxy reply from home server home_server_ip_5 port 1812 - ID 112
6 Error: Rejecting request <number> due to lack of any response from home server home_server_ip_5 port 1812
1 Error: Received Access-Accept packet from client home_server_ip_5 port 1812 with invalid signature (err=2)! (Shared secret is incorrect.) Dropping packet without response.
2 Error: Rejecting request <number> due to lack of any response from home server home_server_ip_5 port 1812
1 Error: Received Access-Accept packet from client home_server_ip_5 port 1812 with invalid signature (err=2)! (Shared secret is incorrect.) Dropping packet without response.
20 Error: Rejecting request <number> due to lack of any response from home server home_server_ip_5 port 1812
1 Proxy: No outstanding request was found for proxy reply from home server home_server_ip_5 port 1812 - ID 161
12 Error: Rejecting request <number> due to lack of any response from home server home_server_ip_5 port 1812
1 Error: Received Access-Accept packet from client home_server_ip_5 port 1812 with invalid signature (err=2)! (Shared secret is incorrect.) Dropping packet without response.
4 Error: Rejecting request <number> due to lack of any response from home server home_server_ip_5 port 1812
1 Proxy: No outstanding request was found for proxy reply from home server home_server_ip_5 port 1812 - ID 243
11 Error: Rejecting request <number> due to lack of any response from home server home_server_ip_5 port 1812
1 Proxy: No outstanding request was found for proxy reply from home server home_server_ip_5 port 1812 - ID 203
1 Proxy: No outstanding request was found for proxy reply from home server home_server_ip_5 port 1812 - ID 176
1 Error: Rejecting request <number> due to lack of any response from home server home_server_ip_5 port 1812
1 Proxy: No outstanding request was found for proxy reply from home server home_server_ip_5 port 1812 - ID 6
10 Error: Rejecting request <number> due to lack of any response from home server home_server_ip_5 port 1812
1 Error: Received Access-Accept packet from client home_server_ip_5 port 1812 with invalid signature (err=2)! (Shared secret is incorrect.) Dropping packet without response.
3 Error: Rejecting request <number> due to lack of any response from home server home_server_ip_5 port 1812
1 Proxy: No outstanding request was found for proxy reply from home server home_server_ip_5 port 1812 - ID 248
2 Error: Rejecting request <number> due to lack of any response from home server home_server_ip_5 port 1812
1 Proxy: No outstanding request was found for proxy reply from home server home_server_ip_5 port 1812 - ID 69
[...]
This went on for a while, before I was alerted about the outage, came in and
started checking what was going on - using radtest showed that the primary
home_server was indeed ignoring my requests, but the secondary one was
replying as if there was nothing going on.
So I tried the poor man's solution - I shuffled them manually, restarted
FreeRADIUS, and then it started authenticating them, before it seemingly
DoSed that one and entered a very similar pattern of brokenness. I did the
manual shuffle a few more times, by which time most users were connected,
and the problem worked itself out.
Can any conclusions be drawn from this? I can send over the detailed logs if
necessary.
--
2. That which causes joy or happiness.
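The quoted explanation above (32 proxy sockets, 256 RADIUS Identifiers per socket per home server, unanswered requests freed after 30s) can be turned into a small capacity model. The following is an added example, not FreeRADIUS code; it assumes a constant request rate towards a single home server that never answers, and uses the 32 x 256 slot count and the 30s timeout exactly as stated in the quoted message.

```python
"""Model of the proxy Identifier space described in the thread (added example)."""
import heapq

MAX_SOCKETS = 32       # quoted value of MAX_SOCKETS in src/lib/packet.c (2.1.x)
IDS_PER_SOCKET = 256   # the RADIUS Identifier field is one octet
TIMEOUT = 30.0         # seconds after which an unanswered proxied request is freed


class ProxyIdSpace:
    """Outstanding-request table for one home server: sockets * 256 slots."""

    def __init__(self, sockets=MAX_SOCKETS, timeout=TIMEOUT):
        self.capacity = sockets * IDS_PER_SOCKET
        self.timeout = timeout
        self.outstanding = []  # min-heap of expiry times, one entry per slot in use

    def free_expired(self, now):
        # Slots whose 30s window has passed are returned to the pool.
        while self.outstanding and self.outstanding[0] <= now:
            heapq.heappop(self.outstanding)

    def proxy(self, now):
        """Try to proxy a request at time `now`; False means no free slot."""
        self.free_expired(now)
        if len(self.outstanding) >= self.capacity:
            return False
        heapq.heappush(self.outstanding, now + self.timeout)
        return True


def seconds_until_exhausted(rate_pps, sockets=MAX_SOCKETS, timeout=TIMEOUT):
    """Simulate a dead home server at a constant rate; return the time of the
    first refused request, or None when the 30s recycling keeps up with the load.

    Running for timeout + 1 seconds is enough: after that the number of
    outstanding slots is bounded by rate_pps * timeout and cannot grow further."""
    space = ProxyIdSpace(sockets, timeout)
    dt = 1.0 / rate_pps
    for i in range(int(rate_pps * (timeout + 1))):
        t = i * dt
        if not space.proxy(t):
            return t
    return None


def max_sustainable_rate(sockets=MAX_SOCKETS, timeout=TIMEOUT):
    """Highest constant rate a dead home server can absorb without slot exhaustion."""
    return sockets * IDS_PER_SOCKET / timeout


if __name__ == "__main__":
    print("slots per home server:", ProxyIdSpace().capacity)
    print("500 pps, dead home server: exhausted after",
          seconds_until_exhausted(500), "s")
    print("200 pps, dead home server:", seconds_until_exhausted(200))
    print("break-even rate: %.1f pps" % max_sustainable_rate())
```

The 500 packets/s case reproduces the "16s" figure from the quoted message (8192 slots / 500 pps). The break-even rate shows why a burst of reconnecting users against an unresponsive home server is enough to fill every slot well before the first entries are recycled.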
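To quantify a pattern like the condensed listing in the post (how many rejections per answered login, and which late replies arrived for already-freed IDs), the following added example parses lines in the same "<count> <category>: <text>" form. It is not part of the original post; the sample below is a constructed subset of the lines shown above, and the category names are this example's own.

```python
"""Summarise a condensed FreeRADIUS proxy log excerpt (added example)."""
import re
from collections import Counter

# Constructed subset of the condensed lines quoted in the post.
SAMPLE = """\
1 Auth: Login OK:
10 Error: Rejecting request <number> due to lack of any response from home server home_server_ip_5 port 1812
1 Auth: Login incorrect (Home Server says so):
86 Error: Rejecting request <number> due to lack of any response from home server home_server_ip_5 port 1812
1 Proxy: No outstanding request was found for proxy reply from home server home_server_ip_5 port 1812 - ID 87
1 Error: Received Access-Accept packet from client home_server_ip_5 port 1812 with invalid signature (err=2)! (Shared secret is incorrect.) Dropping packet without response.
1 Proxy: No outstanding request was found for proxy reply from home server home_server_ip_5 port 1812 - ID 252
"""

LINE_RE = re.compile(r"^(\d+)\s+(Auth|Error|Proxy):\s*(.*)$")
ID_RE = re.compile(r"- ID (\d+)$")


def classify(text):
    """Map a log message to one of this example's own symptom categories."""
    if text.startswith("Login OK"):
        return "login_ok"
    if text.startswith("Login incorrect"):
        return "login_incorrect"
    if "lack of any response" in text:
        return "reject_no_response"        # proxy gave up on the home server
    if "No outstanding request" in text:
        return "reply_no_outstanding"      # reply arrived after its slot was freed
    if "invalid signature" in text:
        return "reply_bad_signature"       # reply failed the authenticator check
    return "other"


def summarize(log):
    """Return per-category totals, late-reply IDs and the unanswered/answered ratio."""
    totals = Counter()
    late_ids = []
    for line in log.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue                       # skip "[...]" and other non-log lines
        count, text = int(m.group(1)), m.group(3)
        kind = classify(text)
        totals[kind] += count
        if kind == "reply_no_outstanding":
            idm = ID_RE.search(text)
            if idm:
                late_ids.append(int(idm.group(1)))
    answered = totals["login_ok"] + totals["login_incorrect"]
    unanswered = totals["reject_no_response"]
    return {
        "totals": dict(totals),
        "late_reply_ids": late_ids,
        "unanswered_per_answered": unanswered / answered if answered else None,
    }


if __name__ == "__main__":
    for key, value in summarize(SAMPLE).items():
        print(key, value)
```

A high unanswered-per-answered ratio together with replies for unknown IDs is the signature of a home server that is answering far too late rather than not at all, which is the situation the post describes.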