<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
</head>
<body style="word-wrap: break-word; -webkit-nbsp-mode: space; line-break: after-white-space;" class="">
Hi Hugh-
<div class=""><br class="">
</div>
<div class="">I’m running an older version, 4.7 but did look at the code for AuthByLOADBALANCE and it does not seem to have changed in the latest version. If there’s been some other changes in the retry behavior in AuthByRADIUS we’ll schedule the update and
see what happens. A very cursory look at the code seems that the underlying logic is the same, AuthByRADIUS depends on chooseHost() to return no host available and as long as it supplies one then the request will keep retrying. The one exception is that if
all target hosts have been marked as down then the AuthByLOADBALANCE chooseHost() logs "ProxyAlgorithm LOADBALANCE Could not find a working host to proxy to” and the request stops retrying.</div>
<div class=""><br class="">
</div>
<div class="">Regards-</div>
<div class=""><br class="">
</div>
<div class="">
<div class=""><span class="Apple-style-span" style="border-collapse: separate; font-family: Helvetica; font-variant-ligatures: normal; font-variant-position: normal; font-variant-caps: normal; font-variant-numeric: normal; font-variant-alternates: normal; font-variant-east-asian: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: 2; text-align: -webkit-auto; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px; border-spacing: 0px; -webkit-text-decorations-in-effect: none; -webkit-text-stroke-width: 0px;">
<div style="font-family: Calibri, sans-serif; font-size: 14px;" class=""><b style="font-size: 15px; text-align: -webkit-auto;" class=""><span style="font-size: 10pt; font-family: Arial, sans-serif;" class=""><span><span><span><span style="color: rgb(38, 38, 38);"><span><span><span><span>
<div style="color: rgb(0, 0, 0); font-weight: normal; font-family: Calibri, sans-serif; font-size: 14px; display: inline !important;" class="">
<span><span><span><img apple-inline="yes" id="F498D00A-39BB-4F06-AEEC-646E706E624C" src="cid:3BC7925D-9AA6-49B4-BE13-4C50B5984F63" class=""></span>
<div style="color: rgb(0, 0, 0); font-family: Calibri, sans-serif; font-size: 14px; font-style: normal; font-variant-caps: normal; font-weight: normal; letter-spacing: normal; orphans: 2; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px; -webkit-text-size-adjust: auto; -webkit-text-stroke-width: 0px;" class="">
<span class="Apple-style-span" style="font-size: 15px;"><b class=""><span style="font-size: 10pt; color: rgb(38, 38, 38); font-family: Arial, sans-serif;" class=""><br class="Apple-interchange-newline">
Frank Danielson |</span></b></span><span class="Apple-style-span" style="font-size: 15px;"><b class=""><span style="color: rgb(31, 73, 125); font-style: normal; font-size: 10pt; font-family: Arial, sans-serif;" class=""> </span><span style="font-size: 10pt; font-family: Arial, sans-serif;" class=""><font color="#31849b" class=""><i class="">S.V.P.
Engineering</i></font></span></b></span></div>
<span class="Apple-style-span" style="color: rgb(0, 0, 0); font-family: Calibri, sans-serif; font-size: 14px; font-style: normal; font-variant-caps: normal; font-weight: normal; letter-spacing: normal; orphans: 2; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px; -webkit-text-size-adjust: auto; -webkit-text-stroke-width: 0px;"><font class="Apple-style-span" color="#1f497d"><span class="Apple-style-span" style="border-collapse: separate; color: rgb(0, 0, 0); font-family: Helvetica; font-style: normal; font-variant-ligatures: normal; font-variant-position: normal; font-variant-caps: normal; font-variant-numeric: normal; font-variant-alternates: normal; font-variant-east-asian: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: 2; text-align: -webkit-auto; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px; border-spacing: 0px; -webkit-text-decorations-in-effect: none; -webkit-text-stroke-width: 0px;"><span class="Apple-style-span" style="font-family: Calibri, sans-serif; font-size: 14px;">
<div style="color: rgb(0, 0, 0); margin: 0in 0in 0.0001pt; font-size: 11pt; font-family: Calibri, sans-serif;" class="">
<span style="font-size: 10pt; font-family: Wingdings; color: rgb(64, 64, 64);" class="">*</span><span style="font-size: 7.5pt; color: rgb(89, 89, 89); font-family: 'MS Sans Serif';" class=""> </span><span style="text-decoration: underline; font-size: 7.5pt; color: blue; font-family: 'MS Sans Serif';" class=""><a href="applewebdata://B42CE82B-00AD-4466-A1C0-45CE1FB8AEBB/notifications@csky.com" style="color: blue; text-decoration: underline;" class="">fdanielson@csky.com</a></span></div>
</span></span></font></span></span></span></div>
</span></span></span></span></span></span></span></span></span></b></div>
</span></div>
<div><br class="">
<blockquote type="cite" class="">
<div class="">On Nov 4, 2020, at 4:46 PM, Hugh Irvine <<a href="mailto:hugh@open.com.au" class="">hugh@open.com.au</a>> wrote:</div>
<br class="Apple-interchange-newline">
<div class="">
<div class=""><br class="">
Hi Frank -<br class="">
<br class="">
What version of Radiator are you running currently?<br class="">
<br class="">
Hugh<br class="">
<br class="">
<br class="">
<blockquote type="cite" class="">On 5 Nov 2020, at 04:10, Frank Danielson <<a href="mailto:FDanielson@csky.com" class="">FDanielson@csky.com</a>> wrote:<br class="">
<br class="">
Good Day All-<br class="">
<br class="">
We’ve been running AuthByLOADBALANCE for some time now and have noticed that if there is a message that does not get a response from the downstream hosts that it will be retried infinitely. This not only keeps the message around forever but as it is tried and
failed, it increases the failure counts for the target hosts which makes them more likely to be marked unavailable and causes delivery problems with other requests.<br class="">
<br class="">
For example a malformed request may be sent by an upstream client and handled by AuthByLOADBALANCE where the target hosts simply do not respond to the proxied request because they don’t like it. The request will be retried on the current host for Retries times
by handle_timeout() after which the request is handed off to failed(), which tracks MaxFailedRequests for the host and marks it unavailable if applicable and then hands off the request to forward() which calls chooseHost() to find the next available host.
The stock chooseHost() in AuthByRADIUS tracks if the request has reach the end of the list or not but chooseHost() in AuthByLOADBALANCE will always return a host if one is available and it could even be the same host as the last try if MaxFailedRequests has
not been reached for that host. The end result is that the request will be retried forever and incrementing the failure count for downstream hosts, causing them to be marked unavailable.
<br class="">
<br class="">
After some looking at the code I think I could override failed() to track the number of unique hosts to which a request has been forwarded with something like
<br class="">
<br class="">
$fp->{retryHosts}->{$host}++<br class="">
<br class="">
and then add a couple of checks in chooseHost() that are similar to the to original one-<br class="">
<br class="">
if (@{$fp->{retryHosts}} < @{$self->{Hosts}}) <br class="">
{<br class="">
foreach $host (@{$self->{Hosts}})<br class="">
{<br class="">
next if ($fp->{retryHosts}->{$host})<br class="">
…<br class="">
<br class="">
The end result being that the request will be tried for each host in the list Retries times and then the next best candidate chosen by the volume algorithm until all hosts are tried and then the request fails. That may not be the optimal behavior but it beats
trying forever.<br class="">
<br class="">
Before doing that and bearing the burden of maintaining a custom AuthBy I figured I’d send it to the list and see if someone else has already solved this problem or if Open Systems would be willing to revisit the AuthByLOADBALANCE logic. Perhaps changing the
interpretation of Retries to mean the total number of times a request is retried instead of a per host number in order to have a finite lifetime on a request? In that case chooseHost() could be called for each retry in handle_timeout() to increase the chances
of success.<br class="">
<br class="">
Regards-<br class="">
<br class="">
<image002.png><br class="">
<br class="">
Frank Danielson | S.V.P. Engineering<br class="">
* <a href="mailto:fdanielson@csky.com" class="">fdanielson@csky.com</a><br class="">
<br class="">
_______________________________________________<br class="">
radiator mailing list<br class="">
<a href="mailto:radiator@lists.open.com.au" class="">radiator@lists.open.com.au</a><br class="">
https://lists.open.com.au/mailman/listinfo/radiator<br class="">
</blockquote>
<br class="">
<br class="">
--<br class="">
<br class="">
Hugh Irvine<br class="">
<a href="mailto:hugh@open.com.au" class="">hugh@open.com.au</a><br class="">
<br class="">
Radiator: the most portable, flexible and configurable RADIUS server <br class="">
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald, <br class="">
Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS, <br class="">
TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP,<br class="">
DIAMETER, SIM, etc. <br class="">
Full source on Unix, Linux, Windows, macOS, Solaris, VMS, NetWare etc.<br class="">
<br class="">
</div>
</div>
</blockquote>
</div>
<br class="">
</div>
</body>
</html>