Copy-acct-to-home-server Issue

Alan DeKok aland at deployingradius.com
Wed Jul 8 14:35:36 CEST 2015 

On Jul 7, 2015, at 7:32 AM, Ricardo LarraƱaga <ricardo.larranaga at gmail.com> wrote:
> Right now, all my NAS are only pointing to one server (Lets call it
> server1). So server2 and server3 do not receive authentication requests,
> they just receive accounting packets from server1.

  That's simple.

> Now, with some NAS i also see issues where i miss accounting stop packets,
> and i end up with stale sessions. I am working on solving that, but in the
> mean time i run a script on all three servers that queries all NAS for
> active sessions and marks the stale sessions as Terminated.

  Why?  Just run the script once, and have it write RADIUS packets to a detail file.  Those can be replicated to every server.

> My script logs the stale sessions, so i can compare them between servers.
> My problem is that the stale sessions between the servers are different.

  Since you're doing RADIUS replication, packets can be lost.  If you were doing database replication, this wouldn't happen.

> Usually, server 2 and 3 have more stale sessions than server 1. This would
> tell me that there are accounting packets not processed or missing between
> server 1 and server 2 and 3.

  Or, they're received in a different order, and that causes problems.

> First thing i did was looking at the networking side of things. All
> interfaces between the servers run clean, they are all connected to the
> same switch.

  So that should be fine.

> So i am trying to troubleshoot what is happeing with these packets. The
> questions i have are:
> 
> 1) My copy acct-to-home-server for each server configuration is as follows:
> - log all the incoming packets to a detail file.
> -copy-acct-to-home-server server reads the detail file and updates the
> proxy-to-realm control attribute so the packet gets proxied to the other
> server. Acct always returns ok.

  That should work.

> If i understand this correctly, in this configuration the packets are "Sent
> and forgotten".

  No.  See the debug output.  The packets are retransmitted until the server receives a reply.

> So if a packet fails to be received or processed by server2
> or server3, it wont be retried. The fact that all the detail files are
> empty makes me think that this is the way the server is working right now.

  i.e. all packets have received replies.

> Any ideas on how could i implement a simple "retry 3 times" policy?

  The server does this already.

> My
> issue is that since i proxy the packet, and and always return ok on
> accounting, i am not sure where to put the "IF packet failed to ACK, return
> fail". From what i see, it cannot be done   in the proxy section, unless i
> do something like:
> realm SERVER1 {
> 
> }

  It's put into the Post-Proxy-Type Fail section.

> 2) I dont see anything in the logs that would indicate there is a problem
> with packets being sent to the other to servers. How can i catch these
> issues from the logs or debug perspective?

  If there's an error, it will be logged to radius.log.

> the only thing i can think of is
> to turn debug on for all the packets with packet-source-destination equals
> "server 2" and server 3" in server one, and go from there, but any
> suggestions would be appreciated, as that would basically be my whole
> radius acct traffic.

  It's RADIUS... it's imperfect.  If you want more reliable replication, use database replication.  But that has it's own set of issues.

  Alan DeKok.

More information about the Freeradius-Users mailing list