DHCP IP assignment issue - dhcp failover scenario

DHCP IP assignment issue - dhcp failover scenario

Usman Ahmad
Dear All, 

I have set up two isc-dhcp-server instances in failover mode and these were working fine for a long time. Just now I am facing an issue that some of my customers' CPEs keep sending the DHCP request and don't get the IP; however, from the DHCP logs, I can see the complete DORA process.

Please note that both DHCP servers are connected to different gateway routers/DHCP relay servers. Since the same DHCP requests are coming from both relay agents, both DHCP servers are replying to both relay agents.

I have isc-dhcp-server v 4.3.1-6 and the following is the configuration for one server.

ddns-update-style none;

DHCPDARGS="eth0 eth1";

option domain-name-servers xx.xx.xx.xx, yy.yy.yy.yy;

default-lease-time 86400;
max-lease-time 86400;

authoritative;

log-facility local7;

deny unknown-clients;

one-lease-per-client true;

failover peer "awasr-dhcp-partner" {
         primary;
         address 192.168.2.4;
         port 519;
         peer address 192.168.2.5;
         peer port 520;
         max-response-delay 60;
         max-unacked-updates 10;
         mclt 600;
         split 128;
         load balance max seconds 3;
}
omapi-port 7911;
omapi-key awasr_omapi_key;
key awasr_omapi_key {
               algorithm hmac-md5;
               secret "0asdASCjaeEasWDSAkasjdo/s890amsdASDASfdjka+1DM50=";
}

include "/etc/dhcp/vlans/customer-vlans.conf";


# Sample configuration for a single subnet

shared-network 1230 {

        option dhcp-parameter-request-list 60,43,3,6,15;
        option vendor-class-identifier "dslforum.org";
        vendor-option-space UMPSYS;
        option UMPSYS.acs-url "http://ump.awasr.com:10301/acs";
        option domain-name "awasr.com";

        subnet 10.32.32.0 netmask 255.255.255.0 {
                option routers 10.32.32.1;
                pool {
                        failover peer "awasr-dhcp-partner";
                        range 10.32.32.25 10.32.32.252;
                }
        }

        # for static hosts
        include "/etc/dhcp/vlans/1230-hosts.conf";
}

--
Regards,
Usman Ahmad

_______________________________________________
dhcp-users mailing list
[hidden email]
https://lists.isc.org/mailman/listinfo/dhcp-users
Re: DHCP IP assignment issue - dhcp failover scenario

Abdul Khader
For troubleshooting, take one of the CPE MAC addresses (a CPE which is not getting an IP) and check your logs for that MAC address to see if your server is responding. Better to take a trace using tcpdump.
If the server is responding then you need to check if it's reaching the relays. From relays to CPE.
Note there are CPEs which misbehave. Even after getting the ack they send discover.

Regards
Abdul Khader 

Re: DHCP IP assignment issue - dhcp failover scenario

Usman Ahmad
Following is my network overview in which I am facing the problem with IP assignment. VRRP is configured for the customers' VLAN passing through the access node to the routers. The CPE is sending DHCPDISCOVER to both routers, which they further forward to both DHCP servers. The return traffic is the opposite: DHCP servers --> both routers --> CPE (the access node is working as layer 2).

     DHCP01(.4)                 DHCP02(.5)
   GW:Router-1(.1)            GW:Router-2(.2)
         |                          |
         |                          |
    ------------               ------------
   |  Router-1  |             |  Router-2  |
   | DHCP-Relay |             | DHCP-Relay |
    ---.253-----  --VRRP(.1)-- ----.254----
          \                      /
           \   10.30.10.0/24    /
            \                  /
           --------------------
          |    ACCESS NODE     |
           --------------------
                    |
                   CPE
  
Please note that IP assignment starts working properly whenever I put router-1 as the gateway of DHCP-02 or delete the default gateway. But I don't want to keep both DHCP servers replying to one DHCP relay.

--
Regards,
Usman Ahmad


Re: DHCP IP assignment issue - dhcp failover scenario

Simon Hobson-2
Usman Ahmad <[hidden email]> wrote:

> Please note that IP assignment starts working properly whenever I put router-1 as the gateway of DHCP-02 or delete the default gateway. But I don't want to keep both DHCP servers replying to one DHCP relay.

I would look carefully in the packets and see what GI-Addr is used by each relay, and what address the server replies are sent to.

Also, what is in the routing tables for the two DHCP servers related to the client subnet?
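
Added example, not part of the thread: one way to do the check suggested above is to decode the giaddr and message type from each DHCP payload in a server-side trace and compare them with the relay interface addresses and the reply's destination IP. The packets, MAC address and xid below are constructed; the relay addresses are the .253/.254 from the diagram, and the .1 case assumes a relay that puts the VRRP address in giaddr.

```python
import ipaddress
import struct

MAGIC = b"\x63\x82\x53\x63"   # DHCP magic cookie after the 236-byte BOOTP header
TYPES = {1: "DISCOVER", 2: "OFFER", 3: "REQUEST", 5: "ACK", 6: "NAK"}

def build(op, giaddr, mtype, xid=0x1A2B, mac="02:00:00:00:00:01"):
    """Construct a minimal DHCP payload (sample data for this example only)."""
    hdr = struct.pack("!BBBBIHH", op, 1, 6, 1, xid, 0, 0)
    hdr += bytes(12) + ipaddress.IPv4Address(giaddr).packed  # ciaddr/yiaddr/siaddr zero
    hdr += bytes.fromhex(mac.replace(":", "")).ljust(16, b"\0") + bytes(192)
    return hdr + MAGIC + bytes([53, 1, mtype, 255])

def parse(payload):
    """Return op, xid, giaddr, client MAC and message type of a DHCP payload."""
    if len(payload) < 240 or payload[236:240] != MAGIC:
        raise ValueError("not a DHCP payload")
    out = {"op": payload[0], "xid": struct.unpack("!I", payload[4:8])[0], "type": None,
           "giaddr": str(ipaddress.IPv4Address(payload[24:28])),
           "mac": payload[28:28 + payload[2]].hex(":")}
    i = 240
    while i + 1 < len(payload) and payload[i] != 255:   # walk options up to END
        if payload[i] == 0:                             # PAD has no length byte
            i += 1
            continue
        if payload[i] == 53 and payload[i + 1] == 1 and i + 2 < len(payload):
            out["type"] = TYPES.get(payload[i + 2], str(payload[i + 2]))
        i += 2 + payload[i + 1]
    return out

def audit(capture, relay_addrs):
    """capture: (ip_dst, udp_payload) pairs seen on one DHCP server."""
    findings = []
    for dst, payload in capture:
        p = parse(payload)
        tag = f'{p["type"]} xid={p["xid"]:#x}'
        if p["giaddr"] not in relay_addrs:
            findings.append(f'{tag}: giaddr {p["giaddr"]} is not a relay interface address')
        if p["op"] == 2 and dst != p["giaddr"]:         # op 2 = BOOTREPLY
            findings.append(f'{tag}: sent to {dst} but giaddr is {p["giaddr"]}')
    return findings

RELAYS = {"10.30.10.253", "10.30.10.254"}   # relay physical addresses from the diagram
CAPTURE = [                                 # constructed packets, as seen on DHCP01
    ("192.168.2.4", build(1, "10.30.10.253", 1)),   # DISCOVER relayed by router-1
    ("10.30.10.253", build(2, "10.30.10.253", 2)),  # OFFER sent back to that giaddr
    ("192.168.2.4", build(1, "10.30.10.1", 1)),     # DISCOVER with the VIP as giaddr
    ("10.30.10.1", build(2, "10.30.10.1", 2)),      # OFFER sent to the VIP
]
```

Calling `audit(CAPTURE, RELAYS)` returns one finding for each packet whose giaddr is the VRRP address; real payloads can be fed in from a tcpdump capture after stripping the Ethernet, IP and UDP headers.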

Re: DHCP IP assignment issue - dhcp failover scenario

Usman Ahmad
Clients subnet gateway is configured as vip between both relay routers and this vip is active on router-2.

And each router is taking physical address as Gi-addr configured for the vrrp of client subnet.

Regarding dhcp servers routing; dhcp01 gateway is router1 and dhcp02 gateway is router2.

Regards, 
Usman

Re: DHCP IP assignment issue - dhcp failover scenario

Niall O'Reilly
On 18 Dec 2018, at 19:09, Usman Ahmad wrote:

> Regarding dhcp servers routing; dhcp01 gateway is router1 and dhcp02
> gateway is router2.

If you have reverse path verification enabled on the downstream (towards CPE, away from DHCP servers) interfaces of the routers, traffic will likely be blocked from the DHCP server which is using the router which is not the active VRRP partner.

Earlier, Usman Ahmad had written:

> But i dont want to keep both DHCP server replying to one DHCP relay.

I believe that this is a mistake. Every DHCP server has to reply to the relay through which it received the corresponding request. That's just part of the protocol.

It's been a while since I worked with the kind of setup you describe, so some of my experience may be at odds with current behaviour on the wire. I was forced to learn that either trying to eliminate duplicate OFFERS or trying to force the route of the response traffic to match my ideas simply broke things.

I think you need to let yourself be guided by what works. The cost of a few packets is insignificant, especially in comparison to the value of your time.

I hope this helps.

Niall O'Reilly
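
Added example, not part of the thread: a small model of a strict reverse-path check on the routers' client-facing interfaces, applied to the addresses in the diagram, showing which server replies would survive. It assumes strict mode, that both servers sit on 192.168.2.0/24 behind each router's uplink, and hypothetical interface names `lan` and `uplink`.

```python
import ipaddress

# Assumed addressing, taken from the thread's diagram; interface names are hypothetical.
ROUTERS = {
    "router1": {"owns": {"10.30.10.253"},
                "routes": {"10.30.10.0/24": "lan", "192.168.2.0/24": "uplink"}},
    "router2": {"owns": {"10.30.10.254", "10.30.10.1"},   # VRRP VIP active on router-2
                "routes": {"10.30.10.0/24": "lan", "192.168.2.0/24": "uplink"}},
}

def route_iface(routes, addr):
    """Longest-prefix match; returns the egress interface or None."""
    ip = ipaddress.ip_address(addr)
    nets = [ipaddress.ip_network(p) for p in routes if ip in ipaddress.ip_network(p)]
    return routes[str(max(nets, key=lambda n: n.prefixlen))] if nets else None

def strict_rpf_ok(router, in_iface, src):
    """Strict mode: accept only if the route back to src uses the arrival interface."""
    return route_iface(ROUTERS[router]["routes"], src) == in_iface

def reply_fate(server_ip, server_gw, giaddr):
    """Follow a server reply addressed to giaddr, entering at the server's gateway."""
    owner = next(r for r, cfg in ROUTERS.items() if giaddr in cfg["owns"])
    if owner == server_gw:
        return f"delivered to relay on {owner}"
    # The gateway forwards onto the client LAN, so the owner sees it arrive on "lan".
    if not strict_rpf_ok(owner, "lan", server_ip):
        return f"dropped at {owner} (lan): route to {server_ip} is via uplink"
    return f"delivered to relay on {owner}"

if __name__ == "__main__":
    for name, ip, gw in (("dhcp01", "192.168.2.4", "router1"),
                         ("dhcp02", "192.168.2.5", "router2")):
        for giaddr in ("10.30.10.253", "10.30.10.254", "10.30.10.1"):
            print(f"{name} -> {giaddr}: {reply_fate(ip, gw, giaddr)}")
```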
Re: DHCP IP assignment issue - dhcp failover scenario

Simon Hobson-2
Usman Ahmad <[hidden email]> wrote:

> Clients subnet gateway is configured as vip between both relay routers and this vip is active on router-2.

OK

> And each router is taking physical address as Gi-addr configured for the vrrp of client subnet.

That's unclear to me. Does that mean that the relays are using .253 or .254, or using .1 ? They really need to be using .253 and .254 respectively to avoid issues.

> Regarding dhcp servers routing; dhcp01 gateway is router1 and dhcp02 gateway is router2.

I would put in explicit routing rules. I.e., in server 1 put a rule for the client subnet via relay 1, and similarly for server 2 routing via relay 2.

Also, is the routing set up properly such that if server1 were to send a packet to router 1 (at its client subnet address) via router 2, then router 2 would correctly forward the packet?
And are there any filters/firewall that might block traffic ?

