[cisco-bba] trouble when a lot of users try and log on

Dean Smith dean at eatworms.org.uk
Mon Oct 6 09:17:02 EDT 2008


Radius has only a single byte unique identifier within the protocol. If your 
radius client (i.e. Cisco NAS) uses the same source port for all requests, 
then Source IP / Port + Dest IP / Port + Unique ID will only give you 256 
unique requests.

It's entirely possible with high (or even "some") churn you may have > 256 
outstanding requests and therefore "duplicates"... especially if you're 
authenticating the domain before the full user.

Try "radius-server source-ports extended"
http://www.cisco.com/en/US/docs/ios/12_3/security/command/reference/sec_p1g.html#wp1107199

Dean

----- Original Message ----- 
From: "Wayne Lee" <linkconnect at googlemail.com>
To: <cisco-bba at puck.nether.net>
Sent: Monday, October 06, 2008 1:07 PM
Subject: [cisco-bba] trouble when a lot of users try and log on


> Hi
>
> Whenever our L2TP provider has any problems and they drop our link and
> the 1500 or so L2TP / ADSL connections, we have trouble when they all
> try and log on again; so far the only way we have managed to get
> through this is to restart the radius daemon on rad 1 after 200 logins
> or so.
>
> We are running a 7206vxr (g1) with 1gig of mem, pre-clone is set for
> 1500 sessions and we get the below error in the radius logs on rad 2
>
> Error: Dropping duplicate authentication packet from client Cisco-LNS
>
> We are currently running an old version of ICradius (on both) but we
> are in the process of migrating to Freeradius; both radius servers are
> using a MySQL backend. We don't see any load on the sql DB or radius
> servers but the CPU is high on the router. Would this be a radius
> problem or a LNS problem?
>
> The setup looks like this
>
> Provider ------> Rad1 -----------> Provider --------> LNS ---------> Rad2
>
> Rad 1 allows all users and only sends back Tunnel Server endpoint IP
> Rad 2 does final auth and any other attributes like static IP and 
> accounting
>
>
> Thanks in advance for any help or pointers in debugging this.
>
> Wayne
> _______________________________________________
> cisco-bba mailing list
> cisco-bba at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-bba 
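The arithmetic in Dean's reply (one-octet Identifier, so 256 distinct requests per source/destination address-and-port tuple) can be checked with a small model. The following Python is an added example written for this archive page, not code from the thread, from Cisco, or from ICRADIUS/FreeRADIUS. It builds RFC 2865 Access-Request headers, models a NAS that hands out Identifiers round-robin per source port, and models a server that drops a request whose (source IP, source port, Identifier) tuple is still outstanding, which is the "Dropping duplicate authentication packet" symptom in the quoted logs. The IP address and the starting source port number are constructed sample values; the 200-port figure in the usage call is an assumption about what the extended source-port range provides, not a value taken from the page.

```python
"""Model of RADIUS Identifier exhaustion on a NAS (added example)."""
import os
import struct

ACCESS_REQUEST = 1
# RFC 2865 section 3: Code(1) Identifier(1) Length(2) Authenticator(16)
HEADER = struct.Struct("!BBH16s")


def build_access_request(identifier: int, attributes: bytes = b"") -> bytes:
    """Build a minimal Access-Request. The Identifier is the only
    per-request sequence field in the protocol and it is one octet wide."""
    if not 0 <= identifier <= 255:
        raise ValueError("RADIUS Identifier is a single octet")
    length = HEADER.size + len(attributes)
    return HEADER.pack(ACCESS_REQUEST, identifier, length, os.urandom(16)) + attributes


def parse_header(packet: bytes) -> dict:
    """Decode the fixed header and sanity-check the Length field."""
    code, identifier, length, authenticator = HEADER.unpack_from(packet)
    if length != len(packet):
        raise ValueError("Length field does not match packet size")
    return {"code": code, "identifier": identifier,
            "length": length, "authenticator": authenticator}


def identifier_capacity(source_ports: int) -> int:
    """Distinct in-flight requests a client can have towards one server."""
    return 256 * source_ports


class NasClient:
    """Models a NAS that allocates the next Identifier round-robin per
    source port and spreads requests across its source ports."""

    def __init__(self, src_ip: str, source_ports):
        self.src_ip = src_ip
        self.source_ports = list(source_ports)
        self.next_id = {p: 0 for p in self.source_ports}
        self.turn = 0

    def next_request(self):
        port = self.source_ports[self.turn % len(self.source_ports)]
        self.turn += 1
        ident = self.next_id[port]
        self.next_id[port] = (ident + 1) % 256  # wraps after 256 requests
        return (self.src_ip, port), build_access_request(ident)


class RadiusServer:
    """Models duplicate suppression keyed on (src IP, src port, Identifier):
    a request matching one still being processed is dropped, not queued."""

    def __init__(self):
        self.outstanding = set()
        self.accepted = 0
        self.dropped = 0

    def receive(self, source, packet) -> bool:
        key = source + (parse_header(packet)["identifier"],)
        if key in self.outstanding:
            self.dropped += 1  # the "duplicate authentication packet" case
            return False
        self.outstanding.add(key)
        self.accepted += 1
        return True

    def reply(self, source, identifier: int) -> None:
        """Once the server answers, the tuple is free for reuse."""
        self.outstanding.discard(source + (identifier,))


def simulate(in_flight: int, source_ports: int) -> tuple:
    """Send `in_flight` requests with no replies yet (a reconnect storm)
    from `source_ports` ports; return (accepted, dropped_as_duplicate)."""
    # constructed sample values: address and the first source port
    nas = NasClient("198.51.100.1", range(21645, 21645 + source_ports))
    srv = RadiusServer()
    for _ in range(in_flight):
        srv.receive(*nas.next_request())
    return srv.accepted, srv.dropped


if __name__ == "__main__":
    # 1500 sessions reconnecting at once, as in the quoted post
    print("single source port :", simulate(1500, 1))    # (256, 1244)
    print("200 source ports   :", simulate(1500, 200))  # (1500, 0)
    print("capacity, 200 ports:", identifier_capacity(200))
```

With one source port, only the first 256 of the 1500 simultaneous requests are accepted and the remaining 1244 are logged as duplicates; spreading the same burst over 200 source ports leaves every request distinguishable. On the server side, the useful check is whether the duplicate-drop count in the RADIUS logs rises during reconnect storms while the database and daemon themselves are idle, which is the pattern the quoted post describes.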
