[cisco-bba] trouble when a lot of users try and log on
Euan Galloway
euang+cisco-bba at lists.eusahues.co.uk
Mon Oct 6 09:17:50 EDT 2008
On Mon, Oct 06, 2008 at 01:07:56PM +0100, Wayne Lee wrote:
> Whenever our L2TP provider has any problems and they drop our link and
> the 1500 or so L2TP / ADSL connections we have trouble when they all
> try and log on again, so far the only way we have managed to get
> through this is to restart the radius daemon on rad 1 after 200 logins
> or so.
Perhaps the restart on Rad 1 just stops new sessions being presented to
the LNS for long enough for it to deal with the ones it's already
got outstanding.
> We are running a 7206vxr (g1) with 1gig of mem, pre-clone is set for
> 1500 sessions and we get the below error in the radius logs on rad 2
Pre-clone? Are you using config / IOS that prevents you using
subinterface VAIs instead of the Full VAIs that pre-cloning gives you?
(I did think that pre-cloning subinterface VAIs would still be
an optimisation, but since it doesn't do it, I guess Cisco found not!).
> Error: Dropping duplicate authentication packet from client Cisco-LNS
Guessing that the LNS is just too busy and dropping / missing the
responses, so retransmitting.
> Thanks in advance for any help or pointers in debugging this.
There are some tuning knobs available to limit the number of
sessions the LNS will deal with at the same time. Without them it is
possible for a mass disconnection / mass reconnections to make the
LNS busy enough trying to deal with ALL new sessions to successfully
deal with NONE of them.
Google for "site:cisco.com Session scalability" and/or
"site:cisco.com Broadband scalability"
There are also some optimisations that help keep the CPU down a bit
in general for L2TP, or especially on session setup.
e.g.
  vpdn ip udp ignore checksum
  no virtual-template snmp
Should be mentioned in the BB Scalability docs, but from a quick google
I can't find the exact doc I'm thinking of.
--
Euan Galloway
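
Added example, not part of the original post and not code from any RADIUS or Cisco project: a Python detector that counts the "Dropping duplicate authentication packet" message per RADIUS client in a sliding window, so the retransmit storm discussed in the thread can be alerted on when it starts. The timestamp layout, the window and threshold values, and the sample log lines are constructed assumptions; only the error text comes from the thread.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log. The timestamp layout and the "Login OK" line are
# assumptions; only the duplicate-packet error text is taken from the thread.
SAMPLE_LOG = """\
2008-10-06 13:05:01 : Error: Dropping duplicate authentication packet from client Cisco-LNS
2008-10-06 13:05:02 : Auth: Login OK: [user0042] (from client Cisco-LNS)
2008-10-06 13:05:03 : Error: Dropping duplicate authentication packet from client Cisco-LNS
2008-10-06 13:05:04 : Error: Dropping duplicate authentication packet from client Cisco-LNS
2008-10-06 13:05:05 : Error: Dropping duplicate authentication packet from client Cisco-LNS
2008-10-06 13:09:00 : Error: Dropping duplicate authentication packet from client Cisco-LNS
2008-10-06 13:09:30 : Error: Dropping duplicate authentication packet from client Other-NAS
"""

DUP_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) : Error: "
    r"Dropping duplicate authentication packet from client (?P<client>\S+)"
)

def find_retransmit_storms(lines, window=timedelta(seconds=10), threshold=3):
    """Return (client, first_duplicate_time, count) once per storm onset.

    A storm starts when one client accumulates `threshold` duplicate
    Access-Requests within `window`; it ends when the count drops below that.
    """
    recent = defaultdict(deque)    # client -> duplicate timestamps in window
    in_storm = defaultdict(bool)   # client -> already reported this storm?
    storms = []
    for line in lines:
        m = DUP_RE.match(line)
        if not m:
            continue               # ignore every other log message
        client = m["client"]
        ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
        q = recent[client]
        q.append(ts)
        while ts - q[0] > window:  # expire entries older than the window
            q.popleft()
        if len(q) >= threshold and not in_storm[client]:
            storms.append((client, q[0], len(q)))
            in_storm[client] = True
        elif len(q) < threshold:
            in_storm[client] = False
    return storms

if __name__ == "__main__":
    for client, start, count in find_retransmit_storms(SAMPLE_LOG.splitlines()):
        print(f"{client}: {count} duplicate requests within 10s, starting {start}")
```

Isolated duplicates, such as the single late entries in the sample, stay below the threshold and are not reported.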