Problem with proxying request
BALSIANOK, Peter
Peter.Balsianok at orange.sk
Wed Dec 19 09:59:41 CET 2012
Maybe I found where the problem is (please see the tcpdump logs, which show that the UDP port is unreachable), but I don't know why.
[radiusd@tdrad1 test]$ cat /etc/redhat-release
Red Hat Enterprise Linux Server release 5.8 (Tikanga)
[radiusd@tdrad1 test]$ uname -a
Linux tdrad1.vas.orange.sk 2.6.18-308.8.2.el5 #1 SMP Tue May 29 11:58:36 EDT 2012 i686 i686 i386 GNU/Linux
I have only one interface eth0
[radiusd@tdrad1 ggsn]$ ifconfig -a
eth0 Link encap:Ethernet HWaddr 00:50:56:A4:52:1F
inet addr:10.14.131.103 Bcast:10.14.131.111 Mask:255.255.255.240
inet6 addr: fe80::250:56ff:fea4:521f/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:1585334449 errors:0 dropped:0 overruns:0 frame:0
TX packets:1371218148 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:2959253629 (2.7 GiB) TX bytes:1175980083 (1.0 GiB)
Interrupt:59 Base address:0x2024
lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
inet6 addr: ::1/128 Scope:Host
UP LOOPBACK RUNNING MTU:16436 Metric:1
RX packets:99806730 errors:0 dropped:0 overruns:0 frame:0
TX packets:99806730 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:67149682 (64.0 MiB) TX bytes:67149682 (64.0 MiB)
sit0 Link encap:IPv6-in-IPv4
NOARP MTU:1480 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:0 (0.0 b) TX bytes:0 (0.0 b)
Part of radiusd.conf ( listen section, also you can see it in debug output ):
listen {
    type = acct
    ipaddr = *
    port = 2813
}
listen {
    ipaddr = *
    port = 2646
    type = acct
}
Proxy configuration ( proxy.conf ):
realm realm_orangewap {
    type = radius
    # MVAS BA
    #accthost = 213.151.250.21:1813
    # MVAS BB
    accthost = 213.151.250.149:1813
    secret = testing123
}
Configuration in acct_users file ( only one line ):
DEFAULT Called-Station-Id == "orangewap", Proxy-To-Realm := realm_orangewap
Configuration in preproxy_users file ( but it is not important for this situation ):
DEFAULT Called-Station-Id == "orangewap"
    Called-Station-Id := "%{Called-Station-Id}.%{3GPP-SGSN-Address}"
Debug output of radiusd:
radiusd: #### Opening IP addresses and Ports ####
listen {
type = "acct"
ipaddr = *
port = 2813
max_pps = 0
}
listen {
type = "acct"
ipaddr = *
port = 2646
max_pps = 0
}
Listening on accounting address * port 2813
Listening on accounting address * port 2646
Opening new proxy address 255.255.255.255 port 0
Listening on proxy address 255.255.255.255 port 50773
Ready to process requests.
rad_recv: Accounting-Request packet from host 127.0.0.1 port 38984, id=186, length=202
X-Ascend-Dial-Number != "<U+0557>\331\025"
Acct-Session-Id != "d597d91572f51ab3"
Service-Type != Framed-User
Called-Station-Id != "orangewap"
Acct-Link-Count != 1
X-Ascend-Metric != 1928665779
Acct-Authentic != Local
Acct-Status-Type != Start
NAS-IP-Address != 10.64.192.1
X-Ascend-PRI-Number-Type != 8
3GPP-SGSN-Address != 213.151.252.35
Calling-Station-Id != "421905012405"
X-Ascend-IPX-Alias != 4294967295
Framed-Protocol != GPRS-PDP-Context
User-Name != "421905012405"
NAS-Identifier != "ggsn-01-bb1.orange.sk"
Acct-Multi-Session-Id != "d597d9153962de6b"
Framed-IP-Address != 10.10.1.1
(0) # Executing section preacct from file /app/radius/raddb/ggsn//sites-enabled/default
(0) group preacct {
(0) - entering group preacct {...}
(0) [preprocess] = ok
(0) linelog : escape: 'Start' -> 'Start'
(0) linelog : expand: '%{Acct-Status-Type}' -> 'Start'
(0) linelog : expand: 'Accounting-Request.%{%{Acct-Status-Type}:-unknown}' -> 'Accounting-Request.Start'
(0) linelog : expand: '/app_log/radius/ggsn/ggsn-acct.dat' -> '/app_log/radius/ggsn/ggsn-acct.dat'
(0) linelog : escape: 'Start' -> 'Start'
(0) linelog : escape: '421905012405' -> '421905012405'
(0) linelog : escape: '10.10.1.1' -> '10.10.1.1'
(0) linelog : escape: 'orangewap' -> 'orangewap'
(0) linelog : escape: '10.64.192.1' -> '10.64.192.1'
(0) linelog : escape: '213.151.252.35' -> '213.151.252.35'
(0) linelog : escape: 'd597d9153962de6b' -> 'd597d9153962de6b'
(0) linelog : expand: '%{Acct-Status-Type}:%{Calling-Station-Id}:%{Framed-IP-Address}:%{Called-Station-Id}:%{NAS-IP-Address}:%{3GPP-SGSN-Address}:%{Acct-Multi-Session-Id}:%l' -> 'Start:421905012405:10.10.1.1:orangewap:10.64.192.1:213.151.252.35:d597d9153962de6b:1355906687'
(0) [linelog] = ok
(0) suffix : No '@' in User-Name = "421905012405", looking up realm NULL
(0) suffix : No such realm "NULL"
(0) [suffix] = noop
(0) files : acct_users: Matched entry DEFAULT at line 25
(0) [files] = ok
(0) # Executing section accounting from file /app/radius/raddb/ggsn//sites-enabled/default
(0) group accounting {
(0) - entering group accounting {...}
(0) attr_filter.accounting_response : expand: '%{User-Name}' -> '421905012405'
(0) attr_filter.accounting_response : Matched entry DEFAULT at line 103
(0) [attr_filter.accounting_response] = updated
(0) # Executing section pre-proxy from file /app/radius/raddb/ggsn//sites-enabled/default
(0) group pre-proxy {
(0) - entering group pre-proxy {...}
(0) files : preproxy_users: Matched entry DEFAULT at line 33
(0) files : expand: '%{Called-Station-Id}.%{3GPP-SGSN-Address}' -> 'orangewap.213.151.252.35'
(0) [files] = ok
(0) Proxying request to home server 213.151.250.149 port 1813
Sending Accounting-Request of id 160 from 255.255.255.255 port 50773 to 213.151.250.149 port 1813
X-Ascend-Dial-Number != "<U+0557>\331\025"
Acct-Session-Id != "d597d91572f51ab3"
Service-Type != Framed-User
Called-Station-Id = "orangewap.213.151.252.35"
Acct-Link-Count != 1
X-Ascend-Metric != 1928665779
Acct-Authentic != Local
Acct-Status-Type != Start
NAS-IP-Address != 10.64.192.1
X-Ascend-PRI-Number-Type != 8
3GPP-SGSN-Address != 213.151.252.35
Calling-Station-Id != "421905012405"
X-Ascend-IPX-Alias != 4294967295
Framed-Protocol != GPRS-PDP-Context
User-Name != "421905012405"
NAS-Identifier != "ggsn-01-bb1.orange.sk"
Acct-Multi-Session-Id != "d597d9153962de6b"
Framed-IP-Address != 10.10.1.1
Event-Timestamp != "Dec 19 2012 09:44:47 CET"
Proxy-State != 0x313836
Waking up in 0.3 seconds.
Waking up in 0.4 seconds.
(0) Expecting proxy response no later than 14 seconds from now
Waking up in 13.1 seconds.
(0) No proxy response, giving up on request and marking it done
Marking home server 213.151.250.149 port 1813 as zombie (it has not responded in 14 seconds).
(0) Failing request due to lack of any response from home server 213.151.250.149 port 1813
No Post-Proxy-Type Fail: ignoring
(0) Cleaning up request packet ID 186 with timestamp +9
Ready to process requests.
Tcpdump for this situation:
[radiusd@tdrad1 ~]$ sudo /usr/sbin/tcpdump -nn -e -s1500 -i eth0 -vv host 213.151.250.149
09:44:47.703564 00:50:56:a4:52:1f > 00:00:0c:07:ac:2b, ethertype IPv4 (0x0800), length 270: (tos 0x0, ttl 64, id 16544, offset 0, flags [none], proto: UDP (17), length: 256) 10.14.131.103.50773 > 213.151.250.149.1813: [bad udp cksum 1bdf!] RADIUS, length: 228
Accounting Request (4), id: 0xa0, Authenticator: 6cab5c4a6efd58bf369491687a4e5b92
Unknown Attribute (227), length: 12, Value:
0x0000: 3c55 2b30 3535 373e d915
Accounting Session ID Attribute (44), length: 18, Value: d597d91572f51ab3
0x0000: 6435 3937 6439 3135 3732 6635 3161 6233
Service Type Attribute (6), length: 6, Value: Framed
0x0000: 0000 0002
Called Station Attribute (30), length: 26, Value: orangewap.213.151.252.35
0x0000: 6f72 616e 6765 7761 702e 3231 332e 3135
0x0010: 312e 3235 322e 3335
Accounting Link Count Attribute (51), length: 6, Value: 1
0x0000: 0000 0001
Unknown Attribute (225), length: 6, Value:
0x0000: 72f5 1ab3
Accounting Authentication Attribute (45), length: 6, Value: Local
0x0000: 0000 0002
Accounting Status Attribute (40), length: 6, Value: Start
0x0000: 0000 0001
NAS IP Address Attribute (4), length: 6, Value: 10.64.192.1
0x0000: 0a40 c001
Unknown Attribute (226), length: 6, Value:
0x0000: 0000 0008
Vendor Specific Attribute (26), length: 12, Value: Vendor: 3GPP (10415)
Vendor Attribute: 6, Length: 4, Value: ...#
0x0000: 0000 28af 0606 d597 fc23
Calling Station Attribute (31), length: 14, Value: 421905012405
0x0000: 3432 3139 3035 3031 3234 3035
Unknown Attribute (224), length: 6, Value:
0x0000: ffff ffff
Framed Protocol Attribute (7), length: 6, Value: #7
0x0000: 0000 0007
Username Attribute (1), length: 14, Value: 421905012405
0x0000: 3432 3139 3035 3031 3234 3035
NAS ID Attribute (32), length: 23, Value: ggsn-01-bb1.orange.sk
0x0000: 6767 736e 2d30 312d 6262 312e 6f72 616e
0x0010: 6765 2e73 6b
Accounting Multilink Session ID Attribute (50), length: 18, Value: d597d9153962de6b
0x0000: 6435 3937 6439 3135 3339 3632 6465 3662
Framed IP Address Attribute (8), length: 6, Value: 10.10.1.1
0x0000: 0a0a 0101
Event Timestamp Attribute (55), length: 6, Value: Wed Dec 19 09:44:47 2012
0x0000: 50d1 7e7f
Proxy State Attribute (33), length: 5, Value: 186
0x0000: 3138 36
09:44:47.708970 00:1b:8f:25:fb:40 > 00:50:56:a4:52:1f, ethertype IPv4 (0x0800), length 67: (tos 0x0, ttl 56, id 0, offset 0, flags [DF], proto: UDP (17), length: 53) 213.151.250.149.1813 > 10.14.131.103.50773: [udp sum ok] RADIUS, length: 25
Accounting Response (5), id: 0xa0, Authenticator: 241255115d7b576c1ccec4a975a99cce
Proxy State Attribute (33), length: 5, Value: 186
0x0000: 3138 36
09:44:47.709000 00:50:56:a4:52:1f > 00:00:0c:07:ac:2b, ethertype IPv4 (0x0800), length 95: (tos 0xc0, ttl 64, id 16545, offset 0, flags [none], proto: ICMP (1), length: 81) 10.14.131.103 > 213.151.250.149: ICMP 10.14.131.103 udp port 50773 unreachable, length 61
(tos 0x0, ttl 56, id 0, offset 0, flags [DF], proto: UDP (17), length: 53) 213.151.250.149.1813 > 10.14.131.103.50773: [udp sum ok] RADIUS, length: 25
Accounting Response (5), id: 0xa0, Authenticator: 241255115d7b576c1ccec4a975a99cce
Proxy State Attribute (33), length: 5, Value: 186
0x0000: 3138 36
-----Original Message-----
From: freeradius-users-bounces+peter.balsianok=orange.sk at lists.freeradius.org [mailto:freeradius-users-bounces+peter.balsianok=orange.sk at lists.freeradius.org] On Behalf Of Phil Mayers
Sent: Tuesday, December 18, 2012 5:50 PM
To: freeradius-users at lists.freeradius.org
Subject: Re: Problem with proxying request
On 18/12/12 15:29, BALSIANOK, Peter wrote:
> No iptables, ipfw, pf, etc. When I use radclient and send an
> accounting request ( from the server where FreeRADIUS is placed ) to
> the 3rd-party RADIUS I got the correct answer.
Then use ordinary system diagnostic tools (strace, etc.) to determine why the packet isn't being received.
FreeRADIUS prints out a message every time it receives a packet in debug mode. If it's not printing anything, it didn't receive it.
What OS are you on, and how do you have your proxying configured? The tcpdump output you show has name resolution turned on, so it's hard to check, but are you sure the server "listen" config is set up correctly?
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
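
The pattern in the capture above (an Accounting-Response arrives and the receiving host answers it at once with ICMP port unreachable, meaning the kernel found no socket for that destination address and port) can be picked out of `tcpdump -nn` text output mechanically. The following Python is an added example, not part of the original post or of FreeRADIUS; the function name `rejected_replies` and the abridged sample lines are assumptions made for illustration.

```python
import re

IP = r"\d+\.\d+\.\d+\.\d+"
TS = r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) .*?"
# "<src>.<sport> > <dst>.<dport>: ... RADIUS"
UDP_RE = re.compile(TS + rf"(?P<src>{IP})\.(?P<sport>\d+) > "
                    rf"(?P<dst>{IP})\.(?P<dport>\d+): .*RADIUS")
# "<local> > <peer>: ICMP <local> udp port <n> unreachable"
ICMP_RE = re.compile(TS + rf"(?P<src>{IP}) > (?P<dst>{IP}): "
                     r"ICMP \S+ udp port (?P<port>\d+) unreachable")

def _secs(ts):
    h, m, s = ts.split(":")
    return int(h) * 3600 + int(m) * 60 + float(s)

def rejected_replies(lines, window=1.0):
    """Return RADIUS datagrams that the receiving host answered with
    ICMP port unreachable within `window` seconds of their arrival."""
    sent = set()    # (ip, port, peer) combinations seen sending RADIUS
    arrived = {}    # (peer, ip, port) -> time the last datagram arrived
    findings = []
    for line in lines:
        m = ICMP_RE.search(line)
        if m:
            local, peer, port = m["src"], m["dst"], int(m["port"])
            t = arrived.get((peer, local, port))
            delta = _secs(m["ts"]) - t if t is not None else None
            if delta is not None and 0 <= delta <= window:
                findings.append({
                    "local": local, "port": port, "peer": peer,
                    "delay_s": delta,
                    # True: the host itself sent from this port earlier, so
                    # the rejected datagram was a reply to its own request.
                    "reply_to_own_request": (local, port, peer) in sent,
                })
            continue
        m = UDP_RE.search(line)
        if m:
            sent.add((m["src"], int(m["sport"]), m["dst"]))
            arrived[(m["src"], m["dst"], int(m["dport"]))] = _secs(m["ts"])
    return findings

# Constructed sample: the three packet header lines from the capture in the
# post, abridged (link-layer and IP header details dropped).
SAMPLE = [
    "09:44:47.703564 IPv4 10.14.131.103.50773 > 213.151.250.149.1813: RADIUS, length: 228",
    "09:44:47.708970 IPv4 213.151.250.149.1813 > 10.14.131.103.50773: RADIUS, length: 25",
    "09:44:47.709000 IPv4 10.14.131.103 > 213.151.250.149: ICMP 10.14.131.103 udp port 50773 unreachable, length 61",
]

if __name__ == "__main__":
    for f in rejected_replies(SAMPLE):
        print(f)
```

A finding with `reply_to_own_request` set to true says the process did send from that port, so the place to look next is which local address that socket is actually bound to.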