On Wed, 16 Apr 2003, Paul Farber wrote:
Have a radius performance question.
On April 16th my primary radius server (800Mhz, 256Mb RAM, Linux 2.4.20, ICRADIUS + MySQL, 1600 users) authenticated 2930 radius requests. It is also a local DNS resolver for all dial ins running djbdns.
My backup RADIUS server (1.6Ghz, 256Mb RAM, Linux 2.4.20 ICRADIUS + MySQL 1600 users) caught 284 authentications.
Given the numbers, it's not a performance issue. I've never seen ICRADIUS, but even big bloated messes like Merit Radius should be able to handle at least 20 times what you're throwing at that hardware. At least. If ICRADIUS is efficient, you should be able to handle at least 50 times what you're seeing.

I'd go with what Joel said. For some reason that first server was unreachable, but not due to high load. Perhaps your server and the switch port aren't both locked to 100Mb? Autodetect often causes a mess. It's nice for workstations, but I always lock servers and any net equipment that allows it. Perhaps the ARC lost connectivity briefly, which could also make it fail over to the secondary.

A good way to catch these things is to watch the equipment in question with smokeping.

Charles
I have 3 HiperARC set up to authenticate off these servers with a timeout of 3 seconds and 10 retries.
If 284 requests had to fail over to the secondary radius server that means that I had (3 x 10 x 284) 8520 seconds of primary RADIUS server being unavailable????? That's 142 minutes or over two hours?!!?!?!?!?! With over 9% of the total requests having to go to the secondary?!?!?!?!
Even if the ARC switched to the secondary after the first 3 second timeout that's (3x1x284) 852 seconds or over 14 minutes of primary auth server unavailability?!?!?!?!
?!?!?!?!?!??!?!?!?!?!?!?!??!?
How long will the ARC retry the primary auth server??? The config says 10 times 3 seconds. But if I do the simple math then I had over two hours of downtime. I don't believe that or I am missing something.
The primary radius server is on the same network as 1 ARC, the other two are routed from two other local LAN segments. The Secondary is 3 hops away.
What am I missing???
-- Paul Farber Farber Technology farber@admin.f-tech.net Ph 570-628-5303 Fax 570-628-5545
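Added example, not part of the original thread: a sketch that estimates primary-server unavailability from the timestamps of authentications seen on the secondary, by merging the overlapping windows each request implies instead of summing timeout x retries per request. The timestamps are constructed sample data, and it is an assumption (not confirmed in the thread) that each failed-over request implies at most timeout x retries seconds of primary silence immediately before it.

```python
from datetime import datetime, timedelta

TIMEOUT_S = 3    # NAS timeout from the post
RETRIES = 10     # NAS retry count from the post


def naive_seconds(n_requests, timeout_s=TIMEOUT_S, retries=RETRIES):
    """The post's calculation: every failed-over request counted separately."""
    return n_requests * timeout_s * retries


def outage_windows(secondary_auth_times, timeout_s=TIMEOUT_S, retries=RETRIES):
    """Merge the per-request implied windows [t - timeout*retries, t]
    into distinct, non-overlapping outage windows."""
    span = timedelta(seconds=timeout_s * retries)
    windows = []
    for t in sorted(secondary_auth_times):
        start = t - span
        if windows and start <= windows[-1][1]:
            # Overlaps the previous window: same outage, extend it.
            windows[-1][1] = max(windows[-1][1], t)
        else:
            windows.append([start, t])
    return [(s, e) for s, e in windows]


def total_seconds(windows):
    """Upper bound on primary unavailability under the stated assumption."""
    return sum((e - s).total_seconds() for s, e in windows)


# Constructed sample: timestamps of auths logged on the secondary server.
SAMPLE = [datetime(2003, 4, 16, h, m, s) for h, m, s in [
    (9, 15, 0), (9, 15, 4), (9, 15, 10), (9, 15, 31), (9, 15, 40), (9, 16, 5),
    (14, 2, 10), (14, 2, 25),
]]

if __name__ == "__main__":
    wins = outage_windows(SAMPLE)
    for s, e in wins:
        print(f"{s:%H:%M:%S} -> {e:%H:%M:%S}  ({(e - s).total_seconds():.0f}s)")
    print("merged:", total_seconds(wins), "s; naive:", naive_seconds(len(SAMPLE)), "s")
```

Run against the real secondary-server auth log, the merged windows also show when the primary was unreachable, which can be lined up with smokeping data or switch port logs.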