Ana,

The notes in the proxy.conf file describe how proxying works when you do not receive a response from a home server.

    #
    #  If the home server doesn't respond to the request within
    #  this time, this server will consider the request dead, and
    #  respond to the NAS with an Access-Reject.
    #
    #  If NO responses are received to any requests sent within this
    #  time period, the home server will be marked "zombie", as below.
    #
    #  Useful range of values: 5 to 60
    response_window = 20

    #
    #  If the home server does not respond to ANY packets for
    #  a certain time, consider it dead.  This time period is
    #  called the "zombie" period, because the server is neither
    #  alive nor dead.
    #
    #  If "status_check" below is something other than "none", then
    #  the server will start sending status checks at the start of
    #  the zombie period.  It will continue sending status checks
    #  until the home server is marked "alive".
    #
    #  Useful range of values: 20 to 120
    zombie_period = 40

When a home server does not respond to an Access-Request, the proxy process has failed and the default behavior is to reject the user's Access-Request. The proxy server marks the home server as a zombie and after another 40 seconds has passed, the proxy server marks the home server as dead. Once a server is marked dead, the proxy server will not send requests to that server. Access-Requests that are sent to the proxy server after the home server is marked dead will skip the dead home server and fail over to the next home server.

Since an Access-Reject is sent to the NAS, the NAS will deny the user/device access. This will happen to all users/devices that try to authenticate when the proxy server was marked alive but it is actually dead. You can lessen the impact of a dead server by using type=load-balance instead of fail-over for the home server pool.

In 2.1.6 the server can be configured to not respond when it does not receive a response from a home server.
This will cause the NAS to retry the request multiple times, which will eventually cause the proxy server to send the request to the alive home server. Let me know if you want to try this and I can send an example configuration.

Tim

From: freeradius-users-bounces+tim.sylvester=networkradius....@lists.freeradius.org [mailto:freeradius-users-bounces+tim.sylvester=networkradius....@lists.freeradius.org] On Behalf Of Ana Gallardo
Sent: Wednesday, June 24, 2009 11:40 PM
To: freeradius-users@lists.freeradius.org
Subject: response_window and zombie_period problem

Hello,

first of all, sorry for my English.

I'm testing FreeRADIUS 2.0.4+dfsg-6 in Debian. I want to configure proxy like this (proxy.conf):

    # radiusxx authentication
    home_server radiusxx_auth {
        type = auth
        ipaddr = 1.2.3.4
        port = 1812
        secret = secret
        response_window = 50
        zombie_period = 20
        status_check = request
        username = "user"
        password = "pass"
        check_interval = 30
        num_answers_to_alive = 3
    }

    # radiusxx accounting
    home_server radiusxx_acct {
        type = acct
        ipaddr = 1.2.3.4
        port = 1813
        secret = secret
        response_window = 50
        zombie_period = 20
        status_check = request
        username = "user"
        password = "pass"
        check_interval = 30
        num_answers_to_alive = 3
    }

    # radiusyy authentication
    home_server radiusyy_auth {
        type = auth
        ipaddr = 1.2.3.5
        port = 1812
        secret = secret
        response_window = 50
        zombie_period = 20
        status_check = request
        username = "user"
        password = "pass"
        check_interval = 30
        num_answers_to_alive = 3
    }

    # radiusyy accounting
    home_server radiusyy_acct {
        type = acct
        ipaddr = 1.2.3.5
        port = 1813
        secret = secret
        response_window = 50
        zombie_period = 20
        status_check = request
        username = "user"
        password = "pass"
        check_interval = 30
        num_answers_to_alive = 3
    }

    # authentication pool
    home_server_pool my_auth {
        type = fail-over
        home_server = radiusxx_auth
        home_server = radiusyy_auth
    }

    # accounting pool
    home_server_pool my_acct {
        type = fail-over
        home_server = radiusxx_acct
        home_server = radiusyy_acct
    }

    realm myrealm.my {
        auth_pool = my_auth
        acct_pool = my_acct
        # nostrip
    }

My problem is when I'm going to test failover: I stop FreeRADIUS on the xx server and I send an authentication request.

    Sending Access-Request of id 143 to 1.2.3.4 port 1812
        User-Name = "mmmm"
        User-Password = "111"
        Calling-Station-Id = "00:11:22:33:44:55"
        NAS-IP-Address = 1.2.2.2
        Proxy-State = 0x3238
    Proxying request 0 to home server 1.2.3.4 port 1812
    Sending Access-Request of id 143 to 1.2.3.4 port 1812
        User-Name = "mmmm"
        User-Password = "111"
        Calling-Station-Id = "00:11:22:33:44:55"
        NAS-IP-Address = 1.2.2.2
        Proxy-State = 0x3238
    Going to the next request
    Waking up in 0.9 seconds.
    Waking up in 28.9 seconds.
    rad_recv: Access-Request packet from host 1.2.2.2 port 39710, id=28, length=75
    Sending duplicate proxied request to home server 1.2.3.4 port 1812 - ID: 143
    Sending Access-Request of id 143 to 1.2.3.4 port 1812
        User-Name = "mmmm"
        User-Password = "111"
        Calling-Station-Id = "00:11:22:33:44:55"
        NAS-IP-Address = 1.2.2.2
        Proxy-State = 0x3238
    Waking up in 26.9 seconds.
    rad_recv: Access-Request packet from host 1.2.2.2 port 39710, id=28, length=75
    Sending duplicate proxied request to home server 1.2.3.4 port 1812 - ID: 143
    Sending Access-Request of id 143 to 1.2.3.4 port 1812
        User-Name = "mmmm"
        User-Password = "111"
        Calling-Station-Id = "00:11:22:33:44:55"
        NAS-IP-Address = 1.2.2.2
        Proxy-State = 0x3238
    Waking up in 23.9 seconds.
    . . .
    WARNING: Marking home server 1.2.3.4 port 1812 as zombie (it looks like it is dead).

After 30 seconds I always get an accept_reject the first time. But if my zombie_period = 20, shouldn't it mark radiusxx as zombie after 20 seconds and proxy my request to radiusyy? My response_window = 50 and FreeRADIUS must wait 50 seconds before considering the request dead.

Then, when I send another authentication request:

    Sending Access-Request of id 129 to 1.2.3.4 port 1812
        User-Name = "mmmm"
        User-Password = "111"
        Calling-Station-Id = "00:11:22:33:44:55"
        NAS-IP-Address = 1.2.2.2
        Proxy-State = 0x31
    Proxying request 1 to home server 1.2.3.4 port 1812
    Sending Access-Request of id 129 to 1.2.3.4 port 1812
        User-Name = "mmmm"
        User-Password = "111"
        Calling-Station-Id = "00:11:22:33:44:55"
        NAS-IP-Address = 1.2.2.2
        Proxy-State = 0x31
    Going to the next request
    Waking up in 0.9 seconds.
    Waking up in 28.9 seconds.
    rad_recv: Access-Request packet from host 1.2.2.2 port 59850, id=1, length=75
    FAILURE: Marking home server 1.2.3.4 port 1812 as dead.
    Sending Access-Request of id 118 to 1.2.3.5 port 1812
        User-Name = "mmmm"
        User-Password = "111"
        Calling-Station-Id = "00:11:22:33:44:55"
        NAS-IP-Address = 1.2.2.2
        Proxy-State = 0x31
    Proxying request 1 to home server 1.2.3.5 port 1812
    Sending Access-Request of id 118 to 1.2.3.5 port 1812
        User-Name = "mmmm"
        User-Password = "111"
        Calling-Station-Id = "00:11:22:33:44:55"
        NAS-IP-Address = 1.2.2.2
        Proxy-State = 0x31
    Waking up in 26.9 seconds.
    rad_recv: Access-Accept packet from host 1.2.3.5 port 1812, id=118, length=23
        Proxy-State = 0x31

I don't know why FreeRADIUS doesn't send me an Access-Accept when I send the first request, after marking radiusxx (zombie_period = 20) as zombie and proxying the request to radiusyy.

Thank you and sorry for my English.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
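
Added example (not part of the original thread and not FreeRADIUS code): a simplified timeline model of the fail-over rules as Tim's reply states them, showing which requests are rejected before the stopped home server is finally marked dead. It assumes no status checks and no NAS retransmissions; HomeServer, state_at, simulate and demo are hypothetical names, and the arrival times are constructed.

```python
# Added illustration: a simplified model of the rules in the reply above.
from dataclasses import dataclass
from typing import List, Optional, Tuple

@dataclass
class HomeServer:
    name: str
    up: bool                            # does it actually answer?
    first_sent: Optional[float] = None  # time of first unanswered request

def state_at(hs: HomeServer, t: float, response_window: float,
             zombie_period: float) -> str:
    """alive -> zombie -> dead, timed from the first unanswered request."""
    if hs.up or hs.first_sent is None:
        return "alive"
    zombie_at = hs.first_sent + response_window
    if t < zombie_at:
        return "alive"
    return "zombie" if t < zombie_at + zombie_period else "dead"

def simulate(pool: List[HomeServer], arrivals, response_window: float,
             zombie_period: float) -> List[Tuple[float, str, str, float]]:
    """Fail-over pool: each request goes to the first server not marked dead.
    Returns (arrival time, server used, reply to NAS, time of reply)."""
    out = []
    for t in sorted(arrivals):
        target = next((hs for hs in pool if state_at(
            hs, t, response_window, zombie_period) != "dead"), None)
        if target is None:              # every home server is marked dead
            out.append((t, "-", "Access-Reject", t))
        elif target.up:
            out.append((t, target.name, "Access-Accept", t))
        else:                           # no answer: rejected after the window
            if target.first_sent is None:
                target.first_sent = t
            out.append((t, target.name, "Access-Reject", t + response_window))
    return out

def demo(response_window=20, zombie_period=40, arrivals=(0, 10, 30, 65)):
    # Constructed scenario: radiusxx_auth stopped, radiusyy_auth running.
    # Default timers are the values shown in the proxy.conf notes.
    pool = [HomeServer("radiusxx_auth", up=False),
            HomeServer("radiusyy_auth", up=True)]
    return simulate(pool, arrivals, response_window, zombie_period)

if __name__ == "__main__":
    for row in demo():
        print(row)
```

In this model every request that arrives within response_window + zombie_period of the first unanswered one is still sent to the stopped server and rejected; only later requests reach the second server in the pool.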