Copy-acct-to-home-server Issue
Ricardo LarraƱaga
ricardo.larranaga at gmail.com
Tue Jul 7 13:32:58 CEST 2015
Hello Guys, i was wondering if you could give me some pointers on how to
troubleshoot an issue.
I am running freeradius 3.0.4 on Centos 7, and i am using
copy-acct-to-home-server in order to replicate the accounting database
between the 3 servers.
Right now, all my NAS are only pointing to one server (Lets call it
server1). So server2 and server3 do not receive authentication requests,
they just receive accounting packets from server1.
Now, with some NAS i also see issues where i miss accounting stop packets,
and i end up with stale sessions. I am working on solving that, but in the
mean time i run a script on all three servers that queries all NAS for
active sessions and marks the stale sessions as Terminated.
My script logs the stale sessions, so i can compare them between servers.
My problem is that the stale sessions between the servers are different.
Usually, server 2 and 3 have more stale sessions than server 1. This would
tell me that there are accounting packets not processed or missing between
server 1 and server 2 and 3.
First thing i did was looking at the networking side of things. All
interfaces between the servers run clean, they are all connected to the
same switch.
So i am trying to troubleshoot what is happeing with these packets. The
questions i have are:
1) My copy acct-to-home-server for each server configuration is as follows:
- log all the incoming packets to a detail file.
-copy-acct-to-home-server server reads the detail file and updates the
proxy-to-realm control attribute so the packet gets proxied to the other
server. Acct always returns ok.
If i understand this correctly, in this configuration the packets are "Sent
and forgotten". So if a packet fails to be received or processed by server2
or server3, it wont be retried. The fact that all the detail files are
empty makes me think that this is the way the server is working right now.
Any ideas on how could i implement a simple "retry 3 times" policy? My
issue is that since i proxy the packet, and and always return ok on
accounting, i am not sure where to put the "IF packet failed to ACK, return
fail". From what i see, it cannot be done in the proxy section, unless i
do something like:
realm SERVER1 {
}
2) I dont see anything in the logs that would indicate there is a problem
with packets being sent to the other to servers. How can i catch these
issues from the logs or debug perspective? the only thing i can think of is
to turn debug on for all the packets with packet-source-destination equals
"server 2" and server 3" in server one, and go from there, but any
suggestions would be appreciated, as that would basically be my whole
radius acct traffic.
I am copying here the contents of copy-acct-to-home-server, for reference
(They are identical for all servers):
server copy-acct-to-SERVER2 {
listen {
type = detail
filename = /buffer_disk/SERVER2/detail_SERVER2
load_factor = 10
}
preacct {
update control {
Proxy-To-Realm := "SERVER2"
}
}
accounting {
ok
}
pre-proxy {
}
post-proxy {
}
}
My proxy.conf section only contains a realm section from it server, in the
old configuration fashion (I probably should change it to the new one):
realm "SERVER1" {
nostrip
authhost = 192.168.1.1:1812
accthost = 192.168.1.1:1813
secret=itssecret
}
As always, thank you very much for your help!.
Regards
More information about the Freeradius-Users
mailing list