
Re: squid_radius_auth


 



> We're in the process of rebuilding a couple web filter boxes on CentOS 4.5
> running Squid 2.5.STABLE14 (latest from yum) using squid_radius_auth 1.09
> for authentication with the following config:
>
> auth_param basic program /usr/local/squid/libexec/squid_radius_auth -f
> /usr/local/squid/etc/squid_radius_auth.conf
> auth_param basic children 30
> auth_param basic realm Filtered Web Service
> auth_param basic credentialsttl 4 hours
> auth_param basic casesensitive off
>
> We're seeing an odd issue where radius authentication will start failing
> sometime after the machine has been in production for a variable amount of
> time.  The issue appears to arise only after at least 6 hours, but
> sometimes as long as 10 or 11 hours.  If the machine is not in production
> and is only receiving test authentications the issue does not appear to
> arise.
>
> The failures show up as a long lag after correct credentials are issued
> and an eventual re-request for credentials.  When this happens the squid
> access logs show denies for web traffic from these IPs passing account
> names that had previously authenticated.  This lag is the same behavior we
> see if the radius server is unreachable, but I can log into the machine
> and manually run squid_radius_auth from the command line and authenticate
> without issue while the problem is occurring.  During these failures we do
> not see the authentication requests hitting our Radius servers.
>
> However, if I issue a reconfig the problem goes away for another 6+ hours
> or so.
>
> It feels like the child processes are wedging somehow, but I'm not sure how
> or why.
>
> Additionally the old filter servers are running older versions of CentOS,
> Squid and v106 of squid_radius_auth and they are not seeing the issue.
>
> * Has anyone else seen similar behavior?
>
> * Is there any additional logging or debugging I can run to hopefully see
> what is happening?

Could be a lot of things.
Step 1 is to try a recent version of squid. 2.5 is no longer supported.
Grab 2.6 stable 16 from http://www.squid-cache.org/Versions/v2/2.6/

After that try adding to squid.conf:
 debug_options ALL,1 29,9
and see what gets added to cache.log

> For now we have put in place an hourly cron to issue the reconfig, but
> this is a pretty kludgy workaround.
>

Amos
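
Added example (not part of the original thread, and not code from Squid or squid_radius_auth): a POSIX-only Python wrapper that can sit between Squid and the real basic-auth helper, timing every reply from the long-lived child and flagging stalls, which is the "wedged child" case a fresh command-line run cannot show. It assumes the basic helper protocol of one `username password` line in and one `OK`/`ERR` line out; the `authwrap` log prefix, the 5-second timeout and the wrapper invocation are illustrative choices.

```python
import select
import subprocess
import sys
import time


def spawn(argv):
    # bufsize=0: unbuffered pipes, so select() matches what readline() can see
    return subprocess.Popen(argv, stdin=subprocess.PIPE,
                            stdout=subprocess.PIPE, bufsize=0)


def relay(helper_argv, lines, timeout=5.0, log=sys.stderr):
    """Feed "user password" lines to one long-lived helper; yield (user, reply).

    reply is the helper's answer, or TIMEOUT / EOF when the child stalls or
    exits. A stalled or dead child is replaced so later requests still work.
    """
    child = spawn(helper_argv)
    try:
        for line in lines:
            user = line.split(" ", 1)[0].strip()  # password is never logged
            start = time.monotonic()
            try:
                child.stdin.write(line.rstrip("\r\n").encode() + b"\n")
                ready, _, _ = select.select([child.stdout], [], [], timeout)
                if ready:
                    reply = child.stdout.readline().decode().strip() or "EOF"
                else:
                    reply = "TIMEOUT"
            except BrokenPipeError:
                reply = "EOF"
            print(f"authwrap child={child.pid} user={user} reply={reply} "
                  f"secs={time.monotonic() - start:.3f}", file=log, flush=True)
            if reply in ("TIMEOUT", "EOF"):
                child.kill()
                child.wait()
                child = spawn(helper_argv)
            yield user, reply
    finally:
        child.kill()
        child.wait()


if __name__ == "__main__":
    # Hypothetical squid.conf use: auth_param basic program <this script> <helper> <args>
    for _user, reply in relay(sys.argv[1:], sys.stdin):
        print("OK" if reply == "OK" else "ERR", flush=True)
```

The log lines go to the wrapper's stderr, which Squid normally records in cache.log alongside the `debug_options` output.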
