aws-nlb “status” virtual-server ⇒ “Failed inserting TCP socket into parent list / max_connections (16)”
Pavels Veretennikovs
pavels.veretennikovs at devops.care
Sat May 17 17:38:25 UTC 2025
Hello list,
WHAT / WHY
----------
I am running FreeRADIUS 3.2.7 (official docker image) behind an AWS Network
Load Balancer. The NLB performs a TCP health-check against the "status"
virtual-server on port 8000 every 10 seconds. After ±16 probes the
server starts logging:
Failed inserting TCP socket into parent list.
Ignoring new connection due to client max_connections (16)
Health checks continue to be successful (because they are just TCP, I
assume).
SET-UP
------
Can be reproduced with the following Dockerfile:
FROM freeradius/freeradius-server:3.2.7
RUN cp /etc/freeradius/sites-available/aws-nlb /etc/freeradius/sites-enabled/aws-nlb
RUN sed -i 's/192\.0\.2\.1/*/' /etc/freeradius/sites-enabled/aws-nlb
EXPOSE 8000/tcp
CMD ["-f", "-X"]
The only change is a wildcard IP on the healthcheck server. All other
configuration is untouched vanilla 3.2.7.
DEBUG LOGS
------
… [initialisation omitted – identical to stock container, including last
2 probes output] …
20:23:49+03:00 Ready to process requests
20:23:50+03:00 ... new connection request on TCP socket
20:23:50+03:00 Failed inserting TCP socket into parent list.    <--- THIS ONE
20:23:50+03:00 Listening on status from client (10.88.0.20, 41252) -> (*, 8000, virtual-server=aws-nlb)
20:23:50+03:00 Waking up in 0.8 seconds.
20:23:50+03:00 Client has closed connection
20:23:50+03:00 ... shutting down socket status from client (10.88.0.20, 41252) -> (*, 8000, virtual-server=aws-nlb)
20:23:50+03:00 Ready to process requests
20:23:51+03:00 ... new connection request on TCP socket
20:23:51+03:00 Failed inserting TCP socket into parent list.
20:23:51+03:00 Listening on status from client (10.88.0.20, 41254) -> (*, 8000, virtual-server=aws-nlb)
20:23:51+03:00 Waking up in 0.7 seconds.
20:23:51+03:00 Client has closed connection
20:23:51+03:00 ... shutting down socket status from client (10.88.0.20, 41254) -> (*, 8000, virtual-server=aws-nlb)
20:23:51+03:00 Ready to process requests
20:23:52+03:00 ... new connection request on TCP socket
20:23:52+03:00 Ignoring new connection due to client max_connections (16)    <--- AND THIS ONE
20:23:52+03:00 Ready to process requests
20:23:53+03:00 ... new connection request on TCP socket
20:23:53+03:00 Ignoring new connection due to client max_connections (16)
20:23:53+03:00 Ready to process requests
QUESTIONS
---------
How harmful is this? Am I doing something wrong? Can this be fixed?
Thanks in advance for any insight. Happy to provide an untrimmed
**radiusd -X** log or additional details if required.
Best regards,
— Pavels
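
An added example, not part of the original post and not FreeRADIUS code: a Python tally of the `radiusd -X` messages quoted above, showing how many probes were accepted, shut down, or refused and when refusals began. The sample lines are constructed from the messages in the post (unwrapped), and the function name and regexes are assumptions.

```python
import re
from collections import Counter

# Constructed sample, modelled on the debug lines quoted in the post.
SAMPLE = """\
20:23:50+03:00 ... new connection request on TCP socket
20:23:50+03:00 Failed inserting TCP socket into parent list.
20:23:50+03:00 Listening on status from client (10.88.0.20, 41252) -> (*, 8000, virtual-server=aws-nlb)
20:23:50+03:00 Client has closed connection
20:23:50+03:00 ... shutting down socket status from client (10.88.0.20, 41252) -> (*, 8000, virtual-server=aws-nlb)
20:23:52+03:00 ... new connection request on TCP socket
20:23:52+03:00 Ignoring new connection due to client max_connections (16)
20:23:53+03:00 ... new connection request on TCP socket
20:23:53+03:00 Ignoring new connection due to client max_connections (16)
"""

TS = r"(?P<ts>\d{2}:\d{2}:\d{2}[+-]\d{2}:\d{2}) "
CLIENT = r"client \((?P<ip>[^,]+), (?P<port>\d+)\)"
PATTERNS = {
    "requests": re.compile(TS + r"\.\.\. new connection request on TCP socket"),
    "insert_failed": re.compile(TS + r"Failed inserting TCP socket into parent list"),
    "accepted": re.compile(TS + r"Listening on status from " + CLIENT),
    "shutdown": re.compile(TS + r"\.\.\. shutting down socket status from " + CLIENT),
    "refused": re.compile(TS + r"Ignoring new connection due to client "
                               r"max_connections \((?P<limit>\d+)\)"),
}

def summarize(log_text):
    """Count connection events and track sockets accepted but never shut down."""
    counts, still_open = Counter(), set()
    limit = first_refused = None
    for line in log_text.splitlines():
        for name, rx in PATTERNS.items():
            m = rx.match(line)
            if not m:
                continue
            counts[name] += 1
            if name == "accepted":
                still_open.add((m["ip"], m["port"]))
            elif name == "shutdown":
                still_open.discard((m["ip"], m["port"]))
            elif name == "refused":
                limit = int(m["limit"])
                first_refused = first_refused or m["ts"]
            break
    return {**{k: counts[k] for k in PATTERNS}, "still_open": len(still_open),
            "limit": limit, "first_refused": first_refused}

if __name__ == "__main__":
    print(summarize(SAMPLE))
```

Run against a full debug log, a non-zero `refused` count alongside `still_open` of 0 reflects what the quoted excerpt shows: each accepted socket is logged as shut down, yet new connections are refused at the limit.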