No auth requests through TLS tunnel if connection was checked

nabble at felix.world nabble at felix.world
Wed Dec 18 11:34:20 UTC 2024


Hi there, 

We’ve some productive instances which experience the same issue but only after a certain time. 
Therefore I’m currently not able to reproduce it reliably but it’s visible that the Recv-Q is getting bigger and bigger. 

root at radius-d6674b64-xt6x4:/# netstat -ap 
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name    
tcp        9      0 0.0.0.0:2083            0.0.0.0:*               LISTEN      1/radiusd           
tcp       85      0 radius-d6674b64-xt:2083 10-244-25-182.tra:35878 CLOSE_WAIT  1/radiusd           
tcp       85      0 radius-d6674b64-xt:2083 10-244-25-182.tra:39682 CLOSE_WAIT  1/radiusd           
tcp   236288      0 radius-d6674b64-xt:2083 10-244-25-182.tra:37974 ESTABLISHED 1/radiusd           
tcp      442      0 radius-d6674b64-xt:2083 10-244-25-182.tra:40226 CLOSE_WAIT  1/radiusd           
tcp      298      0 radius-d6674b64-xt:2083 10-244-25-182.tra:39460 CLOSE_WAIT  -                   
tcp      326      0 radius-d6674b64-xt:2083 10-244-25-182.tra:33402 CLOSE_WAIT  -                   
tcp     6404      0 radius-d6674b64-xt:2083 10-244-25-182.tra:33096 CLOSE_WAIT  1/radiusd           
tcp       85      0 radius-d6674b64-xt:2083 10-244-25-182.tra:51816 CLOSE_WAIT  1/radiusd           
tcp       85      0 radius-d6674b64-xt:2083 10-244-25-182.tra:39432 CLOSE_WAIT  1/radiusd           
tcp       85      0 radius-d6674b64-xt:2083 10-244-25-182.tra:59936 CLOSE_WAIT  1/radiusd           
tcp       85      0 radius-d6674b64-xt:2083 10-244-25-182.tra:58720 CLOSE_WAIT  1/radiusd           
tcp      199      0 radius-d6674b64-xt:2083 10-244-25-182.tra:33400 CLOSE_WAIT  -                   
tcp      326      0 radius-d6674b64-xt:2083 10-244-25-182.tra:59178 CLOSE_WAIT  -                   
tcp     8023      0 radius-d6674b64-xt:2083 10-244-25-182.tra:51882 CLOSE_WAIT  1/radiusd           
tcp       85      0 radius-d6674b64-xt:2083 10-244-25-182.tra:57698 CLOSE_WAIT  1/radiusd           
tcp     6765      0 radius-d6674b64-xt:2083 10-244-25-182.tra:37272 CLOSE_WAIT  1/radiusd           
tcp   258034      0 radius-d6674b64-xt:2083 10-244-25-182.tra:55148 ESTABLISHED 1/radiusd           
tcp      247      0 radius-d6674b64-xt:2083 10-244-25-182.tra:58998 CLOSE_WAIT  -                   
tcp       85      0 radius-d6674b64-xt:2083 10-244-25-182.tra:49494 CLOSE_WAIT  1/radiusd           
tcp        1      0 radius-d6674b64-x:38118 20.50.2.37:http         CLOSE_WAIT  1/radiusd           
tcp     5736      0 radius-d6674b64-xt:2083 10-244-25-182.tra:39550 CLOSE_WAIT  1/radiusd           
tcp      326      0 radius-d6674b64-xt:2083 10-244-25-182.tra:57830 CLOSE_WAIT  -                   
tcp    19335      0 radius-d6674b64-xt:2083 10-244-25-182.tra:57654 CLOSE_WAIT  1/radiusd           
tcp      994      0 radius-d6674b64-xt:2083 10-244-25-182.tra:35026 CLOSE_WAIT  1/radiusd           
tcp       85      0 radius-d6674b64-xt:2083 10-244-25-182.tra:47572 CLOSE_WAIT  1/radiusd           
tcp      326      0 radius-d6674b64-xt:2083 10-244-25-182.tra:49282 CLOSE_WAIT  -                   
tcp      326      0 radius-d6674b64-xt:2083 10-244-25-182.tra:59172 CLOSE_WAIT  -                   
tcp       85      0 radius-d6674b64-xt:2083 10-244-25-182.tra:35852 CLOSE_WAIT  1/radiusd           
udp        0      0 localhost:18120         0.0.0.0:*                           1/radiusd           
Active UNIX domain sockets (servers and established)
Proto RefCnt Flags       Type       State         I-Node   PID/Program name     Path
unix  3      [ ]         STREAM     CONNECTED     498007517 1/radiusd            
unix  3      [ ]         STREAM     CONNECTED     498007516 1/radiusd   


I know it's cheeky to ask this without a reproducible test, but the last time there was an obvious error, so I wanted to ask if you could look at it? 
I fully understand if not. 

—
Lineconnect 

> On 12. Apr 2024, at 18:05, Alan DeKok <aland at deployingradius.com> wrote:
> 
>  Thanks.  I've pushed the patch, and another one-line fix which stops that error.
> 
>> On Apr 12, 2024, at 11:36 AM, nabble at felix.world wrote:
>> 
>> That worked! 
>> Now the requests are coming through. Thanks! 
>> 
>> One thing to mention is that every time the radsec client connects, there is one new error.
>> 
>> 
>> Thread 4 got semaphore
>> Thread 4 handling request 0, (1 handled so far)
>> (0) (TLS) Checking connection to see if it is authorized.
>> (0) # Executing group from file /usr/local/etc/raddb/sites-enabled/default
>> (0)   Autz-Type New-TLS-Connection {
>> (0)     [ok] = ok
>> (0)   } # Autz-Type New-TLS-Connection = ok
>> (0) (TLS) Connection is authorized
>> (0) ERROR: Failed signing packet: ERROR: RADIUS packets must be assigned an Id
>> (0) Sent Access-Accept Id 4294967295 from 0.0.0.0:2083 to 192.168.215.1:32993 length 20
>> (0) Finished request
>> Thread 4 waiting to be assigned a request
>> Waking up in 0.2 seconds.
>> Waking up in 4.6 seconds.
>> 
>> - 
>> Lineconnect 
>> 
>> -
>> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

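Added example, not part of the original post or of FreeRADIUS: a shell/awk summary of the netstat columns the report above points at (Recv-Q, CLOSE_WAIT, entries without a PID/Program name) for one listening port. The function names, the 65536-byte threshold and the output field names are assumptions; the sample lines are copied from the netstat output in the message.

```shell
#!/bin/sh
# Added example (not from the original post): summarise one listening port
# from `netstat -an` / `netstat -ap` output read on stdin.
# Columns: Proto Recv-Q Send-Q Local Foreign State [PID/Program]

# summarize_port PORT THRESHOLD_BYTES   (hypothetical helper name)
summarize_port() {
    awk -v port="$1" -v thresh="$2" '
        $1 !~ /^tcp/ || $4 !~ (":" port "$") { next }
        # For a LISTEN socket, Linux reports the pending accept queue in Recv-Q.
        $6 == "LISTEN"      { listen_q = $2; next }
        # Peer has closed, local side has not: count them and their unread bytes.
        $6 == "CLOSE_WAIT"  { cw++; unread += $2; if ($7 == "-") no_owner++; next }
        # Still open, but the application is not draining the socket.
        $6 == "ESTABLISHED" && $2 + 0 > thresh + 0 { stalled++ }
        END {
            printf "listen_queue=%d close_wait=%d no_owner=%d unread_bytes=%d stalled_established=%d\n",
                   listen_q, cw, no_owner, unread, stalled
        }'
}

# Sample input: six lines copied from the netstat output in the message.
sample_netstat() {
    cat <<'EOF'
tcp        9      0 0.0.0.0:2083            0.0.0.0:*               LISTEN      1/radiusd
tcp       85      0 radius-d6674b64-xt:2083 10-244-25-182.tra:35878 CLOSE_WAIT  1/radiusd
tcp   236288      0 radius-d6674b64-xt:2083 10-244-25-182.tra:37974 ESTABLISHED 1/radiusd
tcp      298      0 radius-d6674b64-xt:2083 10-244-25-182.tra:39460 CLOSE_WAIT  -
tcp        1      0 radius-d6674b64-x:38118 20.50.2.37:http         CLOSE_WAIT  1/radiusd
udp        0      0 localhost:18120         0.0.0.0:*                           1/radiusd
EOF
}

# Port 2083 is the RadSec listener in the report; 65536 is an assumed threshold.
sample_netstat | summarize_port 2083 65536
```

Run periodically against live `netstat -ant` output, rising `close_wait` and `unread_bytes` values give a trend that can be attached to a report when the problem cannot be reproduced on demand.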