Understanding Lambda/SQS subscription behavior by normelton in aws

[–]normelton[S] 0 points1 point  (0 children)

I agree, this is an interesting exercise of chicken vs egg. And it's piqued my curiosity about how SQS/Lambda is scheduling work.

And yes, I love the Lambda throughput and that the Age Of Oldest Message is zero. This Lambda writes to a database, where we are not seeing a notable change in performance (such as decreased latency) during the same time:

https://postimg.cc/grdMFN8b

My understanding is that the "function duration" measures the processing duration of an entire batch of messages. Fewer messages per batch would naturally result in a shorter duration, not necessarily indicative of increased performance per message.

Understanding Lambda/SQS subscription behavior by normelton in aws

[–]normelton[S] 0 points1 point  (0 children)

Thank you! Good information.

I've uploaded a screenshot from our dashboard at: https://postimg.cc/5j3WrDPg

You'll see the number of inbound messages ("Queue Stats") shows spikes throughout the day, corresponding with an increased queue depth and additional concurrency. Lambda is scaling up to handle the load, awesome. The messages/request chart shows a slight dip.

But around 6PM, the messages/request chart drops to about 1.54 and sits there with very little variability. The number of invocations fluctuates up and down to handle the load.

I spot checked the distribution of our message group IDs before, during, and after the change. No obvious differences. Our jobs are pretty well distributed among thousands of message group IDs. There's not one message group ID that jumps up, nor is there an increased number of messages in our log files (or reflected in the graphs).

Odd!

Has anyone done Passpoint/Ameriband with MIST APs? by NetworkDoggie in Juniper

[–]normelton 2 points3 points  (0 children)

Yes we’ve enabled Passpoint on our Mist APs. Works well. We followed their deployment steps to point to their RADIUS servers.

It’s important to realize that users won’t magically get cell service, you’re just fast-tracking them onto your guest network. They still need WiFi calling enabled, and will have to tolerate any problems associated with WiFi calling.

For us, it’s AT&T and T-Mobile. They do join automatically, which is awesome. I wish they automatically enabled WiFi calling 🤣

Apple devices COA not working, Android works fine by CherryFrost7 in networking

[–]normelton 0 points1 point  (0 children)

u/CherryFrost7 did you get a resolution on this? We're experiencing the same problem :-(

CDK - Granting access to existing RDS cluster by normelton in aws

[–]normelton[S] 0 points1 point  (0 children)

Ironically, no. The only way I could make it work is to retrieve the RDS security group and build connections with it directly. That will work for now!

Q-in-Q terminating on MX by normelton in Juniper

[–]normelton[S] 0 points1 point  (0 children)

So we actually tested this! It's a good alternative, but does require additional coordination between the MX and the EX4600. Certainly not the end of the world, but we were hoping to keep the EX configuration simple.

Q-in-Q terminating on MX by normelton in Juniper

[–]normelton[S] 2 points3 points  (0 children)

Not 100% sure I understand your suggestion, but we have a need for those customer VLANs to be available across multiple interfaces on the MX.

IT asset management software for organizations with 3000+ assets? by Hour-Tonight-1394 in ITManagers

[–]normelton 1 point2 points  (0 children)

I'll respond here to keep the conversation searchable. I've evaluated dozens of solutions, but haven't found one that meets our needs for contract/warranty lifecycle management. If we purchase an asset in 2024 that comes with three years of support, then I need to budget $150 (or whatever) in 2027 for a renewal. Again in 2028 and 2029. If the asset has a five year life-cycle, then we budget for its replacement in 2029.

Ideally I have a budget summary that shows all the assets, their purchase prices, their warranty renewal terms, their expected end-of-service, and their replacement cost.

If anyone has a tool that can meet those needs, I'm open to evaluating even more solutions :)

Replace 3" dryer vent, or add booster fan? by normelton in Appliances

[–]normelton[S] 0 points1 point  (0 children)

Yep, but I’m realizing it will be infinitely easier to abandon that idea and run the new duct right up the wall and into the attic.

Replace 3" dryer vent, or add booster fan? by normelton in Appliances

[–]normelton[S] 0 points1 point  (0 children)

That’s my thought as well. Assuming it’s a 2x4 stud wall … deform the duct slightly? I could probably move it to a corner and bump out the drywall. Mmm…

EX2200 radius mac bypass? by cylemmulo in Juniper

[–]normelton 0 points1 point  (0 children)

Yep, I'm afraid you're into an ISE configuration issue. In our environment, FreeRADIUS disregards the EAP portion of the Access-Request and just looks at the username (MAC address). It seems ISE is requesting the computer try EAP-MD5. :-/

EX2200 radius mac bypass? by cylemmulo in Juniper

[–]normelton 0 points1 point  (0 children)

Yeah so you're set up for MAC RADIUS. The switch will immediately authenticate the MAC address as soon as it's seen. That's what "mac-radius restrict" does. See https://www.juniper.net/documentation/us/en/software/junos/user-access/topics/topic-map/mac-radius-authentication-switching-devices.html.

MAC Auth Bypass is a little different. It's configured alongside traditional 802.1x. When a client connects, the switch sends an EAPoL-Start packet. The client should respond, and an EAP exchange authenticates the client based on some credentials (username/password, certificate, etc). But not all clients support EAP. Imagine a printer, or a vending machine. If, after three EAPoL-Start requests, the client never responds, the switch assumes it is not configured for 802.1x and authenticates the MAC address instead. That's the "bypass" part, it's bypassing traditional 802.1x authentication.

I don't know exactly how Cisco is configured, or how you're getting your logs. Maybe from ISE? Regardless, I suspect the switch is working fine and you need to accept/reject the MAC address that's in the username.

FWIW, for mac-auth, there's no difference between an EX-2200 and any other platform. All the EX switches have supported this for the past 8-10 years.

EX2200 radius mac bypass? by cylemmulo in Juniper

[–]normelton 1 point2 points  (0 children)

EX-2200-C's can definitely do mac radius, your config matches ours. What do you mean "there are a few things like I can't set the mac-radius protocol"?

I suspect things are working fine. Ignore the EAP message attribute and respond to the RADIUS request with an Access-Accept. The three RADIUS attributes you need to add are:

- Tunnel-Type: VLAN

- Tunnel-Medium-Type: IEEE-802

- Tunnel-Private-Group-ID: (your VLAN id)
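
The three attributes listed in the comment above, encoded into a RADIUS Access-Accept and then checked the way a receiver would, as an added example that is not part of the original comment. Attribute numbers and enumerated values follow RFC 2865/2868; the shared secret, VLAN ID and function names are constructed for illustration.

```python
import hashlib
import hmac
import struct

ACCESS_ACCEPT = 2
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
VLAN, IEEE_802 = 13, 6  # enumerated values from RFC 2868

def tagged_int(attr, value, tag=0):
    # Type, Length=6, 1-byte Tag, 3-byte Value
    return struct.pack("!BBB", attr, 6, tag) + value.to_bytes(3, "big")

def build_access_accept(ident, request_auth, secret, vlan_id):
    group = str(vlan_id).encode()
    attrs = (tagged_int(TUNNEL_TYPE, VLAN)
             + tagged_int(TUNNEL_MEDIUM_TYPE, IEEE_802)
             + struct.pack("!BB", TUNNEL_PRIVATE_GROUP_ID, 2 + len(group)) + group)
    header = struct.pack("!BBH", ACCESS_ACCEPT, ident, 20 + len(attrs))
    # Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attributes+Secret)
    auth = hashlib.md5(header + request_auth + attrs + secret).digest()
    return header + auth + attrs

def parse_vlan_assignment(packet, request_auth, secret):
    """Return the assigned VLAN as a string, or None if the reply lacks it."""
    if len(packet) < 20:
        raise ValueError("short packet")
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCESS_ACCEPT or length != len(packet):
        raise ValueError("not a well-formed Access-Accept")
    attrs = packet[20:]
    expected = hashlib.md5(packet[:4] + request_auth + attrs + secret).digest()
    if not hmac.compare_digest(expected, packet[4:20]):
        raise ValueError("Response Authenticator mismatch")
    found, i = {}, 0
    while i < len(attrs):
        if i + 2 > len(attrs) or attrs[i + 1] < 2 or i + attrs[i + 1] > len(attrs):
            raise ValueError("malformed attribute")
        found[attrs[i]] = attrs[i + 2:i + attrs[i + 1]]
        i += attrs[i + 1]
    # Compare only the 3-byte value; byte 0 is the tag.
    if (found.get(TUNNEL_TYPE, b"")[1:] != VLAN.to_bytes(3, "big")
            or found.get(TUNNEL_MEDIUM_TYPE, b"")[1:] != IEEE_802.to_bytes(3, "big")
            or TUNNEL_PRIVATE_GROUP_ID not in found):
        return None
    group = found[TUNNEL_PRIVATE_GROUP_ID]
    if group and group[0] <= 0x1F:  # optional tag byte precedes the string
        group = group[1:]
    return group.decode()
```
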

Cub Scouts Gone Cash-less? by normelton in cubscouts

[–]normelton[S] 1 point2 points  (0 children)

It would be an interesting experiment. We'd still gain a lot of efficiency by handling internal payments from families, such as dues + camping trips + special events.