Forum Discussion

Giammarco
Jan 17, 2014

RADIUS LB problems

Hi guys,

We have a "particular" infrastructure to load balance. Our devices send packets to a particular port and we have two RADIUS servers (each one assigns a different IP network to the remote client) with the dedicated services for the data port. For RADIUS access we use a classic VIP with round-robin balancing on a pool like this:

server1:1812 server2:1812

For the ACCOUNTING there is a pool defined like this:

server1:1813 server2:1813

But there is an iRule that parses the RADIUS packet, catches the RADIUS AVP FRAMED-IP-ADDRESS and selects the node (via a data group) that has assigned the IP. For example:

- The client connects.
- The F5 sends the access request to server1.
- server1 responds and sends the response with the IP 10.0.0.10.
- The client receives the IP.
- Then there is the accounting start, sent to the F5 VIP. The iRule checks the FRAMED-IP-ADDRESS inside (in this case 10.0.0.10), matches it against a datagroup where 10.0.0.0/24 is assigned to server1, and uses the "node" command to redirect the RADIUS accounting to the right server.

In most cases this iRule works, but often the traffic is sent in round-robin to the wrong server. For example, for the same client, the accounting stop or interim-update sent by the remote RADIUS is not routed to server1 (which has the network 10.0.0.0/24 in charge) but to server2 (which has another network to assign). This is a big problem because server1 doesn't mark the IP as "free" or "busy" and may or may not assign this particular IP.

Does anyone have an idea why this happens? Is there a bug, or something that I've done wrong?

I attach the iRule used. This problem occurs with LTM 11.2 and 11.4.

```tcl
when CLIENT_ACCEPTED {
    # Read the Framed-IP-Address AVP from the RADIUS accounting packet
    set terminalip [RADIUS::avp FRAMED-IP-ADDRESS]

    if { $terminalip ne "" } {
        # Look up the server that owns this IP in the data group
        set destination_server [class match -value $terminalip equals "datagroup_radius"]

        if { $destination_server ne "" } {
            log local0. "** Routing RADIUS Accouting IP $terminalip to server $destination_server"
            node $destination_server
        }
    }
}
```

Thanks!
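
Added example, not part of the original post and not F5 code: a Python model of the routing decision the iRule above makes, run over constructed Accounting-Request packets. It shows that a packet with no Framed-IP-Address, or with an address outside the data group, gets no node selection and is left to the pool's default load balancing. The second subnet, the node names with ports and the sample packets are assumptions.

```python
import ipaddress
import struct

FRAMED_IP_ADDRESS = 8          # RFC 2865 attribute type
ACCOUNTING_REQUEST = 4         # RFC 2866 packet code

# Constructed stand-in for the post's "datagroup_radius" (subnet -> node).
DATAGROUP = {
    ipaddress.ip_network("10.0.0.0/24"): "server1:1813",
    ipaddress.ip_network("10.0.1.0/24"): "server2:1813",  # assumed subnet
}

def framed_ip(packet: bytes):
    """Return the Framed-IP-Address in a RADIUS Accounting-Request, or None."""
    if len(packet) < 20:
        raise ValueError("shorter than the 20-byte RADIUS header")
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCOUNTING_REQUEST or not 20 <= length <= len(packet):
        raise ValueError("not a well-formed Accounting-Request")
    pos = 20                    # attributes start after the authenticator
    while pos + 2 <= length:
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("bad attribute length")
        if atype == FRAMED_IP_ADDRESS and alen == 6:
            return ipaddress.ip_address(packet[pos + 2:pos + 6])
        pos += alen
    return None

def route(packet: bytes) -> str:
    """Mirror the iRule's decision: a node name, or 'pool' for no selection."""
    ip = framed_ip(packet)
    if ip is None:
        return "pool"           # AVP absent: the iRule never calls node
    for net, node in DATAGROUP.items():
        if ip in net:
            return node
    return "pool"               # address not covered by the data group

def acct_request(attrs) -> bytes:
    """Build a constructed Accounting-Request (zeroed authenticator)."""
    body = b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)
    return struct.pack("!BBH", ACCOUNTING_REQUEST, 1, 20 + len(body)) + bytes(16) + body

# Constructed samples: a Start carrying 10.0.0.10 and a Stop with no Framed-IP-Address.
START = acct_request([(40, struct.pack("!I", 1)), (8, bytes([10, 0, 0, 10]))])
STOP_NO_IP = acct_request([(40, struct.pack("!I", 2))])
```

Feeding it the payloads from a capture of the accounting VIP shows, per packet, whether the iRule had anything to route on.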