SVN 165 - unwanted UAM redirects

lc chilli at
Sat Apr 26 17:37:04 UTC 2008

Some time ago I reported a strange behavior of SVN 155 and later 159.

We found that under unknown and rare circumstances chilli starts to  
redirect to the UAM server with res=already although the session is  
active. No matther what is entered in the web browser, the user is  
redirected. This behaviour does not start right away after a login,  
but some minutes later.

Today we ran another test at a heavy used location. And we got lucky  
(if you can call this luck) - the problem occured at one Vista user.

Here are two corresponding lines of our UAM-Server log. There was no  
other communication with our UAM Server within this timeframe.

[26/Apr/2008:16:50:31 +0200] "GET /?res=success
[26/Apr/2008:16:59:44 +0200] "GET /?res=already
After this line many "already" lines followed - a few minutes later,  
the user gave up. But for 9 minutes chilli worked as it should.

His computer info: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0;  
SLCC1; .NET CLR 2.0.50727; .NET CLR 3.0.04506; .NET CLR 1.1.4322)

We do not know for sure but so far we only noticed this problem when  
Vista was used.

But we know for sure that

- affected users do not go to the login page (=the problem starts  
suddenly without the user doing anything)
- no matter which URL they enter they are always redirected to the UAM  
server with res=already
- chilli keeps sending acct-interim updates, so this is an indication  
that chilli knows the session is active
- chilli closes the session correctly after the affected users give up
- chilli does not send any radius requests when it keeps redirecting
- there must be something which triggers this behaviour

A few days ago I was at a location and by chance a user was having  
this problem. So I sat next to him and tried it myself - no matter  
what I did, chilli redirected me. After this I stopped chilli and  
started it in debug mode. And guess what: The problem did not occur.  
After I left the user stayed for quite a long time. He logged on and  
was logged off (timeout), but this issue did not happen again.

We have reason to believe what it does not happen with the current  
1.0.11 release.

Questions: did anybody use chilli SVN 155 or newer out on the field?   
Are there any ideas what could trigger this behavior? How can we help  
to gather more information? Is there a special debug mode to watch  
closer why chilli starts to redirect?

> Hi David,
> I just returned to my office and checked the logs of this location.  
> Funny: the same user is still there and he opened new sessions and  
> it seems the problem did not occur so far. This leaves me even more  
> clueless.
> Could a miscommunication between chilli and the radius server cause  
> such a behaviour? It is strange because if it occurs for a few  
> minutes everything looks fine, and then suddenly the effect starts.  
> The start of the session means chilli got a green light from Radius.  
> Maybe immediatly if the communication is somehow not successful  
> immediately after chilli starts to think after a few minutes that  
> the session is actually not ok? I ask because sometimes it seems  
> that chilli is not getting radius replies, therefore keeps  
> retransmitting. This does not happen very often, but it happens.
> I am kind of desperate because I saw it with my own eyes but after  
> restarting chilli I could not reproduce it today :(
> Cheers,
> lc
> Am 23.04.2008 um 17:13 schrieb lc:
>> Hi David,
>> Today I spent a few hours at one of those locations and  
>> unfortunately the redirection problem popped up again!
>> The user logged in and worked for a few minutes (gmail). Suddenly  
>> chilli started redirecting him to the uam-page which was displayed  
>> with res=already. I tried it - no matter which URL I entered, I  
>> ended up there.
>> The guy had Windows Vista and IE. After this I killed chilli and  
>> restared it in debug mode - this time unfortunately I could not  
>> reproduce it. However it was defenitly the same behaviour as with  
>> the older SVN (I reported the issue to the mailing list).
>> I will revert one location back to 1.0.11. For the other location:  
>> how can I start chilli in Debug mode without getting the leaky  
>> bucket messages? What can I do to help finding the issue?
>> I keep wondering what could cause chilli to act this way? Why would  
>> it suddenly think the session is not yet open?
>> Cheers,
>> lc
>> Am 22.04.2008 um 14:34 schrieb lc:
>>> Hi David,
>>> finally I managed to put SVN 165 out on two heavy-use locations.  
>>> Will keep you updated on the results!
>>> Cheers,
>>> lc
>>> Am 18.04.2008 um 15:53 schrieb David Bird:
>>>> Thanks for that... good to hear there are no (or little) problems  
>>>> in the field with 1.0.11. I believe gmayer isn't getting his  
>>>> RADIUS responses (if your following the mailing list) and chilli  
>>>> is retransmitting, as expected.
>>>> cheers,
>>>> david
>>>> On Apr 18, 2008, at 3:46 PM, lc wrote:
>>>>> Hi David,
>>>>> I tested it only for 5 Mins to check whether the DNS bug has  
>>>>> gone (and it has - thanks a lot!!!!). But I did't do anything  
>>>>> more with it.
>>>>> I read the issues in the Mailing list and I want to test the  
>>>>> latest SVN against it. Actually I was thinking to put it on at a  
>>>>> few live systems tonight.
>>>>> What worries me a bit is the other effect I had with some older  
>>>>> SVN (the Windows Vista issue - redirection although session was  
>>>>> active). I tried to get hold of those Vista machines but was  
>>>>> unlucky: one got stolen and the other one was sold by the owner.  
>>>>> So I could not reproduce it on my own.
>>>>> So far I run the 1.0.11 release out there. I see some error  
>>>>> messages which are reported by the Radius Server but I have not  
>>>>> had the time to look further into it.
>>>>> Early next week I will give you an update.
>>>>> Cheers,
>>>>> lc
>>>>> Am 18.04.2008 um 15:33 schrieb David Bird:
>>>>>> Are you having issues with it?
>>>>>> cheers,
>>>>>> David

More information about the Chilli mailing list