[rbak-nsp] auth storm and problem with freeRadius

Frans Legdeur frans at falco-networks.com
Sun Apr 19 08:55:45 EDT 2009 

Hi Marcin,

The problem could well be that the Redback works with an outstanding amount
of requests that differs from what the radius server can handle.

By default, the redback will work with 250 outstanding requests before it
stops sending more authentication requests.
Your radius server, as many others, might stop handling request at 100
incoming requests (buffered).
This means that the redback will timeout 150 requests before it will send
them again (See command "show radius statistics" number of "request timeout"
should run up).

You can adjust the max number of outstanding requests on the redback by
command: "radius max-outstanding 100" at the context where the radius server
is configured (This example limits the amount to 100 outstanding requests).

With regards to the different type of radius servers, FreeRadius should
performance wise works well. Personally we always work with Radiator, due to
it's flexibility and ease of configuration, including connections to
databases. I have recently tested 800 subscriber sessions, generated with
SmartBits on PPPoA, which runs against an SE-100 with my laptop as radius
server (Apple G4, Perl, Radiator and PostGreSQL), took 42 seconds to get
them all authenticated.

This included radius guided CCOD for each circuit and PPPoA, this would summ
up to 1600 requests all together to get them authenticated (19 subs/sec) and
accounting ... (that's 57 radius request per second handled)

So, your problem is not within the radius server, just limit the amount of
outstanding requests and it should work fine ;-)

At Belgacom we once had complains that the SE didn't authenticate the
subscribers quick enough, closer look showed the radius server couldn't
handle the requests quick enough ... Once that was solved all worked fine.

Kind regards,


Frans.

> From: Marcin Kuczera <marcin at leon.pl>
> Date: Sat, 18 Apr 2009 12:54:17 +0200
> To: <redback-nsp at puck.nether.net>
> Subject: [rbak-nsp] auth storm and problem with freeRadius
> 
> well,
> 
> since some time we have some problems with radius, process dies just
> like that (on one server) and on the other stops responding.
> 
> let's pick the one that dies:
> db:~# dpkg -s freeradius
> Package: freeradius
> Status: install ok installed
> Priority: optional
> Section: net
> Installed-Size: 1604
> Maintainer: Stephen Gran <sgran at debian.org>
> Architecture: i386
> Version: 2.0.4+dfsg-6
> Provides: radius-server
> 
> last night, after when I had a problem:
> Apr 17 21:14:17: %PPAL2-3-PPPOE_ERR:
> a593028b/0002524333/907900000:02/IPPA/EU00:Failed to allocate memory for
> pppoe throttle node -
> 0004c20c 0009ae08 0004bee4 0009036e 00098138 00098110 00000000
> 
> I did a reload of card #2.
> So - all subscribers (pppoe and clips) went down.
> 
> 
> After reload all I had a little storm of auth requests.. and - I had to
> start freeradius about 20 times for ~900subcribers (It's just start of
> moving subscribers to redback so - not too much).
> 
> Did anyone had such problems and what could help on freeradius side ?
> 
> Or - which radius working with postgresql would you recommend ?
> 
> Regards,
> Marcin
> 
> _______________________________________________
> redback-nsp mailing list
> redback-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/redback-nsp

More information about the redback-nsp mailing list