krb5kdc: Invalid message type - while dispatching (udp)

Ken Raeburn raeburn at MIT.EDU
Mon Feb 22 10:58:23 EST 2010


On Feb 22, 2010, at 10:02, Kevin Longfellow wrote:
> 
> Hi,
> 
> We are testing using an F5 BigIP load balancer for the KDCs.  Setting the F5 for port 88 UDP works, but the F5 probe produces the below KDC issue in the log file.  The response from F5 is to "paste a proper Kerberos UDP payload into the health monitor".  I think if F5 knew what that was they would tell us.  Anyone know what should be put in the send string under properties for the UDP probe?
> 
> [root at dadvig0065 log]# tail krb5kdc.log
> krb5kdc: Invalid message type - while dispatching (udp)

If the F5 doesn't conclude that the KDC is offline because of this, you could just leave it be.  (Though, we probably should be logging at least the address the bogus packet is coming from.)

Or, you could use tcpdump or wireshark or some such tool to capture a real Kerberos request triggered by running "kinit", and have the F5 replay that.  It doesn't even have to be for a valid principal -- you could use "kinit F5-probe at YOUR.REALM", so that you can know from the name in the logged error messages that they're triggered by the F5 probes.  There isn't any sort of simple "are you there" message in the Kerberos protocol.

Ken

P.S.  If you're willing to reveal it, I'm curious about what kind of environment you have that actually needs load balancing for KDCs.  It's pretty common to have multiple KDCs for redundancy in case of hardware problems, or locality if there are multiple sites, but I've heard of few cases where KDC performance was actually a problem.  If you've got any sort of analysis available showing when performance of a single KDC becomes inadequate with what kind of hardware, etc., I'd like to see it.  (E.g., peak request rates, KDC maxing out its CPU usage, timeouts, whatever you've observed.)

-- 
Ken Raeburn / raeburn at mit.edu / no longer at MIT Kerberos Consortium
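The capture-and-replay approach Ken describes can also be done without a packet capture: the first thing "kinit" sends is an unauthenticated AS-REQ, which is a small, fully deterministic DER structure. The script below is an added example (not from this thread and not MIT Kerberos code) that builds that AS-REQ for a deliberately non-existent client principal, sends it over UDP, and classifies the reply. A healthy KDC answers with a KRB-ERROR, error code 6 (KDC_ERR_C_PRINCIPAL_UNKNOWN), which is a positive "I am here" signal; silence means the KDC is down or unreachable. The principal name "F5-probe", the realm "YOUR.REALM", the enctype list and the KDC address are assumptions; the `build_krb_error` helper only fabricates a sample reply so the classifier can be exercised offline.

```python
"""Kerberos UDP liveness probe: minimal AS-REQ builder and reply classifier.
Added example, not from the mailing-list thread or from MIT Kerberos.
Principal/realm names below are placeholders (assumptions)."""
import os
import socket
import sys
import time

# ---- minimal DER encoder: only what a KDC-REQ needs (RFC 4120 section 5) ----
def der_len(n):
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def tlv(tag, value):
    return bytes([tag]) + der_len(len(value)) + value

def ctx(n, value):          # context-specific [n], constructed (EXPLICIT tags)
    return tlv(0xA0 | n, value)

def integer(i):             # minimal two's-complement INTEGER
    return tlv(0x02, i.to_bytes(max(1, (i.bit_length() + 8) // 8), "big", signed=True))

def sequence(*items):
    return tlv(0x30, b"".join(items))

def general_string(s):      # KerberosString ::= GeneralString
    return tlv(0x1B, s.encode("ascii"))

def kerberos_time(t):       # KerberosTime ::= GeneralizedTime, whole seconds, UTC
    return tlv(0x18, time.strftime("%Y%m%d%H%M%SZ", time.gmtime(t)).encode("ascii"))

def principal_name(name_type, *parts):
    return sequence(ctx(0, integer(name_type)),
                    ctx(1, sequence(*[general_string(p) for p in parts])))

NT_PRINCIPAL, NT_SRV_INST = 1, 2
MSG_AS_REQ, MSG_KRB_ERROR = 10, 30
KDC_ERR_C_PRINCIPAL_UNKNOWN, KDC_ERR_PREAUTH_REQUIRED = 6, 25   # RFC 4120 7.5.9

def build_as_req(client, realm, nonce=None, till=None):
    """Unauthenticated AS-REQ without pre-auth: the same first message kinit sends."""
    if nonce is None:   # keep below 2^31 so int32-based decoders accept it
        nonce = int.from_bytes(os.urandom(4), "big") & 0x7FFFFFFF
    if till is None:
        till = time.time() + 36000
    kdc_options = tlv(0x03, b"\x00" + b"\x00\x00\x00\x10")     # 32-bit BIT STRING, renewable-ok
    body = sequence(
        ctx(0, kdc_options),
        ctx(1, principal_name(NT_PRINCIPAL, client)),
        ctx(2, general_string(realm)),
        ctx(3, principal_name(NT_SRV_INST, "krbtgt", realm)),
        ctx(5, kerberos_time(till)),
        ctx(7, integer(nonce)),
        ctx(8, sequence(integer(18), integer(17), integer(23))),  # aes256, aes128, rc4 (assumed)
    )
    kdc_req = sequence(ctx(1, integer(5)), ctx(2, integer(MSG_AS_REQ)), ctx(4, body))
    return tlv(0x6A, kdc_req)                                   # [APPLICATION 10]

# ---- minimal DER reader for the reply -------------------------------------
def der_read(buf, pos=0):
    """Return (tag, value, next_pos) for the TLV starting at pos."""
    tag, first, pos = buf[pos], buf[pos + 1], pos + 2
    if first < 0x80:
        length = first
    else:
        nbytes = first & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + nbytes], "big"), pos + nbytes
    return tag, buf[pos:pos + length], pos + length

def der_children(value):
    pos = 0
    while pos < len(value):
        tag, inner, pos = der_read(value, pos)
        yield tag, inner

def classify_reply(resp):
    """Turn the raw KDC reply into a one-line verdict."""
    if not resp:
        return "no reply"
    tag, value, _ = der_read(resp)
    if tag == 0x6B:                                  # [APPLICATION 11] AS-REP
        return "AS-REP (principal exists and needs no pre-auth)"
    if tag != 0x7E:                                  # [APPLICATION 30] KRB-ERROR
        return "unexpected tag 0x%02x" % tag
    fields = dict(der_children(der_read(value)[1]))
    code = int.from_bytes(der_read(fields[0xA6])[1], "big", signed=True)   # error-code [6]
    if code == KDC_ERR_C_PRINCIPAL_UNKNOWN:
        return "KRB-ERROR 6: principal unknown (KDC is up and answering)"
    if code == KDC_ERR_PREAUTH_REQUIRED:
        return "KRB-ERROR 25: pre-auth required (KDC is up; probe principal really exists)"
    return "KRB-ERROR %d" % code

def build_krb_error(code, realm, stime=0):
    """Constructed sample KRB-ERROR, used only to exercise classify_reply offline."""
    return tlv(0x7E, sequence(
        ctx(0, integer(5)), ctx(1, integer(MSG_KRB_ERROR)),
        ctx(4, kerberos_time(stime)), ctx(5, integer(0)), ctx(6, integer(code)),
        ctx(9, general_string(realm)), ctx(10, principal_name(NT_SRV_INST, "krbtgt", realm))))

def probe_kdc(host, port=88, client="F5-probe", realm="YOUR.REALM", timeout=2.0):
    """Send one AS-REQ over UDP and return (verdict, raw reply)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_as_req(client, realm), (host, port))
        try:
            resp, _ = s.recvfrom(65535)
        except socket.timeout:
            resp = b""
    return classify_reply(resp), resp

if __name__ == "__main__":
    if len(sys.argv) > 1:                       # python probe.py kdc.example.com [REALM]
        print(probe_kdc(sys.argv[1], realm=sys.argv[2] if len(sys.argv) > 2 else "YOUR.REALM")[0])
    else:                                       # dump the payload for pasting into a monitor
        print(build_as_req("F5-probe", "YOUR.REALM").hex())
```

Two caveats for a health monitor. The reply is binary, so matching on a fixed "receive string" is fragile; matching on the leading byte (0x7e for KRB-ERROR) or running a script like this one is more robust than looking for text. And every probe still costs the KDC a database lookup and, as Ken notes, a log line naming the probe principal, so keep the interval modest and make the principal name distinctive so those log entries are easy to filter.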
