Zombie proxies with RadSec

Alan DeKok aland at deployingradius.com
Thu Nov 9 23:30:33 CET 2017


On Nov 9, 2017, at 4:49 PM, Neuton Martins <notuenmc at gmail.com> wrote:
> I only have the default log of the zombie message, as follows:
> Mon Nov  6 18:31:03 2017 : Proxy: Marking home server 10.X.Y.Z port 2083 as
> zombie (it has not responded in 30.000000 seconds).
> Mon Nov  6 18:31:03 2017 : ERROR: (20792) ERROR: Failing proxied request
> for user "xxxx at mpf.mp.br", due to lack of any response from home server
> 10.X.Y.z port 2083

  That's a problem then.

> And when I tried to use status-server with RadSec I got the following error:
> Error: /usr/local/etc/raddb/sites-enabled/tls[145]: Only 'status_check =
> none' is allowed for home servers with 'proto = tcp'

  Ah yes, I had forgotten about that.

> My true problem is that my home_server is up, but for some reason the proxy
> client thinks it's down and marked it as zombie. I think this is related to
> having two firewalls between proxy client and home server. However, I need
> the proxy client to detect the connection error quickly and restart the
> connection.

  The problem is that if the TCP connection goes away, no amount of poking FreeRADIUS will fix the problem.

  It's a network problem.  The only solution is to fix the network.

  Honestly, if the firewalls are breaking TCP, then the firewalls are broken.

  Alan DeKok.



