Skip to content

Authentication requests from the same IP address are not load balanced among security modules

Description of problem:

The authentication requests from the same IP address are always sent to the same security module because only the source IP is used to calculate the index of the security module. This can happen when the server is behind a load balancer or proxy. Both the source IP and port should be used for the calculation.

Version of ocserv used:

1.1.2

Client used:

Microsoft Defender

Distributor of ocserv

Ubuntu

How reproducible:

Describe the steps to reproduce the issue:

  • Configure ocserv to use multiple security modules (secmod).
  • Connect to ocserv multiple times from the same device.
  • Inspect the ocserv logs for the process ID of the secmod used.

Actual results:

The process ID of the secmod is always the same.

Expected results:

The process ID of the secmod should vary on different connections.