Re: Zombie Infestation of Log file

Benjamin Marvin benjinm at hotmail.com
Wed Apr 21 20:37:08 CEST 2010


Thank you both for your thoughts.  I will implement the status_check =
request option (in proxy.conf, sorry I mis-remembered it as
client.conf) per your recommendations.  I've also balanced out the
response_window and max_request_time.

Any other suggestions on where I should look to see why the servers
are marking the upstream servers as Zombie?  I failed to mention that
the servers are marking only the accounting port on those servers as
Zombie. Please let me know if you want the 9MB debug or if you have
recommendations for making a smaller debug file.

-Benjamin


Josip Rodin wrote:
>On Tue, Apr 20, 2010 at 10:59:04PM -0800, Benjamin Marvin wrote:
>> I've also turned off the status_check feature as 1.1.7 and Cisco ACS do
>> not appear to support it.

 You can configure a fake username && password for status checks.

 This *is* documented in raddb/proxy.conf.

> Without status_check, you rely on the timeouts - revive_interval and
> zombie_period.

 Which is much worse than status checks.

> But, if you're talking to FR 1.1.7, that should be able to make it respond
> negatively to a single fake user/domain, and then you can use that for
> status_check = request on its clients.
>
> *Any* status_check is better on FR 2.x than none... speaking from horrible
> experience...

 Yup.  It's not that 2.x is bad without status checks, it's that there
is *no way* for anyone to do "the right thing" without status checks.

 Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
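
The setup recommended in this thread, as an added example that is not part of the original messages or of the poster's configuration: a FreeRADIUS 2.x `home_server` entry for the accounting port, first without status checks and then with `status_check = request`. The server names, address, secret and timer values are constructed placeholders.

```conf
# raddb/proxy.conf (FreeRADIUS 2.x) -- constructed example

# Before: no status checks. Once the home server is marked dead, the
# proxy can only wait out revive_interval and then mark it alive again
# without knowing whether it has actually recovered.
home_server acs_acct_nocheck {
	type = acct
	ipaddr = 192.0.2.10            # placeholder (documentation range)
	port = 1813
	secret = CHANGE_ME             # placeholder
	response_window = 20
	zombie_period = 40
	status_check = none
	revive_interval = 120
}

# After: the home server does not support Status-Server, so the proxy
# probes it with ordinary requests for a fake user. With type = acct
# the probe is an Accounting-Request and only username is needed.
home_server acs_acct {
	type = acct
	ipaddr = 192.0.2.10            # placeholder (documentation range)
	port = 1813
	secret = CHANGE_ME             # placeholder
	response_window = 20
	zombie_period = 40
	status_check = request
	username = "test_user_please_reject_me"
	# password = "..."             # only for Access-Request checks (type = auth)
	check_interval = 30            # seconds between probes
	num_answers_to_alive = 3       # replies required before marking alive
}
```

Any reply counts as proof of life, so the home server should always reject the test user on the authentication side and should not record its accounting packets as real sessions.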