TC/RADIUS performance
Have a radius performance question.
On April 16th my primary radius server (800Mhz, 256Mb RAM, Linux 2.4.20, ICRADIUS + MySQL, 1600 users) authenticated 2930 radius requests. It is also a local DNS resolver for all dial ins running djbdns.
My backup RADIUS server (1.6Ghz, 256Mb RAM, Linux 2.4.20 ICRADIUS + MySQL 1600 users) caught 284 authentications.
I have 3 HiperARC set up to authenticate off these servers with a timeout of 3 seconds and 10 retries.
If 284 requests had to fail over to the secondary radius server that means that I had (3 x 10 x 284) 8520 seconds of primary RADIUS server being unavailable????? That's 142 minutes or over two hours?!!?!?!?!?! With over 9% of the total requests having to go to the secondary?!?!?!?!
Even if the ARC switched to the secondary after the first 3 second timeout that's (3x1x284) 852 seconds or over 14 minutes of primary auth server unavailability?!?!?!?!
?!?!?!?!?!??!?!?!?!?!?!?!??!?
How long will the ARC retry the primary auth server??? The config says 10 times 3 seconds. But if I do the simple math then I had over two hours of downtime. I don't believe that or I am missing something.
The primary radius server is on the same network as 1 ARC, the other two are routed from two other local LAN segments. The Secondary is 3 hops away.
What am I missing???
-- Paul Farber Farber Technology farber@admin.f-tech.net Ph 570-628-5303 Fax 570-628-5545
On Wed, 16 Apr 2003, Paul Farber wrote:
Have a radius performance question.
On April 16th my primary radius server (800Mhz, 256Mb RAM, Linux 2.4.20, ICRADIUS + MySQL, 1600 users) authenticated 2930 radius requests. It is also a local DNS resolver for all dial ins running djbdns.
My backup RADIUS server (1.6Ghz, 256Mb RAM, Linux 2.4.20 ICRADIUS + MySQL 1600 users) caught 284 authentications.
Given the numbers, it's not a performance issue. I've never seen ICRADIUS, but even big bloated messes like Merit Radius should be able to handle at least 20 times what you're throwing at that hardware. At least. If ICRADIUS is efficient, you should be able to handle at least 50 times what you're seeing.
I'd go with what Joel said. For some reason that first server was unreachable, but not due to high load. Perhaps your server and the switch port aren't both locked to 100Mb? Autodetect often causes a mess. It's nice for workstations, but I always lock servers and any net equipment that allows it. Perhaps the ARC lost connectivity briefly, which could also make it fail over to the secondary.
A good way to catch these things is to watch the equipment in question with smokeping.
Charles
I have 3 HiperARC set up to authenticate off these servers with a timeout of 3 seconds and 10 retries.
If 284 requests had to fail over to the secondary radius server that means that I had (3 x 10 x 284) 8520 seconds of primary RADIUS server being unavailable????? That's 142 minutes or over two hours?!!?!?!?!?! With over 9% of the total requests having to go to the secondary?!?!?!?!
Even if the ARC switched to the secondary after the first 3 second timeout that's (3x1x284) 852 seconds or over 14 minutes of primary auth server unavailability?!?!?!?!
?!?!?!?!?!??!?!?!?!?!?!?!??!?
How long will the ARC retry the primary auth server??? The config says 10 times 3 seconds. But if I do the simple math then I had over two hours of downtime. I don't believe that or I am missing something.
The primary radius server is on the same network as 1 ARC, the other two are routed from two other local LAN segments. The Secondary is 3 hops away.
What am I missing???
-- Paul Farber Farber Technology farber@admin.f-tech.net Ph 570-628-5303 Fax 570-628-5545
Uhm...yeah...shoulda googled before I asked. If anyone else was curious: http://people.ee.ethz.ch/~oetiker/webtools/smokeping/
David Hamilton extolled:
Charles Sprickman extolled:
On Wed, 16 Apr 2003, Paul Farber wrote:
A good way to catch these things is to watch the equipment in question with smokeping.
Charles
What's smokeping?
I use ICradius on half your machine running 3 times as many services without problems. I also know people who are using ICRADIUS to auth in excess of 100,000 users. I would check your mysql logs or run icradius with some of the debug options so you can see what is going on.
The only trouble I have ever had with ICRADIUS has come from corrupted db tables or other mysql issues. I now run nightly db maintenance utility scripts to back up and repair my tables.
-- Lewis Bergman Texas Communications 4309 Maple St. Abilene, TX 79602-8044 915-695-6962 ext 115
I'm really more curious to find out how the ARC is determining when to switch to the secondary. The auths that fail are they really doing the 3 seconds times 10 (total of 30 seconds) or is it not?
-- Paul Farber Farber Technology farber@admin.f-tech.net Ph 570-628-5303 Fax 570-628-5545
On Thu, 17 Apr 2003, Lewis Bergman wrote:
I use ICradius on half your machine running 3 times as many services without problems. I also know people who are using ICRADIUS to auth in excess of 100,000 users. I would check your mysql logs or run icradius with some of the debug options so you can see what is going on.
The only trouble I have ever had with ICRADIUS has come from corrupted db tables or other mysql issues. I now run nightly db maintenance utility scripts to back up and repair my tables.
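Added example, not part of any poster's message: the 3 x 10 x 284 figure adds every failed-over request's wait end to end, but dial-in requests wait concurrently, so their timeouts overlap. This Python code clusters the times at which the secondary answered into outage windows and compares the two estimates; the timestamps are constructed, the 60-second grouping gap is an assumption, and it assumes the NAS exhausts all retries before failing over, which the thread leaves unanswered.

```python
from datetime import datetime, timedelta

FMT = "%Y-%m-%d %H:%M:%S"
TIMEOUT_S, RETRIES = 3, 10          # values quoted in the thread


def burst(start, count, step_s):
    """Constructed sample data: `count` auths, one every `step_s` seconds."""
    t0 = datetime.strptime(start, FMT)
    return [t0 + timedelta(seconds=i * step_s) for i in range(count)]


# Constructed timestamps of requests answered by the SECONDARY server.
SAMPLE = burst("2003-04-16 02:14:00", 20, 5) + burst("2003-04-16 13:40:00", 10, 6)


def outage_windows(times, max_gap_s=60):
    """Group secondary-server auths into windows.

    Auths closer together than max_gap_s (an assumed threshold) are treated
    as one period of primary unavailability. Returns [start, end, count].
    """
    windows = []
    for t in sorted(times):
        if windows and (t - windows[-1][1]).total_seconds() <= max_gap_s:
            windows[-1][1] = t
            windows[-1][2] += 1
        else:
            windows.append([t, t, 1])
    return windows


def naive_estimate(n_failovers, timeout_s=TIMEOUT_S, retries=RETRIES):
    """The thread's arithmetic: every failover counted as serial downtime."""
    return n_failovers * timeout_s * retries


def clustered_estimate(windows, timeout_s=TIMEOUT_S, retries=RETRIES):
    """Heuristic: each window lasts from one full retry cycle before its
    first failover (when the primary stopped answering) to its last one."""
    cycle = timeout_s * retries
    return sum((end - start).total_seconds() + cycle for start, end, _ in windows)


if __name__ == "__main__":
    w = outage_windows(SAMPLE)
    print(len(w), "windows;", naive_estimate(len(SAMPLE)), "s naive vs",
          clustered_estimate(w), "s clustered")
```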
participants (4): Charles Sprickman, David Hamilton, Lewis Bergman, Paul Farber