Discarding Duplicate Request
John Douglass
john.douglass at oit.gatech.edu
Fri Oct 3 15:53:40 CEST 2014
You have to be using Samba 3.6+ or higher.
- JohnD
On 10/02/2014 08:12 PM, Rando Nakarmi wrote:
> when I set winbind max domain connections = 12
>
> I get following message
>
> Ignoring unknown parameter "winbind max domain connections"
>
> On Thu, Oct 2, 2014 at 4:56 PM, John Douglass
> <john.douglass at oit.gatech.edu <mailto:john.douglass at oit.gatech.edu>>
> wrote:
>
>
> On 10/02/2014 12:35 PM, Rando Nakarmi wrote:
>> Hello John,
>>
>> Thanks
>>
>> you increased max_request = 16384 (so you have only 64 clients ?)
>
> That was a cut/paste from Phil Huxley who responded to my
> question. I'm still figuring out how to optimize. I can say that
> the max domain connections helped A LOT. However, the faster you
> churn, the more you might hit the Cisco WLC bug. We've seen _less_
> but we've added radius servers and moved some controllers to their
> own radius server pairs. I hate adding radius servers as I feel it
> masks the real problem and it doesn't solve peak (change of
> classes) issues.
>
>> you set winbind max domain connections = 12 (how do I know which
>> value is right ) (we have around 300 clients (WAPs)
> It's really mainly about handling peak connections. With 300 WAPs
> you probably won't go that high. I have about 500 aps/controller
> but we have 30k users online at once spread across maybe 20
> controllers with multiple controllers on each radius server.
>
> Actually I increased winbind max domain connections to 128. The
> way I kind of felt that out was to (on the linux/unix server)
>
> lsof | grep winbind | grep TCP
>
> You can see the number of TCP connections to the AD server. We
> were hitting or initial limit of 50 during peak times. I just
> increased it to a high enough number so that I probably won't
> reach it. The number of connections goes up and down. On a radius
> failover we might be generating a lot of connections but they
> eventually close and die off.
>>
>> so I set the max_request= 300*256 (I use 256 the value which is
>> in the radious.conf file)
>>
>> winbind max clients = 1200 ( has anybody used this parameter ? is
>> this mean how many winbind client can connect to AD ?
>
> I'm actually not 100% sure on that stat/setting. :) I don't think
> I really care about it enough. No really sure how to determine
> this one. The documentation isn't really pointing out what that
> means (on samba.org <http://samba.org>)
>
>>
>> --cheers
>> Rando
>>
>>
>>
>> On Thu, Oct 2, 2014 at 3:27 PM, John Douglass
>> <john.douglass at oit.gatech.edu
>> <mailto:john.douglass at oit.gatech.edu>> wrote:
>>
>> :) Rando,
>>
>> There has been much discussion on this list about that
>> problem. IF you are using Cisco WLC, there is a flaw in the
>> way radius is processed which could lead to these log
>> messages. Here is the previous set of threads that have some
>> pointers as to what to look at.
>>
>> Cisco WLCs use the same source port and the 8-bit ID that is
>> used to track radius conversations during peak times, gets
>> cycled so fast that it creates duplicates where there really
>> shouldn't be. We are pushing Cisco hard to fix this flaw in
>> their design especially since they are creating controllers
>> with more and more capacity. The problem is only going to get
>> worse.
>>
>> I highly suggest you move to radius 2.2.5 and enable the
>> ntlm_auth timeout and upgrade your samba to 3.6 where you can
>> add some additional parameters. Here are some hints that Phil
>> Huxley shared with us that have been helpful in making our
>> services better. The issues haven't been handled 100%, and
>> there are other things to consider like if using a Cisco WLC,
>> enabling client exclusion, etc, etc but I don't have a ton of
>> info on that as I just run the radius servers.
>>
>> http://lists.freeradius.org/pipermail/freeradius-users/2014-September/073929.html
>>
>> - John Douglass @ Georgia Tech
>>
>> PS: I really need to write up a blog post about this :)
>> PSS: Yes we know AD is slow and it sucks as a backend but for
>> a lot of us, it's what we have to deal with :)
>>
>>
>>
>> On 10/02/2014 11:10 AM, Rando Nakarmi wrote:
>>> I been seeing quite a large number of message like below
>>> logged in radius.log lately.
>>>
>>> Discarding duplicate request from client classroom98 port
>>> 32880 - ID: 131 due to unfinished request 241848
>>>
>>> I read some thread, this might be the case when back-end
>>> server (i.e auth servers) are too slow to respond.
>>>
>>> My back-end is AD, using ntlm_auth.
>>> radius version 2.1.12-4
>>> samba version 3.5.8-68
>>>
>>> Any hints or suggestion how to resolve this would be very
>>> helpful.
>>>
>>> Most of the users get authenticated ( I don't think
>>> ntlm_auth is responding slow), I could not figure this out
>>>
>>> --cheers,
>>> Rando
>>>
>>>
>>> -
>>> List info/subscribe/unsubscribe? Seehttp://www.freeradius.org/list/users.html
>>
>>
>> -
>> List info/subscribe/unsubscribe? See
>> http://www.freeradius.org/list/users.html
>>
>>
>>
>>
>> -
>> List info/subscribe/unsubscribe? Seehttp://www.freeradius.org/list/users.html
>
>
> -
> List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html
>
>
>
>
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.freeradius.org/pipermail/freeradius-users/attachments/20141003/f054ecd3/attachment-0001.html>
More information about the Freeradius-Users
mailing list