COA server times out
Mark Antony
mark.antony.4 at protonmail.com
Tue May 11 09:58:06 CEST 2021
Hello,
I have set up freeradius to disconnect the NAS when certain conditions are met.
However, the COA server can't be reached or doesn't react, so the requests get duplicated and sent over and over again until it times out.
(3) Received Accounting-Request Id 220 from 127.0.0.1:36559 to 127.0.0.1:1813 length 158
(3) User-Name = "mark"
(3) NAS-IP-Address = 127.0.0.1
(3) NAS-Port = 1
(3) Service-Type = Outbound-User
(3) Framed-Protocol = PPP
(3) Framed-IP-Address = 10.8.0.2
(3) Calling-Station-Id = "89.32.xxx.xxx"
(3) NAS-Identifier = "OpenVpn"
(3) Acct-Status-Type = Interim-Update
(3) Acct-Input-Octets = 103730
(3) Acct-Output-Octets = 356871
(3) Acct-Session-Id = "A7E4B3803D0E4A87C8CC76B5C0E1910B"
(3) Acct-Session-Time = 20
(3) Acct-Input-Gigawords = 0
(3) Acct-Output-Gigawords = 0
(3) NAS-Port-Type = Virtual
(3) # Executing section preacct from file /etc/freeradius/3.0/sites-enabled/default
(3) preacct {
(3) update control {
(3) EXPAND %l
(3)--> 1620718410
(3) &Current-Timestamp := 1620718410
(3) } # update control = noop
(3) update request {
rlm_sql (sql): Reserved connection (0)
rlm_sql (sql): Released connection (0)
Need 2 more connections to reach 10 spares
rlm_sql (sql): Opening additional connection (8), 1 of 24 pending slots used
rlm_sql_mysql: Starting connect to MySQL server
rlm_sql_mysql: Connected to database 'radius_db' on 3.64.143.170 via TCP/IP, server version 8.0.24, protocol version 10
(3) EXPAND %{User-Name}
(3)--> mark
(3) SQL-User-Name set to 'mark'
rlm_sql (sql): Reserved connection (5)
(3) Executing select query: SELECT COALESCE((SELECT UNIX_TIMESTAMP(expires_at) FROM master_db.device d WHERE d.id='mark'), 0)
rlm_sql (sql): Released connection (5)
(3) EXPAND %{sql:SELECT COALESCE((SELECT UNIX_TIMESTAMP(expires_at) FROM master_db.device d WHERE d.id='%{User-Name}'), 0)}
(3)--> 1589143717
(3) &Expires-Timestamp := 1589143717
rlm_sql (sql): Reserved connection (1)
rlm_sql (sql): Released connection (1)
(3) EXPAND %{User-Name}
(3)--> mark
(3) SQL-User-Name set to 'mark'
rlm_sql (sql): Reserved connection (7)
(3) Executing select query: SELECT COALESCE(MAX(is_banned), 0) as banned FROM master_db.device d WHERE d.id = 'mark'
rlm_sql (sql): Released connection (7)
(3) EXPAND %{sql:SELECT COALESCE(MAX(is_banned), 0) as banned FROM master_db.device d WHERE d.id = '%{User-Name}'}
(3)--> 0
(3) &Banned := 0
(3) } # update request = noop
(3) if (&request:Banned == 1) {
(3) if (&request:Banned == 1)-> FALSE
(3) if (&control:Current-Timestamp > &request:Expires-Timestamp) {
(3) if (&control:Current-Timestamp > &request:Expires-Timestamp)-> TRUE
(3) if (&control:Current-Timestamp > &request:Expires-Timestamp){
(3) update disconnect {
(3) EXPAND %{User-Name}
(3)--> mark
(3) &User-Name = mark
(3) } # update disconnect = noop
(3) } # if (&control:Current-Timestamp > &request:Expires-Timestamp)= noop
(3) [preprocess] = ok
(3) policy acct_unique {
(3) update request {
(3) &Tmp-String-9 := "ai:"
(3) } # update request = noop
(3) if (("%{hex:&Class}" =~ /^%{hex:&Tmp-String-9}/) && ("%{string:&Class}" =~ /^ai:([0-9a-f]{32})/i)) {
(3) EXPAND %{hex:&Class}
(3)-->
(3) EXPAND ^%{hex:&Tmp-String-9}
(3)--> ^61693a
(3) if (("%{hex:&Class}" =~ /^%{hex:&Tmp-String-9}/) && ("%{string:&Class}" =~ /^ai:([0-9a-f]{32})/i))-> FALSE
(3) else {
(3) update request {
(3) EXPAND %{md5:%{User-Name},%{Acct-Session-ID},%{%{NAS-IPv6-Address}:-%{NAS-IP-Address}},%{NAS-Identifier},%{NAS-Port-ID},%{NAS-Port}}
(3)--> 47a7883f04b4faeba08349f153a68b6b
(3) &Acct-Unique-Session-Id := 47a7883f04b4faeba08349f153a68b6b
(3) } # update request = noop
(3) } # else = noop
(3) } # policy acct_unique = noop
(3) suffix: Checking for suffix after "@"
(3) suffix: No '@' in User-Name = "mark", looking up realm NULL
(3) suffix: No such realm "NULL"
(3) [suffix] = noop
(3) } # preacct = ok
(3) # Executing section accounting from file /etc/freeradius/3.0/sites-enabled/default
(3) accounting {
(3) detail: EXPAND /var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/detail-%Y%m%d
(3) detail:--> /var/log/freeradius/radacct/127.0.0.1/detail-20210511
(3) detail: /var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/detail-%Y%m%d expands to /var/log/freeradius/radacct/127.0.0.1/detail-20210511
(3) detail: EXPAND %t
(3) detail:--> Tue May 11 07:33:30 2021
(3) [detail] = ok
(3) [unix] = noop
(3) sql: EXPAND %{tolower:type.%{%{Acct-Status-Type}:-%{Request-Processing-Stage}}.query}
(3) sql:--> type.interim-update.query
(3) sql: Using query template 'query'
rlm_sql (sql): Reserved connection (6)
(3) sql: EXPAND %{User-Name}
(3) sql:--> mark
(3) sql: SQL-User-Name set to 'mark'
(3) sql: EXPAND UPDATE radacct SET acctupdatetime= (@acctupdatetime_old:=acctupdatetime), acctupdatetime= FROM_UNIXTIME(%{%{integer:Event-Timestamp}:-%l}), acctinterval= %{%{integer:Event-Timestamp}:-%l} - UNIX_TIMESTAMP(@acctupdatetime_old), framedipaddress = '%{Framed-IP-Address}', framedipv6address = '%{Framed-IPv6-Address}', framedipv6prefix = '%{Framed-IPv6-Prefix}', framedinterfaceid = '%{Framed-Interface-Id}', delegatedipv6prefix = '%{Delegated-IPv6-Prefix}', acctsessiontime = %{%{Acct-Session-Time}:-NULL}, acctinputoctets = '%{%{Acct-Input-Gigawords}:-0}' << 32 | '%{%{Acct-Input-Octets}:-0}', acctoutputoctets = '%{%{Acct-Output-Gigawords}:-0}' << 32 | '%{%{Acct-Output-Octets}:-0}' WHERE AcctUniqueId = '%{Acct-Unique-Session-Id}'
(3) sql:--> UPDATE radacct SET acctupdatetime= (@acctupdatetime_old:=acctupdatetime), acctupdatetime= FROM_UNIXTIME(1620718410), acctinterval= 1620718410 - UNIX_TIMESTAMP(@acctupdatetime_old), framedipaddress = '10.8.0.2', framedipv6address = '', framedipv6prefix = '', framedinterfaceid = '', delegatedipv6prefix = '', acctsessiontime = 20, acctinputoctets = '0' << 32 | '103730', acctoutputoctets = '0' << 32 | '356871' WHERE AcctUniqueId = '47a7883f04b4faeba08349f153a68b6b'
(3) sql: Executing query: UPDATE radacct SET acctupdatetime= (@acctupdatetime_old:=acctupdatetime), acctupdatetime= FROM_UNIXTIME(1620718410), acctinterval= 1620718410 - UNIX_TIMESTAMP(@acctupdatetime_old), framedipaddress = '10.8.0.2', framedipv6address = '', framedipv6prefix = '', framedinterfaceid = '', delegatedipv6prefix = '', acctsessiontime = 20, acctinputoctets = '0' << 32 | '103730', acctoutputoctets = '0' << 32 | '356871' WHERE AcctUniqueId = '47a7883f04b4faeba08349f153a68b6b'
rlm_sql_mysql: Rows matched: 1Changed: 1Warnings: 1
(3) sql: SQL query returned: success
(3) sql: 1 record(s) updated
rlm_sql (sql): Released connection (6)
(3) [sql] = ok
(3) [exec] = noop
(3) attr_filter.accounting_response: EXPAND %{User-Name}
(3) attr_filter.accounting_response:--> mark
(3) attr_filter.accounting_response: Matched entry DEFAULT at line 12
(3) [attr_filter.accounting_response] = updated
(3) } # accounting = updated
(3) Sent Disconnect-Request Id 155 from 0.0.0.0:57659 to 127.0.0.1:3799 length 28
(3) User-Name = "mark"
(3) Sent Accounting-Response Id 220 from 127.0.0.1:1813 to 127.0.0.1:36559 length 0
(3) Finished request
(3) Cleaning up request packet ID 220 with timestamp +44
Waking up in 2.3 seconds.
(3) Sending duplicate CoA request to home server 127.0.0.1 port 3799 - ID: 155
Waking up in 4.5 seconds.
(5) Sending duplicate CoA request to home server 127.0.0.1 port 3799 - ID: 211
Waking up in 0.3 seconds.
(6) Sending duplicate CoA request to home server 127.0.0.1 port 3799 - ID: 79
Waking up in 3.5 seconds.
...
(4) ERROR: Failing request - originate-coa ID 83, due to lack of any response from coa server 127.0.0.1 port 3799 within 30 seconds
This is the coa section defined in /etc/freeradius/3.0/proxy.conf:
home_server my-coa {
    type = coa
    ipaddr = 127.0.0.1
    port = 3799
    secret = coa123
    coa {
        irt = 2
        mrt = 16
        mrc = 5
        mrd = 30
    }
}
Do I also have to set it in /etc/freeradius/3.0/clients.conf:
client localhost {
    ...
    coa_server = my-coa
}
Is there anything else I need to do to set up the COA server?
My NAS is OpenVPN and I'm using openvpn-auth-radius plugin from Debian:
https://packages.debian.org/buster/openvpn-auth-radius
/etc/openvpn/radiusplugin.cnf:
NAS-Identifier=OpenVpn
Service-Type=5
Framed-Protocol=1
NAS-Port-Type=5
NAS-IP-Address=127.0.0.1
OpenVPNConfig=/etc/openvpn/server.conf
subnet=255.255.255.0
overwriteccfiles=true
server
{
    authport=1812
    name=127.0.0.1
    retry=1
    wait=1
    sharedsecret=${CLIENT_SECRET}
}
Thanks
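
An added example, not part of the original post and not FreeRADIUS code: it reads the irt/mrt/mrc/mrd values from the home_server block quoted above and computes the nominal retransmission schedule, which shows why an unanswered Disconnect-Request is reported as failed at 30 seconds. It assumes the RFC 5080 section 2.2.1 backoff with jitter set to zero and that mrc counts transmissions including the first; the function names are hypothetical.

```python
import re

# home_server block as posted above (secret line omitted, it plays no part in timing).
PROXY_CONF = """
home_server my-coa {
    type = coa
    ipaddr = 127.0.0.1
    port = 3799
    coa {
        irt = 2
        mrt = 16
        mrc = 5
        mrd = 30
    }
}
"""

def coa_timers(conf):
    """Extract irt/mrt/mrc/mrd as integers from a home_server block."""
    found = dict(re.findall(r"^\s*(irt|mrt|mrc|mrd)\s*=\s*(\d+)", conf, re.M))
    return {k: int(found[k]) for k in ("irt", "mrt", "mrc", "mrd")}

def retransmit_schedule(irt, mrt, mrc, mrd, rand=0.0):
    """RFC 5080 2.2.1 backoff. rand is the jitter factor in [-0.1, 0.1]
    (0.0 = nominal schedule). A limit of 0 disables that limit.
    Returns (retransmit_times, fail_time, limit_that_ended_the_exchange)."""
    now, sent, times = 0.0, 1, []          # first transmission at t=0
    rt = irt + rand * irt
    while True:
        expiry = now + rt
        if mrd and expiry >= mrd:          # total duration exhausted first
            return times, float(mrd), "mrd"
        if mrc and sent >= mrc:            # assumption: mrc counts transmissions
            return times, expiry, "mrc"
        now = expiry
        times.append(now)                  # a duplicate goes out here
        sent += 1
        rt = 2 * rt + rand * rt            # double the interval each round
        if mrt and rt > mrt:               # ...capped at mrt
            rt = mrt + rand * mrt

if __name__ == "__main__":
    times, fail_at, limit = retransmit_schedule(**coa_timers(PROXY_CONF))
    print(f"duplicates at {times} s, failed at {fail_at} s (limit: {limit})")
```

With the posted values the duration limit (mrd) ends the exchange before the count limit (mrc) is reached, so raising mrc alone would not change when the request is failed.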