misbehaving nas's send accounting to both primary and secondary servers

Joe Maimon jmaimon at ttec.com
Thu Oct 1 15:24:07 CEST 2009



Alan DeKok wrote:
> Joe Maimon wrote:
>> What is the best way to deal with misbehaving nas's that send accounting
>> to both the primary and secondary server, even while receiving replies
>> to both queries.
> 
>   Throw it away, and buy a real NAS.

The customer uses this nas for a product that is in its endoflife. It 
has been in place for quite some time. Previously, this "feature" was 
unwittingly used to have accounting sent to two different unrelated 
systems, where it was needed on both.

So long as it works, there will be no more capital investments, which 
have been investigated to an extent.

> 
>   I guess I should learn to *not* be shocked by how bad the NAS
> equipment is.

The nas has a concept of server groups, primary and secondary. Each 
group can be configured with up to three ip address 
destination/ports/secrets.

However, failover when using just one group seems to be problematic. On 
the other hand, with both server groups enabled, duplicate accounting.

> 
>> This results in multiple accounting records in sql, with duplicate
>> acctsessionid and acctuniqueid values.
> 
>   The NAS sends *different* Acct-Session-Id values for the same session?

No, those values are identical. Two rows in mysql are created with those 
identical values.

> 
>   It's definitely a piece of garbage.  What the heck would it do if it
> failed over from one RADIUS server to another?  Change the session Id?

I think it could use a software update. Unfortunately, I cant find 
anywhere anyone offering official support, product line was sold, 
discontinued, it is EOL, something.

> 
>> Assuming the NAS cannot be properly configured, either for technical or
>> other reasons, these are the potential options.
>>
>> - configure only one of the primary or secondary on the NAS
> 
>   That MIGHT work.  See above.

It would work fine, and since this setup uses anycast (sticky) not lose 
all that much in the way of redundancy. Its more or less how it is setup 
now - but I dont like it.

The device is a 3com hiper arc, used for analog modem dialup.

> 
>> - get the server to recognize the existing record and update it instead
>> of inserting a new one
> 
>   What are the contents of the accounting packets?  How could you use
> those contents to determine that two packets were about the "same" session?

No, each server gets ONE start packet.

> 
>   i.e. post some packet contents here.  Odds are that you can look at
> NAS-IP-Address, NAS-Port, and maybe User-Name.  If those all match, odds
> are it's for the same session, even if Acct-Session-Id is different.

They are the same.

> 
>> Now there is account_start_query_alt, but that appears to only be called
>> if the account_start_query fails.
>>
>> With the default mysql schema, I dont think there is anything to cause
>> that query to ever fail.
>>
>> Tips and advice are greatly appreciated.
> 
>   Tell the NAS vendor that their product is horrible.  Get THEM to fix
> the problem.
> 
>   Having all of their customers deploy "work-arounds" just encourages
> idiots.  If all of their customers called, complained, and threatened to
> return the equipment, you can bet it would get fixed in a hurry.
> 
>   Alan DeKok.

I agree with you but that time has passed, at least for this equipment.

I suppose my question is when and how is the account_start_query_alt 
used, and can I use that to prevent duplicate accounting rows in sql?






More information about the Freeradius-Users mailing list