Many open sessions.

Technical questions about UTM 5.0
Closed
Elias292
Posts: 11
Registered: Tue Apr 08, 2014 14:10

Post by Elias292 »

Please help a newbie.
I was handed a system that was already fully configured, and I don't know how to work with it.

I upgraded from 5.2.1-007 to 5.3-001-update4-centos5.
Now, in the Dialup and VPN reports, some users have a lot of open and updated sessions, more than a hundred.
Moreover, the session ID is the same, while the session start times differ.
Right now I am looking at the report and there are two groups of sessions with two different IDs, one from today and the other from 4 days ago, and all of them keep being updated. It says "Сессия обновлена" ("Session updated"). I have a feeling something is wrong here.

Where should I look? How can I fix this?

serjk
NetUP Team
Posts: 719
Registered: Mon Aug 14, 2006 08:56

Post by serjk »

Look at the RADIUS logs to see why active sessions are being closed. And post your radius5.cfg here (without logins and passwords).

Elias292
Posts: 11
Registered: Tue Apr 08, 2014 14:10

Post by Elias292 »

I commented out the line
radius_ippool_acct_timeout=30

in /netup/utm5/radius5.cfg
Did I do the right thing?

Elias292
Posts: 11
Registered: Tue Apr 08, 2014 14:10

Post by Elias292 »

Here is the config.

And one more thing: how can I make it so that I can see in the logs the passwords that users enter?
I added show-password to the pppd config.
Now I know which passwords users enter with PAP authentication, but with CHAP the password is not shown.


##
## /netup/utm5/radius5.cfg
## UTM5 RADIUS server configuration file
##

## =============================================================================
## MAIN RADIUS SERVER PARAMETERS
## =============================================================================

## core_host
## Description: IP address of a host running the utm5_core
## Possible values: an IP address
## Required field.
core_host=127.0.0.1

## core_port
## Description: UTM5 core listening port. Equal to stream_bind_port parameter
## in utm5.cfg.
## Possible values: an integer from 1 to 65534
## Required field.
core_port=12758

## radius_login
## Description: A system user login to access the UTM5 core.
## Possible values: <string>
## Default value: radius

## radius_password
## Description: A system user password to access the UTM5 core.
## Possible values: <string>
## Default value: radius

## radius_ssl_type
## Description: SSL connection type. If 'none' is set, the connection
## is unencrypted.
## Possible values: tls1, ssl3, none
## Default value: none
#radius_ssl_type=none

## radius_acct_host
## Description: IP address of the host receiving Accounting-Requests.
## Possible values: interface IP address or 0.0.0.0
## Default value: 0.0.0.0

## radius_acct_port
## Description: Port of the host receiving Accounting-Requests.
## Possible values: an integer from 1 to 65534
## Default value: 1813

## radius_auth_host
## Description: IP address of the host receiving Access-Requests.
## Possible values: interface IP address or 0.0.0.0
## Default value: 0.0.0.0

## radius_auth_port
## Description: Port of the host receiving Access-Requests.
## Possible values: an integer from 1 to 65534
## Default value: 1812

## radius_auth_mppe
## Description: Enables MPPE 128 bit key generation used for authorization
## via MS-CHAP-v2 protocol.
## Possible values: enable
## Default value: the keys are not generated
radius_auth_mppe=enable

## radius_auth_vap
## Description: If the value is set, authorization of blocked users, whose
## logins are set in IP traffic service link, is disallowed.
## Possible values: 1
## Default value: authorization is allowed

## radius_ippool_acct_timeout
## Description: A time interval during which the IP address is labeled as
## occupied after sending Access-Accept.
## Possible values: time in seconds
## Default value: 30
#radius_ippool_acct_timeout=30

## radius_ippool_timeout
## Description: A time interval during which the IP address is labeled as
## occupied after receiving Accounting-Start.
## Possible values: time in seconds
## Default value: The address is labeled as occupied until coming of the
## Stop packet

## radius_auth_null
## Description: If enabled, the RADIUS server authorizes requests without
## User-Password(2) attribute, if the user's password, defined in the
## service link, is empty.
## Possible values: yes, enable
## Default value: authorization without a password is not performed
#radius_auth_null=yes

## radius_auth_h323_remote_address
## Description: If enabled, then telephone calls authentication is performed
## using h323-remote-address(9;23) attribute value, but not using
## User-Name(1) attribute. The attribute value is used as a login.
## Possible values: enable, on, yes
## Default value: replacement of login with h323-remote-address is not
## performed

## radius_nas_port_vpn
## Description: This parameter is checked against NAS-Port-Type(61) attribute
## value when connecting using the login specified in the IP traffic service
## link. Several values can be set.
## Possible values: a positive integer
## Default value: Checking against NAS-Port-Type for the IP traffic service
## link is not performed

## radius_nas_port_dialup
## Description: This parameter is checked against NAS-Port-Type(61) attribute
## value when connecting using the login specified in the Dial-up service
## link. Several values can be set.
## Possible values: a positive integer
## Default value: checking against NAS-Port-Type for the Dial-up service link
## is not performed

## radius_nas_port_tel
## Description: This parameter is checked against NAS-Port-Type(61) attribute
## value when connecting using the login specified in the Telephony service
## link. Several values can be set.
## Possible values: a positive integer
## Default value: checking against NAS-Port-Type for the Telephony service
## link is not performed

## radius_card_autoadd
## Description: If 'yes' is set, the automatic registration of users is
## enabled via the RADIUS server using prepaid cards. In this case in the
## Login field a user enters the card number and in the Password field - the
## PIN code. In case of the Telephony service, in the Login field it is
## entered the PIN code or its first part and the remainder is used as a
## password.

## Possible values: yes, on, enable
## Default value: automatic registration is not performed
radius_card_autoadd=no

## send_xpgk_ep_number
## Description: If this option is enabled, for the Telephony service, when a
## user is being authorized, in Access-Accept it is transmitted the
## Cisco-AVPair(9;1) attribute with the value:
## xpgk-ep-number=<a semicolon separated list of telephone numbers>.
## Possible values: <any>
## Default value: telephone numbers are not transmitted in affirmative replies
## to authorization requests

## send_h323_ivr_in
## Description: If this option is enabled, for the Telephony service, when a
## user is being authorized, in Access-Accept it is transmitted the
## Cisco-AVPair(9;1) attribute with the value: h323-ivr-in=terminal-alias:
## <a semicolon separated list of telephone numbers>.
## Possible values: <any>
## Default value: telephone numbers are not transmitted in affirmative replies
## to authorization requests

## enable_fast_telephony
## Description: This option enables the rapid mechanism for determination of
## directions and zones when rating telephone calls. In this case templates
## for telephone directions must contain the digits from 0 to 9 and the
## symbols: ^ $ + )( |.
## Possible values: enable, yes
## Default value: the default mechanism for determination of zone/direction
## is used

## h323_origin_reject
## Description: Sets zero cost for Accounting-Requests in which the
## h323-call-origin(9;26) attribute equals the value of this parameter.
## Possible values: <string>
## Default value: unset
#h323_origin_reject=originate {answer|callback|etc}

## interim_update_interval
## Description: Enables session control mechanism using Interim-Update
## packets. The value is transmitted in the Acct-Interim-Interval(85)
## attribute of the Access-Accept packet.
## Possible values: time in seconds, more than 61
## Default value: the default session closure control mechanism is used
interim_update_interval=90

## radius_default_session_timeout
## Description: A value of the Session-Timeout(27) attribute transmitted in
## Access-Accept for the IP traffic service link.
## Possible values: a positive integer
## Default value: 86400
radius_default_session_timeout=86400

## radius_callback_avpair_enable
## Description: Enables transmission of the Cisco-AVPair(9;1) attribute with
## the value lcp:callback-dialstring=<callback number>, where
## <callback number> is the part of the login from the beginning to the
## ':'-symbol.
## Possible values: <any>
## Default value: unset

## radius_acct_rewrite_login_answer
## Description: If the value of the h323-call-origin(9;26) attribute is
## 'originate', then setting this parameter enables replacing of the login
## with the value of the h323-remote-address(9;23) attribute when processing
## Accounting-Request packets.
## Possible values: enable, on, true
## Default value: unset

## radius_acct_rewrite_login_originate
## Description: If the value of the h323-call-origin(9;26) attribute is
## 'answer', then setting this parameter enables replacing of the login with
## the value of the h323-remote-address(9;23) attribute when processing
## Accounting-Request packets.
## Possible values: enable, on, true
## Default value: unset

## =============================================================================
## LOGGING (valid if logfile rotation is enabled)
## =============================================================================

## log_level
## Description: Logging level.
## Possible values: 0, 1, 2, 3
## Default value: 1

## log_file_main
## Description: Main logfile path.
## Possible values: <filename>
## Default value: STDERR
log_file_main=/netup/utm5/log/radius.log

## log_file_debug
## Description: Debug logfile path.
## Possible values: <filename>
## Default value: STDERR
log_file_debug=/netup/utm5/log/radius.log

## log_file_critical
## Description: Critical logfile path.
## Possible values: <filename>
## Default value: STDERR

## rotate_logs
## Description: Enables rotation of logfiles.
## Possible values: yes, on, enable
## Default value: rotation is disabled
rotate_logs=yes

## max_logfile_size
## Description: Maximum logfile size. When logfile size reaches this limit,
## a rotation is performed.
## Possible values: a size in bytes
## Default value: 10485760
max_logfile_size=100000000

## max_logfile_count
## Description: Maximum number of logfiles to retain. Valid if logfile rotation
## is on.
## Default value: not limited

## guest_pool_name
## Description: named IP pool of guest users
## Possible values: pool name
## Authorize unknown users as IP pool users and assign IP address from this pool if it's set
## Default value: not set
guest_pool_name=guest-pool

## blocked_pool_name
## Description: named IP pool of blocked users
## Possible values: pool name
## Authorize blocked users as IP pool users and assign IP address from this pool if it's set
## Default value: not set
blocked_pool_name=blocket-pool

## radius_auth_tel_ext_reg
## Description: process telephony registration request when Called-Station-Id is equal to Called-Station-Id
## if it's set
## Possible values: yes, on, enable
## Default value: disabled

## tls_certificate_path
## Description: path to server certificate file for EAP-TTLS authentication algorithm
## Possible values: <filename>
## Default value: not set

## tls_private_key_path
## Description: path to server private key file for EAP-TTLS authentication algorithm
## Possible values: <filename>
## Default value: not set

## tel_session_timeout
## Description: longest duration of VoIP call
## Possible values: time in seconds
## Default value: 86400

## disconnect_request_timeout
## Description: timeout for PoD response to happen, when session has been dropped manually
## Possible values: time in seconds
## Default value: 5

## incoming_trunk_format
## Description: telephony incoming trunk disposition in format vendor_id:attribute_id:regexp
## Possible values: 2:100:h323-incoming-trunk=([0-9]{7})
## Default value: not used

## outgoing_trunk_format
## Description: telephony outgouing trunk disposition in format vendor_id:attribute_id:regexp
## Possible values: 2:101:h323-outgoing-trunk=([0-9]{7})
## Default value: not used

## pbx_id_format
## Description: tepehhony pbx id disposition in format vendor_id:attribute_id:regexp
## Possible data: 2:102:h323-pbx-id=([0-9]{7})
## Default value: not used

serjk
NetUP Team
Posts: 719
Registered: Mon Aug 14, 2006 08:56

Post by serjk »

radius_ippool_acct_timeout=30 is a normal setting.

Is sending of interim-update configured on the NAS?

With CHAP, passwords are not transmitted (a hash is transmitted), so they cannot be viewed.
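
Why PAP passwords can be logged while CHAP ones cannot, as an added example that is not part of the original thread: it builds the RADIUS CHAP-Password attribute (RFC 1994 response, RFC 2865 attribute 3) and the RADIUS User-Password hiding used with PAP (RFC 2865), then shows that only the PAP value can be turned back into the password. All passwords, secrets, challenges and function names here are constructed for illustration.

```python
import hashlib
import hmac


def chap_response(ident: int, password: bytes, challenge: bytes) -> bytes:
    """RFC 1994: response = MD5(CHAP identifier || secret || challenge)."""
    return hashlib.md5(bytes([ident]) + password + challenge).digest()


def verify_chap(chap_password_attr: bytes, challenge: bytes,
                stored_password: bytes) -> bool:
    """Server-side check of a CHAP-Password attribute (1-byte ident + 16-byte MD5).

    The server never sees the password on the wire; it recomputes the hash
    from the password it has stored and compares the two digests.
    """
    if len(chap_password_attr) != 17:
        raise ValueError("CHAP-Password must be 1 + 16 bytes")
    ident, response = chap_password_attr[0], chap_password_attr[1:]
    expected = chap_response(ident, stored_password, challenge)
    return hmac.compare_digest(expected, response)


def pap_hide(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 User-Password: XOR the padded password with an MD5 keystream."""
    size = max(16, -(-len(password) // 16) * 16)   # pad to a multiple of 16
    padded = password.ljust(size, b"\x00")
    out, prev = b"", authenticator
    for i in range(0, size, 16):
        mask = hashlib.md5(secret + prev).digest()
        block = bytes(a ^ b for a, b in zip(padded[i:i + 16], mask))
        out += block
        prev = block                                # chaining value for next block
    return out


def pap_recover(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Inverse of pap_hide: anyone holding the shared secret gets the cleartext."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        mask = hashlib.md5(secret + prev).digest()
        block = hidden[i:i + 16]
        out += bytes(a ^ b for a, b in zip(block, mask))
        prev = block
    return out.rstrip(b"\x00")


def demo() -> dict:
    # Constructed values, not taken from the thread.
    password = b"constructed-pass"
    secret = b"constructed-nas-secret"
    authenticator = bytes(range(16))
    challenge = bytes(range(16, 32))
    ident = 1

    chap_attr = bytes([ident]) + chap_response(ident, password, challenge)
    hidden = pap_hide(password, secret, authenticator)
    return {
        "chap_ok": verify_chap(chap_attr, challenge, password),
        "chap_wrong_password": verify_chap(chap_attr, challenge, b"another-pass"),
        "chap_attr_contains_password": password in chap_attr,
        "pap_recovered": pap_recover(hidden, secret, authenticator),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, "=", value)
```

CHAP verification works only because the server keeps the password in a form it can feed into the hash, so the stored credentials need the same protection as a cleartext password file, and so do any logs written with show-password.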

Elias292
Posts: 11
Registered: Tue Apr 08, 2014 14:10

Post by Elias292 »

I did not configure interim-update specifically,
but since UTM reports "session updated" and shows how much the user has downloaded so far, it must be working.

Point
Posts: 242
Registered: Tue Nov 23, 2010 15:42

Post by Point »

I have a similar problem, observed on 5.3-001 U3/4/6.
In the admin interface it looks like this:

Code:

43123347	81ac2a58	buxgsosh4	xx.xxx.xxx.43	Tue Apr 08 17:09:21 YEKT 2014	Tue Apr 08 17:09:21 YEKT 2014			0.0.0.0	0:0:0:0:0:0:0:0
43123348	81ac2a58	buxgsosh4	xx.xxx.xxx.43	Tue Apr 08 17:09:21 YEKT 2014	Tue Apr 08 17:09:21 YEKT 2014			0.0.0.0	0:0:0:0:0:0:0:0
43123349	81ac2a58	buxgsosh4	xx.xxx.xxx.43	Tue Apr 08 17:09:21 YEKT 2014	Tue Apr 08 17:09:21 YEKT 2014			0.0.0.0	0:0:0:0:0:0:0:0
43123391	81ac2a58	buxgsosh4	xx.xxx.xxx.43	Tue Apr 08 17:10:16 YEKT 2014	Tue Apr 08 17:10:16 YEKT 2014			0.0.0.0	0:0:0:0:0:0:0:0
43123392	81ac2a58	buxgsosh4	xx.xxx.xxx.43	Tue Apr 08 17:10:16 YEKT 2014	Tue Apr 08 17:10:16 YEKT 2014			0.0.0.0	0:0:0:0:0:0:0:0
43123393	81ac2a58	buxgsosh4	xx.xxx.xxx.43	Tue Apr 08 17:10:16 YEKT 2014	Tue Apr 08 17:10:16 YEKT 2014			0.0.0.0	0:0:0:0:0:0:0:0
43123423	81ac2a58	buxgsosh4	xx.xxx.xxx.43	Tue Apr 08 17:11:17 YEKT 2014	Tue Apr 08 17:11:17 YEKT 2014			0.0.0.0	0:0:0:0:0:0:0:0
43123424	81ac2a58	buxgsosh4	xx.xxx.xxx.43	Tue Apr 08 17:11:17 YEKT 2014	Tue Apr 08 17:11:17 YEKT 2014			0.0.0.0	0:0:0:0:0:0:0:0
43123425	81ac2a58	buxgsosh4	xx.xxx.xxx.43	Tue Apr 08 17:11:17 YEKT 2014	Tue Apr 08 17:11:17 YEKT 2014			0.0.0.0	0:0:0:0:0:0:0:0
43123470	81ac2a58	buxgsosh4	xx.xxx.xxx.43	Tue Apr 08 17:12:18 YEKT 2014	Tue Apr 08 17:12:18 YEKT 2014			0.0.0.0	0:0:0:0:0:0:0:0
43123471	81ac2a58	buxgsosh4	xx.xxx.xxx.43	Tue Apr 08 17:12:18 YEKT 2014	Tue Apr 08 17:12:18 YEKT 2014			0.0.0.0	0:0:0:0:0:0:0:0
43123472	81ac2a58	buxgsosh4	xx.xxx.xxx.43	Tue Apr 08 17:12:18 YEKT 2014	Tue Apr 08 17:12:18 YEKT 2014			0.0.0.0	0:0:0:0:0:0:0:0
43123502	81ac2a58	buxgsosh4	xx.xxx.xxx.43	Tue Apr 08 17:13:19 YEKT 2014	Tue Apr 08 17:13:19 YEKT 2014			0.0.0.0	0:0:0:0:0:0:0:0
43123503	81ac2a58	buxgsosh4	xx.xxx.xxx.43	Tue Apr 08 17:13:20 YEKT 2014	Tue Apr 08 17:13:20 YEKT 2014			0.0.0.0	0:0:0:0:0:0:0:0
43123504	81ac2a58	buxgsosh4	xx.xxx.xxx.43	Tue Apr 08 17:13:20 YEKT 2014	Tue Apr 08 17:13:20 YEKT 2014			0.0.0.0	0:0:0:0:0:0:0:0
43123533	81ac2a58	buxgsosh4	xx.xxx.xxx.43	Tue Apr 08 17:14:20 YEKT 2014	Tue Apr 08 17:14:20 YEKT 2014			0.0.0.0	0:0:0:0:0:0:0:0
43123534	81ac2a58	buxgsosh4	xx.xxx.xxx.43	Tue Apr 08 17:14:20 YEKT 2014	Tue Apr 08 17:14:20 YEKT 2014			0.0.0.0	0:0:0:0:0:0:0:0
43123535	81ac2a58	buxgsosh4	xx.xxx.xxx.43	Tue Apr 08 17:14:20 YEKT 2014	Tue Apr 08 17:14:20 YEKT 2014			0.0.0.0	0:0:0:0:0:0:0:0
43123576	81ac2a58	buxgsosh4	xx.xxx.xxx.43	Tue Apr 08 17:15:21 YEKT 2014	Tue Apr 08 17:15:21 YEKT 2014			0.0.0.0	0:0:0:0:0:0:0:0
43123577	81ac2a58	buxgsosh4	xx.xxx.xxx.43	Tue Apr 08 17:15:21 YEKT 2014	Tue Apr 08 17:15:21 YEKT 2014			0.0.0.0	0:0:0:0:0:0:0:0
43123578	81ac2a58	buxgsosh4	xx.xxx.xxx.43	Tue Apr 08 17:15:21 YEKT 2014	Tue Apr 08 17:15:21 YEKT 2014			0.0.0.0	0:0:0:0:0:0:0:0
43123612	81ac2a58	buxgsosh4	xx.xxx.xxx.43	Tue Apr 08 17:16:22 YEKT 2014	Tue Apr 08 17:16:22 YEKT 2014			0.0.0.0	0:0:0:0:0:0:0:0
43123613	81ac2a58	buxgsosh4	xx.xxx.xxx.43	Tue Apr 08 17:16:22 YEKT 2014	Tue Apr 08 17:16:22 YEKT 2014			0.0.0.0	0:0:0:0:0:0:0:0
43123615	81ac2a58	buxgsosh4	xx.xxx.xxx.43	Tue Apr 08 17:16:22 YEKT 2014	Tue Apr 08 17:16:22 YEKT 2014			0.0.0.0	0:0:0:0:0:0:0:0
43123652	81ac2a58	buxgsosh4	xx.xxx.xxx.43	Tue Apr 08 17:17:23 YEKT 2014	Tue Apr 08 17:17:23 YEKT 2014			0.0.0.0	0:0:0:0:0:0:0:0
43123653	81ac2a58	buxgsosh4	xx.xxx.xxx.43	Tue Apr 08 17:17:23 YEKT 2014	Tue Apr 08 17:17:23 YEKT 2014			0.0.0.0	0:0:0:0:0:0:0:0
43123654	81ac2a58	buxgsosh4	xx.xxx.xxx.43	Tue Apr 08 17:17:23 YEKT 2014	Tue Apr 08 17:17:23 YEKT 2014			0.0.0.0	0:0:0:0:0:0:0:0
43123689	81ac2a58	buxgsosh4	xx.xxx.xxx.43	Tue Apr 08 17:18:24 YEKT 2014	Tue Apr 08 17:18:24 YEKT 2014			0.0.0.0	0:0:0:0:0:0:0:0
43123690	81ac2a58	buxgsosh4	xx.xxx.xxx.43	Tue Apr 08 17:18:25 YEKT 2014	Tue Apr 08 17:18:25 YEKT 2014			0.0.0.0	0:0:0:0:0:0:0:0
43123691	81ac2a58	buxgsosh4	xx.xxx.xxx.43	Tue Apr 08 17:18:25 YEKT 2014	Tue Apr 08 17:18:25 YEKT 2014			0.0.0.0	0:0:0:0:0:0:0:0
43123735	81ac2a58	buxgsosh4	xx.xxx.xxx.43	Tue Apr 08 17:19:25 YEKT 2014	Tue Apr 08 17:19:25 YEKT 2014			0.0.0.0	0:0:0:0:0:0:0:0
43123737	81ac2a58	buxgsosh4	xx.xxx.xxx.43	Tue Apr 08 17:19:25 YEKT 2014	Tue Apr 08 17:19:25 YEKT 2014			0.0.0.0	0:0:0:0:0:0:0:0
43123739	81ac2a58	buxgsosh4	xx.xxx.xxx.43	Tue Apr 08 17:19:26 YEKT 2014	Tue Apr 08 17:19:26 YEKT 2014			0.0.0.0	0:0:0:0:0:0:0:0
43123782	81ac2a58	buxgsosh4	xx.xxx.xxx.43	Tue Apr 08 17:20:26 YEKT 2014	Tue Apr 08 17:20:26 YEKT 2014			0.0.0.0	0:0:0:0:0:0:0:0
43123783	81ac2a58	buxgsosh4	xx.xxx.xxx.43	Tue Apr 08 17:20:26 YEKT 2014	Tue Apr 08 17:20:26 YEKT 2014			0.0.0.0	0:0:0:0:0:0:0:0
43123784	81ac2a58	buxgsosh4	xx.xxx.xxx.43	Tue Apr 08 17:20:27 YEKT 2014	Tue Apr 08 17:20:27 YEKT 2014			0.0.0.0	0:0:0:0:0:0:0:0
43123824	81ac2a58	buxgsosh4	xx.xxx.xxx.43	Tue Apr 08 17:21:27 YEKT 2014	Tue Apr 08 17:21:27 YEKT 2014			0.0.0.0	0:0:0:0:0:0:0:0
43123825	81ac2a58	buxgsosh4	xx.xxx.xxx.43	Tue Apr 08 17:21:27 YEKT 2014	Tue Apr 08 17:21:27 YEKT 2014			0.0.0.0	0:0:0:0:0:0:0:0
43123826	81ac2a58	buxgsosh4	xx.xxx.xxx.43	Tue Apr 08 17:21:28 YEKT 2014	Tue Apr 08 17:21:28 YEKT 2014			0.0.0.0	0:0:0:0:0:0:0:0
43123875	81ac2a58	buxgsosh4	xx.xxx.xxx.43	Tue Apr 08 17:22:28 YEKT 2014	Tue Apr 08 17:22:28 YEKT 2014			0.0.0.0	0:0:0:0:0:0:0:0
43123876	81ac2a58	buxgsosh4	xx.xxx.xxx.43	Tue Apr 08 17:22:28 YEKT 2014	Tue Apr 08 17:22:28 YEKT 2014			0.0.0.0	0:0:0:0:0:0:0:0
43123878	81ac2a58	buxgsosh4	xx.xxx.xxx.43	Tue Apr 08 17:22:29 YEKT 2014	Tue Apr 08 17:22:29 YEKT 2014			0.0.0.0	0:0:0:0:0:0:0:0
43123930	81ac2a58	buxgsosh4	xx.xxx.xxx.43	Tue Apr 08 17:23:30 YEKT 2014	Tue Apr 08 17:23:30 YEKT 2014			0.0.0.0	0:0:0:0:0:0:0:0
43123931	81ac2a58	buxgsosh4	xx.xxx.xxx.43	Tue Apr 08 17:23:30 YEKT 2014	Tue Apr 08 17:23:30 YEKT 2014			0.0.0.0	0:0:0:0:0:0:0:0
43123932	81ac2a58	buxgsosh4	xx.xxx.xxx.43	Tue Apr 08 17:23:30 YEKT 2014	Tue Apr 08 17:23:30 YEKT 2014			0.0.0.0	0:0:0:0:0:0:0:0
43123970	81ac2a58	buxgsosh4	xx.xxx.xxx.43	Tue Apr 08 17:24:30 YEKT 2014	Tue Apr 08 17:24:30 YEKT 2014			0.0.0.0	0:0:0:0:0:0:0:0
43123971	81ac2a58	buxgsosh4	xx.xxx.xxx.43	Tue Apr 08 17:24:30 YEKT 2014	Tue Apr 08 17:24:30 YEKT 2014			0.0.0.0	0:0:0:0:0:0:0:0
43123972	81ac2a58	buxgsosh4	xx.xxx.xxx.43	Tue Apr 08 17:24:31 YEKT 2014	Tue Apr 08 17:24:31 YEKT 2014			0.0.0.0	0:0:0:0:0:0:0:0
43124009	81ac2a58	buxgsosh4	xx.xxx.xxx.43	Tue Apr 08 17:25:31 YEKT 2014	Tue Apr 08 17:25:31 YEKT 2014			0.0.0.0	0:0:0:0:0:0:0:0
43124010	81ac2a58	buxgsosh4	xx.xxx.xxx.43	Tue Apr 08 17:25:31 YEKT 2014	Tue Apr 08 17:25:31 YEKT 2014			0.0.0.0	0:0:0:0:0:0:0:0
43124011	81ac2a58	buxgsosh4	xx.xxx.xxx.43	Tue Apr 08 17:25:32 YEKT 2014	Tue Apr 08 17:25:32 YEKT 2014			0.0.0.0	0:0:0:0:0:0:0:0
43124053	81ac2a58	buxgsosh4	xx.xxx.xxx.43	Tue Apr 08 17:26:32 YEKT 2014	Tue Apr 08 17:26:32 YEKT 2014			0.0.0.0	0:0:0:0:0:0:0:0
43124054	81ac2a58	buxgsosh4	xx.xxx.xxx.43	Tue Apr 08 17:26:32 YEKT 2014	Tue Apr 08 17:26:32 YEKT 2014			0.0.0.0	0:0:0:0:0:0:0:0
43124055	81ac2a58	buxgsosh4	xx.xxx.xxx.43	Tue Apr 08 17:26:33 YEKT 2014	Tue Apr 08 17:26:33 YEKT 2014			0.0.0.0	0:0:0:0:0:0:0:0
43124092	81ac2a58	buxgsosh4	xx.xxx.xxx.43	Tue Apr 08 17:27:33 YEKT 2014	Tue Apr 08 17:27:33 YEKT 2014			0.0.0.0	0:0:0:0:0:0:0:0
43124094	81ac2a58	buxgsosh4	xx.xxx.xxx.43	Tue Apr 08 17:27:33 YEKT 2014	Tue Apr 08 17:27:33 YEKT 2014			0.0.0.0	0:0:0:0:0:0:0:0
43124095	81ac2a58	buxgsosh4	xx.xxx.xxx.43	Tue Apr 08 17:27:34 YEKT 2014	Tue Apr 08 17:27:34 YEKT 2014			0.0.0.0	0:0:0:0:0:0:0:0
43124132	81ac2a58	buxgsosh4	xx.xxx.xxx.43	Tue Apr 08 17:28:34 YEKT 2014	Tue Apr 08 17:28:34 YEKT 2014			0.0.0.0	0:0:0:0:0:0:0:0
43124133	81ac2a58	buxgsosh4	xx.xxx.xxx.43	Tue Apr 08 17:28:34 YEKT 2014	Tue Apr 08 17:28:34 YEKT 2014			0.0.0.0	0:0:0:0:0:0:0:0
43124135	81ac2a58	buxgsosh4	xx.xxx.xxx.43	Tue Apr 08 17:28:35 YEKT 2014	Tue Apr 08 17:28:35 YEKT 2014			0.0.0.0	0:0:0:0:0:0:0:0
43124174	81ac2a58	buxgsosh4	xx.xxx.xxx.43	Tue Apr 08 17:29:35 YEKT 2014	Tue Apr 08 17:29:35 YEKT 2014			0.0.0.0	0:0:0:0:0:0:0:0
43124175	81ac2a58	buxgsosh4	xx.xxx.xxx.43	Tue Apr 08 17:29:35 YEKT 2014	Tue Apr 08 17:29:35 YEKT 2014			0.0.0.0	0:0:0:0:0:0:0:0
43124176	81ac2a58	buxgsosh4	xx.xxx.xxx.43	Tue Apr 08 17:29:36 YEKT 2014	Tue Apr 08 17:29:36 YEKT 2014			0.0.0.0	0:0:0:0:0:0:0:0
43124205	81ac2a58	buxgsosh4	xx.xxx.xxx.43	Tue Apr 08 17:30:36 YEKT 2014	Tue Apr 08 17:30:36 YEKT 2014			0.0.0.0	0:0:0:0:0:0:0:0
43124206	81ac2a58	buxgsosh4	xx.xxx.xxx.43	Tue Apr 08 17:30:36 YEKT 2014	Tue Apr 08 17:30:36 YEKT 2014			0.0.0.0	0:0:0:0:0:0:0:0
43124207	81ac2a58	buxgsosh4	xx.xxx.xxx.43	Tue Apr 08 17:30:37 YEKT 2014	Tue Apr 08 17:30:37 YEKT 2014			0.0.0.0	0:0:0:0:0:0:0:0
43124247	81ac2a58	buxgsosh4	xx.xxx.xxx.43	Tue Apr 08 17:31:37 YEKT 2014	Tue Apr 08 17:31:37 YEKT 2014			0.0.0.0	0:0:0:0:0:0:0:0
In the dial-up and VPN reports:

Code:

43139444	Wed Apr 09 00:00:00 YEKT 2014		PPPoE	XX:XX:XX:XX:7F:84	0.0.0.0	799484	81ac2a58	buxgsosh4	xx.xxx.xxx.43	Сессия обновлена (3)	73149531	0	1262711264	0	59416	0	0.0
43139445	Wed Apr 09 00:00:00 YEKT 2014		PPPoE	XX:XX:XX:XX:7F:84	0.0.0.0	799484	81ac2a58	buxgsosh4	xx.xxx.xxx.43	Сессия обновлена (3)	73149531	0	1262711264	0	59416	0	0.0

43141594	Wed Apr 09 01:27:27 YEKT 2014		PPPoE	XX:XX:XX:XX:7F:84	0.0.0.0	799484	81ac2a58	buxgsosh4	xx.xxx.xxx.43	Сессия обновлена (3)	73149531	0	1279089644	0

43148068	Wed Apr 09 07:29:23 YEKT 2014		PPPoE   XX:XX:XX:XX:7F:84	0.0.0.0	799484	81ac2a58	buxgsosh4	xx.xxx.xxx.43	Сессия обновлена (3)	73149531	0	1326100904	0	86379	0	0.0
43148069	Wed Apr 09 07:29:24 YEKT 2014		PPPoE   XX:XX:XX:XX:7F:84	0.0.0.0	799484	81ac2a58	buxgsosh4	xx.xxx.xxx.43	Сессия обновлена (3)	73149531	0	1326100904	0	86379	0	0.0
43148084	Wed Apr 09 07:29:43 YEKT 2014	09.04.2014 07:29:43	PPPoE   XX:XX:XX:XX:7F:84	0.0.0.0	799484	81ac2a58	buxgsosh4	xx.xxx.xxx.43	Сессия закрыта (2)	73149531	0	1326153704	0	86400	5	0.0
43148085	Wed Apr 09 07:29:44 YEKT 2014	09.04.2014 07:29:44	PPPoE   XX:XX:XX:XX:7F:84	0.0.0.0	799484	81ac2a58	buxgsosh4	xx.xxx.xxx.43	Сессия закрыта (2)	73149531	0	1326153704	0	86400	5	0.0
43148086	Wed Apr 09 07:29:44 YEKT 2014	09.04.2014 07:29:44	PPPoE   XX:XX:XX:XX:7F:84	0.0.0.0	799484	81ac2a58	buxgsosh4	xx.xxx.xxx.43	Сессия закрыта (2)	73149531	0	1326153704	0	86400	5	0.0
That is, there are a bunch of open sessions and normally closed ones at the same time.

The RADIUS config, with everything commented out removed:

Code:

## /netup/utm5/radius5.cfg
## UTM5 RADIUS server configuration file
##

## =============================================================================
## MAIN RADIUS SERVER PARAMETERS
## =============================================================================


core_host=127.0.0.1


core_port=12758


radius_ippool_timeout=8640


interim_update_interval=61


blocked_pool_name=nomoney

radius_auth_tel_ext_reg=yes


## =============================================================================
## LOGGING (valid if logfile rotation is enabled)
## =============================================================================


log_level=1

log_file_main=/netup/utm5/log/radius.log


log_file_debug=/netup/utm5/log/radius-debug.log



log_file_critical=/netup/utm5/log/radius-critical.log


rotate_logs=yes
The NASes are different, and the client logins are different too.

Here is another client from a different NAS:

Code:

42869839	Tue Apr 01 16:28:11 YEKT 2014		PPPoE	XX:XX:XX:XX:E6:77	0.0.0.0	264221	81a3eb80	doriss	xx.xxx.xxx.49	Сессия обновлена (3)	869927	0	6107265	0	305	0	0.0
42869840	Tue Apr 01 16:28:11 YEKT 2014		PPPoE	XX:XX:XX:XX:E6:77	0.0.0.0	264221	81a3eb80	doriss	xx.xxx.xxx.49	Сессия обновлена (3)	869927	0	6107265	0	305	0	0.0
42869842	Tue Apr 01 16:28:11 YEKT 2014		PPPoE	XX:XX:XX:XX:E6:77	0.0.0.0	264221	81a3eb80	doriss	xx.xxx.xxx.49	Сессия обновлена (3)	869927	0	6107265	0	305	0	0.0
42869864	Tue Apr 01 16:32:45 YEKT 2014	01.04.2014 16:34:37	PPPoE	XX:XX:XX:XX:E6:77	91.205.208.178	264221	81a3eb80	doriss	xx.xxx.xxx.49	Сессия закрыта (2)	1797549	0	10385174	0	610	0	0.0
42869945	Tue Apr 01 16:34:43 YEKT 2014	01.04.2014 18:58:17	PPPoE	XX:XX:XX:XX:E6:77	91.205.208.178	264221	81a3eb80	doriss	xx.xxx.xxx.49	Сессия закрыта (2)	4845683	0	52484868	0	9274	0	0.0
And the open sessions have been hanging there since April 1.

serjk
NetUP Team
Posts: 719
Registered: Mon Aug 14, 2006 08:56

Post by serjk »

The core and RADIUS logs for these clients are needed; there is no other way.

And it is better to comment out radius_ippool_timeout altogether.

Point
Posts: 242
Registered: Tue Nov 23, 2010 15:42

Post by Point »

A piece of the RADIUS log for a client that has a bunch of open sessions; the client cannot connect and gets error 691:

Code:

Apr 14 10:44:29 ?Debug : 28767c40 AuthQueue: New request from 91.205.208.36:33099
--- RADIUS Pkt ---
  Code: [1]  ID:   [-119]
  Auth: Size 16; Data [0x08df4e16e2b9bc99054eb52e4bf51b6d]
    Attr: [6] Vendor: [0] Size 4; Data [0x00000002]
        (Service-Type=INT:2)
    Attr: [7] Vendor: [0] Size 4; Data [0x00000001]
        (Framed-Protocol=INT:1)
    Attr: [5] Vendor: [0] Size 4; Data [0x00961f0e]
        (NAS-Port=INT:9838350)
    Attr: [61] Vendor: [0] Size 4; Data [0x0000000f]
        (NAS-Port-Type=INT:15)
    Attr: [1] Vendor: [0] Size 8; Data [0x666962726f6c6974]
        (User-Name=STRING:fibrolit)
    Attr: [31] Vendor: [0] Size 17; Data [0x38343a43393a42323a34413a43423a3038]
        (Calling-Station-Id=STRING:XX:XX:XX:4A:CB:08)
    Attr: [30] Vendor: [0] Size 6; Data [0x6c616e6d616e]
        (Called-Station-Id=STRING:lanman)
    Attr: [87] Vendor: [0] Size 13; Data [0x56313538315f4d5a5f57694669]
        (NAS-Port-Id=STRING:V1581)
    Attr: [60] Vendor: [0] Size 16; Data [0x76d89bced3ecc777278b466db70146f2]
        (CHAP-Challenge=HEX:...)
    Attr: [3] Vendor: [0] Size 17; Data [0x014cb62907359dccfd1af18120d997c21e]
        (CHAP-Password=HEX:...)
    Attr: [32] Vendor: [0] Size 13; Data [0x39312e3230352e3230382e3336]
        (NAS-Identifier=STRING:XX.XXX.XXX.36)
    Attr: [4] Vendor: [0] Size 4; Data [0x5bcdd024]
        (NAS-IP-Address=IP:XX.XXX.XXX.36)

Apr 14 10:44:29 ?Debug : 28767c40 AuthQueue: Login 'fibrolit'
Apr 14 10:44:29 ?Debug : 28767c40 LoginStorage: Acquire: login 'fibrolit' used 1 times
Apr 14 10:44:29 ?Debug : 28767c40 AuthQueue: Login info found, slink_id 202689
Apr 14 10:44:29 ?Debug : 28767c40 AuthQueue: Using CHAP authentication method
Apr 14 10:44:29 ?Debug : 28767c40 AuthQueue: CHAP authentication OK
Apr 14 10:44:29 ?Debug : 28767c40 AuthQueue: Service ID 119 type 3; account ID 5363
Apr 14 10:44:29 ?Debug : 28767c40 AuthQueue: Allowed/recv CID: XX:XX:XX:4A:CB:08/XX:XX:XX:4A:CB:08
Apr 14 10:44:29  ERROR : 28767c40 IPPoolManager: unable to lease IP from LoginPool 'fibrolit'
Apr 14 10:44:29  ERROR : 28767c40 LogicError: unable to lease IP address
Apr 14 10:44:29 ?Trace : 28767c40 trace: Obtained 8 stack frames.
Apr 14 10:44:29 ?Trace : 28767c40 trace: 0x8068a33 <_ZN3UTM20InvalidArgumentErrorD1Ev+515> at /netup/utm5/bin/utm5_radius
Apr 14 10:44:29 ?Trace : 28767c40 trace: 0x806b5e7 <_ZN3UTM20InvalidArgumentErrorD1Ev+11703> at /netup/utm5/bin/utm5_radius
Apr 14 10:44:29 ?Trace : 28767c40 trace: 0x8061006 <_ZN6RADIUS19InvalidRequestErrorD1Ev+31462> at /netup/utm5/bin/utm5_radius
Apr 14 10:44:29 ?Trace : 28767c40 trace: 0x80666c7 <_ZN6RADIUS19InvalidRequestErrorD1Ev+53671> at /netup/utm5/bin/utm5_radius
Apr 14 10:44:29 ?Trace : 28767c40 trace: 0x8067a80 <_ZN6RADIUS19InvalidRequestErrorD1Ev+58720> at /netup/utm5/bin/utm5_radius
Apr 14 10:44:29 ?Trace : 28767c40 trace: 0x80a563f <_ZN6RADIUS14TransportErrorD1Ev+12911> at /netup/utm5/bin/utm5_radius
Apr 14 10:44:29 ?Trace : 28767c40 trace: 0x81011ff <_ZN3UTM6Thread6threadEPv+127> at /netup/utm5/bin/utm5_radius
Apr 14 10:44:29 ?Trace : 28767c40 trace: 0x2835d70f <pthread_getprio+447> at /lib/libthr.so.3
Apr 14 10:44:29  ERROR : 28767c40 AuthQueue: Unable to lease IP from 'fibrolit'
Apr 14 10:44:29  Info  : 28767c40 AuthQueue: Unable to authorize user
Apr 14 10:44:29 ?Debug : 28767c40 AcctQueue: lookup: session ID 1092535 closed
Apr 14 10:44:29 ?Debug : 28767c40 SessionManager: put: sessiond ID 1092535 from NAS 25 is closed
Apr 14 10:44:29 ?Debug : 28767c40 LoginStorage: Release: login 'fibrolit' used 0 times
Apr 14 10:44:29 ?Debug : 28767c40 AuthQueue: Reply 
The main log is silent at that time. After restarting RADIUS, the sessions in the dial-up and VPN report remained open but inactive, and the client authenticated successfully.

FreeBSD 8.0-RELEASE-p2
/utm5_core -v
NetUP UTM billing system core. Compile date: Mar 14 2014 16:02:14
Version:5.3-001-update6-bsd8 Rev #13999
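
A way to find such clients in radius.log, as an added example that is not part of the original thread: it separates rejections where CHAP succeeded but no IP could be leased (the case in the excerpt above, which the client sees as error 691) from all other rejections. The message strings come from the excerpt; the sample lines, the login 'demo-user', the function names, and the reading of the hex field after the level as a per-request worker id are assumptions.

```python
import re
from collections import Counter, defaultdict

# "<Mon DD HH:MM:SS> <level> : <hex id> <component>: <message>"
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s+\d\d:\d\d:\d\d)\s+\??(?P<level>\w+)\s*:\s+"
    r"(?P<worker>[0-9a-f]+)\s+(?P<component>\w+):\s+(?P<msg>.*)$"
)
LOGIN_RE = re.compile(r"^Login '([^']*)'$")

# Constructed sample in the format of the excerpt; two workers are interleaved.
SAMPLE_LOG = """\
Apr 14 10:44:29 ?Debug : 28767c40 AuthQueue: Login 'fibrolit'
Apr 14 10:44:29 ?Debug : 28767c40 AuthQueue: CHAP authentication OK
Apr 14 10:44:29  ERROR : 28767c40 IPPoolManager: unable to lease IP from LoginPool 'fibrolit'
Apr 14 10:44:29  Info  : 28767c40 AuthQueue: Unable to authorize user
Apr 14 10:45:02 ?Debug : 28767c40 AuthQueue: Login 'fibrolit'
Apr 14 10:45:02 ?Debug : 28767d80 AuthQueue: Login 'demo-user'
Apr 14 10:45:02 ?Debug : 28767c40 AuthQueue: CHAP authentication OK
Apr 14 10:45:02  Info  : 28767d80 AuthQueue: Unable to authorize user
Apr 14 10:45:02  ERROR : 28767c40 IPPoolManager: unable to lease IP from LoginPool 'fibrolit'
Apr 14 10:45:02  Info  : 28767c40 AuthQueue: Unable to authorize user
Apr 14 10:45:40 ?Debug : 28767d80 AuthQueue: Login 'fibrolit'
Apr 14 10:45:40 ?Debug : 28767d80 AuthQueue: CHAP authentication OK
Apr 14 10:45:40  ERROR : 28767d80 IPPoolManager: unable to lease IP from LoginPool 'fibrolit'
Apr 14 10:45:40  Info  : 28767d80 AuthQueue: Unable to authorize user
"""


def classify_rejections(lines):
    """Return {login: Counter} of rejected requests, split by cause."""
    in_flight = {}                    # worker id -> state of its current request
    result = defaultdict(Counter)
    for raw in lines:
        m = LINE_RE.match(raw.rstrip())
        if not m:
            continue                  # packet dumps, blank lines, etc.
        worker, component, msg = m["worker"], m["component"], m["msg"]

        login = LOGIN_RE.match(msg) if component == "AuthQueue" else None
        if login:
            in_flight[worker] = {"login": login.group(1),
                                 "auth_ok": False, "lease_failed": False}
            continue

        req = in_flight.get(worker)
        if req is None:
            continue
        if component == "AuthQueue" and msg.endswith("authentication OK"):
            req["auth_ok"] = True
        elif component == "IPPoolManager" and msg.startswith("unable to lease IP"):
            req["lease_failed"] = True
        elif component == "AuthQueue" and msg == "Unable to authorize user":
            if req["auth_ok"] and req["lease_failed"]:
                cause = "valid_credentials_no_ip"
            else:
                cause = "other"
            result[req["login"]][cause] += 1
            del in_flight[worker]
    return dict(result)


def pool_starved_logins(result, threshold):
    """Logins rejected at least `threshold` times despite valid credentials."""
    return sorted(login for login, causes in result.items()
                  if causes["valid_credentials_no_ip"] >= threshold)


if __name__ == "__main__":
    summary = classify_rejections(SAMPLE_LOG.splitlines())
    for name, causes in summary.items():
        print(name, dict(causes))
    print("pool-starved:", pool_starved_logins(summary, threshold=3))
```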

Point
Posts: 242
Registered: Tue Nov 23, 2010 15:42

Post by Point »

The Marlezon ballet continues in version UTM5.3.002-U1 + NAS Mikrotik as well.
A large number of users in the blocked state fail to authorize with radius_auth_vap=0; in the RADIUS session reports in the admin interface there is a bunch of open sessions with identical IDs, and in the client's dial-up and VPN reports there is likewise a fairly large number of open sessions with identical NAS session IDs.
This happens mainly at the change of the accounting period, when a fairly large number of clients get blocked.
After restarting the core, RADIUS and rfw the situation stabilizes and the clients' open sessions get closed.
The problem has been observed in all UTM-5.3 versions since the RADIUS server code was rewritten.

UTM5.3-002-update1-bsd8 Rev #14146
