On Tue, 5 Oct 2004, Stungo, Jamie wrote:

> Hi all,
>
> We are experiencing some unexpected behaviour of freeradius on our Solaris 9
> platform. We use two V240 dual processor SPARC machines, LDAP back-end, flat
> file accounting. I have heavily indexed the directory and it seems lightning
> fast, slapd is running at 0.2% most of the time, yet radiusd chews 95+% of
> CPU0 and I have to re-nice the process to get a workable shell! This is on
> both machines. As I understand it we can't spread the load across both CPUs?

Freeradius is multithreaded, so the load should be spread across both CPUs. What
type is the CPU usage, kernel/user/io?

>
> I don't believe that the problem is caused by the number of lookups as it was
> running at fairly low loads (with 10k subs) until we recently added another
> couple of thousand (who match in the users file instead of dropping through to
> the LDAP).

I really don't understand this paragraph. What do you mean by subs? Couple
thousand of what? Match in the users file?

> Our users file has about 130 DEFAULT matches (total) as follows:

That's plenty of DEFAULT entries. Remember that for each request the server
might try matching 130 entries. Make sure you have the best matching entries
first. Though I would not bet my money on that being the root cause.

>
> DEFAULT Suffix == "@subdomain.provider.com", NAS-IP-Address == 10.0.0.1,
> Auth-Type := Accept
>         Service-Type = Framed,
>         Framed-Protocol = PPP,
>         ERX-Virtual-Router-Name = PROVIDER1,
>         Tunnel-Type = L2TP,
>         Tunnel-Medium-Type = IP,
>         ERX-Tunnel-Password = xxxxxx,
>         Tunnel-Client-Endpoint = 172.X.X.X,
>         Tunnel-Server-Endpoint = 172.X.X.Y,
>         Tunnel-Assignment-Id = xxxx,
>         Tunnel-Client-Auth-Id = blahblah,
>         Tunnel-Server-Auth-Id = blehbleh
>
> DEFAULT Suffix == "@subdomain.provider.com", NAS-IP-Address == 10.0.0.2,
> Autz-Type := WholesaleLDAP, Auth-Type := Accept
>         Service-Type = Framed,
>         Framed-Protocol = PPP,
>         ERX-Virtual-Router-Name = PROVIDER1,
>         Tunnel-Type = L2TP,
>         Tunnel-Medium-Type = IP,
>         ERX-Tunnel-Password = xxxxxx,
>         Tunnel-Client-Endpoint = 172.X.X.X,
>         Tunnel-Server-Endpoint = 172.X.X.Y,
>         Tunnel-Assignment-Id = xxxxx,
>         Tunnel-Client-Auth-Id = blahblah,
>         Tunnel-Server-Auth-Id = blehbleh
>
> We get a lot of "Unresponsive child" and "Dropping conflicting packet" errors
> in our radius log, as well as the max number of threads hitting its ceiling
> (128). Suggestions for a reasonable figure for this for our hardware platform
> would be helpful to know. It seems to hit its roof at around 250. I'm not sure
> whether better performance would be gained from allowing it to peak or to keep
> it low.

Could you post your authorize, authenticate, session and accounting sections? Do
you check for double logins?

>
>
> The lookups we're doing don't seem particularly CPU intensive... in the one
> case we're matching domain suffix and NAS-IP-Address and building a tunnel, in
> the other the same but doing a quick lookup in addition. From what I've read

What quick lookup? Lookup on where? ldap?

> so far, matches like this should be extremely quick to perform, even with a
> big users file. I'd like to turn to my LDAP as the source of the problem but I
> really don't believe it's at fault.
>
> Any and all help gratefully received.
>
> Cheers,
>
> Jamie Stungo
>
>
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
>

--
Kostas Kalevras         Network Operations Center
[EMAIL PROTECTED]       National Technical University of Athens, Greece
Work Phone:             +30 210 7721861
'Go back to the shadow' Gandalf
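
The reply's point about putting the best matching entries first, as an added example that is not part of the original thread: a Python sketch that counts how many DEFAULT entries are tested per request. It assumes a simplified first-match model (no Fall-Through, only `==` check items, Suffix compared against the end of User-Name); the sample users file, requests and function names are constructed for illustration.

```python
import re

# Constructed sample in the shape of the users file quoted above (values made up).
USERS = '''
DEFAULT Suffix == "@a.example", NAS-IP-Address == 10.0.0.1, Auth-Type := Accept
        Service-Type = Framed

DEFAULT Suffix == "@b.example", NAS-IP-Address == 10.0.0.2, Auth-Type := Accept
        Service-Type = Framed

DEFAULT Suffix == "@c.example", NAS-IP-Address == 10.0.0.2, Auth-Type := Accept
        Service-Type = Framed
'''

# Constructed traffic mix: most requests hit the entry that is last in the file.
REQUESTS = ([{"User-Name": "u@a.example", "NAS-IP-Address": "10.0.0.1"}]
            + [{"User-Name": "u@b.example", "NAS-IP-Address": "10.0.0.2"}]
            + [{"User-Name": "u@c.example", "NAS-IP-Address": "10.0.0.2"}] * 4)

def parse_defaults(text):
    """Return the '==' check items of each DEFAULT entry, in file order."""
    return [dict(re.findall(r'([\w-]+)\s*==\s*"?([^",\s]+)"?', line))
            for line in text.splitlines() if line.startswith("DEFAULT")]

def matches(checks, request):
    """Assumed model: Suffix tests the end of User-Name, other items compare exactly."""
    for attr, want in checks.items():
        if attr == "Suffix":
            if not request.get("User-Name", "").endswith(want):
                return False
        elif request.get(attr) != want:
            return False
    return True

def entries_tested(entries, request):
    """Entries examined before the first match (all of them if none matches)."""
    for position, checks in enumerate(entries, 1):
        if matches(checks, request):
            return position
    return len(entries)

def average_cost(entries, requests):
    """Mean number of DEFAULT entries tested per request."""
    return sum(entries_tested(entries, r) for r in requests) / len(requests)

if __name__ == "__main__":
    in_file_order = parse_defaults(USERS)
    busiest_first = [in_file_order[2], in_file_order[0], in_file_order[1]]
    print("file order:   ", average_cost(in_file_order, REQUESTS))
    print("busiest first:", average_cost(busiest_first, REQUESTS))
```

Reordering like this is only safe when the entries cannot match the same request, as in this constructed sample.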