dhcpd doesn't acknowledge dhcp requests

I have a dhcp server that won't give out leases and doesn't acknowledge
DHCPDISCOVERs.

I see the requests come in with tcpdump, but the daemon doesn't log them
and doesn't respond.


failover peer "partner" {
   primary;
   address 10.64.0.104;
   port 647;
   peer address 10.64.0.112;
   peer port 647;
   max-response-delay 60;
   max-unacked-updates 10;
   mclt 3600;
   split 255;
   load balance max seconds 3;
}

subnet 10.112.0.0 netmask 255.248.0.0 {
   log(info, concat(
     "Lease: ",binary-to-ascii (10, 8, ".", leased-address)
     ," Mac: ",binary-to-ascii(16, 8, ":", substring(hardware,1, 6))
     ," Relay: ",option agent.remote-id
   ));
   option routers 10.112.0.1;
   pool {
     range 10.112.1.0 10.112.255.255;
     failover peer "partner";
   }
}



 > ip -4 a sh em2
45: em2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP
     inet 10.112.0.104/13 brd 10.119.255.255 scope global em2
        valid_lft forever preferred_lft forever

 > tcpdump -vv -i em2

IP (tos 0x0, ttl 255, id 48977, offset 0, flags [none], proto UDP (17),
length 339)
     0.0.0.0.bootpc > 255.255.255.255.bootps: [udp sum ok] BOOTP/DHCP,
Request from xx:xx:xx:xx:xx:xx (oui Unknown), length 311, xid
0x7f73db12, secs 53, Flags [none] (0x0000)
       Client-Ethernet-Address xx:xx:xx:xx:xx:xx (oui Unknown)
       Vendor-rfc1048 Extensions
         Magic Cookie 0x63825363
         DHCP-Message Option 53, length 1: Discover
         Parameter-Request Option 55, length 9:
           Subnet-Mask, Default-Gateway, Domain-Name-Server, Domain-Name
           Option 119, LDAP, Option 252, Netbios-Name-Server
           Netbios-Node
         MSZ Option 57, length 2: 1500
         Client-ID Option 61, length 7: ether xx:xx:xx:xx:xx:xx
         Lease-Time Option 51, length 4: 7776000
         Hostname Option 12, length 8: "Private_"
         Agent-Information Option 82, length 25:
           Circuit-ID SubOption 1, length 7: Anonymo
           Remote-ID SubOption 2, length 14: 172.20.100.101

 > tail /var/log/dhcpd
dhcpd: Sent update done message to partner
dhcpd: Update request from partner: nothing pending
failover peer partner: peer moves from potential-conflict to normal
dhcpd: failover peer partner: I move from conflict-done to normal
dhcpd: balancing pool 7fdb1b28a920 10.112.0.0/13  total 65280  free
32640  backup 32640  lts 0  max-own (+/-)6528
dhcpd: balanced pool 7fdb1b28a920 10.112.0.0/13  total 65280  free
32640  backup 32640  lts 0  max-misbal 9792

 >ss -anlp | grep ':67'
tcp    UNCONN     0      0 *:67                    *:*      
users:(("dhcpd",21614,9))

_______________________________________________
dhcp-users mailing list
[hidden email]
https://lists.isc.org/mailman/listinfo/dhcp-users

On Tue, 2015-06-02 at 13:06 -0700, Sean McMurray wrote:
> I have a dhcp server that won't give out leases and doesn't
> acknowledge DHCPDISCOVERs.
>
> I see the requests come in with tcpdump, but the daemon doesn't log
> them and doesn't respond.

Just guessing but I'm thinking either a firewall (e.g. iptables) could
be blocking the traffic or the daemon is not listening to broadcasts,
i.e. compiled with --enable-use-sockets or similar.

>  >ss -anlp | grep ':67'
> tcp    UNCONN     0      0 *:67                    *:*      
> users:(("dhcpd",21614,9))

Does it really say TCP there? That's a little strange for a DHCP server.
I'd expect it to have an entry for "raw" and one for "udp".

--
Peter


_______________________________________________
dhcp-users mailing list
[hidden email]
https://lists.isc.org/mailman/listinfo/dhcp-users

On 06/02/2015 02:33 PM, Peter Rathlev wrote:
> On Tue, 2015-06-02 at 13:06 -0700, Sean McMurray wrote:
>> I have a dhcp server that won't give out leases and doesn't
>> acknowledge DHCPDISCOVERs.
>>
>> I see the requests come in with tcpdump, but the daemon doesn't log
>> them and doesn't respond.
> Just guessing but I'm thinking either a firewall (e.g. iptables) could
> be blocking the traffic or the daemon is not listening to broadcasts,
> i.e. compiled with --enable-use-sockets or similar.
The firewall has port 67 open. The daemon is the stock package on centos7.
>
>>   >ss -anlp | grep ':67'
>> tcp    UNCONN     0      0 *:67                    *:*
>> users:(("dhcpd",21614,9))
> Does it really say TCP there? That's a little strange for a DHCP server.
> I'd expect it to have an entry for "raw" and one for "udp".
>
That's a copy/paste. That's really what it says.

_______________________________________________
dhcp-users mailing list
[hidden email]
https://lists.isc.org/mailman/listinfo/dhcp-users

Is the daemon listening on interface em2?

# ss -anp | grep dhcpd
p_raw  UNCONN     0      0                      *:eth0                   *      users:(("dhcpd",24985,5))
[...]

Alternatively, running the daemon manually in debug mode (-d) should give some hints as to the interfaces it's discovered:

Listening on LPF/eth0/00:14:22:28:ad:83/192.168.125.0/24
Sending on   LPF/eth0/00:14:22:28:ad:83/192.168.125.0/24
Sending on   Socket/fallback/fallback-net

Graham
_______________________________________________
dhcp-users mailing list
[hidden email]
https://lists.isc.org/mailman/listinfo/dhcp-users

On 06/02/2015 03:40 PM, Graham Clinch wrote: On startup it says that it is Listening and Sending on em2. It also
lists interfaces it will ignore because there is no matching subnet
declared in dhcpd.conf.

It also says:

        Sending on   Socket/fallback/fallback-net

> ss -anp | grep dhcpd
p_raw  UNCONN     0      0                      *:em2                  *      users:(("dhcpd",21614,5))
u_str  ESTAB      0      0                      * 558943                 * 559749 users:(("dhcpd",21614,2),("dhcpd",21614,1))
u_dgr  UNCONN     0      0                      * 558954                 * 8044  users:(("dhcpd",21614,3))
raw    UNCONN     0      0                      *:1                     *:*      users:(("dhcpd",21614,4))
tcp    UNCONN     0      0                      *:14659                 *:*      users:(("dhcpd",21614,20))
tcp    UNCONN     0      0                      *:67                    *:*      users:(("dhcpd",21614,9))
tcp    UNCONN     0      0                     :::23465                :::*      users:(("dhcpd",21614,21))
tcp    LISTEN     0      1            10.64.0.104:647                   *:*      users:(("dhcpd",21614,11))
tcp    ESTAB      0      0            10.64.0.104:647         10.64.0.112:56061  users:(("dhcpd",21614,10))


_______________________________________________
dhcp-users mailing list
[hidden email]
https://lists.isc.org/mailman/listinfo/dhcp-users

Sean,

I don't see a subnet defined for the 10.64.0.104 local subnet.

Without it, broadcasts aren't going to get answered as there is no dhcpd pool or configuration
telling it to answer local requests.

Alternatively, if you wanted the devices to use an IP Helper, as long as the request comes from
an IP address including in one of your subnets, it will get linked to that network and if rules
are passed allowing an answer, you will get your dhcp answer at the remote device.

Try adding something like the following:

subnet 10.64.0.0 netmask 255.255.255.0 {  # obviously if this isn't a /24, then adjust as needed
     authoritative;
     option routers 10.64.0.1;
     option subnet-mask 255.255.255.0;
     min-lease-time 14400;
     default-lease-time 14400;
     range 10.64.0.5 10.64.0.10;
}

Dave

On 6/3/15 10:10, Sean McMurray wrote:
--
Dave Calafrancesco
_______________________________________________
dhcp-users mailing list
[hidden email]
https://lists.isc.org/mailman/listinfo/dhcp-users

On 06/03/2015 08:52 AM, dave c wrote:
> Sean,
>
> I don't see a subnet defined for the 10.64.0.104 local subnet.
>
> Without it, broadcasts aren't going to get answered as there is no
> dhcpd pool or configuration telling it to answer local requests.
There is a pool for 10.112.0.0/13 and broadcasts are coming from that
interface. Those are the broadcasts that are being ignored.
The 10.64.0.0 network is just being used to sync the peers.

[snip] [snip]
_______________________________________________
dhcp-users mailing list
[hidden email]
https://lists.isc.org/mailman/listinfo/dhcp-users

I've removed failover and simplified the config. But dhcpd still ignores
dhcp requests.
My config now looks like this:

log-facility local6;
ddns-update-style interim;
ignore client-updates;
authoritative;
max-lease-time 300;

subnet 10.96.0.0 netmask 255.248.0.0 {
   log(info, concat(
     "Lease: ",binary-to-ascii (10, 8, ".", leased-address)
     ," Mac: ",binary-to-ascii(16, 8, ":", substring(hardware,1, 6))
     ," Relay: ",option agent.remote-id
   ));
   option routers 10.96.0.1;
   pool {
     range 10.96.1.0 10.96.255.255;
   }
}

subnet 10.104.0.0 netmask 255.248.0.0 {
   log(info, concat(
     "Lease: ",binary-to-ascii (10, 8, ".", leased-address)
     ," Mac: ",binary-to-ascii(16, 8, ":", substring(hardware,1, 6))
     ," Relay: ",option agent.remote-id
   ));
   option routers 10.104.0.1;
   pool {
     range 10.104.1.0 10.104.255.255;
   }
}

subnet 10.112.0.0 netmask 255.248.0.0 {
   log(info, concat(
     "Lease: ",binary-to-ascii (10, 8, ".", leased-address)
     ," Mac: ",binary-to-ascii(16, 8, ":", substring(hardware,1, 6))
     ," Relay: ",option agent.remote-id
   ));
   option routers 10.112.0.1;
   pool {
     range 10.112.1.0 10.112.255.255;
   }
}

_______________________________________________
dhcp-users mailing list
[hidden email]
https://lists.isc.org/mailman/listinfo/dhcp-users

strace shows the daemon receiving requests but not responding.
I'm stumped as to why it won't respond.

On 06/05/2015 08:56 AM, Sean McMurray wrote: [removed]
> subnet 10.112.0.0 netmask 255.248.0.0 {
[removed]
> option routers 10.112.0.1;
>   pool {
>     range 10.112.1.0 10.112.255.255;
>   }
> }

_______________________________________________
dhcp-users mailing list
[hidden email]
https://lists.isc.org/mailman/listinfo/dhcp-users

On Fri, 2015-06-05 at 14:49 -0700, Sean McMurray wrote:
> strace shows the daemon receiving requests but not responding.
> I'm stumped as to why it won't respond.

That certainly seems strange. Have you tried removing the log statements
completely? I would call it a bug if that changes anything, but it would
be easy to try.

With the stock CentOS 7 package it should not be SELinux related, unless
there was an error in the definitions. However, could you try disabling
SELinux if you haven't already?

Other than that I can only think of starting the daemon with a trace
file (-tf flag), which should let someone with adequate skills figure
out exactly what happens inside the process.

--
Peter


_______________________________________________
dhcp-users mailing list
[hidden email]
https://lists.isc.org/mailman/listinfo/dhcp-users

I have stripped dhcpd.conf all the way down to this:

     log-facility local6;

     subnet 10.112.0.0 netmask 255.248.0.0 {
       option routers 10.112.0.1;
       pool {
         range 10.112.1.0 10.112.255.255;
       }
     }

I have disabled SELinux. I have disabled iptables.
I have purged the leasefile.
Still, dhcpd does not respond to DHCPDISCOVERs.


On 06/08/2015 03:21 PM, Peter Rathlev wrote:

_______________________________________________
dhcp-users mailing list
[hidden email]
https://lists.isc.org/mailman/listinfo/dhcp-users

_______________________________________________
dhcp-users mailing list
[hidden email]
https://lists.isc.org/mailman/listinfo/dhcp-users

The DHCP requests come through a DSLAM which injects the option 82 info.

Question ... I noticed option 82 information in your packet dump.  How is that ending up in there?

The packet dump doesn't appear to show a relay agent in play, so option 82 shouldn't exist...

---

From: "Sean McMurray" [hidden email]
To: "Users of ISC DHCP" [hidden email]
Sent: Tuesday, June 9, 2015 1:30:13 PM
Subject: Re: dhcpd doesn't acknowledge dhcp requests

I have stripped dhcpd.conf all the way down to this:

     log-facility local6;

     subnet 10.112.0.0 netmask 255.248.0.0 {
       option routers 10.112.0.1;
       pool {
         range 10.112.1.0 10.112.255.255;
       }
     }

I have disabled SELinux. I have disabled iptables.
I have purged the leasefile.
Still, dhcpd does not respond to DHCPDISCOVERs.


On 06/08/2015 03:21 PM, Peter Rathlev wrote:
> On Fri, 2015-06-05 at 14:49 -0700, Sean McMurray wrote:
>> strace shows the daemon receiving requests but not responding.
>> I'm stumped as to why it won't respond.
> That certainly seems strange. Have you tried removing the log statements
> completely? I would call it a bug if that changes anything, but it would
> be easy to try.
>
> With the stock CentOS 7 package it should not be SELinux related, unless
> there was an error in the definitions. However, could you try disabling
> SELinux if you haven't already?
>
> Other than that I can only think of starting the daemon with a trace
> file (-tf flag), which should let someone with adequate skills figure
> out exactly what happens inside the process.
>


_______________________________________________
dhcp-users mailing list
[hidden email]
https://lists.isc.org/mailman/listinfo/dhcp-users

_______________________________________________
dhcp-users mailing list
[hidden email]
https://lists.isc.org/mailman/listinfo/dhcp-users

_______________________________________________
dhcp-users mailing list
[hidden email]
https://lists.isc.org/mailman/listinfo/dhcp-users

On 6/9/15 10:30 AM, Sean McMurray wrote: What is the IP address of the DHCP server?


--
I am conducting an experiment in the efficacy of PGP/MIME signatures.
This message should be signed. If it is not, or the signature does not
validate, please let me know how you received this message (direct, or
to a list) and the mail software you use. Thanks!


_______________________________________________
dhcp-users mailing list
[hidden email]
https://lists.isc.org/mailman/listinfo/dhcp-users

On 06/09/2015 12:29 PM, Doug Barton wrote: 10.112.0.112

_______________________________________________
dhcp-users mailing list
[hidden email]
https://lists.isc.org/mailman/listinfo/dhcp-users

On 6/9/15 1:16 PM, Sean McMurray wrote:
Ok, and the /13 netmask is something you intended to do, and matches
what's on the wire?


--
I am conducting an experiment in the efficacy of PGP/MIME signatures.
This message should be signed. If it is not, or the signature does not
validate, please let me know how you received this message (direct, or
to a list) and the mail software you use. Thanks!


_______________________________________________
dhcp-users mailing list
[hidden email]
https://lists.isc.org/mailman/listinfo/dhcp-users

On 06/09/2015 01:22 PM, Doug Barton wrote: The /13 is intentional. I'm not sure what you mean by "matches what's on
the wire." It matches the mask of the 10.112.0.112 ip. So any DHCP
requests coming in on that interface should associate with this subnet
definition.

_______________________________________________
dhcp-users mailing list
[hidden email]
https://lists.isc.org/mailman/listinfo/dhcp-users

I've run a test using dhtest from https://github.com/saravana815/dhtest
The dhcpd daemon responds to this test.

DHCP requests from real clients get ignored by the daemon.

I've run tcpdump and strace on both requests to detect the difference.

#ss -anlp | grep dhcp
p_raw  UNCONN     0      0 *:em2.112                  *      
users:(("dhcpd",20077,6))
u_dgr  UNCONN     0      0                      * 649449                
* 8044  users:(("dhcpd",20077,3))
raw    UNCONN     0      0 *:1                     *:*      
users:(("dhcpd",20077,5))
tcp    UNCONN     0      0 *:67                    *:*      
users:(("dhcpd",20077,8))
tcp    UNCONN     0      0 *:29204                 *:*      
users:(("dhcpd",20077,20))
tcp    UNCONN     0      0 :::29973                :::*      
users:(("dhcpd",20077,21))

First, the dhtest request:
===============

#./dhtest -V -i em2.112 -m 01:02:03:04:05:06

#tcpdump -vv -i em2.112
11:11:37.541868 IP (tos 0x0, ttl 64, id 0, offset 0, flags [none], proto
UDP (17), length 272)
     0.0.0.0.bootpc > 255.255.255.255.bootps: [udp sum ok] BOOTP/DHCP,
Request from 01:02:03:04:05:06 (oui Unknown), length 244, xid
0x2103abd8, Flags [none] (0x0000)
       Client-Ethernet-Address 01:02:03:04:05:06 (oui Unknown)
       Vendor-rfc1048 Extensions
         Magic Cookie 0x63825363
         DHCP-Message Option 53, length 1: Discover

#strace -p <PID>
select(22, [5 6 8], [], NULL, {40765, 184189}
) = 1 (in [6], left {40745, 888739})
recvmsg(6, {msg_name(0)=NULL,
msg_iov(1)=[{"\377\377\377\377\377\377\1\2\3\4\5\6\10\0E\0\1\20\0\0\0\0@\21y\336\0\0\0\0\377\377"...,
1536}], msg_controllen=36, {cmsg_len=36, cmsg_level=SOL_PACKET,
cmsg_type=, ...}, msg_flags=0}, 0) = 286
write(4, "\0\0\0\7\0\0\1(Ux\200G\0\0\0\0", 16) = 16
write(4,
"\0\0\0\0\0\0\0\4\0\0\0\0\10\0\10\0\200\0\0\0\24\0\6\0\0D\7\1\1\2\3\4"...,
52) = 52
write(4,
"\1\1\6\0U\242b\356\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\2\3\4"...,
244) = 244
sendto(3, "<182>Jun 10 11:21:59 dhcpd: DHCP"..., 75, MSG_NOSIGNAL, NULL,
0) = 75
write(4, "\0\0\0\17\0\0\0000Ux\200G\0\0\0\0", 16) = 16
write(4, "\4\0\0\0\np\1\0\361\204\331X\t\177\0\0\240\32\303Z", 20) = 20
write(4, "\10\0\266\220Ao\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0",
28) = 28
sendto(5, "\10\0\266\220Ao\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0",
28, 0, {sa_family=AF_INET, sin_port=htons(0),
sin_addr=inet_addr("10.112.1.0")}, 16) = 28


Now, the dhcp request from a real client:
=========================

#tcpdump -vv -i em2.112
11:07:45.356945 IP (tos 0x0, ttl 255, id 54051, offset 0, flags [none],
proto UDP (17), length 339)
     0.0.0.0.bootpc > 255.255.255.255.bootps: [udp sum ok] BOOTP/DHCP,
Request from 00:1f:f3:50:1a:83 (oui Unknown), length 311, xid
0x7f73dd69, secs 9, Flags [none] (0x0000)
       Client-Ethernet-Address 00:1f:f3:50:1a:83 (oui Unknown)
       Vendor-rfc1048 Extensions
         Magic Cookie 0x63825363
         DHCP-Message Option 53, length 1: Discover
         Parameter-Request Option 55, length 9:
           Subnet-Mask, Default-Gateway, Domain-Name-Server, Domain-Name
           Option 119, LDAP, Option 252, Netbios-Name-Server
           Netbios-Node
         MSZ Option 57, length 2: 1500
         Client-ID Option 61, length 7: ether 00:1f:f3:50:1a:83
         Lease-Time Option 51, length 4: 7776000
         Hostname Option 12, length 8: "MVT-IMac"
         Agent-Information Option 82, length 25:
           Circuit-ID SubOption 1, length 7: Cutover
           Remote-ID SubOption 2, length 14: 172.23.101.112

#strace -p <PID>
select(22, [5 6 8], [], NULL, {40953, 482348}) = 1 (in [8], left {40951,
672863})
recvfrom(8,
"\1\1\6\0\177s\335n\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\37\363P"...,
1540, 0, {sa_family=AF_INET, sin_port=htons(68),
sin_addr=inet_addr("0.0.0.0")}, [16]) = 311

_______________________________________________
dhcp-users mailing list
[hidden email]
https://lists.isc.org/mailman/listinfo/dhcp-users

Hi,

> #tcpdump -vv -i em2.112
                   ^^^^^^^
Is that tagged vlan 112 on interface em2? - I'd not spotted that
previously.  I've never tried it personally, but my recollection of
posts to this list is 'dhcpd and tagged vlans don't mix well'.

Does dhtest fail if run from a different device?  If so, I guess it's
really going over the (presumably untagged) loopback interface.

Are you able to present vlan 112 untagged?

Graham
_______________________________________________
dhcp-users mailing list
[hidden email]
https://lists.isc.org/mailman/listinfo/dhcp-users

Yes. That is tagged vlan 112 on interface em2.
dhtest fails if I include a -v 112 to tell it about vlan 112.
What are the problems with tagged vlans?

On 06/11/2015 04:00 AM, Graham Clinch wrote:
_______________________________________________
dhcp-users mailing list
[hidden email]
https://lists.isc.org/mailman/listinfo/dhcp-users