[cisco-bba] trouble when a lot of users try and log on

Tassos Chatzithomaoglou achatz at forthnet.gr
Mon Oct 6 15:27:02 EDT 2008


Wayne,

We use CAC for incoming vpdn sessions (it works for PPPoX too), which limits the number of 
vpdn sessions being established simultaneously, based on either CPU or session charges.

call admission limit 320
call admission vpdn 10 1

The above numbers work ok with us, taking into account that they are from a 10k platform 
(we don't use CAC on our 7200s, because they have very few sessions), the LAC uses its own 
CAC method too, and our radius servers cannot handle too many requests at the same time. 
Probably you'll have to experiment and find your own values.

You can find more info below:
http://www.cisco.com/en/US/docs/routers/10000/10008/feature/guides/122_31sb13/cac-enha.html

We also use the following under the radius groups in order to split the load on our radius 
servers according to the auth/acct requests waiting in line:

aaa group server radius XXX
  load-balance method least-outstanding

More info can be found below:
http://www.cisco.com/en/US/docs/ios/12_2sb/feature/guide/sbrdldbl.html

Regarding the precloning thing, according to our experience with the 12.2(31)SB series, 
precloning doesn't help much and we prefer using va subinterfaces (with all their 
advantages/disadvantages). Here is the relevant output:


7200#sh vtemplate
Virtual access subinterface creation is globally enabled

          Active     Active    Subint  Pre-clone Pre-clone
        Interface Subinterface Capable Available   Limit
        --------- ------------ ------- --------- ---------
Vt1            0         1370   Yes
Vt2            0          235   Yes


-- 
Tassos

Wayne Lee wrote on 06/10/2008 15:07:
> Hi
> 
> Whenever our L2TP provider has any problems and they drop our link and
> the 1500 or so L2TP / ADSL connections we have trouble when they all
> try and log on again, so far the only way we have managed to get
> through this is to restart the radius daemon on rad 1 after 200 logins
> or so.
> 
> We are running a 7206vxr (g1) with 1gig of mem, pre-clone is set for
> 1500 sessions and we get the below error in the radius logs on rad 2
> 
> Error: Dropping duplicate authentication packet from client Cisco-LNS
> 
> We are currently running an old version of ICradius (on both) but we
> are in the process of migrating to Freeradius, both radius servers are
> using a MySQL backend. We don't see any load on the sql DB or radius
> servers but the CPU is high on the router. Would this be a radius
> problem or an LNS problem?
> 
> The setup looks like this
> 
> Provider ------> Rad1 -----------> Provider --------> LNS ---------> Rad2
> 
> Rad 1 allows all users and only sends back Tunnel Server endpoint IP
> Rad 2 does final auth and any other attributes like static IP and accounting
> 
> 
> Thanks in advance for any help or pointers in debugging this.
> 
> Wayne
> 
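
A toy model of the least-outstanding selection mentioned in the reply, compared with plain round-robin during a mass re-login. This is an added example, not part of the original messages and not Cisco's implementation; the two server answer rates, the 30 logins per tick over 50 ticks (about the 1500 sessions in the question) and the tie-breaking rule are constructed assumptions.

```python
# Added illustration: model and numbers are constructed, not from the thread.
from itertools import cycle


def simulate(policy, rates, arrivals_per_tick, ticks):
    """Return the peak number of unanswered requests seen on each server.

    rates[i]          -- requests server i can answer per tick (assumed)
    arrivals_per_tick -- new Access-Requests the LNS sends per tick (assumed)
    policy            -- "round-robin" or "least-outstanding"
    """
    outstanding = [0] * len(rates)
    peak = [0] * len(rates)
    rr = cycle(range(len(rates)))
    for _ in range(ticks):
        for _ in range(arrivals_per_tick):
            if policy == "least-outstanding":
                # Pick the server with the fewest requests waiting in line;
                # ties go to the lowest index (an assumption of this model).
                i = min(range(len(rates)), key=outstanding.__getitem__)
            else:
                i = next(rr)
            outstanding[i] += 1
            peak[i] = max(peak[i], outstanding[i])
        # Each server answers up to its rate before the next tick.
        for i, rate in enumerate(rates):
            outstanding[i] = max(0, outstanding[i] - rate)
    return peak


def compare(rates=(30, 10), arrivals_per_tick=30, ticks=50):
    """Peak backlog per server under both policies for the same burst."""
    return {
        policy: simulate(policy, list(rates), arrivals_per_tick, ticks)
        for policy in ("round-robin", "least-outstanding")
    }


if __name__ == "__main__":
    for policy, peak in compare().items():
        print(f"{policy:18s} peak outstanding per server: {peak}")
```

In this model the slower server's backlog keeps growing under round-robin even though the pair has enough combined capacity, which is the condition where a NAS starts retransmitting and the server logs duplicate requests; least-outstanding keeps both queues short.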
