[cisco-bba] trouble when a lot of users try and log on

Daniel.Chapman at cittel.com
Mon Oct 6 17:13:41 EDT 2008


Wayne,

You might want to check out the AAA throttling feature if it's available on
your IOS.  This and the load-balance method least-outstanding feature
should work well.  You may want to start by throttling accounting records
and then auth requests.

Dan



Tassos Chatzithomaoglou <achatz at forthnet.gr>
Sent by: cisco-bba-bounces at puck.nether.net
10/06/2008 03:27 PM
To: cisco-bba at puck.nether.net
Subject: Re: [cisco-bba] trouble when a lot of users try and log on

Wayne,

We use CAC for incoming vpdn sessions (it works for PPPoX too), which
limits the number of vpdn sessions being established simultaneously,
based on either CPU or session charges.

call admission limit 320
call admission vpdn 10 1

The above numbers work ok with us, taking into account that they are from
a 10k platform (we don't use CAC on our 7200s, because they have very few
sessions), the LAC uses its own CAC method too, and our radius servers
cannot handle too many requests at the same time.
Probably you'll have to experiment and find your own values.

You can find more info below:
http://www.cisco.com/en/US/docs/routers/10000/10008/feature/guides/122_31sb13/cac-enha.html


We also use the following under the radius groups in order to split the
load on our radius servers according to the auth/acct requests waiting
in line:

aaa group server radius XXX
  load-balance method least-outstanding

More info can be found below:
http://www.cisco.com/en/US/docs/ios/12_2sb/feature/guide/sbrdldbl.html

Regarding the precloning thing, according to our experience with the
12.2(31)SB series, precloning doesn't help much and we prefer using va
subinterfaces (with all their advantages/disadvantages). Here is the
relevant output:


7200#sh vtemplate
Virtual access subinterface creation is globally enabled

          Active     Active    Subint  Pre-clone Pre-clone
        Interface Subinterface Capable Available   Limit
        --------- ------------ ------- --------- ---------
Vt1            0         1370   Yes
Vt2            0          235   Yes


-- 
Tassos

Wayne Lee wrote on 06/10/2008 15:07:
> Hi
> 
> Whenever our L2TP provider has any problems and they drop our link and
> the 1500 or so L2TP / ADSL connections we have trouble when they all
> try and log on again, so far the only way we have managed to get
> through this is to restart the radius daemon on rad 1 after 200 logins
> or so.
> 
> We are running a 7206vxr (g1) with 1gig of mem, pre-clone is set for
> 1500 sessions and we get the below error in the radius logs on rad 2
> 
> Error: Dropping duplicate authentication packet from client Cisco-LNS
> 
> We are currently running an old version of ICradius (on both) but we
> are in the process of migrating to Freeradius, both radius servers are
> using a MySQL backend. We don't see any load on the sql DB or radius
> servers but the CPU is high on the router. Would this be a radius
> problem or an LNS problem?
> 
> The setup looks like this
> 
> Provider ------> Rad1 -----------> Provider --------> LNS ---------> Rad2
> 
> Rad 1 allows all users and only sends back Tunnel Server endpoint IP
> Rad 2 does final auth and any other attributes like static IP and accounting
> 
> 
> Thanks in advance for any help or pointers in debugging this.
> 
> Wayne
> _______________________________________________
> cisco-bba mailing list
> cisco-bba at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-bba
> 
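
Added example (not part of the original thread, and not Cisco's or any RADIUS server's code): a toy Python model of the reconnect storm discussed above, showing how unanswered requests turn into the "Dropping duplicate authentication packet" drops and how capping outstanding requests at the LNS, as AAA throttling does, avoids them. The service rate, timeout and throttle limit are constructed values, and the model assumes a dropped duplicate costs the server no capacity.

```python
"""Toy model of a RADIUS reconnect storm (added example, constructed values)."""


def simulate(sessions, rate, timeout, limit=None):
    """Return (ticks_to_finish, duplicate_packets_dropped).

    sessions: logins that must authenticate (1500 in the thread)
    rate:     requests the RADIUS server answers per tick (assumed)
    timeout:  ticks the NAS waits before retransmitting (assumed)
    limit:    max requests the NAS keeps outstanding; None = no throttle
    Assumption: the server drops a retransmit of a request it still holds,
    and the drop costs it no capacity.
    """
    waiting = sessions   # held back on the NAS, retransmit timer not started
    outstanding = []     # send tick of each request queued on the server (FIFO)
    duplicates = 0
    tick = 0
    while waiting or outstanding:
        # The NAS sends as many new requests as the throttle allows.
        room = waiting if limit is None else min(waiting, limit - len(outstanding))
        outstanding.extend([tick] * room)
        waiting -= room
        del outstanding[:rate]   # the server answers the oldest requests
        tick += 1
        # Every unanswered request whose timer expires is retransmitted,
        # and the server drops the retransmit as a duplicate.
        duplicates += sum(1 for sent in outstanding if (tick - sent) % timeout == 0)
    return tick, duplicates


def compare(sessions=1500, rate=50, timeout=5, limit=200):
    """Run the same storm without and with a cap on outstanding requests."""
    return {
        "unthrottled": simulate(sessions, rate, timeout),
        "throttled": simulate(sessions, rate, timeout, limit),
    }


if __name__ == "__main__":
    for name, (ticks, dups) in compare().items():
        print(f"{name:12s} finished in {ticks} ticks, {dups} duplicates dropped")
```

In this model the duplicates disappear only while the limit stays below rate × timeout (250 with these values); a limit of 300 still produces retransmits.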
