Wireless Access


Access network design for branch, remote, outdoor, and campus locations with HPE Aruba Networking access points and mobility controllers.

RADIUS Outstanding Auths

  • 1.  RADIUS Outstanding Auths

    Posted Sep 19, 2018 03:42 PM

    Hi-

     

    RADIUS server in a load balanced group, increments Outstanding Auths (as per: show aaa authentication-server radius statistics) that *never* get reduced/decremented.

     

    (ArubaLocal5) #show aaa authentication-server radius statistics

    ...
    CS1 895782 16200470 22648 0 0 0 3 0 1150231 75334 895652 14997414 0 3932 33 17118900 17118634 0 782 0 0 0 287 7:22:14 510/510

    I've been at 782 for a couple of days now.

     

    If an outstanding auth (per documentation is): 

    "Outstanding Auths This value keeps track of the number of clients that are currently getting authenticated against this authentication server, i.e. clients for which the controller has sent Access-Request but has not yet received Access-Accept or Access-Reject and also the Access-Request has not timed out completely."

     

    I can imagine a lost Auth packet triggering this, but shouldn't my Auth server time is 5 seconds with 3 retransmits eventually age out these stale requests?

     

    Is there a condition I'm not considering under which I might not see Outstanding Auths decrement?

     

     

    Thanks-

    Kevin

     

     



  • 2.  RE: RADIUS Outstanding Auths

    EMPLOYEE
    Posted Sep 19, 2018 03:59 PM

    Which version of ArubaOS, please?



  • 3.  RE: RADIUS Outstanding Auths

    Posted Sep 20, 2018 11:11 AM

    6.5.4.7



  • 4.  RE: RADIUS Outstanding Auths

    Posted Oct 01, 2018 04:48 PM

    Has anyone else encountered this?



  • 5.  RE: RADIUS Outstanding Auths

    EMPLOYEE
    Posted Oct 01, 2018 05:06 PM

    Have your timeouts increased since you posted your stats?

     

    I suspect that there was an event which triggered the outstanding auths at the same time as many of the timeouts. The outstanding auths would have likely been related to radius challenges, which could explain why they weren't timed out ... since a challenge was received for the initial access-request.

     

    If the numbers aren't increasing, it's more than likely a one-time event that triggered, rather than an ongoing problem impacting clients.
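
A toy model of the condition suggested in the reply above, added here as an illustration and not taken from ArubaOS or from any poster in this thread. It assumes the request timer is dropped once an Access-Challenge arrives, and compares that with an assumed remedy that arms an overall session deadline; all class and function names are hypothetical.

```python
from dataclasses import dataclass
from typing import Optional
TIMEOUT = 5       # seconds per attempt (value quoted in the thread)
RETRANSMITS = 3   # retransmits after the first attempt (value quoted in the thread)

@dataclass
class Pending:
    deadline: Optional[float]   # None means no timer is armed
    attempts: int = 1
    challenged: bool = False

class AuthTracker:
    """Toy model of an 'Outstanding Auths' counter. Hypothetical, not ArubaOS code."""
    def __init__(self, expire_challenged):
        self.expire_challenged = expire_challenged
        self.pending = {}   # session id -> Pending; len() is the outstanding count

    def send_request(self, sid, now):
        self.pending[sid] = Pending(deadline=now + TIMEOUT)

    def on_reply(self, sid, code, now):
        p = self.pending.get(sid)
        if p is None or code in ("Access-Accept", "Access-Reject"):
            self.pending.pop(sid, None)      # final answer: no longer outstanding
        elif code == "Access-Challenge":
            p.challenged = True              # server answered, so retransmits stop
            # Assumed defect: timer dropped. Assumed remedy: one overall session deadline.
            p.deadline = now + TIMEOUT * (RETRANSMITS + 1) if self.expire_challenged else None

    def tick(self, now):
        for sid, p in list(self.pending.items()):
            if p.deadline is None or now < p.deadline:
                continue
            if not p.challenged and p.attempts <= RETRANSMITS:
                p.attempts += 1              # retransmit the Access-Request
                p.deadline = now + TIMEOUT
            else:
                del self.pending[sid]        # timed out completely

def simulate(expire_challenged, seconds=120):
    """Constructed scenario: one lost request, one accepted, one stalled after a challenge."""
    t = AuthTracker(expire_challenged)
    for sid in ("lost", "accepted", "stalled"):
        t.send_request(sid, now=0)
    t.on_reply("accepted", "Access-Accept", now=1)
    t.on_reply("stalled", "Access-Challenge", now=1)   # client never continues
    for now in range(seconds + 1):
        t.tick(now)
    return sorted(t.pending)                 # session ids still counted as outstanding
```

In this model the lost request ages out after the initial attempt plus three retransmits, while the challenged session stays counted indefinitely unless the overall deadline is armed.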



  • 6.  RE: RADIUS Outstanding Auths

    Posted Oct 03, 2018 09:52 AM

    Thanks Charlie- this was the condition I was hoping to understand.

     


    @cclemmer: The outstanding auths would have likely been related to radius challenges, which could explain why they weren't timed out ... since a challenge was received for the initial access-request.

     



  • 7.  RE: RADIUS Outstanding Auths

    Posted Oct 03, 2018 12:02 PM

    So we definitely had some hiccups with RADIUS that we could attribute to the increased Outstanding Auths as you've described it.

     

    It seems though that outstanding auths:

    a) influences loadbalancing

    b) doesn't get zeroed with a clear stats (or an inservice, or a no enable/enable)

     

    The only way it appeared we could easily re-balance the load across servers in the group was to redefine the server and update our group membership.  So, I guess is the condition you described not leading to a timeout a bug?  And/or is there a more graceful way to clear that counter after our RADIUS servers stabilized?