Thanks everyone for the advice. I'm working on installing and testing 2.6 STABLE16. I'll see where we're at then, but I suspect things will be looking better. Thanks. Matt Ruzicka Sr. Systems Engineer mruzicka@xxxxxxxx www.cisp.com www.yocolo.com 419.724.5345 : tel 419.867.6913 : fax -----Original Message----- From: Chris Robertson [mailto:crobertson@xxxxxxx] Sent: Thursday, November 01, 2007 3:46 PM To: squid-users@xxxxxxxxxxxxxxx Subject: Re: squid_radius_auth Matt Ruzicka wrote: > We're in process of rebuilding a couple web filter boxes on Centos 4.5 running Squid 2.5.STABLE14 (latest from yum) using squid_radius_auth 1.09 for authentication with the following config: > > auth_param basic program /usr/local/squid/libexec/squid_radius_auth -f /usr/local/squid/etc/squid_radius_auth.conf > auth_param basic children 30 > auth_param basic realm Filtered Web Service > auth_param basic credentialsttl 4 hours > auth_param basic casesensitive off > > We're seeing an odd issue where radius authentication will start failing sometime after the machine has been in production for a variable amount of time. The issue appears to arise only after at least 6 hours, but sometimes as long as 10 or 11 hours. If the machine is not in production and is only receiving test authentications the issues does not appear to arise. > > The failures show up as a long lag after correct credentials are issued and an eventual re-request for credentials. When this happens the squid access logs show denies for web traffic from these IPs passing account names that had previously authenticated. This lag is the same behavior we see if the radius server is unreachable, but I can log into the machine and manually run squid_radius_auth from the command line and authenticate without issue while the problem is occurring. During these failures we do no see the authentication requests hitting our Radius servers. > > However, if I issue a reconfig the problem goes away for another 6+ hours or so. > > I feels like the child processes are wedging somehow, but I'm not sure how or why. > > Additionally the old filter servers are running older versions of CentOS, Squid and v106 of squid_radius_auth and they are not seeing the issue. > > * Has anyone else seen similar behavior? > Yes. See http://www.squid-cache.org/mail-archive/squid-users/200605/0494.html Granted, this issue was appearing with Squid-2.5-Stable13 and squid_radius_auth 1.08. As stated, updating to Squid 2.6 is recommended. You can compile the Fedora SRPM, or the CentOS5 SRPM (which is based on Squid-2.6Stable6) or grab the source, use squid -V on your current install and use that as a guide for compiling. The CentOSPlus repository doesn't seem to have an updated RPM for Squid. > * Is there any additional logging or debugging I can run to hopefully see what is happening? > >From http://www.squid-cache.org/mail-archive/squid-users/200501/0554.html: debug_options ALL,1 29,9 84,9 then see cache.log for details on the auth progress. Be warned that your logs will contain usernames+passwords in plain text when doing this. > For now we have put in place an hourly cron to issue the reconfig, but this is a pretty cludgy work around. > > Thank you in advance. > > Matt Ruzicka > Sr. Systems Engineer > mruzicka@xxxxxxxx > www.cisp.com > www.yocolo.com > > 419.724.5300 : tel > 419.867.6913 : fax > Chris