Then you are saying the secondary has to fail before the primary is tried again? So then both my primary AND secondary are failing... I find that hard to believe. Logs show that the daemons are not stopping or restarting.

--
Paul Farber
Farber Technology
farber@admin.f-tech.net
Ph 570-628-5303
Fax 570-628-5545

On Wed, 16 Apr 2003, Joel - Fox Computers wrote:
My experience has been this:
If the ARC gets a response from a RADIUS server, that becomes the active server and will be tried first until the ARC gets a response from another server, and so on.
In other words, if your primary goes down, the arc hits the secondary, then the secondary becomes active. From that point forward, the ARC tries the secondary server first. Only when the secondary server fails to respond and the ARC has to request to the primary (and the primary responds) will the primary become the "active" authentication server.
You can see this if you do a "show authentication" on the ARC - toward the bottom it displays "Active Authentication Server", which for me often is the secondary. Doing a "mon rad" shows that the secondary is then being requested first.
So, your primary was probably NOT down for two hours - could have been just once for 5 seconds if someone tried to log in at that time.
- Joel
-----Original Message-----
From: Paul Farber [mailto:farber@admin.f-tech.net]
Sent: Wednesday, April 16, 2003 9:43 PM
To: usr-tc@lists.xmission.com
Subject: [USR-TC] TC/RADIUS performance
Have a radius performance question.
On April 16th my primary radius server (800Mhz, 256Mb RAM, Linux 2.4.20, ICRADIUS + MySQL, 1600 users) authenticated 2930 radius requests. It is also a local DNS resolver for all dial ins running djbdns.
My backup RADIUS server (1.6Ghz, 256Mb RAM, Linux 2.4.20 ICRADIUS + MySQL 1600 users) caught 284 authentications.
I have 3 HiperARC set up to authenticate off these servers with a timeout of 3 seconds and 10 retries.
If 284 requests had to fail over to the secondary radius server that means that I had (3 x 10 x 284) 8520 seconds of primary RADIUS server being unavailable????? That's 142 minutes or over two hours?!!?!?!?!?! With over 9% of the total requests having to go to the secondary?!?!?!?!
Even if the ARC switched to the secondary after the first 3 second timeout that's (3x1x284) 852 seconds or over 14 minutes of primary auth server unavailability?!?!?!?!
?!?!?!?!?!??!?!?!?!?!?!?!??!?
How long will the ARC retry the primary auth server??? The config says 10 times 3 seconds. But if I do the simple math then I had over two hours of downtime. I don't believe that or I am missing something.
The primary radius server is on the same network as 1 ARC, the other two are routed from two other local LAN segments. The Secondary is 3 hops away.
What am I missing???
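
The "active server" behaviour Joel describes earlier in this thread, as an added Python model that is not part of any message here and is not HiperARC code. The request rate and outage times are constructed, and the model assumes the NAS moves to the other server as soon as the one it tried does not answer (retry and timeout counts are not modelled).

```python
# Constructed model of the "sticky" active-server behaviour described in
# Joel's reply. Not HiperARC code; outage times and request rate are invented.

def is_down(outages, server, t):
    """True if `server` is unresponsive at time t (seconds since midnight)."""
    return any(start <= t < end for start, end in outages.get(server, ()))


def simulate(request_times, outages, sticky=True):
    """Count which server answers each request.

    Assumption: the NAS moves to the other server as soon as the one it
    tried does not answer; retry/timeout counts are not modelled.
    sticky=False models a NAS that always tries the primary first.
    """
    other = {"primary": "secondary", "secondary": "primary"}
    active = "primary"
    stats = {"primary": 0, "secondary": 0, "failed": 0, "failovers": 0}
    for t in request_times:
        first = active if sticky else "primary"
        if not is_down(outages, first, t):
            stats[first] += 1
            continue
        backup = other[first]
        if is_down(outages, backup, t):
            stats["failed"] += 1
            continue
        stats[backup] += 1
        stats["failovers"] += 1
        active = backup  # whoever answered last becomes the active server
    return stats


# Constructed workload: one request every 27 s for a day (3200 requests),
# a 5 s primary blip at 11:15:00 and a 5 s secondary blip at 13:22:48.
REQUESTS = range(0, 86400, 27)
OUTAGES = {"primary": [(40500, 40505)], "secondary": [(48168, 48173)]}

if __name__ == "__main__":
    print("sticky      :", simulate(REQUESTS, OUTAGES, sticky=True))
    print("primary-1st :", simulate(REQUESTS, OUTAGES, sticky=False))
```

With these constructed inputs, ten seconds of total unresponsiveness leaves the secondary answering every request between the two blips under the sticky policy, while a primary-first policy sends it only the single request that arrived during the primary blip.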