Marking proxy servers as zombie - odd behaviour

Alan DeKok aland at deployingradius.com
Thu Jun 17 17:54:16 CEST 2010


John Horne wrote:
> So what is being seen is that backend server 141.163.66.101 has sent an
> access accept packet (to the local proxy server 195.250) and the log
> shows a user as having authenticated. About 10 seconds later, the server
> is marked as zombie, but tcpdump shows that a packet (access reject - we
> have status-server set up with an invalid userid, so the reject is
> correct) is received from that server.

  Yes, that can happen.

> So I think the question is why did FR think the server was zombie when
> it had received an access-accept just a few seconds before? Why does it
> think it looks like it is dead?

  Because the home server didn't respond to *another* request.

  Each request has a timer.  If the home server doesn't respond within
that time, then it is marked "zombie".

> The tcpdump shows no other packets being
> sent to/from the server for FR to think that. And why is it that when FR
> thinks the backend server is dead it receives a status check reply at
> the same time?

  Because the failure to respond gets it marked as zombie.  When it gets
marked zombie, FreeRADIUS starts pinging it.  It responds to the ping,
but that doesn't mean it's responsive.  It takes 3 pings before it's
marked "alive" again.

> Maybe I am wrong but I would not have expected FR to even consider the
> backend server as zombie/dead given that it had received a packet from
> it 10 seconds before.

  The "mark as zombie" code could be less aggressive, yes.

  Alan DeKok.
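
The behaviour described in the reply above, modelled as an added example (not part of the original post and not FreeRADIUS code): a reply to one request does not clear the timer of another, and a zombie server needs three answered pings to become alive again. The 10-second window, the request ids, and the event times are constructed assumptions.

```python
from dataclasses import dataclass, field

RESPONSE_WINDOW = 10  # assumed per-request timer in seconds (not from the post)
PINGS_TO_ALIVE = 3    # from the post: 3 answered pings before "alive"

@dataclass
class HomeServer:
    state: str = "alive"
    ping_replies: int = 0
    pending: dict = field(default_factory=dict)  # request id -> time sent

    def send(self, now, req_id):
        self.pending[req_id] = now

    def reply(self, req_id):
        # A reply only clears the timer of the request it answers.
        self.pending.pop(req_id, None)

    def tick(self, now):
        # Any request unanswered for RESPONSE_WINDOW marks the server zombie.
        for req_id, sent in list(self.pending.items()):
            if now - sent >= RESPONSE_WINDOW:
                del self.pending[req_id]
                if self.state == "alive":
                    self.state, self.ping_replies = "zombie", 0

    def ping_reply(self):
        # Ping replies count only while zombie; the third one revives it.
        if self.state == "zombie":
            self.ping_replies += 1
            if self.ping_replies >= PINGS_TO_ALIVE:
                self.state = "alive"

def replay():
    """Constructed timeline: two requests sent together, only one answered."""
    hs, timeline = HomeServer(), []
    hs.send(0, "A")
    hs.send(0, "B")
    hs.reply("A");   timeline.append((1, "Access-Accept for A", hs.state))
    hs.tick(10);     timeline.append((10, "timer for B expires", hs.state))
    hs.ping_reply(); timeline.append((10, "ping reply 1", hs.state))
    hs.ping_reply(); timeline.append((40, "ping reply 2", hs.state))
    hs.ping_reply(); timeline.append((70, "ping reply 3", hs.state))
    return timeline

if __name__ == "__main__":
    for t, event, state in replay():
        print(f"t={t:>2}s  {event:<20} -> {state}")
```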



