[RADIATOR] Unexpected behavior with UseStatusServerForFailureDetect in AuthBy LOADBALANCE

Heikki Vatiainen hvn at open.com.au
Fri May 10 08:55:22 CDT 2013 

On 05/10/2013 02:33 AM, Todor Genov wrote:

> I have found an issue where the "Retries" clause is ignored when using UseStatusServerForFailureDetect with "AuthBy LOADBALANCE".

Hello Todor,

We have recently received reports about Status-Server probing and there
appears to be some issues that require a further look from us.

However, before doing anything else, please check the reference manual
for 'FailureBackoffTime' and especially this note:

   Caution: with most types of load balancing modules, the
   default of 0 will mean endless retransmission of each
   request until a reply is received.

Since you have not specified FailureBackoffTime it defaults to 0 and
might be the cause of the problem you see.

Thanks,
Heikki

> In a scenario where a downstream proxy becomes unresponsive requests enter a re-transmit loop until the next Status-Server keepalive detects the host has failed and only then requests are ignored.
> 
> To replicate use the following config:
> 
> <Realm DEFAULT>
>     <AuthBy LOADBALANCE>
>         Retries 3
> 	RetryTimeout 1
>         UseStatusServerForFailureDetect
> 	KeealiveTimeout 300
> 	NoreplyTimeout 1
>         <Host localhost>
>             AuthPort 1822
>             AcctPort 1823
>         </Host>
>     </AuthBy>
> </Realm>
> 
> A single Access-Request is re-transmitted 300 ( KeepaliveTimeout/RetryTimeout ) times instead of 3. Once the request is eventually ignored the following can be seen in the logs: 
> 
> Fri May 10 01:19:33 2013: INFO: AuthRADIUS : Could not find a working host to forward a (76) after 301 seconds. Ignoring
> Fri May 10 01:19:33 2013: INFO: AuthRADIUS : No reply after 301 seconds and 3 retransmissions to 127.0.0.1:1822 for a (227)
> 
> When using the same config with "AuthBy RADIUS" the behavior is as expected and the request is re-transmitted only three times then ignored:
> 
> Fri May 10 01:08:41 2013: INFO: AuthRADIUS : Could not find a working host to forward a (1) after 4 seconds. Ignoring
> Fri May 10 01:08:41 2013: INFO: AuthRADIUS : No reply after 4 seconds and 3 retransmissions to 127.0.0.1:1822 for a (129)
> 
> Thanks.
> 
> --
> todor
> _______________________________________________
> radiator mailing list
> radiator at open.com.au
> http://www.open.com.au/mailman/listinfo/radiator
> 


-- 
Heikki Vatiainen <hvn at open.com.au>

Radiator: the most portable, flexible and configurable RADIUS server
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS,
TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP,
DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS,
NetWare etc.

More information about the radiator mailing list