Hello Yan,

On 2018-01-31 at 00:28, Yan wrote:
>
> Hi dear users,
>
> After a whole night's analysis, we found it's pf that takes too much
> time processing authentication requests if the QPS is too high and
> hangs all radius requests later and then Aruba AC meets the radius
> timeout setting and re-sends the same radius access request to pf
> while pf just sent out the first radius accept packet and then
> received the same request, it will respond accept for a second time
> and then delete the state id, but Aruba AC might have waited for
> another 5 seconds and sent a radius request for a third time, and this
> time pf finds no state id matching this session and just responds
> reject... And then more and more reject responses will cause users to
> re-connect wireless and the QPS is much more... It's a bad circle...
>
>
> We find pf has below bottlenecks at least to lead to the hang issue:
>
> 1.Mysql query is too slow.
>
Most of the time it's because you receive too many accounting packets
(try to disable it) or because there is too much IO.
>
> 2."curl" keeps calling httpd service and it's very slow.
>
Where do you see curl? FreeRADIUS uses the rest module to talk to the
webservice.
>
> 3."doperl" is too slow.
>
Not really, it depends on how you configured PacketFence. Let's say you
have an LDAP source but it takes 600ms to do a search, then the radius
answer will be slow.
>
> 4."ntlm_auth" process is too slow.
>
Because probably the AD is too slow to answer, btw you can use the NTLM
cache for that.
>
>
> 5.A device will try to connect again if radiusd crashes or restarted
> or meets its max requests
>

>
> But we don't find which configuration will solve this issue yet. Is
> there any suggestion on how to change configuration to handle this
> performance issue ? Or any basic directions on how to adjust the
> parameters to handle 200 QPS,500 QPS and 2000 QPS ?
>
>
We have setups that handle millions of requests per day without any
issues. Check the graphs like radius latency and also have a look at
http://mgmt_ip:9000 and try to find where it takes time.
Btw if you want us to check your setup, you can ask for support
with Inverse and it will be a pleasure to help you.
Regards
Fabrice

> Any response is appreciated. Thank you very very much.
>

-- 
Fabrice Durand
fdur...@inverse.ca ::  +1.514.447.4918 (x135) ::  www.inverse.ca
Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu) and PacketFence 
(http://packetfence.org) 

_______________________________________________
PacketFence-users mailing list
PacketFence-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/packetfence-users
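
The accept, accept, reject sequence described in the quoted report, as an added example that is not part of the original thread and is not PacketFence or FreeRADIUS code: a simplified model of a server with one-shot session state and a reply cache keyed on source, identifier and authenticator. The class, the `cache_ttl` parameter and the sample request are constructed for illustration.

```python
class AuthServer:
    """Toy RADIUS-like server: one-shot session state plus a reply cache."""

    def __init__(self, cache_ttl):
        self.cache_ttl = cache_ttl   # seconds a sent reply stays replayable
        self.states = set()          # outstanding State values (open sessions)
        self.replies = {}            # request key -> (reply, time first sent)

    def handle(self, src, ident, authenticator, state, now):
        # A retransmission repeats source, identifier and authenticator.
        key = (src, ident, authenticator)
        cached = self.replies.get(key)
        if cached and now - cached[1] <= self.cache_ttl:
            # Duplicate inside the cache window: resend, do not re-process.
            return cached[0], "replayed"
        if state in self.states:
            # The State value is consumed once the final reply is produced.
            self.states.discard(state)
            reply = "Access-Accept"
        else:
            # Late retransmission: the cache entry expired and the State
            # is gone, so the request looks like an unknown session.
            reply = "Access-Reject"
        self.replies[key] = (reply, now)
        return reply, "processed"


def replay(cache_ttl, arrivals):
    """Send the same (constructed) request at each arrival time."""
    srv = AuthServer(cache_ttl)
    srv.states.add("state-1")
    req = (("10.0.0.2", 40000), 17, b"\x01" * 16, "state-1")
    return [srv.handle(*req, now=t) for t in arrivals]


if __name__ == "__main__":
    # NAS retransmits every 5 seconds because replies arrive too late.
    for ttl in (6, 30):
        print(ttl, replay(ttl, [0, 5, 10]))
```

With a cache window shorter than the span of the retransmissions, the third copy is rejected; with a window that covers all retries, every copy gets the original accept.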
