Hi all,

We are experiencing some unexpected behaviour of freeradius on our Solaris 9 platform. 
We use two V240 dual processor SPARC machines, LDAP back-end, flat file accounting. I 
have heavily indexed the directory and it seems lightning fast, slapd is running at 
0.2% most of the time, yet radiusd chews 95+% of CPU0 and I have to re-nice the 
process to get a workable shell! This is on both machines. As I understand it we can't 
spread the load across both CPUs?

I don't believe that the problem is caused by the number of lookups as it was running 
at fairly low loads (with 10k subs) until we recently added another couple of thousand 
(who match in the users file instead of dropping through to the LDAP). Our users file 
has about 130 DEFAULT matches (total) as follows:

DEFAULT         Suffix == "@subdomain.provider.com", NAS-IP-Address == 10.0.0.1, Auth-Type := Accept
                Service-Type = Framed,
                Framed-Protocol = PPP,
                ERX-Virtual-Router-Name = PROVIDER1,
                Tunnel-Type = L2TP,
                Tunnel-Medium-Type = IP,
                ERX-Tunnel-Password = xxxxxx,
                Tunnel-Client-Endpoint = 172.X.X.X,
                Tunnel-Server-Endpoint = 172.X.X.Y,
                Tunnel-Assignment-Id = xxxx,
                Tunnel-Client-Auth-Id = blahblah,
                Tunnel-Server-Auth-Id = blehbleh

DEFAULT         Suffix == "@subdomain.provider.com", NAS-IP-Address == 10.0.0.2, Autz-Type := WholesaleLDAP, Auth-Type := Accept
                Service-Type = Framed,
                Framed-Protocol = PPP,
                ERX-Virtual-Router-Name = PROVIDER1,
                Tunnel-Type = L2TP,
                Tunnel-Medium-Type = IP,
                ERX-Tunnel-Password = xxxxxx,
                Tunnel-Client-Endpoint = 172.X.X.X,
                Tunnel-Server-Endpoint = 172.X.X.Y,
                Tunnel-Assignment-Id = xxxxx,
                Tunnel-Client-Auth-Id = blahblah,
                Tunnel-Server-Auth-Id = blehbleh

We get a lot of "Unresponsive child" and "Dropping conflicting packet" errors in our 
radius log, as well as the max number of threads hitting its ceiling (128). 
Suggestions for a reasonable figure for this for our hardware platform would be 
helpful to know. It seems to hit its roof at around 250. I'm not sure whether better 
performance would be gained from allowing it to peak or to keep it low.


The lookups we're doing don't seem particularly CPU intensive... in the one case we're 
matching domain suffix and NAS-IP-Address and building a tunnel, in the other the same 
but doing a quick lookup in addition. From what I've read so far, matches like this 
should be extremely quick to perform, even with a big users file. I'd like to turn to 
my LDAP as the source of the problem but I really don't believe it's at fault.

Any and all help gratefully received.

Cheers,

Jamie Stungo


-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
