Failover Peer Issue with Polycom SoundStation IP 6000 Phone

Hello list,

Hopefully someone can help me. I'm on CentOS using ISC dhcp version 4.2.5.

We have many Polycom phones, but only 1 model in particular is having
issues obtaining an IP address from our ISC DHCP server. I see all 4 DORA
DHCP packets, but the request and ack keeps repeating and the phone doesn't
get an IP and says "Error DHCP Failed" after about 1 minute. After that it
may take 1 hour, or maybe 30 minutes to actually get the IP. All other
Polycom models are working fine and obtain an IP in a few seconds.

If I stop the secondary failover server's DHCP service, then the phone I'm
having an issue with gets an IP immediately. See dhcpd.conf below. I've
also tried clearing the secondary database also to no avail. Please advise.
Thank you.

Primary server config:

failover peer "failover-dhcp" {
  primary; # This defines the master
  address a.a.14.34;
  port 847;
  peer address a.a.15.34;
  peer port 647;
  max-response-delay 60;
  max-unacked-updates 10;
  mclt 3600;
  split 255; # 128 is balanced; use 255 if primary is 100% responsible
until failure
  load balance max seconds 3;
}

allow unknown-clients;
ping-check on;
ping-check true;

option dhcp-server-identifier a.a.14.34;
option domain-name "domain.net";
option domain-name-servers a.a.14.35, a.a.15.35;
option ntp-servers a.a.14.36, a.a.15.36;
option time-servers a.a.14.36, a.a.15.36;
option time-offset -18000;
option option-125 code 125 = string;

default-lease-time 86400;
max-lease-time 86400;

ddns-update-style none;

authoritative;

log-facility local4;

subnet a.a.14.0 netmask 255.255.255.192 {
}

shared-network "HPBX" {
        subnet b.b.0.0 netmask 255.255.240.0 {
                option routers b.b.0.1;
                option subnet-mask 255.255.240.0;
                option broadcast-address b.b.15.255;
                option tftp-server-name "
https://meta-portal.domain.net/sip-ps";
                default-lease-time 604800;
                max-lease-time 604800;
                pool {
                        failover peer "failover-dhcp";
                        range b.b.0.101 b.b.15.254;
                        deny dynamic bootp clients;
                }
        }
}

shared-network "HPBX_MGMT" {
        subnet c.c.0.0 netmask 255.255.240.0 {
                option routers c.c.0.1;
                option subnet-mask 255.255.240.0;
                option broadcast-address c.c.15.255;
                option tftp-server-name "a.a.14.34";
                option bootfile-name "startup-config.350";
                send option-125
00:00:00:09:0B:05:09:43:49:30:33:32:2e:30:30:50;
                default-lease-time 15552000;
                max-lease-time 15552000;
                pool {
                        range c.c.0.101 c.c.15.254;
                        deny dynamic bootp clients;
                }
        }
}

Secondary server config:

failover peer "failover-dhcp" {
  secondary; # This defines the slave
  address a.a.15.34;
  port 647;
  peer address a.a.14.34;
  peer port 847;
  max-response-delay 60;
  max-unacked-updates 10;
  load balance max seconds 3;
}

allow unknown-clients;
ping-check on;
ping-check true;

option dhcp-server-identifier a.a.15.34;
option domain-name "domain.net";
option domain-name-servers a.a.14.35, a.a.15.35;
option ntp-servers a.a.14.36, a.a.15.36;
option time-servers a.a.14.36, a.a.15.36;
option time-offset -18000;
option option-125 code 125 = string;

default-lease-time 86400;
max-lease-time 86400;

ddns-update-style none;

authoritative;

log-facility local4;

subnet a.a.15.0 netmask 255.255.255.192 {
}

shared-network "HPBX" {
        subnet b.b.0.0 netmask 255.255.240.0 {
                option routers b.b.0.1;
                option subnet-mask 255.255.240.0;
                option broadcast-address b.b.15.255;
                option tftp-server-name "
https://meta-portal.domain.net/sip-ps";
                default-lease-time 604800;
                max-lease-time 604800;
                pool {
                        failover peer "failover-dhcp";
                        range b.b.0.101 b.b.15.254;
                        deny dynamic bootp clients;
                }
        }
}

_______________________________________________
ISC funds the development of this software with paid support subscriptions. Contact us at https://www.isc.org/contact/ for more information.

dhcp-users mailing list
dhcp-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/dhcp-users

Will Bashlor <[hidden email]> wrote:

> Hopefully someone can help me. I'm on CentOS using ISC dhcp version 4.2.5.
>
> We have many Polycom phones, but only 1 model in particular is having issues obtaining an IP address from our ISC DHCP server. I see all 4 DORA DHCP packets, but the request and ack keeps repeating and the phone doesn't get an IP and says "Error DHCP Failed" after about 1 minute. After that it may take 1 hour, or maybe 30 minutes to actually get the IP. All other Polycom models are working fine and obtain an IP in a few seconds.
>
> If I stop the secondary failover server's DHCP service, then the phone I'm having an issue with gets an IP immediately.

I think the best step to take is to collect traffic dumps in the two cases - pcap, wireshark, ...
You can then inspect the packets to see if there is anything different between them.

When you stop the peer, do you put the remaining server into partner down state ?
Two things come to mind, one is a difference in lease times, the other is that the phone doesn't like getting multiple responses (shouldn't be a problem, it's part of the spec).

Simon

_______________________________________________
ISC funds the development of this software with paid support subscriptions. Contact us at https://www.isc.org/contact/ for more information.

dhcp-users mailing list
[hidden email]
https://lists.isc.org/mailman/listinfo/dhcp-users

Thanks so much for the reply! I stop the service on the second server, then
the first server stated: "dhcpd: failover peer failover-dhcp: I move from
normal to communications-interrupted". I'm not sure if this is the same as
partner down state?

The lease times are both 7 days. I could easily change this but I don't
think it will make a difference.

I compared the 2 case captures. Case 1 with 2 servers in a failover
configuration when the issue is happening, and case 2 with the second
server's service stopped and the issue is not happening (phone gets IP
immediately). The only difference I can see between the 2 captures is the
"DHCP Server Identifier" in the ACK. In case 1 the "DHCP Server Identifier"
in the ACK is the IP of the second server (which I find odd since split is
set to 255). But this is also the case with captures using the other model
phones (i.e. VVX411) that are working fine. Hmmm. In case 2, of course the
"DHCP Server Identifier" is the IP of the first server, since there is only
1 server. For case 1 and case 2 I see the "DHCP Server Identifier" in the
OFFER messages is the IP of server 1.

I did notice that in a long capture I took where the phone has the issue but
starts working 30ish minutes later, the last ACK is different from the rest
in that it has the first server IP as the "DHCP Server Identifier". So for
grins I temporarily changed the "DHCP Server Identifier" on the second
server to the IP of the first server, and the SoundStation IP 6000 then
immediately booted normally in a few seconds even with both servers running.

It seems this particular model phone has an issue with the OFFER "DHCP
Server Identifier" being the IP of server 1 and the ACK "DHCP Server
Identifier" being the IP of server 2. At this point though I still don't
know what a resolution could be.



--
Sent from: http://isc-dhcp-users.2343191.n4.nabble.com/
_______________________________________________
ISC funds the development of this software with paid support subscriptions. Contact us at https://www.isc.org/contact/ for more information.

dhcp-users mailing list
dhcp-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/dhcp-users

I never used failover; but Is it reasonable that the DHCP Server Identifier is not the actual server that sent out this message? I.e. should it be the same in both instances?
I think Simon might be able to answer this?

_______________________________________________
ISC funds the development of this software with paid support subscriptions. Contact us at https://www.isc.org/contact/ for more information.

dhcp-users mailing list
[hidden email]
https://lists.isc.org/mailman/listinfo/dhcp-users

In the dhcp-options man page it says dhcp-server-identifier is used as
the address for unicast replies to the server, so it is probably
important to point to the individual servers.

        option dhcp-server-identifier ip-address;

          This  option is used in DHCPOFFER and DHCPREQUEST messages, and
may optionally be included in the DHCPACK and DHCPNAK messages.  DHCP
servers include this option in the DHCPOFFER in order to allow
          the client to distinguish between lease offers.  DHCP clients
use the contents of the ´server identifier´ field as the destination
address for any DHCP messages unicast to the DHCP  server.   DHCP
          clients also indicate which of several lease offers is being
accepted by including this option in a DHCPREQUEST message.

The only use case for setting this is where you have multiple IP
addresses on the DHCP server and you want replies to come back to a
specific one, eg a private management network and the client facing
interface. This is not a failover specific setting, and in my experience
the defaults will usually have the right behaviour.

Now, down to the problem, it is obviously a bug in the firmware of these
phones. Have you checked with the vendor to see if there is an update
available before hacking around with dhcp configs? There are rather alot
of support articles onthe Polycom support website, and something there
might be of use if you haven't looked there already.

The potential issue I see is that if you set the server-identifier to
the first dhcp server, and then that server goes down, unicast replies
to the other server may not work as intended. This is something to test
out to be sure there is no adverse impact.

Perhaps setting a class that matches these particular phones and setting
the server-identifier only for the phones in question? Something like
this where you match on the vendor part of the mac address:

class "soundstation6000" {
     match if substring(hardware, 1, 4 = 1:aa:bb:cc);  # the leading 1 is
type ethernet, aa:bb:cc are the first three octets of the mac address
     server-identifier aa.aa.14.34;  # or whatever the other server's IP
address is
}

regards,
Glenn

On 2020-11-13 02:54, Sten Carlsen wrote:
          This  option is used in DHCPOFFER and DHCPREQUEST messages, and
may optionally be included in the DHCPACK and DHCPNAK messages.  DHCP
servers include this option in the DHCPOFFER in order to allow
          the client to distinguish between lease offers.  DHCP clients
use the contents of the ´server identifier´ field as the destination
address for any DHCP messages unicast to the DHCP  server.   DHCP
          clients also indicate which of several lease offers is being
accepted by including this option in a DHCPREQUEST message.
_______________________________________________
ISC funds the development of this software with paid support subscriptions. Contact us at https://www.isc.org/contact/ for more information.

dhcp-users mailing list
[hidden email]
https://lists.isc.org/mailman/listinfo/dhcp-users

Thanks Glenn,

I never intended on leaving the secondary server's dhcp-server-identifier set to the primary
server IP. The only reason I changed it was for troubleshooting.

If the primary server was to go down, then the offer dhcp-server-identifier
and the ack dhcp-server-identifier would differ again and we'd be in the
same situation.

If having the dhcp-server-identifier's different from the offer and the ack
is acceptable for the standard and that's normal operation, then it does
point to the phone, which I suspected anyway since the other models are
working fine.

Unfortunately I've tried 3 or 4 different firmware versions with the same
result. But if someone can confirm that what I am seeing is normal behavior,
then I will surely stop messing with the DHCP server config.

We only have 2 of these phones, so setting up a separate class with a
different dhcp-server-identifier just for these may be a viable option if I
can't find another solution.

Thanks Glenn for your time I really appreciate it.

Will



--
Sent from: http://isc-dhcp-users.2343191.n4.nabble.com/
_______________________________________________
ISC funds the development of this software with paid support subscriptions. Contact us at https://www.isc.org/contact/ for more information.

dhcp-users mailing list
dhcp-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/dhcp-users

willieb <[hidden email]> wrote:

> Thanks so much for the reply! I stop the service on the second server, then
> the first server stated: "dhcpd: failover peer failover-dhcp: I move from
> normal to communications-interrupted". I'm not sure if this is the same as
> partner down state?

No, they are two different states.

In partner-down state, one server will behave near enough the same as a single server - handling all the IPs in the pools.

communications-interrupted is very different. The server cannot know that the other server is actually down - there are a number of potential network topologies/fault conditions where a client could have communications to/from both servers, but the servers can't communicate between themselves. If a server assumed the other was down and took over the whole range(s), then that would cause some rather serious issues.

To get from communications-interrupted to partner-down requires operator intervention, OR configuring automatic transition (it's not the default) having decided that the risk is acceptable for the given network topology.

I don't actually use failover, but there's been plenty of threads about it over the years. In partner down state, the server will alter it's behaviour in terms of what leases it will service and what lease times it will use - and I think that differs depending on whether the address is currently managed by this server or it's peer. TBH I don't have that detail in my head.

> The lease times are both 7 days. I could easily change this but I don't
> think it will make a difference.

Probably not. But many years ago I had to give up configuring a particular printer (early days of the digital copiers) with DHCP - it would just never accept a lease. Some time later I found out that it only accepted leases that were over 2 years long - met with a "WTF ?" from me ! You have to wonder what's in the mindset of some developers.

> I compared the 2 case captures. Case 1 with 2 servers in a failover
> configuration when the issue is happening, and case 2 with the second
> server's service stopped and the issue is not happening (phone gets IP
> immediately). The only difference I can see between the 2 captures is the
> "DHCP Server Identifier" in the ACK.

Interesting. I would have expected to see differences in lease lengths as well - see above about peer states.

> In case 1 the "DHCP Server Identifier"
> in the ACK is the IP of the second server (which I find odd since split is
> set to 255). But this is also the case with captures using the other model
> phones (i.e. VVX411) that are working fine. Hmmm. In case 2, of course the
> "DHCP Server Identifier" is the IP of the first server, since there is only
> 1 server. For case 1 and case 2 I see the "DHCP Server Identifier" in the
> OFFER messages is that of server 1.

BTW - did you check which server "owns" that lease ?

Simon

_______________________________________________
ISC funds the development of this software with paid support subscriptions. Contact us at https://www.isc.org/contact/ for more information.

dhcp-users mailing list
[hidden email]
https://lists.isc.org/mailman/listinfo/dhcp-users

>> substring(hardware, 1, 4 = 1:aa:bb:cc)

I'm not sure who owned the lease, but I do believe the class solution will
be a nice workaround. I have 2 questions at the moment:

1.) Regarding the substring statement above, what is the difference in using
"1, 4" or "1, 3"?

2.) The first 6 digits of the mac address (OUI) is the same for all of our
Polycom phones, but it appears the SoundStations we have all use 34 as the
next 2 mac digits. So can we specify 8 digits instead of 6 digits for
matching?

Thanks.



--
Sent from: http://isc-dhcp-users.2343191.n4.nabble.com/
_______________________________________________
ISC funds the development of this software with paid support subscriptions. Contact us at https://www.isc.org/contact/ for more information.

dhcp-users mailing list
[hidden email]
https://lists.isc.org/mailman/listinfo/dhcp-users

So from the dhcp-eval man page the arguments to substring() are

        substring (data-expr, offset, length)

Note that the parameter hardware() is one byte for the network type (1
for ethernet, but others include token ring, etc) prefixed to the MAC
address. So for a device that has the mac address aa:bb:cc:dd:ee:ff,
hardware() will return 01:aa:bb:cc:dd:ee:ff

The hardware string represents 7 bytes of data with each byte (or octet)
being represented by two hexadecimal characters separated by a colon.

So for Q1, the last parameter is the length of the string to match.

And for Q2 matching on the first 4 bytes of the mac seems like the way
to go, eg: if hardware() is as above then we want to match 1:aa:bb:cc:34
which is a length of 5.

substring(hardware, 1, 5 = 1:aa:bb:cc:34)

or to ignore the network type, perhaps start at the second byte

substring(hardware, 2, 4 = aa:bb:cc:34)

Hope this helps.

regards,
Glenn

On 2020-11-19 05:45, willieb wrote: _______________________________________________
ISC funds the development of this software with paid support subscriptions. Contact us at https://www.isc.org/contact/ for more information.

dhcp-users mailing list
[hidden email]
https://lists.isc.org/mailman/listinfo/dhcp-users

Thanks for the reply. I'm back working on this since Thanksgiving is over. I
was able to create a class with the text below:

class "SSIP" {
match if substring (hardware,2,4) = aa:bb:cc:34;
server-identifier x.x.14.34;
}

But when I add:

allow members of "SSIP";

to the shared-network then I get the errors at the end of this reply.

Also, if I add the allow members statement, doesn't that deny other clients?
My goal is to allow all clients normally, but clients that have the hardware
address beginning with aa:bb:cc:34 I want them to get the server-identifier
of x.x.14.34. I hope that makes sense. Thanks for your help guys.

-Will

? dhcpd.service - DHCPv4 Server Daemon
   Loaded: loaded (/usr/lib/systemd/system/dhcpd.service; disabled; vendor
preset: disabled)
   Active: failed (Result: exit-code) since Mon 2020-11-30 10:39:20 EST; 4s
ago
     Docs: man:dhcpd(8)
           man:dhcpd.conf(5)
  Process: 27298 ExecStart=/usr/sbin/dhcpd -f -cf /etc/dhcp/dhcpd.conf -user
dhcpd -group dhcpd --no-pid (code=exited, status=1/FAILURE)
 Main PID: 27298 (code=exited, status=1/FAILURE)

Nov 30 10:39:20 localhost.localdomain dhcpd[27298]:                                      
^
Nov 30 10:39:20 localhost.localdomain dhcpd[27298]: Configuration file
errors encountered -- exiting
Nov 30 10:39:20 localhost.localdomain dhcpd[27298]:
Nov 30 10:39:20 localhost.localdomain dhcpd[27298]: This version of ISC DHCP
is based on the release available
Nov 30 10:39:20 localhost.localdomain dhcpd[27298]: on ftp.isc.org.
Features have been added and other changes
Nov 30 10:39:20 localhost.localdomain dhcpd[27298]: have been made to the
base software release in order to make
Nov 30 10:39:20 localhost.localdomain systemd[1]: dhcpd.service: main
process exited, code=exited, status=1/FAILURE
Nov 30 10:39:20 localhost.localdomain systemd[1]: Failed to start DHCPv4
Server Daemon.
Nov 30 10:39:20 localhost.localdomain systemd[1]: Unit dhcpd.service entered
failed state.
Nov 30 10:39:20 localhost.localdomain systemd[1]: dhcpd.service failed.



--
Sent from: http://isc-dhcp-users.2343191.n4.nabble.com/
_______________________________________________
ISC funds the development of this software with paid support subscriptions. Contact us at https://www.isc.org/contact/ for more information.

dhcp-users mailing list
[hidden email]
https://lists.isc.org/mailman/listinfo/dhcp-users

Hi Will,

Looks like a simple syntax error of some sort in the config. If you run
that ExecStart command yourself I'm sure it will give better info.

However, the good news is that you don't need to 'allow members of
"SSIP"' in the pool(s). All the work is done in the class statement, in
that if it matches the class then all the settings in the class are
applied to that request. IP address and other allocation will be done in
whatever pools it subsequently uses. You could check this with a packet
trace using tcpdump for example.

regards,
Glenn

On 2020-12-01 02:44, willieb wrote: _______________________________________________
ISC funds the development of this software with paid support subscriptions. Contact us at https://www.isc.org/contact/ for more information.

dhcp-users mailing list
[hidden email]
https://lists.isc.org/mailman/listinfo/dhcp-users

Thanks Glenn,

That is great news! I won't try to add the allow statement then. But
unfortunately it's not working. The ACK still shows the identifier of the
secondary server and not the primary for the SSIP class match. I verified
this with a wireshark capture. Here's the syntax I've tried (separately) and
it makes no difference for the identifier used in the ACK:

class "SSIP" {
match if substring (hardware,2,4) = aa:bb:cc:34;
server-identifier x.x.14.34;
}

class "SSIP" {
match if substring (hardware,1,5) = 1:aa:bb:cc:34;
server-identifier x.x.14.34;
}

class "SSIP" {
match if substring (hardware,2,4) = aa:bb:cc:34;
option dhcp-server-identifier x.x.14.34;
}

class "SSIP" {
match if substring (hardware,1,5) = 1:aa:bb:cc:34;
option dhcp-server-identifier x.x.14.34;
}

class "SSIP" {
match if substring (hardware,2,4) = aa:bb:cc:34;
server-identifier x.x.14.34;
option dhcp-server-identifier x.x.14.34;
}

class "SSIP" {
match if substring (hardware,1,5) = 1:aa:bb:cc:34;
server-identifier x.x.14.34;
option dhcp-server-identifier x.x.14.34;
}

Edit: Glenn, I didn't mean to send those first 2 replies directly to your
email lol...


glenn.satchell wrote
Quoted from:
http://isc-dhcp-users.2343191.n4.nabble.com/Failover-Peer-Issue-with-Polycom-SoundStation-IP-6000-Phone-tp3609p3650.html




--
Sent from: http://isc-dhcp-users.2343191.n4.nabble.com/
_______________________________________________
ISC funds the development of this software with paid support subscriptions. Contact us at https://www.isc.org/contact/ for more information.

dhcp-users mailing list
[hidden email]
https://lists.isc.org/mailman/listinfo/dhcp-users

On Tue, Dec 01, 2020 at 10:16:05AM -0600, willieb wrote:
 
> class "SSIP" {
>     match if substring (hardware,2,4) = aa:bb:cc:34;
>     server-identifier x.x.14.34;
> }

    String offsets begin at zero. Try

        > class "SSIP" {
        >     match if substring (hardware,1,4) = aa:bb:cc:34;
        >     server-identifier x.x.14.34;
        > }
--
Bruce A. Hudson | [hidden email]
ITS, Networks and Systems |
Dalhousie University |
Halifax, Nova Scotia, Canada | (902) 494-3405
_______________________________________________
ISC funds the development of this software with paid support subscriptions. Contact us at https://www.isc.org/contact/ for more information.

dhcp-users mailing list
[hidden email]
https://lists.isc.org/mailman/listinfo/dhcp-users