[cisco-bba] trouble when a lot of users try and log on
Daniel.Chapman at cittel.com
Mon Oct 6 17:13:41 EDT 2008
Wayne,
You might want to check out the AAA throttling feature if it's available on
your IOS. This and the load-balance method least-outstanding feature
should work well. You may want to start by throttling accounting records
and then auth requests.
Dan
Tassos Chatzithomaoglou <achatz at forthnet.gr>
Sent by: cisco-bba-bounces at puck.nether.net
10/06/2008 03:27 PM
To: cisco-bba at puck.nether.net
cc:
Subject: Re: [cisco-bba] trouble when a lot of users try and log on
Wayne,
We use CAC for incoming vpdn sessions (it works for PPPoX too), which
limits the number of vpdn sessions being established simultaneously,
based on either CPU or session charges.
call admission limit 320
call admission vpdn 10 1
The above numbers work ok with us, taking into account that they are from
a 10k platform (we don't use CAC on our 7200s, because they have very few
sessions), the LAC uses its own CAC method too, and our radius servers
cannot handle too many requests at the same time.
Probably you'll have to experiment and find your own values.
You can find more info below:
http://www.cisco.com/en/US/docs/routers/10000/10008/feature/guides/122_31sb13/cac-enha.html
We also use the following under the radius groups in order to split the
load on our radius servers according to the auth/acct requests waiting
in line:
aaa group server radius XXX
load-balance method least-outstanding
More info can be found below:
http://www.cisco.com/en/US/docs/ios/12_2sb/feature/guide/sbrdldbl.html
Regarding the precloning thing, according to our experience with the
12.2(31)SB series, precloning doesn't help much and we prefer using va
subinterfaces (with all their advantages/disadvantages). Here is the
relevant output:
7200#sh vtemplate
Virtual access subinterface creation is globally enabled

       Active     Active    Subint  Pre-clone Pre-clone
     Interface Subinterface Capable Available   Limit
     --------- ------------ ------- --------- ---------
Vt1          0         1370   Yes
Vt2          0          235   Yes
--
Tassos
Wayne Lee wrote on 06/10/2008 15:07:
> HI
>
> Whenever our L2TP provider has any problems and they drop our link and
> the 1500 or so L2TP / ADSL connections we have trouble when they all
> try and log on again, so far the only way we have managed to get
> through this is to restart the radius daemon on rad 1 after 200 logins
> or so.
>
> We are running a 7206vxr (g1) with 1gig of mem, pre-clone is set for
> 1500 sessions and we get the below error in the radius logs on rad 2
>
> Error: Dropping duplicate authentication packet from client Cisco-LNS
>
> We are currently running an old version of ICradius (on both) but we
> are in the process of migrating to Freeradius, both radius servers are
> using a MySQL backend. We don't see any load on the sql DB or radius
> servers but the CPU is high on the router. Would this be a radius
> problem or a LNS problem?
>
> The setup looks like this
>
> Provider ------> Rad1 -----------> Provider --------> LNS ---------> Rad2
>
> Rad 1 allows all users and only sends back Tunnel Server endpoint IP
> Rad 2 does final auth and any other attributes like static IP and
> accounting
>
>
> Thanks in advance for any help or pointers in debugging this.
>
> Wayne
> _______________________________________________
> cisco-bba mailing list
> cisco-bba at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-bba
>