Source-IP on server status packets
Stefan Düring
duering at zib.de
Mon Aug 9 14:57:43 CEST 2021
We have 2 identical radius servers (FreeRADIUS 3.0.21)
On the same servers radsecproxies are running. (radsecproxy 1.8.2)
The servers have 2 IP addresses (1 as secondary which should be used for
radius and radsecproxy).
After freeradius restart everything works fine.
Freeradius sends server status packets to the internal radsecproxy and
to external radius servers (eduroam)
with the correct source (secondary ip address).
It works for a long time but suddenly one of these freeradius sends the
server status packets with
a wrong source ip (primary) to the internal radsecproxy.
Radsecproxy ignores these packets of course.
We followed the instructions in FAQ ("Is there a way to bind FreeRADIUS
to a specific IP address?")
Any ideas how to trace / correct this?
thanks
Stefan
Here are the configuration details:
### Server Network Config
$ ip address
...
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    link/ether 00:50:56:82:9b:a3 brd ff:ff:ff:ff:ff:ff
    inet 10.173.120.23/23 brd 10.173.121.255 scope global eth0
       valid_lft forever preferred_lft forever
    inet 10.173.120.11/23 brd 10.173.121.255 scope global secondary eth0
       valid_lft forever preferred_lft forever
### site default
server default {
listen {
type = auth
ipaddr = 10.173.120.11
port = 1812
...
}
### proxy.conf
home_server RadSecProxy {
type = auth
ipaddr = 10.173.120.11
port = 11812
status_check = status-server
check_interval = 30
check_timeout = 4
num_answers_to_alive = 3
...
}
### RadSecProxy Log
...
# successful server status from/to corresponding radius
Aug 9 08:28:19 2021: replyh: got status server response from tld2.eduroam.de
Aug 9 08:28:22 2021: replyh: got status server response from tld1.eduroam.de
Aug 9 08:28:22 2021: Access-Accept (response to Status-Server) from _self_ to tld1.eduroam.de (193.174.75.134)
Aug 9 08:28:22 2021: Access-Accept (response to Status-Server) from _self_ to tld3.eduroam.de (194.95.245.98)
Aug 9 08:28:30 2021: Access-Accept (response to Status-Server) from _self_ to tld2.eduroam.de (193.174.75.138)
# successful server status from/to local radsecproxy
Aug 9 08:28:37 2021: replyh: got status server response from radius-local
# suddenly wrong source ip in server status packet freeradius-to-radsecproxy
Aug 9 08:28:47 2021: radudpget: got packet from wrong or unknown UDP peer 10.173.120.23, ignoring
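
Added example, not part of the original post and not code from FreeRADIUS or radsecproxy: one way to trace when the wrong-source packets begin, by summarising the "wrong or unknown UDP peer" records in a radsecproxy log and marking peers that are the host's own other addresses. The names unwrap and rejected_peers, the sample log and the peer 192.0.2.50 are constructed for illustration; the record format is taken from the log excerpt above.

```python
import re
from ipaddress import ip_address

# Constructed sample in the format of the radsecproxy log quoted in the post;
# the second record is wrapped and 192.0.2.50 is a made-up foreign peer.
SAMPLE_LOG = """\
Aug 9 08:28:37 2021: replyh: got status server response from radius-local
Aug 9 08:28:47 2021: radudpget: got packet from wrong or unknown UDP
peer 10.173.120.23, ignoring
Aug 9 08:29:17 2021: radudpget: got packet from wrong or unknown UDP peer 10.173.120.23, ignoring
Aug 9 08:29:20 2021: radudpget: got packet from wrong or unknown UDP peer 192.0.2.50, ignoring
"""

TS = r"\w{3}\s+\d{1,2} \d\d:\d\d:\d\d \d{4}"
RECORD_START = re.compile(rf"^{TS}: ")
WRONG_PEER = re.compile(
    rf"^(?P<ts>{TS}): radudpget: got packet from wrong or unknown UDP peer "
    r"(?P<peer>[0-9A-Fa-f.:]+), ignoring")

def unwrap(text):
    """Join continuation lines (no leading timestamp) onto the previous record."""
    records = []
    for line in (l.strip() for l in text.splitlines()):
        if not line:
            continue
        if RECORD_START.match(line) or line.startswith("#") or not records:
            records.append(line)
        else:
            records[-1] += " " + line
    return records

def rejected_peers(log_text, own_addrs, expected_src):
    """Summarise rejected UDP peers: count, first/last seen, own host or foreign."""
    own = {ip_address(a) for a in own_addrs} - {ip_address(expected_src)}
    report = {}
    for record in unwrap(log_text):
        m = WRONG_PEER.match(record)
        if not m:
            continue
        entry = report.setdefault(m["peer"], {
            "count": 0, "first": m["ts"],
            "kind": "own-host" if ip_address(m["peer"]) in own else "foreign"})
        entry["count"] += 1
        entry["last"] = m["ts"]
    return report

if __name__ == "__main__":
    # Addresses from the `ip address` output in the post; .11 is the intended source.
    hits = rejected_peers(SAMPLE_LOG, ["10.173.120.23", "10.173.120.11"], "10.173.120.11")
    for peer, e in hits.items():
        print(f"{peer}: {e['count']}x, {e['first']} .. {e['last']} ({e['kind']})")
```

The first timestamp of an own-host entry marks when the source address changed, which narrows the window to compare against the FreeRADIUS and system logs.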