Difference between Received conflicting packet and Ignoring duplicate packet

Alan DeKok aland at deployingradius.com
Thu Nov 3 14:23:49 UTC 2022 

On Nov 3, 2022, at 1:56 PM, norbert.kunth at now-it.de wrote:
> we recently updated from 2.1.1 to 3.0.25 (we use still 3.0.25 because it 
> is build in our SLES distribution).

  That's good.

> Freeradius uses LDAP to check users. If many users login at a time we see 
> some error messages.
> 
> To track this down we installed an internal test system that can send a 
> lot of requests to the radius server (with radtest).
> 
> We do see some problems, but the messages (and the behavior) are not the 
> same.
> 
> If we fire 60 requests in a short time from the test system to the 
> servers, the server loggs:
> Thu Nov  3 13:35:11 2022 : Error: (159) Ignoring duplicate packet from 
> client test port 46673 - ID: 65 due to unfinished request in component 
> <core> module <queue>

  That's bad.

  This message means that something is blocking the server.   Seeing as the server can do 20K packets/s in a default configuration, the problem is something on your local system.

  i.e. slow database, network, etc.

> This seems not very bad: every user is still accepted via LDAP
> 
> But in real the message is different:
> Thu Nov  3 00:59:25 2022 : Error: Received conflicting packet from client 
> nas port 40634 - ID: 90 due to unfinished request in module ldap.  Giving 
> up on old request.
> Thu Nov  3 00:59:25 2022 : WARNING: (338542) WARNING: Module rlm_ldap 
> became unblocked
> Thu Nov  3 00:59:25 2022 : Auth: (338542) Invalid user: [user024] (from 
> client nas port 0)

  Fix your database so that it replies 

> We think, we have a timing issue with our LDAP. But why is the log message 
> so different?

  It's the difference between the NAS retrying the same packet (duplicate), or giving up on that packet, and sending a new one for a different user (conflicting).

  But the error message is irrelevant.  The problem is that your database is completely broken.  There is simply no reason for your database to *block* for 5-30 seconds at a time.

  This is a *disaster*.  No amount of poking FreeRADIUS will fix this.

   Alan DeKok.

More information about the Freeradius-Users mailing list