[Kea-users] kea-dhcp failover not working

Darren Ankney darren.ankney at gmail.com
Wed Apr 19 16:24:56 UTC 2023


Hi Kraishak,

I didn't look at your certificate setup once I saw the IP problem.
I'd say something isn't right with the cert setup if it stops working
(or there is a firewall issue).  You no longer have to use the
kea-ctrl-agent as of 2.2.0.  Have a look at
https://kea.readthedocs.io/en/kea-2.2.0/arm/hooks.html#multi-threaded-configuration-ha-mt
for details.

https://kea.readthedocs.io/en/kea-2.2.0/arm/hooks.html#https-support
and https://kea.readthedocs.io/en/kea-2.2.0/arm/security.html#tls
contain details about how to set up TLS.

To answer your specific questions:

1) Logs that start with "kea-ctrl-agent" would go in the "loggers"
section of the kea-ctrl-agent configuration.  Things that start with
"kea-dhcp4" go in the "loggers" section of the kea-dhcp4
configuration.  You can log kea-ctrl-agent.http in the kea-ctrl-agent
config and probably kea-dhcp4.ha-hooks will contain the kea-dhcp4
perspective. See
https://kea.readthedocs.io/en/kea-2.2.0/arm/logging.html#id3 for
details about loggers that are possible.

2) max-unacked-clients will cause Kea to wait for the amount of
clients specified that are waiting for their lease to renew.  This is
(in the case of DHCPv4) based on the number contained in the secs
field of the DHCPv4 packet (indicates how long a client has been
trying to obtain a lease).  Not all clients implement this field.  If
you are trying to test with perfdhcp, then something like this:
perfdhcp -4 -r 1 -R 100 -t 60 -Y 10 -y 7200 -l ens256 will cause the
100 clients specified to start setting the secs field for 7200s (I
believe to an incrementing number based on how long perfdhcp has been
running less the number specified by -Y but I could be wrong).  In any
case, after Kea loses contact with the other server it won't answer
clients until max-unacked-clients is reached.

3) If you don't use the HA+MT method I mentioned earlier, then you
need to run kea-ctrl-agent so that Kea has something to talk to.

Thank you,

Darren Ankney
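
An added example (not part of the original messages and not Kea code): a small pre-flight check for the mistakes discussed in this thread. It flags HA parameters that differ between the two servers apart from "this-server-name", peer URLs that do not match the address the peer's control agent listens on, and TLS settings ("trust-anchor", "cert-file", "key-file") that are only partly filled in or differ between the HA hook and the local agent. It assumes the non-MT setup where peers talk through kea-ctrl-agent; the server names and the 192.168.0.10 address are constructed, the other values are the ones quoted in the thread.

```python
from urllib.parse import urlsplit

TLS_KEYS = ("trust-anchor", "cert-file", "key-file")

def ha_block(dhcp4_conf):
    """Return the first high-availability relationship of a kea-dhcp4 config."""
    for lib in dhcp4_conf["Dhcp4"].get("hooks-libraries", []):
        ha = lib.get("parameters", {}).get("high-availability")
        if ha:
            return ha[0]
    raise ValueError("no high-availability hook configured")

def tls_state(section):
    """'on' if all three TLS files are set, 'off' if none are, else 'partial'."""
    present = [bool(section.get(k)) for k in TLS_KEYS]
    return "on" if all(present) else "off" if not any(present) else "partial"

def check_pair(dhcp4_a, dhcp4_b, agents):
    """agents maps a peer name to that server's Control-agent section."""
    findings = []
    ha_a, ha_b = ha_block(dhcp4_a), ha_block(dhcp4_b)
    for key in sorted(set(ha_a) | set(ha_b)):
        if key != "this-server-name" and ha_a.get(key) != ha_b.get(key):
            findings.append(f"HA parameter '{key}' differs between servers")
    for ha in (ha_a, ha_b):
        me = ha["this-server-name"]
        for peer in ha["peers"]:
            url, agent = urlsplit(peer["url"]), agents[peer["name"]]
            if (url.hostname, url.port) != (agent["http-host"], agent["http-port"]):
                findings.append(f"{me}: peer '{peer['name']}' url {peer['url']} does not "
                                f"match agent {agent['http-host']}:{agent['http-port']}")
        states = {"ha": tls_state(ha), "agent": tls_state(agents[me])}
        if "partial" in states.values() or states["ha"] != states["agent"]:
            findings.append(f"{me}: inconsistent TLS settings {states}")
    return findings

def sample(name, unacked, standby_url):
    """Constructed kea-dhcp4 config holding only the keys this check reads."""
    peers = [{"name": "server1", "url": "http://192.168.0.10:8000/", "role": "primary"},
             {"name": "server2", "url": standby_url, "role": "standby"}]
    ha = {"this-server-name": name, "mode": "hot-standby",
          "max-unacked-clients": unacked, "peers": peers}
    return {"Dhcp4": {"hooks-libraries": [{"parameters": {"high-availability": [ha]}}]}}

# Constructed Control-agent sections; server2 listens where the thread says it does.
AGENTS = {"server1": {"http-host": "192.168.0.10", "http-port": 8000},
          "server2": {"http-host": "192.168.0.126", "http-port": 8000}}
FINDINGS = check_pair(sample("server1", 5, "http://192.168.0.169:8000/"),
                      sample("server2", 0, "http://192.168.0.126:8000/"), AGENTS)
if __name__ == "__main__":
    print("\n".join(FINDINGS))
```
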

On Wed, Apr 19, 2023 at 9:49 AM Kraishak Mahtha <kraishak.edu at gmail.com> wrote:
>
> Hi Darren,
>
> Thanks for the observation, I was trying on the two different sets of servers, and while copying the config these are missed, I have corrected them but still, it didn't work at first, then I removed the certificate params values like
> "trust-anchor": "",
> "cert-file": "",
> "key-file": "",
> in both the kea-DHCP service file and control-agent config. In control-agent.conf I also added "cert-required": false
> it worked and I am able to get a lease but here I have doubts. When I add the certificates back again it is not working
> I tried to add a debug logging configuration for kea-ctrl-agent.http like
>  "loggers": [
>         {
>             "name": "kea-dhcp4",
>             "debuglevel": 99,
>             "output_options": [
>                 {
>                     "output": "/var/log/kea-dhcp4.log"
>                 }
>             ],
>             "severity": "DEBUG"
>         },
> {
>             "name": "kea-ctrl-agent.http  ",
>             "debuglevel": 99,
>             "output_options": [
>                 {
>                     "output": "/var/log/kea-ctrl-agent.http.log"
>                 }
>             ],
>             "severity": "DEBUG"
>         }
>     ]
>  but I don't see any logs even after starting the server,
> 1) Do we have any way where we can increase debugging for the HTTP agent and see if there are any issues?
> 2) In hot standby mode I tried to check the failover case. It worked only when I set the max-unacked-clients to zero only as part of a suggestion from one of the GitHub URLs but want to cross-check if that is the correct expected way.
> 3) And one last confirmation: when we are running the Kea with HA we should run the keactrl_agent on all the appliances?
> Asking this because generally, I prefer using systemctl for my services and for kea I used it so just checking if should I use keactrl_agent also to be monitored by systemctl service
>
>
> Thanks in Advance
> Kraishak
>
>
>
>
> On Tue, Apr 18, 2023 at 11:37 PM Darren Ankney <darren.ankney at gmail.com> wrote:
>>
>> Hi Kraishak,
>>
>> The first thing I see is that your failover configs aren't exactly the
>> same.  They have two differences that I see:
>>
>> "max-unacked-clients": 5,
>> vs
>> "max-unacked-clients": 0,
>>
>> and
>>
>> "url": "http://192.168.0.169:8000/",
>> vs
>> "url": "http://192.168.0.126:8000/",
>>
>> You really want those configurations to be the same except the
>> "this-server-name":  portion.
>>
>> I also see that the "url": "http://192.168.0.169:8000/", on the
>> primary (in the standby server slot) does not match what you are
>> listening to in your control agent on the standby server:
>>
>> "http-host": "192.168.0.126",
>>         "http-port": 8000,
>>
>> I imagine if you fix that typo, it will begin to work.
>>
>> Thank you,
>>
>> Darren Ankney
>>
>> On Tue, Apr 18, 2023 at 1:38 PM Kraishak Mahtha <kraishak.edu at gmail.com> wrote:
>> >
>> > Hi Kevin,
>> >
>> > We have that setup already, I use a tool that send packets using the 4.0.0.0 network interface, I tried that in standalone and it worked fine. I have been using that tool for years and to my knowledge that has no issues, I also tried with 192.168.0.0/22 network too, but still no luck.
>> >
>> > And when you observe the echo command output file on both primary and failover it shows waiting, I guess that is causing the issue, I think it is something like both in recover recover status just like as ISC failover stages, maybe I could be wrong too.
>> >
>> > Do you have any suggestions of how to debug more about the HA, Can we add any more debugging for HA flow?
>> >
>> > On Tue, 18 Apr 2023 at 10:13 PM, Kevin P. Fleming <lists.kea-users at kevin.km6g.us> wrote:
>> >>
>> >> On Tue, Apr 18, 2023, at 12:26, Kraishak Mahtha wrote:
>> >>
>> >> Hi,
>> >> I am trying to configure the kea-DHCP failover.
>> >> Initially, I ran two DHCP servers as two separate standalone and tested the DHCP leases. It is working fine but when I add that to the failover type it is not working. unable to get leases.
>> >> I tried checking the logs, netstat, and config of both dhcp4 and the control agent, everything seems to be ok. I am not sure where the service is getting stuck, I have attached the required config files and "status-get" command output, can someone guide me on this
>> >>
>> >>
>> >> Your servers are on 192.168.0.0/24, but the subnet you have configured is 4.0.0.0/16. How are you sending the DHCP traffic from the clients to your servers, is there a relay involved? If so, is it sending the traffic to both servers in parallel?
>> >>
>> >>
>> >> --
>> >> ISC funds the development of this software with paid support subscriptions. Contact us at https://www.isc.org/contact/ for more information.
>> >>
>> >> To unsubscribe visit https://lists.isc.org/mailman/listinfo/kea-users.
>> >>
>> >> Kea-users mailing list
>> >> Kea-users at lists.isc.org
>> >> https://lists.isc.org/mailman/listinfo/kea-users
>> >

