[cisco-bba] trouble when a lot of users try and log on

[Euan Galloway]

On Mon, Oct 06, 2008 at 01:07:56PM +0100, Wayne Lee wrote:
> Whenever our L2TP provider has any problems and they drop our link and
> the 1500 or so L2TP / ADSL connections we have trouble when they all
> try and log on again, so far the only way we have managed to get
> through this is to restart the radius daemon on rad 1 after 200 logins
> or so.

Perhaps the restart on Rad 1 just stops new sessions being presented to 
the LNS for long enough for it to deal with the ones it's already 
got outstanding.

> We are running a 7206vxr (g1) with 1gig of mem, pre-clone is set for
> 1500 sessions and we get the below error in the radius logs on rad 2

Pre-clone? Are you using config / IOS that prevents you using 
subinterface VAIs instead of the Full VAIs that pre-cloning gives you.
(I did think that pre-cloning subinterface VAIs would still be 
an optimisation, but since it doesn't do it, I guess Cisco found not!).

> Error: Dropping duplicate authentication packet from client Cisco-LNS

Guessing that the LNS is just too busy and dropping / missing the 
responses, so retransmitting.

> Thanks in advance for any help or pointers in debugging this.

There are some tuning knobs available to limit the number of 
sessions the LNS will deal with at the same time. Without them it is 
possible for a mass disconnection / mass reconnections to make the 
LNS busy enough trying to deal with ALL new sessions to successfully 
deal with NONE of them.

Google for "site:cisco.com Session scalability" and/or
"site:cisco.com Broadband scalability"

There are also some optimisations that help keep the CPU down a bit 
in general for L2TP, or especially on session setup.

e.g.

vpdn ip udp ignore checksum
no virtual-template snmp 

Should be mentioned in the BB Scalabilty docs, but from a quick google 
I can't find the exact doc I'm thinking of.

-- 
Euan Galloway