Initial access requests getting dropped, successive requests succeed

Alan DeKok aland at deployingradius.com
Fri Mar 31 16:27:08 CEST 2017


On Mar 31, 2017, at 10:01 AM, Jeremy Stretch via Freeradius-Users <freeradius-users at lists.freeradius.org> wrote:
> As an isolated test, I have a Juniper switch configured to authenticate to
> one of the FreeRADIUS servers, which in turn authenticates against one
> backend LDAP server. When I try to log into the switch, tcpdump on the
> RADIUS server confirms that it receives an Access-Request packet. I've
> stopped the normal daemon and am running `freeradius -X` on the server, but
> it prints only a single line in response to the Access-Request:
> 
>    Ready to process requests.
> 
> It prints this same line each time a request is dropped.

  That means that the OS told FR there was a packet, but when it tried to read the packet, there was no RADIUS packet.

  If it was from an unknown client, it would print that.  If it was a malformed packet, it would print that.  So something else is going on.

> I can't find any
> information about what's actually happening. tcpdump confirms that
> FreeRADIUS is receiving the Access-Request packet, but it does not even
> attempt to contact the LDAP server.

  If it doesn't get a RADIUS packet, it doesn't run that through the virtual server, and it doesn't contact LDAP.

> However, when I attempt to authenticate again a few seconds later (after
> the switch's first request has timed out), the RADIUS server responds
> normally with a successful authentication, with no indication (AFAICT) of
> any error. I can log out and immediately log back in with no problems, but
> if I wait for more than a few seconds, the request gets dropped again. Even
> stranger, this only appears to affect the primary and secondary server;
> forcing authentication requests to the tertiary server succeeds.

  Honestly, it sounds like an OS problem.

> To rule out LDAP as a problem,

  It's not an LDAP problem.

> The three servers were originally all running v2.1.12. We upgraded the
> primary to v2.2.9 but it still has the same issue.

  Which sounds like an OS issue.

> I'm really at a loss for what to try next, other than blowing them away and
> rebuilding all three servers. Any pointers are much appreciated.

  Try using a new machine.  If that works, it's a machine / OS issue.

  Alan DeKok.
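Alan's point is that FreeRADIUS only prints "Ready to process requests." with nothing else when the socket read returns no RADIUS packet at all; an unknown client or a malformed packet would each produce its own message. The script below is an added diagnostic example, not code from this thread or from the FreeRADIUS project. It builds a PAP Access-Request exactly as RFC 2865 describes (random Request Authenticator, User-Password hidden with the MD5 chain), validates any reply's header, attribute framing and Response Authenticator, and sends requests at chosen intervals so the "first request after a quiet period is dropped" pattern can be reproduced from a client. The server address, shared secret and credentials in `main` are placeholders you replace with your own.

```python
import hashlib
import hmac
import os
import socket
import struct
import sys
import time

# RADIUS codes and attribute types from RFC 2865
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD = 1, 2


def encrypt_pap_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Hide a User-Password per RFC 2865 5.2: pad to 16-byte blocks, XOR each with
    MD5(secret + previous block), where the first 'previous block' is the Request Authenticator."""
    padded = password + b"\x00" * ((16 - len(password) % 16) % 16) or b"\x00" * 16
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        chunk = bytes(a ^ b for a, b in zip(padded[i:i + 16], hashlib.md5(secret + prev).digest()))
        out, prev = out + chunk, chunk
    return out


def decrypt_pap_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Reverse of encrypt_pap_password; the chain uses the previous *ciphertext* block."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        out += bytes(a ^ b for a, b in zip(block, hashlib.md5(secret + prev).digest()))
        prev = block
    return out.rstrip(b"\x00")


def build_access_request(identifier: int, secret: bytes, username: bytes, password: bytes,
                         authenticator: bytes = None) -> bytes:
    """Assemble Code | Identifier | Length | Authenticator | attributes for a PAP request."""
    authenticator = authenticator or os.urandom(16)
    hidden = encrypt_pap_password(password, secret, authenticator)
    attrs = struct.pack("!BB", ATTR_USER_NAME, 2 + len(username)) + username
    attrs += struct.pack("!BB", ATTR_USER_PASSWORD, 2 + len(hidden)) + hidden
    return struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs)) + authenticator + attrs


def parse_radius_header(data: bytes):
    """Apply the framing checks a server makes before calling a packet 'malformed'.
    Returns (code, identifier, length, authenticator, [(type, value), ...]) or raises ValueError."""
    if len(data) < 20:
        raise ValueError("shorter than the 20-byte RADIUS header")
    code, ident, length = struct.unpack("!BBH", data[:4])
    if length < 20 or length > 4096 or length > len(data):
        raise ValueError(f"bad Length field {length} for {len(data)} received bytes")
    attrs, pos = [], 20
    while pos < length:
        if length - pos < 2:
            raise ValueError(f"truncated attribute header at offset {pos}")
        atype, alen = data[pos], data[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError(f"bad attribute length {alen} at offset {pos}")
        attrs.append((atype, data[pos + 2:pos + alen]))
        pos += alen
    return code, ident, length, data[4:20], attrs


def verify_response(data: bytes, request_authenticator: bytes, secret: bytes) -> bool:
    """Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attributes+Secret).
    A reply that fails this check was not produced by a holder of the shared secret."""
    _, _, length, auth, _ = parse_radius_header(data)
    expected = hashlib.md5(data[:4] + request_authenticator + data[20:length] + secret).digest()
    return hmac.compare_digest(auth, expected)


def probe(server: str, secret: bytes, username: bytes, password: bytes,
          delays, timeout: float = 3.0, port: int = 1812):
    """Sleep `delay` seconds, then send one Access-Request, for each delay in `delays`.
    Returns [(delay, outcome)] so dropped-after-idle versus dropped-always is visible."""
    results = []
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        for ident, delay in enumerate(delays):
            time.sleep(delay)
            req = build_access_request(ident & 0xFF, secret, username, password)
            sock.sendto(req, (server, port))
            try:
                data, _ = sock.recvfrom(4096)
                code, rid, _, _, _ = parse_radius_header(data)
                outcome = {ACCESS_ACCEPT: "accept", ACCESS_REJECT: "reject"}.get(code, f"code {code}")
                if rid != (ident & 0xFF) or not verify_response(data, req[4:20], secret):
                    outcome += " (id/authenticator mismatch: ignore this reply)"
            except socket.timeout:
                outcome = "timeout (no reply)"
            except ValueError as exc:
                outcome = f"malformed reply: {exc}"
            results.append((delay, outcome))
    return results


if __name__ == "__main__":
    # Placeholder target and credentials; replace with your own test server and a test account.
    server = sys.argv[1] if len(sys.argv) > 1 else "radius.example.invalid"
    for delay, outcome in probe(server, b"testing123", b"testuser", b"testpass", [0, 1, 5, 15, 30]):
        print(f"after {delay:>2}s idle: {outcome}")
```

Run it against the suspect server and then against the tertiary one; if only the requests sent after a longer idle gap time out, while the same packet bytes are accepted when sent again immediately, the client side and the packet format are not the variable, which matches the reasoning above that points at the host rather than at LDAP or the virtual server.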