Zombie proxies with RadSec

Winfield, Alister Alister.Winfield at sky.uk
Mon Nov 13 12:26:05 CET 2017


I’m going to hazard a guess there is an idle timeout on one of those firewalls. What you want is to make the TCP keep-alive interval in the server’s TCP kernel settings less than the firewall’s timeout, or ensure the idle timeout is low enough on the connections from RADIUS (I’m guessing it’s a parameter somewhere but might be wrong).

As stated, it’s essentially “fix the network”.
--
Alister


On 09/11/2017, 22:30, "Freeradius-Users on behalf of Alan DeKok" <freeradius-users-bounces+alister.winfield=sky.uk at lists.freeradius.org on behalf of aland at deployingradius.com> wrote:

    On Nov 9, 2017, at 4:49 PM, Neuton Martins <notuenmc at gmail.com> wrote:
    > I only have the default log of the zombie message, as follows:
    > Mon Nov  6 18:31:03 2017 : Proxy: Marking home server 10.X.Y.Z port 2083 as
    > zombie (it has not responded in 30.000000 seconds).
    > Mon Nov  6 18:31:03 2017 : ERROR: (20792) ERROR: Failing proxied request
    > for user "xxxx at mpf.mp.br", due to lack of any response from home server
    > 10.X.Y.z port 2083

      That's a problem then.

    > And when I tried to use status-server with RadSec I got the following error:
    > Error: /usr/local/etc/raddb/sites-enabled/tls[145]: Only 'status_check =
    > none' is allowed for home servers with 'proto = tcp'

      Ah yes, I had forgotten about that.

    > My true problem is that my home_server is up, but for some reason the proxy
    > client thinks it's down and marked it as zombie. I think this is related to
    > having two firewalls between proxy client and home server. However, I need
    > the proxy client to detect the connection error quickly and restart the
    > connection.

      The problem is that if the TCP connection goes away, no amount of poking FreeRADIUS will fix the problem.

      It's a network problem.  The only solution is to fix the network.

       Honestly, if the firewalls are breaking TCP, then the firewalls are broken.

      Alan DeKok.



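The keep-alive advice in the reply above, as an added example (not part of the original thread and not FreeRADIUS code): it compares Linux TCP keep-alive timers with a firewall idle timeout and shows the per-socket options that override the kernel defaults. The 3600-second firewall timeout and the 600/30/4 tuning are constructed values, and whether a given RADIUS server enables `SO_KEEPALIVE` on its RadSec sockets is not covered by the thread.

```python
import socket

def keepalive_check(firewall_idle_s, ka_time_s, ka_intvl_s, ka_probes):
    """Compare TCP keep-alive timers (seconds) with a firewall idle timeout."""
    return {
        # The first probe goes out after ka_time_s of silence, so it has to
        # fire before the firewall forgets the flow.
        "probe_before_firewall_drop": ka_time_s < firewall_idle_s,
        # A dead path is reported once every probe has gone unanswered.
        "dead_peer_detect_s": ka_time_s + ka_intvl_s * ka_probes,
    }

def read_kernel_defaults(base="/proc/sys/net/ipv4"):
    """Linux system-wide values; they apply only to sockets with SO_KEEPALIVE set."""
    names = ("tcp_keepalive_time", "tcp_keepalive_intvl", "tcp_keepalive_probes")
    values = []
    for name in names:
        with open(f"{base}/{name}") as fh:
            values.append(int(fh.read()))
    return tuple(values)

def enable_keepalive(sock, idle_s, intvl_s, probes):
    """Enable keep-alive on one socket and override the kernel defaults (Linux)."""
    sock.setsockopt(socket.SOL_SOCKET, socket.SO_KEEPALIVE, 1)
    opts = (socket.TCP_KEEPIDLE, socket.TCP_KEEPINTVL, socket.TCP_KEEPCNT)
    for opt, value in zip(opts, (idle_s, intvl_s, probes)):
        sock.setsockopt(socket.IPPROTO_TCP, opt, value)
    # Read the values back so the caller can confirm what the kernel accepted.
    return tuple(sock.getsockopt(socket.IPPROTO_TCP, opt) for opt in opts)

if __name__ == "__main__":
    FIREWALL_IDLE_S = 3600  # constructed value; use the real firewall setting
    try:
        current = read_kernel_defaults()
    except OSError:
        current = (7200, 75, 9)  # stock Linux defaults, used if /proc is absent
    print("kernel:", current, keepalive_check(FIREWALL_IDLE_S, *current))
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        tuned = enable_keepalive(s, 600, 30, 4)  # constructed tuning
        print("socket:", tuned, keepalive_check(FIREWALL_IDLE_S, *tuned))
```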