Customer Rejected while using Simultaneous-Use checking

Problem Description:

Customer new sessions are being Rejected - even though customer is in "current" state in SIMPLer and theoretically his access should be granted. Operator uses "Simultaneous-Use" checks to make sure only a set number of sessions can be created.

On the NAS (Network Access Server) the connection to RADIUS server is fine - the Authentication packets are being answered (not timeouted), but the answers coming back carry the Reject message. If the packets can be inspected deeper ( with packet sniffer or a detailed log from radius client ) following message is visible in the RADIUS server reply:

        Access Reject (3), id: 0x1f, Authenticator: 5be3be47608b04a313034d1208c51ac2
        Reply Attribute (18), length: 48, Value: ..You are already logged in - access denied...

In SIMPLer multiple "current" sessions can be seen for an affected customer account under "Active Sessions" on "RADIUS" -> "Usage Details" page.


Problem Background:

Occassionally the RADIUS server and the NAS can get out of sync regarding active sessions. This issues are always related to "Session Stop" radius accounting packets either not being send by the NAS or being lost on the way up to the RADIUS server which can happen for a variety of reasons:
  • a NAS unclean powercycle (where no Accounting Stop packets were sent towards RADIUS server)
  • network issues causing session stop packets to be lost, etc.

If above occurs an accounting session will be left in "current" state on RADIUS server. Note that by default SIMPLer RADIUS system scans the RADIUS sessions and removes ones that are in "stalled" state for more than 24h, but this will not help immediately in the scenario described as for one day the stalled sessions will remain in "active" state. The reason system does not clean all the stalled sessions immediately (or after couple minutes) is because system waits for NAS'es coming back from network issues when old sessions remained active. In that scenario closing a session while the NAS is unaccessible could result in loggin an additional, duplicate session when the NAS comes back online, which would lead to double billing issues.

If operator uses 'Simultaneous-Use' check either individually for a customer RADIUS account or for a RADIUS group customer is assigned to - when RADIUS server and NAS go out of sync, customer account can be rejected access as the RADIUS might still have the old session trace in the database while the NAS will be reporting a new session for a particular customer. RADIUS server will reject the access request if the summary number of all sessions goes above the number specified in the 'Simultaneous-Use' check attribute - which if set usually carries value of 1.


Problem Resolution:

The best way to resolve this issue is to close all "stalled" sessions. This can be achieved using 'Close Stalled Sessions' functionality available under the 'RADIUS -> Usage Details' page in SIMPLer management platform.

Fig. 1. Accessing Close Stalled Sessions tool

Note: Before executing this command make sure all your NAS'es are connected to your broadband feed for at least 10 minutes (if applicable use ping tool from the respective WIB to verify this). Otherwise unnecessary spikes may occur in customer usage.


Fig. 2. Close Stalled Sessions tool window

Comments