response_window and zombie_period problem

Tim Sylvester tim.sylvester at networkradius.com
Thu Jun 25 09:39:07 CEST 2009


Ana,

The notes in the proxy.conf file describe how proxying works when you do not
receive a response from a home server.

        #
        #  If the home server doesn't respond to the request within
        #  this time, this server will consider the request dead, and
        #  respond to the NAS with an Access-Reject.
        #
        #  If NO responses are received to any requests sent within this
        #  time period, the home server will be marked "zombie", as below.
        #
        #  Useful range of values: 5 to 60
        response_window = 20

        #
        #  If the home server does not respond to ANY packets for
        #  a certain time, consider it dead.  This time period is
        #  called the "zombie" period, because the server is neither
        #  alive nor dead.
        #
        #  If "status_check" below is something other than "none", then
        #  the server will start sending status checks at the start of
        #  the zombie period.  It will continue sending status checks
        #  until the home server is marked "alive".
        #
        #  Useful range of values: 20 to 120
        zombie_period = 40

When a home server does not respond to an Access-Request, the proxy process
has failed and the default behavior is to reject the user's Access-Request.
The proxy server marks the home server as a zombie and, after another 40
seconds have passed, marks the home server as dead. Once a server is marked
dead, the proxy server will not send requests to that server. Access-Requests
that are sent to the proxy server after the home server is marked dead will
skip the dead home server and fail over to the next home server.

Since an Access-Reject is sent to the NAS, the NAS will deny the user/device
access. This will happen to all users/devices that try to authenticate when
the proxy server was marked alive but it is actually dead. You can lessen
the impact of a dead server by using type=load-balance instead of fail-over
for the home server pool.

In 2.1.6 the server can be configured to not respond when it does not
receive a response from a home server. This will cause the NAS to retry the
request multiple times, which will eventually cause the proxy server to send
the request to the alive home server. Let me know if you want to try this
and I can send an example configuration.

Tim
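
As an added example (not part of the original message and not FreeRADIUS
code), the following Python model walks through the timeline described above:
a request to a silent home server is rejected after response_window and the
server becomes a zombie, zombie_period later it is marked dead and skipped, and
a fail-over pool keeps sending every request to the zombie until then while a
load-balance pool only sends some of them. The server names and the 20/40
second proxy.conf defaults come from this thread; treating load-balance as
round-robin (FreeRADIUS actually picks weighted-random) and rejecting when no
home server is left are simplifying assumptions, as is the constructed NAS
that sends one request every five seconds.

```python
"""
Toy timeline of the zombie/dead logic described in the reply above.
Added example, not FreeRADIUS code.  Assumptions: load-balance is
approximated as round-robin, and a pool with no live server rejects.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class HomeServer:
    name: str
    up: bool                          # constructed: does the backend answer at all?
    response_window: float = 20.0     # proxy.conf defaults quoted in the reply
    zombie_period: float = 40.0
    state: str = "alive"              # alive -> zombie -> dead
    zombie_since: Optional[float] = None
    dead_at: Optional[float] = None

    def tick(self, now: float) -> None:
        """A zombie that stays silent for zombie_period is marked dead."""
        if self.state == "zombie" and now >= self.zombie_since + self.zombie_period:
            self.state = "dead"
            self.dead_at = now

    def proxy(self, now: float) -> str:
        """Forward one Access-Request sent at `now`; return what the NAS sees."""
        if self.up:
            return "Access-Accept"
        # No reply within response_window: the proxy answers Access-Reject and,
        # on the first miss, the home server becomes a zombie at that moment.
        if self.state == "alive":
            self.state = "zombie"
            self.zombie_since = now + self.response_window
        return "Access-Reject"


@dataclass
class Pool:
    kind: str                         # "fail-over" or "load-balance"
    servers: List[HomeServer]
    calls: int = 0

    def pick(self, now: float) -> Optional[HomeServer]:
        for s in self.servers:
            s.tick(now)
        live = [s for s in self.servers if s.state != "dead"]   # dead servers are skipped
        if not live:
            return None
        if self.kind == "fail-over":
            return live[0]                      # always the first non-dead server
        # Assumption: round-robin stands in for FreeRADIUS's weighted-random pick.
        self.calls += 1
        return live[self.calls % len(live)]

    def proxy(self, now: float) -> str:
        target = self.pick(now)
        # Assumption: with no live home server at all the request is rejected.
        return target.proxy(now) if target else "Access-Reject"


def simulate(kind: str, interval: float = 5.0, duration: float = 120.0,
             response_window: float = 20.0, zombie_period: float = 40.0) -> Dict[str, object]:
    """Constructed NAS: one request every `interval` s; radiusxx is down, radiusyy is up."""
    xx = HomeServer("radiusxx_auth", up=False,
                    response_window=response_window, zombie_period=zombie_period)
    yy = HomeServer("radiusyy_auth", up=True,
                    response_window=response_window, zombie_period=zombie_period)
    pool = Pool(kind, [xx, yy])
    outcomes = [pool.proxy(i * interval) for i in range(int(duration / interval))]
    return {
        "requests": len(outcomes),
        "rejects": outcomes.count("Access-Reject"),
        "xx_state": xx.state,
        "xx_dead_at": xx.dead_at,
    }


if __name__ == "__main__":
    for kind in ("fail-over", "load-balance"):
        print(kind, simulate(kind))
```

With the defaults, fail-over rejects all 12 requests sent before radiusxx is
declared dead at 60 seconds (response_window + zombie_period after the first
request), whereas load-balance rejects only the 6 that happened to be routed to
radiusxx, which is the "lessen the impact" effect described above.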

From: freeradius-users-bounces+tim.sylvester=networkradius.com at lists.freeradius.org
[mailto:freeradius-users-bounces+tim.sylvester=networkradius.com at lists.freeradius.org] On Behalf Of Ana Gallardo
Sent: Wednesday, June 24, 2009 11:40 PM
To: freeradius-users at lists.freeradius.org
Subject: response_window and zombie_period problem

Hello, first of all, sorry for my English.

I'm testing FreeRADIUS 2.0.4+dfsg-6 on Debian. I want to configure the proxy
like this (proxy.conf):

# radiusxx authentication
home_server radiusxx_auth {
    type = auth
    ipaddr = 1.2.3.4
    port = 1812
    secret = secret
    response_window = 50
    zombie_period = 20
    status_check = request
    username = "user"
    password = "pass"
    check_interval = 30
    num_answers_to_alive = 3
}

# radiusxx accounting
home_server radiusxx_acct {
    type = acct
    ipaddr = 1.2.3.4
    port = 1813
    secret = secret
    response_window = 50
    zombie_period = 20
    status_check = request
    username = "user"
    password = "pass"
    check_interval = 30
    num_answers_to_alive = 3
}

# radiusyy authentication
home_server radiusyy_auth {
    type = auth
    ipaddr = 1.2.3.5
    port = 1812
    secret = secret
    response_window = 50
    zombie_period = 20
    status_check = request
    username = "user"
    password = "pass"
    check_interval = 30
    num_answers_to_alive = 3
}

# radiusyy accounting
home_server radiusyy_acct {
    type = acct
    ipaddr = 1.2.3.5
    port = 1813
    secret = secret
    response_window = 50
    zombie_period = 20
    status_check = request
    username = "user"
    password = "pass"
    check_interval = 30
    num_answers_to_alive = 3
}

#authentication pool
home_server_pool my_auth {
    type = fail-over
    home_server = radiusxx_auth
    home_server = radiusyy_auth
}

#accounting pool
home_server_pool my_acct {
    type = fail-over
    home_server = radiusxx_acct
    home_server = radiusyy_acct
}


realm myrealm.my {
    auth_pool = my_auth
    acct_pool = my_acct
    # nostrip
}


My problem is when I'm going to test failover: I stop FreeRADIUS on the xx
server and send an authentication request.

Sending Access-Request of id 143 to 1.2.3.4 port 1812
    User-Name = "mmmm"
    User-Password = "111"
    Calling-Station-Id = "00:11:22:33:44:55"
    NAS-IP-Address = 1.2.2.2
    Proxy-State = 0x3238
Proxying request 0 to home server 1.2.3.4 port 1812
Sending Access-Request of id 143 to 1.2.3.4 port 1812
    User-Name = "mmmm"
    User-Password = "111"
    Calling-Station-Id = "00:11:22:33:44:55"
    NAS-IP-Address = 1.2.2.2
    Proxy-State = 0x3238
Going to the next request
Waking up in 0.9 seconds.
Waking up in 28.9 seconds.
rad_recv: Access-Request packet from host 1.2.2.2 port 39710, id=28, length=75
Sending duplicate proxied request to home server 1.2.3.4 port 1812 - ID: 143
Sending Access-Request of id 143 to 1.2.3.4 port 1812
    User-Name = "mmmm"
    User-Password = "111"
    Calling-Station-Id = "00:11:22:33:44:55"
    NAS-IP-Address = 1.2.2.2
    Proxy-State = 0x3238
Waking up in 26.9 seconds.
rad_recv: Access-Request packet from host 1.2.2.2 port 39710, id=28, length=75
Sending duplicate proxied request to home server 1.2.3.4 port 1812 - ID: 143
Sending Access-Request of id 143 to 1.2.3.4 port 1812
    User-Name = "mmmm"
    User-Password = "111"
    Calling-Station-Id = "00:11:22:33:44:55"
    NAS-IP-Address = 1.2.2.2
    Proxy-State = 0x3238
Waking up in 23.9 seconds.
. . .
WARNING: Marking home server 1.2.3.4 port 1812 as zombie (it looks like it is dead).

After 30 seconds I always get an Access-Reject the first time. But if my
zombie_period = 20, shouldn't it mark radiusxx as zombie after 20 seconds and
proxy my request to radiusyy? My response_window = 50, and FreeRADIUS must
wait 50 seconds before considering the request dead.

Then, when I send another authentication request:

Sending Access-Request of id 129 to 1.2.3.4 port 1812
    User-Name = "mmmm"
    User-Password = "111"
    Calling-Station-Id = "00:11:22:33:44:55"
    NAS-IP-Address = 1.2.2.2
    Proxy-State = 0x31
Proxying request 1 to home server 1.2.3.4 port 1812
Sending Access-Request of id 129 to 1.2.3.4 port 1812
    User-Name = "mmmm"
    User-Password = "111"
    Calling-Station-Id = "00:11:22:33:44:55"
    NAS-IP-Address = 1.2.2.2
    Proxy-State = 0x31
Going to the next request
Waking up in 0.9 seconds.
Waking up in 28.9 seconds.
rad_recv: Access-Request packet from host 1.2.2.2 port 59850, id=1, length=75
FAILURE: Marking home server 1.2.3.4 port 1812 as dead.
Sending Access-Request of id 118 to 1.2.3.5 port 1812
    User-Name = "mmmm"
    User-Password = "111"
    Calling-Station-Id = "00:11:22:33:44:55"
    NAS-IP-Address = 1.2.2.2    
    Proxy-State = 0x31
Proxying request 1 to home server 1.2.3.5 port 1812
Sending Access-Request of id 118 to 1.2.3.5 port 1812
    User-Name = "mmmm"
    User-Password = "111"
    Calling-Station-Id = "00:11:22:33:44:55"
    NAS-IP-Address = 1.2.2.2    
    Proxy-State = 0x31
Waking up in 26.9 seconds.
rad_recv: Access-Accept packet from host 1.2.3.5 port 1812, id=118, length=23
    Proxy-State = 0x31


I don't know why FreeRADIUS doesn't send me an Access-Accept when I send the
first request, after marking radiusxx (zombie_period = 20) as zombie and
proxying the request to radiusyy.

Thank you and sorry for my English.
