On Fri, 11 Jul 2003 01:21 pm, randy wrote:
> * randy <[EMAIL PROTECTED]> [2003-07-09 20:22]:
> > since after starting radiusd the connections to my oracle cluster
> > get established ok and work for 2:30 minutes, is there a way to
> > "force" freeradius to close those connections and open them again
> > after, say, 2 minutes? this way at least i wouldn't have to kill
> > radiusd every 2 minutes...
>
> it looks like i have tracked down the problem: i have set up a
> completely identical redhat 7.3 box with freeradius-snapshot-20030702
> with rlm_sql_oracle, which is connecting to the same oracle rac
> cluster but from a different network segment. so the only difference
> is that the connections between radius and oracle are going over a
> different firewall.
>
> this new radius hasn't had any difficulties since i started it up
> about 24 hours ago. so this has got to be a network/firewall problem.

Sounds like you have a problem with a stateful firewall timing out 
connections it shouldn't. Fix the firewall.

> still i think that freeradius should be able to figure out when the
> connections to oracle have died. to me it looks like it doesn't even
> notice that the connections are gone, and keeps waiting for a response
> from oracle.

They aren't "gone" as such. It sounds like your FW is dropping all packets 
rather than rejecting/closing the connection. This is a difficult situation 
to deal with as it doesn't happen in a normal network situation.
If the FW were to reject the packets, freeradius WOULD close and reopen the 
connection.

Solution: Fix the firewall. Either increase its stateful connection timeouts 
or turn off stateful inspection for those connections (i.e. add an explicit 
allow rule).

> is there a way i can tell freeradius to completely shut down the
> oracle connections and re-establish them after n seconds of no
> response? none of the settings i can configure in oraclesql.conf
> changed anything. all i can do is kill radiusd, and once it comes back
> up, the connections are re-established fine. shouldn't this be possible
> without totally killing radiusd?

Patches are welcome. The problem is that the firewall is breaking RFC by 
dropping packets, so the TCP/IP stack on your server is retrying etc. 
FreeRADIUS doesn't know the connection has gone away, rather it thinks that 
it's VERY slow. It is possible to detect but requires some extra code in the 
server... In any case you would not want to close a connection quicker than 
say 30 secs as you might just have a slow TCP connection. This will still 
cause you problems... Fix the firewall...

Cheers

-- 

Peter Nixon
http://www.peternixon.net/
PGP Key: http://www.peternixon.net/public.asc
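
Added example, not part of the original message and not FreeRADIUS code: on Linux, TCP keepalive plus `TCP_USER_TIMEOUT` lets the kernel report a silently dropped connection instead of retrying for minutes. The 150-second firewall idle timeout and 30-second minimum are taken from the thread; the `ka_*` names are hypothetical, and the sketch assumes the application owns the socket, which is not the case when the Oracle client library opens it.

```c
#include <stdio.h>
#include <unistd.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <netinet/tcp.h>

struct ka_plan { int idle, intvl, cnt; unsigned int user_timeout_ms; };

/* fw_idle_s: firewall idle timeout; min_dead_s: shortest silence that may be
 * treated as a dead peer. Both are operator-supplied assumptions. */
int ka_plan_for(int fw_idle_s, int min_dead_s, struct ka_plan *p)
{
    if (fw_idle_s < 4 || min_dead_s < 1) return -1;
    p->cnt = 3;
    p->intvl = (min_dead_s + p->cnt - 1) / p->cnt; /* cnt * intvl >= min_dead_s */
    p->idle = fw_idle_s / 2;  /* first probe leaves before the state entry expires */
    p->user_timeout_ms = (unsigned int)(p->intvl * p->cnt) * 1000u;
    return 0;
}

/* Approximate upper bound, in seconds, from last traffic to a reported error. */
int ka_worst_case_s(const struct ka_plan *p) { return p->idle + p->intvl * p->cnt; }

int ka_apply(int fd, const struct ka_plan *p)
{
    int on = 1;
    /* TCP_USER_TIMEOUT also bounds how long sent data may stay unacknowledged,
     * the "very slow" case where a request is already in flight. */
    if (setsockopt(fd, SOL_SOCKET, SO_KEEPALIVE, &on, sizeof on) ||
        setsockopt(fd, IPPROTO_TCP, TCP_KEEPIDLE, &p->idle, sizeof p->idle) ||
        setsockopt(fd, IPPROTO_TCP, TCP_KEEPINTVL, &p->intvl, sizeof p->intvl) ||
        setsockopt(fd, IPPROTO_TCP, TCP_KEEPCNT, &p->cnt, sizeof p->cnt) ||
        setsockopt(fd, IPPROTO_TCP, TCP_USER_TIMEOUT, &p->user_timeout_ms,
                   sizeof p->user_timeout_ms))
        return -1;
    return 0;
}

int ka_get(int fd, int opt)  /* read a TCP-level option back, -1 on error */
{ int v = -1; socklen_t n = sizeof v; return getsockopt(fd, IPPROTO_TCP, opt, &v, &n) ? -1 : v; }

int main(void)
{
    struct ka_plan p;
    int fd = socket(AF_INET, SOCK_STREAM, 0);
    if (fd < 0 || ka_plan_for(150, 30, &p) || ka_apply(fd, &p)) return 1;
    printf("idle=%d intvl=%d cnt=%d worst=%ds\n", p.idle, p.intvl, p.cnt, ka_worst_case_s(&p));
    close(fd);
    return 0;
}
```

Probes that cross the firewall before its idle timer expires normally refresh the state entry as well, so the same settings address both the timeout and its detection.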

