Alan DeKok wrote:
>> I believe all the proxy does, in effect, is forward packets. I don't
>> think it has a notion of stateful conversations for UDP. I'll have to
>> check on this.
>
> Exactly. It forwards a RADIUS request, and when it receives the
> reply, where the heck does the reply go?
It's a Sidewinder unit; the RADIUS request goes out via UDP through the Sidewinder, which does some port mapping but keeps the source IP address intact, and forwards the packet on to the RADIUS server, on port 1645, which duly replies, sending its information back across the firewall. All is well unless that RADIUS server is unavailable, times out, or has some other issue that renders it incapable of responding.

In that case, another request is issued to a secondary server. This request goes out from the same source IP port, across the Sidewinder (which does its NAT thing), and eventually ends up at port 1645 on the secondary RADIUS server, where it apparently fails to verify at least in some cases. In any event, the secondary sends a response back across the Sidewinder, which appears not to verify correctly back on the server that posed the initial query. That server issues an ICMP udp port unreachable message which the firewall doesn't forward.

--
Richard L. Goerwitz III
Email: [EMAIL PROTECTED]
Phone: +1 507 646 5526
Fax: +1 507 646 4537
PGP key fingerprint: 4471 B6D3 57CC B2DC A0CF 82D3 0B7D EA19 F425 B0E0
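For readers following the "fails to verify" part of the failover above: a RADIUS client accepts a reply only if its Response Authenticator (RFC 2865: MD5 over Code, ID, Length, the original Request Authenticator, the attributes and the shared secret) recomputes correctly with the secret of whichever home server the client attributes the reply to. The following is an added example, not code from this thread or from FreeRADIUS; the two secrets and the packet values are constructed.

```python
import hashlib
import os
import struct

# Constructed shared secrets for the two home servers (illustrative values).
SECRETS = {"primary": b"primary-secret", "secondary": b"secondary-secret"}


def build_reply(code, ident, request_authenticator, secret, attrs=b""):
    """Build a RADIUS reply whose Response Authenticator is
    MD5(Code + ID + Length + RequestAuth + Attributes + Secret) (RFC 2865)."""
    length = 20 + len(attrs)
    header = struct.pack("!BBH", code, ident, length)
    resp_auth = hashlib.md5(header + request_authenticator + attrs + secret).digest()
    return header + resp_auth + attrs


def reply_verifies(reply, request_authenticator, secret):
    """Recompute the Response Authenticator with the secret of the server the
    reply is attributed to; a mismatch is what makes a client discard it."""
    header, resp_auth, attrs = reply[:4], reply[4:20], reply[20:]
    expected = hashlib.md5(header + request_authenticator + attrs + secret).digest()
    return resp_auth == expected


def failover_scenario():
    """The same request (same ID and Request Authenticator) is retried to the
    secondary, which answers with its own secret. The reply is then checked
    as if it came from the secondary (correct) and from the primary (wrong)."""
    ident = 7
    req_auth = os.urandom(16)  # random Request Authenticator of the retried request
    # Access-Accept (Code 2) built by the secondary with the secondary's secret.
    reply = build_reply(2, ident, req_auth, SECRETS["secondary"])
    return {
        "checked_as_secondary": reply_verifies(reply, req_auth, SECRETS["secondary"]),
        "checked_as_primary": reply_verifies(reply, req_auth, SECRETS["primary"]),
    }


if __name__ == "__main__":
    print(failover_scenario())
```

A client that matches the reply to the wrong home server entry (for instance because the address or port it sees on the return path does not match what it expects) will run the check with the wrong secret and drop the packet as if it were bogus.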