Symantec VIP Enterprise Gateway Load Balancer health check configuration, error 18530


Article ID: 176615


Products

VIP Service

Issue/Introduction

The VIP Enterprise Gateway allows a load balancer/NAS to send RADIUS health checks to the Validation Server(s) for status monitoring. If the request is incomplete or incorrect, error 18530 will occur. The steps below describe how to prevent this error.

ERROR "2022-04-19 13:56:47.146 GMT-0600"  0.0.0.0 MCP:1812 0 18530 "text=Error 18530 occurred at VSValidationServer.cpp:910. Description: VSValidationServer._receiveRequest() -- Invalid request received - -1" Thread-7492 VSValidationServer.cpp

Cause

Error 18530 indicates that an invalid request has been received by the Validation Server. A valid RADIUS request to the VIP EG must be in UDP PAP format with a username, passcode, shared secret, and NAS IP address or Identifier. Refer to your manufacturer's documentation for constructing a valid RADIUS request in your NAS/Load Balancer for health check/heartbeat monitoring.
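As an added example (not part of the original article or the product), the following Python builds a PAP Access-Request carrying the fields listed above, following RFC 2865, and checks a captured probe for the pieces that are missing. The function names and sample values are assumptions; the checks the Validation Server itself runs before raising 18530 are not documented on this page.

```python
import hashlib
import os
import struct

# RFC 2865 attribute type numbers
USER_NAME, USER_PASSWORD, CHAP_PASSWORD, NAS_IP, NAS_IDENTIFIER = 1, 2, 3, 4, 32

def pap_hide(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 section 5.2: XOR the zero-padded password with an MD5 keystream."""
    padded = password.ljust(16 * max(1, -(-len(password) // 16)), b"\x00")
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out += prev
    return out

def build_health_check(user: str, passcode: str, secret: str, nas_ip: str) -> bytes:
    """Access-Request (code 1) with User-Name, User-Password and NAS-IP-Address."""
    auth = os.urandom(16)
    attrs = [(USER_NAME, user.encode()),
             (USER_PASSWORD, pap_hide(passcode.encode(), secret.encode(), auth)),
             (NAS_IP, bytes(int(o) for o in nas_ip.split(".")))]
    body = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)
    return struct.pack("!BBH", 1, os.urandom(1)[0], 20 + len(body)) + auth + body

def check_request(packet: bytes) -> list:
    """Return the reasons a probe is not a complete PAP Access-Request."""
    if len(packet) < 20:
        return ["shorter than the 20-byte RADIUS header"]
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code != 1 or length != len(packet):
        return ["not an Access-Request, or length field does not match"]
    seen, pos = set(), 20
    while pos < length:
        attr_len = packet[pos + 1] if pos + 1 < length else 0
        if attr_len < 2 or pos + attr_len > length:
            return ["malformed attribute at offset %d" % pos]
        seen.add(packet[pos])
        pos += attr_len
    problems = []
    if USER_NAME not in seen:
        problems.append("User-Name missing")
    if USER_PASSWORD not in seen:
        problems.append("User-Password missing (CHAP-Password present, not PAP)"
                        if CHAP_PASSWORD in seen else "User-Password missing")
    if NAS_IP not in seen and NAS_IDENTIFIER not in seen:
        problems.append("NAS-IP-Address or NAS-Identifier missing")
    return problems
```

Running `check_request` over the UDP payload of a load balancer probe captured on port 1812 shows which required attribute the probe leaves out.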

Resolution

SASMonitor is a user ID reserved for RADIUS connectivity checks from a load balancer/firewall to the VIP RADIUS validation server. Valid SASMonitor requests are not written to INFO level logs (to avoid unnecessary logs). When the VIP RADIUS server receives an authentication request from a NAS with user ID SASMonitor, it responds with this message: response: Access-Reject. Message:{hostname:x.x.x.x][ DB cnxn ctx pool entries: 1, capacity: 1]. This avoids unnecessary LDAP load and VIP Cloud traffic. Otherwise, the transaction attempts the full validation against LDAP and/or the VIP cloud and fails.

(Important: If Business Continuity* is enabled, the VIP health check service on the Enterprise Gateway verifies VIP cloud connectivity by sending validation requests to the VIP cloud service using a User ID consisting of SASMonitor + server hostname or FQDN (example: SASMonitor_vipeg.example.com). These transactions can be seen in VIP Manager reports.)

To enable or modify the SASMonitor user ID for load balancer/NAS health monitoring:

  1. Back up the radserv.conf file located in the following directory:

Windows:
C:\Program Files (x86)\Symantec\VIP_Enterprise_Gateway\Validation\servers\<Validation Server Name>\conf\

Linux:
/opt/Symantec/VIP_Enterprise_Gateway/Validation/servers/<Validation Server Name>/conf/

  2. Edit the following lines in radserv.conf:

# VIPEGServerSpec section:
server.monitor.enabled = true
# The user name is case sensitive and can be modified to use a different name.
server.monitor.username = SASMonitor

  3. Restart the validation server.

To perform an authentication test against the monitor user using the vsradiusclient test tool:

On Windows:

"C:\Program Files (x86)\Symantec\VIP_Enterprise_Gateway\tools\vsradiusclient_test.exe" --server-host <IP> --server-port 1812 --secret <RADIUS shared secret> --client-ip <IP> --user-name SASMonitor --password 123456

On Linux:

/opt/Symantec/VIP_Enterprise_Gateway/tools/vsradiusclient_test --server-host <IP> --server-port 1812 --secret <RADIUS shared secret> --client-ip <IP> --user-name SASMonitor --password 123456

Sample Output:

** --server-host: 10.212.125.208 --server-port: 1812 --client-ip: 10.212.127.188
Received Access-Reject
Attribute: 'Reply-Message' of len 71 [[hostname: vip4-rhel65-p1-ap][DB cnxn ctx pool entries: 1, capacity: 1]]
Rejection

If "text=Error 18530 occurred at VSValidationServer" is still seen in the logs:

  • Confirm that a username is sent, and that it matches the username your load balancer/firewall is sending.
  • RADIUS PAP protocol must be used (MS-CHAP is not supported).
  • The IP address of the source is seen in the logs. Check that server for additional data.
  • Enable verbose logging in the VIP EG Validation Server settings by setting the log level to DEBUG and restarting the service.
  • The vsradiusclient_test tool can be used to test validation server functionality.

*VIP Enterprise Health Check for cloud connectivity:

The VIP Enterprise Gateway Health Check service monitors the EG to VIP Cloud Services connectivity. If connectivity is lost, VIP EG validation servers with business continuity set to 'automatic' will begin querying the Health Check service. This triggers the Health Check service to begin cloud connectivity tests with a username consisting of SASMonitor+<ServerHostName> or SASMonitor+<ServerFQDN> (example: SASMonitor_EG99Denver or SASMonitor_EG99Denver.example.com). These are not the same usernames sent by the load balancer. If connectivity is lost and the health check threshold settings are exceeded, a signal is sent to the validation server to enter business continuity mode. When connectivity is re-established, the Health Check service sends another signal to resume normal mode. (Reference documentation: Configuring Health Check Settings)

LDAP connectivity is monitored separately, and if lost, any Validation Server pointing to that user store will auto-stop until the connection is reestablished. The IdP and LDAP Services may also stop if they are being used. For your security, a lost LDAP connection will not trigger business continuity mode. 

Notes:

  • SASMonitor users used by the Health Check service are created when the source Enterprise Gateway 'Health Check' service is started, and a 'SYHC' credential ID is assigned. If the user already exists, VIP Manager will show a 'user already exists' error. This is expected.
  • SASMonitor Health Check users no longer used by any VIP EG can safely be deleted from the VIP cloud.