FR 3.0.13 - fail-over in proxy with radsec doesn't work
Alan DeKok
aland at deployingradius.com
Tue May 23 19:07:48 CEST 2017
On May 23, 2017, at 12:04 PM, Fikais Ladislav <fikais at cuni.cz> wrote:
> I'm trying to set up a new FR 3.0.13 server as a proxy with radsec. I'm using two "main" radius servers (cuni-tls1, cuni-tls2 - FRv2 + RadSecProxy) to authenticate users and the new server should act only as a proxy (plus logging and VLAN rewrite) for a remote site. Currently I'm using FRv2 and RadSecProxy for this and it has worked fine (including fail-over) for a few years.
>
> Now if I try to use only FR 3.0.13 with radsec for this proxy, it only works if the first main server (cuni-tls1) is reachable. If not (a DROP rule in the main servers' FW) the proxy will not even try the secondary server (verified by tcpdump) and I get a timeout.
The short answer is "don't do that".
The server doesn't know if a site is unreachable, or just very slow.
If a site is reachable but down, it should return ICMP "port unreachable", which signals the underlying network stack to return that the connection has failed.
The underlying issue is that in v3, the server has a select() loop around reading sockets, but not around writing sockets. So if a socket is open but unwritable (as in this case), it will block forever.
I can add a timeout to v3 which works around the issue. That should help.
Alan DeKok.
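The failure mode described above is a blocking write on a TCP socket whose peer has silently stopped draining it: a firewall DROP produces no ICMP error, the connection stays "open", and a write() that is not guarded by select()/poll() on writability blocks indefinitely. The following is an added example, not FreeRADIUS code, showing the timeout pattern Alan mentions: poll() for POLLOUT with a deadline before each send, so a stalled home server produces a distinct timeout result that the caller can use to fail over. The stalled peer is simulated with a constructed AF_UNIX socketpair whose reading end never reads (an assumption for the demo; the same poll() logic applies to a TCP socket).

```c
#include <errno.h>
#include <fcntl.h>
#include <poll.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

#ifndef MSG_NOSIGNAL
#define MSG_NOSIGNAL 0   /* not on every platform; SIGPIPE is then left to the caller */
#endif
#ifndef MSG_DONTWAIT
#define MSG_DONTWAIT 0   /* the demo also sets O_NONBLOCK on the descriptor */
#endif

/* Result codes for timed_write(). */
enum { TW_OK = 0, TW_TIMEOUT = -1, TW_ERROR = -2 };

/* Write len bytes to a non-blocking socket, but never wait longer than
 * timeout_ms for the socket to become writable. Returns TW_OK when all
 * bytes were queued, TW_TIMEOUT if the peer stopped draining the socket
 * (the "open but unwritable" case), and TW_ERROR on a socket error. */
int timed_write(int fd, const void *buf, size_t len, int timeout_ms)
{
    const char *p = buf;
    size_t left = len;

    while (left > 0) {
        struct pollfd pfd = { .fd = fd, .events = POLLOUT, .revents = 0 };
        int rc = poll(&pfd, 1, timeout_ms);
        if (rc == 0) return TW_TIMEOUT;                 /* nothing writable before the deadline */
        if (rc < 0) { if (errno == EINTR) continue; return TW_ERROR; }
        if (pfd.revents & (POLLERR | POLLHUP | POLLNVAL)) return TW_ERROR;

        ssize_t n = send(fd, p, left, MSG_NOSIGNAL | MSG_DONTWAIT);
        if (n < 0) {
            if (errno == EINTR || errno == EAGAIN || errno == EWOULDBLOCK) continue;
            return TW_ERROR;
        }
        p += n;
        left -= (size_t)n;
    }
    return TW_OK;
}

/* Demonstration with a constructed stalled peer: one end of a socketpair
 * never reads. Returns 0 when the behaviour is as expected: the large write
 * times out instead of blocking forever, and a later small write succeeds
 * once the peer has drained its side. Returns 1 otherwise, -1 on setup error. */
int demo_stalled_peer(void)
{
    int sv[2];
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) < 0) return -1;
    int writer = sv[0], peer = sv[1];

    int sndbuf = 64 * 1024;   /* keep the kernel send buffer small so the stall shows quickly */
    setsockopt(writer, SOL_SOCKET, SO_SNDBUF, &sndbuf, sizeof sndbuf);  /* best effort */
    fcntl(writer, F_SETFL, fcntl(writer, F_GETFL) | O_NONBLOCK);
    fcntl(peer, F_SETFL, fcntl(peer, F_GETFL) | O_NONBLOCK);

    size_t big = (size_t)8 << 20;   /* far larger than any default socket buffer */
    char *payload = calloc(big, 1);
    if (!payload) { close(writer); close(peer); return -1; }

    /* The peer is not reading: this must time out, not hang. */
    int first = timed_write(writer, payload, big, 200);

    /* Now let the peer drain what was queued and retry a small write. */
    char sink[4096];
    while (read(peer, sink, sizeof sink) > 0) { }
    static const char msg[] = "constructed-sample-request";
    int second = timed_write(writer, msg, sizeof msg - 1, 200);

    free(payload);
    close(writer);
    close(peer);
    return (first == TW_TIMEOUT && second == TW_OK) ? 0 : 1;
}

int main(void)
{
    int rc = demo_stalled_peer();
    printf("stalled-peer demo: %s\n", rc == 0 ? "write timed out as expected, then recovered"
                                             : "unexpected result");
    return rc == 0 ? 0 : 1;
}
```

The important design point is that the write path, not just the read path, is driven through the event loop: a TW_TIMEOUT on one home server is the signal to mark it dead and move on to the next one, which is exactly the fail-over the original poster expected.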