[RADIATOR] Problems with radiator to radsecproxy TLS connections

Hartmaier Alexander alexander.hartmaier at t-systems.at
Tue Mar 25 04:26:25 CDT 2014


Hi Elmar,

On 2014-03-24 17:10, Elmar Dreher wrote:
> Hello all,
>
> I am system administrator for eduroam at the University of Konstanz.
> We are using Radiator and radsecproxy:
> 1. Radiator is hosted in an Application Zone
> 2. Radsecproxy is hosted in a DMZ and connected to the DFN for eduroam purposes
> 3. OS on both environments is Ubuntu 12.04
>
> The setup is the following:
> 1. All connections (between Radiator and radsecproxy) are implemented using TLS
> 2. On Radiator the RADSEC implementation is used to realize TLS connections from and to radsecproxy
> 3. Radiator and radsecproxy are redundant (2 Radiators and 2 radsecproxies) and are connected redundantly
>
>
> Now the problem:
> Sometimes it happens that the connection between radsecproxy <-> Radiator is broken (experience has shown after 5 to 6 weeks):
> In case of an eduroam login attempt, radsecproxy or Radiator logs that the remote peer isn't available.
> Looking at the network connections with netstat -tapen, everything looks ok.
>
> Does everybody have the same experience with this architecture, or does anyone have an idea or hint what could be the problem or how to solve it (we already have a weekly reboot of all radsecproxy and Radiator services and everything works fine)?
Maybe a stateful firewall is dropping the tcp connection from its
connection table because of inactivity longer than its tcp idle timeout?
You should enable tcp keepalives in the linux kernel and lower its
values so it kicks in before the firewall removes the idle tcp
connection from its connection tracking table.

See http://tldp.org/HOWTO/TCP-Keepalive-HOWTO/usingkeepalive.html
>
>  Many greetings from Konstanz, Elmar Dreher

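The keepalive tuning suggested in the reply, worked through as an added example (not code from the list post or from Radiator/radsecproxy). It uses the real Linux sysctls net.ipv4.tcp_keepalive_time, tcp_keepalive_intvl and tcp_keepalive_probes, and assumes a firewall idle timeout of 3600 s and the RadSec port 2083 purely as illustrative values; the kernel settings only take effect on sockets whose application sets SO_KEEPALIVE, which the ss check at the end lets you confirm.

```shell
#!/bin/sh
# Added example: check whether Linux TCP keepalive fires before a stateful
# firewall forgets an idle TCP connection, and produce the sysctl lines to apply.

# keepalive_first_probe TIME -> idle seconds before the first keepalive probe
keepalive_first_probe() { echo "$1"; }

# keepalive_dead_after TIME INTVL PROBES -> seconds of silence until the kernel
# declares the peer dead (first probe, then PROBES probes INTVL seconds apart)
keepalive_dead_after() { echo $(( $1 + $2 * $3 )); }

# keepalive_beats_firewall TIME INTVL PROBES FW_IDLE -> "ok" if a probe is sent
# before the firewall's idle timeout (so the conntrack entry stays fresh),
# otherwise "too-slow"
keepalive_beats_firewall() {
    if [ "$1" -lt "$4" ]; then echo ok; else echo too-slow; fi
}

# read_keepalive -> current kernel values as "time intvl probes" (Linux only)
read_keepalive() {
    d=/proc/sys/net/ipv4
    if [ -r "$d/tcp_keepalive_time" ]; then
        echo "$(cat "$d/tcp_keepalive_time") $(cat "$d/tcp_keepalive_intvl") $(cat "$d/tcp_keepalive_probes")"
    fi
}

# sysctl_lines TIME INTVL PROBES -> drop-in content for a file under /etc/sysctl.d/
sysctl_lines() {
    printf 'net.ipv4.tcp_keepalive_time = %s\nnet.ipv4.tcp_keepalive_intvl = %s\nnet.ipv4.tcp_keepalive_probes = %s\n' "$1" "$2" "$3"
}

# sockets_without_keepalive PORT -> established TCP sockets on PORT that show no
# keepalive timer in `ss -o`, i.e. the daemon never set SO_KEEPALIVE on them
sockets_without_keepalive() {
    ss -tno state established "( sport = :$1 or dport = :$1 )" | grep -v 'timer:(keepalive' || true
}

# Worked comparison: kernel defaults (7200 s / 75 s / 9) versus lowered values,
# against an assumed firewall idle timeout of 3600 s
for v in "7200 75 9" "600 60 5"; do
    set -- $v
    printf 'time=%s intvl=%s probes=%s: first probe at %ss, dead after %ss, firewall 3600s: %s\n' \
        "$1" "$2" "$3" "$(keepalive_first_probe "$1")" \
        "$(keepalive_dead_after "$1" "$2" "$3")" "$(keepalive_beats_firewall "$1" "$2" "$3" 3600)"
done
kernel=$(read_keepalive); [ -n "$kernel" ] && echo "current kernel values: $kernel"
sysctl_lines 600 60 5
```

With the defaults the first probe goes out after two hours, so a firewall with a one-hour idle timeout has long since dropped the flow; with 600/60/5 the probe arrives well inside the window and a dead peer is detected after 15 minutes instead of being noticed only on the next login.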