Support Support Downloads Knowledge Base Juniper Support Portal Community

Knowledge Base

Search our Knowledge Base sites to find answers to your questions.

Ask All Knowledge Base Sites All Knowledge Base Sites JunosE Defect (KA)Knowledge BaseSecurity AdvisoriesTechnical BulletinsTechnotes Sign in to display secure content and recently viewed articles

When to increase the value of UDPProxyPortBlockLength in radius.ini

0

0

Article ID: KB11610 KB Last Updated: 04 Mar 2017Version: 2.0
Summary:
When to increase the value of UDPProxyPortBlockLength in radius.ini
Symptoms:
Sometimes due to the latency in the network or the delay caused by the proxy target server, an SBR admin may see abnormally high number of the error message "Sent reject response" in the log.  This could be due to the fact that all of the proxy ports configured in the radius.ini may be in use while new radius requests are coming in that needs to be proxied.
Solution:

The two parameters listed below in the radius.ini, are used to set aside a specified number of ports for radius proxy communication.

UDPProxyPortBlockStart = 28000
UDPProxyPortBlockLength = 6

In the above example, the radius will bind the SBR IP address to ports starting from 28000 to 28005; providing 6 ports that could be used for proxy authentication/accounting communication. 

When to increase the value of " UDPProxyPortBlockLength" :

  1. When a lot of "Proxy: authentication failed" messages are followed by "Sent reject response" enable debug logging.
  2. If the following messages are displayed in the debug log, then bump up the value of "UDPProxyPortBlockLength" .
    05/21/2008 15:13:17 CProxyRequest::SetTargetAndBuildRequest(): entering
    05/21/2008 15:13:17 Proxy Error: unable to acquire unique port/identifier
    05/21/2008 15:13:17 CProxyRequest::SetTargetAndBuildRequest(): no pRequestTarget
    05/21/2008 15:13:17 CProxyRequest::ExecForwardEx(): SetTargetAndBuildRequest() failed
    05/21/2008 15:13:17 Proxy: authentication failed

What happens is that when proxy requests are sent to the proxy targets, if the proxy target takes more than normal time to respond back then the corresponding resources are held up.  When all of the proxy ports configured are used up and at the same time if there are new auth/accounting requests coming in, the SBR will reject them as explained above.

Comment on this article > Affected Products Browse the Knowledge Base for more articles related to these product categories. Select a category to begin.

Getting Up and Running with Junos

Getting Up and Running with Junos Security Alerts and Vulnerabilities Product Alerts and Software Release Notices Problem Report (PR) Search Tool EOL Notices and Bulletins JTAC User Guide Customer Care User Guide Pathfinder SRX High Availability Configurator SRX VPN Configurator Training Courses and Videos End User Licence Agreement Global Search