[cisco-bba] trouble when a lot of users try and log on

Wayne Lee linkconnect at googlemail.com
Mon Oct 6 09:29:40 EDT 2008


On Mon, Oct 6, 2008 at 2:17 PM, Dean Smith <dean at eatworms.org.uk> wrote:
> Radius has only a single byte unique identifier within the protocol. If your
> radius client (i.e. Cisco NAS) uses the same source port for all requests
> then
>
> Source IP / Port + Dest IP / Port + Unique ID will only give you 256 unique
> requests.
>
> It's entirely possible with high (or even "some") churn you may have > 256
> outstanding requests and therefore "duplicates"....especially if you're
> authenticating the domain before the full user.
>
> Try "radius-server source-ports extended"
> http://www.cisco.com/en/US/docs/ios/12_3/security/command/reference/sec_p1g.html#wp1107199
>
> Dean
>
> ----- Original Message ----- From: "Wayne Lee" <linkconnect at googlemail.com>
> To: <cisco-bba at puck.nether.net>
> Sent: Monday, October 06, 2008 1:07 PM
> Subject: [cisco-bba] trouble when a lot of users try and log on
>
>
>> Hi
>>
>> Whenever our L2TP provider has any problems and they drop our link and
>> the 1500 or so L2TP / ADSL connections, we have trouble when they all
>> try to log on again; so far the only way we have managed to get
>> through this is to restart the radius daemon on rad 1 after 200 logins
>> or so.
>>
>> We are running a 7206vxr (g1) with 1gig of mem, pre-clone is set for
>> 1500 sessions and we get the below error in the radius logs on rad 2
>>
>> Error: Dropping duplicate authentication packet from client Cisco-LNS
>>
>> We are currently running an old version of ICradius (on both) but we
>> are in the process of migrating to Freeradius; both radius servers are
>> using a MySQL backend. We don't see any load on the SQL DB or radius
>> servers but the CPU is high on the router. Would this be a radius
>> problem or an LNS problem?
>>
>> The setup looks like this
>>
>> Provider ------> Rad1 -----------> Provider --------> LNS ---------> Rad2
>>
>> Rad 1 allows all users and only sends back Tunnel Server endpoint IP
>> Rad 2 does final auth and any other attributes like static IP and
>> accounting
>>
>>
>> Thanks in advance for any help or pointers in debugging this.
>>
>> Wayne
>> _______________________________________________
>> cisco-bba mailing list
>> cisco-bba at puck.nether.net
>> https://puck.nether.net/mailman/listinfo/cisco-bba
>
>
Dean

Yes, we have radius-server source-ports extended already in the config
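To make Dean's arithmetic concrete, the following is an added model (not code from the thread or from Cisco) of the request key a RADIUS server uses to spot retransmits and of what happens when 1500 sessions re-authenticate through one NAS at once. The source IP and the port range are constructed values; the real range used by "radius-server source-ports extended" is in the Cisco document linked above.

```python
# Added example, not from the original thread: models why a RADIUS server
# logs "Dropping duplicate authentication packet" when a NAS sends many
# outstanding Access-Requests from a single source port, and how spreading
# requests over more source ports removes the collisions.
from dataclasses import dataclass


@dataclass(frozen=True)
class RequestKey:
    """The tuple a RADIUS server uses to detect retransmits/duplicates."""
    src_ip: str
    src_port: int
    identifier: int  # RFC 2865 Identifier field: one byte, 0-255


def nas_send_burst(n_requests, src_ip, src_ports):
    """Model a NAS emitting n_requests Access-Requests that are all still
    outstanding (no reply yet). The Identifier wraps at 256 per source
    port, and requests are spread round-robin over the given ports."""
    keys = []
    next_id = {p: 0 for p in src_ports}
    for i in range(n_requests):
        port = src_ports[i % len(src_ports)]
        keys.append(RequestKey(src_ip, port, next_id[port]))
        next_id[port] = (next_id[port] + 1) & 0xFF  # one-byte wraparound
    return keys


def server_dedup(keys):
    """Server side: a request whose key matches one already outstanding is
    treated as a retransmit and dropped. Returns (accepted, dropped)."""
    outstanding, dropped = set(), 0
    for k in keys:
        if k in outstanding:
            dropped += 1  # the "duplicate authentication packet" case
        else:
            outstanding.add(k)
    return len(outstanding), dropped


def duplicates_for(n_requests, n_ports):
    """Constructed scenario: one NAS (192.0.2.1, a documentation address)
    re-authenticating n_requests sessions at once over n_ports ports."""
    ports = list(range(21645, 21645 + n_ports))  # constructed port range
    return server_dedup(nas_send_burst(n_requests, "192.0.2.1", ports))


if __name__ == "__main__":
    print("single source port:", duplicates_for(1500, 1))    # (256, 1244)
    print("200 source ports  :", duplicates_for(1500, 200))  # (1500, 0)
```

If the NAS already uses extended source ports and duplicates still appear, the model shows the collision space is no longer the cause, so the next place to look is retransmission timing (requests retried before the server answers) rather than identifier exhaustion.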

