intermittent auth issue (proxy: request is no longer in proxy hash)

Alan DeKok aland at deployingradius.com
Thu Jul 3 18:30:47 CEST 2014


Chris Knipe wrote:
> Ok.  So what is the value of the timeout? Is it configurable, and if
> not, can we get a option to configure the timeout value? I don't see
> anything in proxy.conf, so my apologies if I missed this.

  Then you deleted it.  The configuration items are in the default
proxy.conf file, with documentation.

  Also, the client may time out.  You can't control that.

>  All the
> requests also generally come back to me at the same time (as posted
> previously in the logs).  Why is post_proxy then executed for one
> request, but not the other?  They arrive back at FR at the same time,
> baring a few us...

  That's what the debug log is for.

> If you read the two responses posted to the packets, you will also see
> that both responses gave the proxy hash error, yet the one is still
> passed through post_proxy, and the other is not..

  That shouldn't happen.  Please try the v3.0.x branch from git.

> Unfortunately, again, the speed of light is a constant.  I *cannot*
> process a proxied packet faster than what it takes to transmit the
> packet half way around the world - I get my responses generally sub
> 250ms.

  That should be fine.

> With all due respect Alan, and I say this with the UTMOST respect,
> Freeradius is being anal about timeouts, IF, this is indeed a timeout
> issue.  The fact that the first response is sent through post_proxy,
> and the other responses received virtually at the same time is not...

  It may be a bug.  And yes, the server is SUPPOSED to be anal about
timeouts.  That's what timeouts are for.  The alternative is to lie to
people.  "This timeout is for situation X, but if something happens
after the timeout, that's OK, too"

  There is no reason in heaven or earth for FR to ignore documented
timeouts.

  Alan DeKok.


More information about the Freeradius-Users mailing list