[Kea-users] Kea HA Heartbeat Failure

Thu Jan 26 14:25:59 UTC 2023

The error “Unauthorized, error code 1” indicates that basic authentication if failing between the control agent and dhcp server.  Not sure of additional log error “communication with kea_dhcp_2 is interrupted”.  When I test my setup with purposely bad password, I do not see that log message.

You mention “keactrl is using a basic authentication with pre-shared key”.  Per docs, I believe Kea currently only supports using basic authentication with username and password.  You may want to verify that your control agent and partner dhcp server are configured with same username/password .   If nothing else, you could disable/remove authentication directives to verify heartbeat successful outside of authentication.

From: Kea-users <kea-users-bounces at lists.isc.org> on behalf of duluxoz <duluxoz at gmail.com>
Date: Thursday, January 26, 2023 at 2:27 AM
To: kea-users at lists.isc.org <kea-users at lists.isc.org>
Subject: [Kea-users] Kea HA Heartbeat Failure
CAUTION: This email originated from outside of the organization. Do not click links or open attachments unless you recognize the sender and know the content is safe.

Hi All,

Looking for some pointers on an issue we've got.

TL:DR: Our Kea HA Servers' Heartbeat not connecting - permissions issue.

So we've got to Kea servers (v2.2) running on two Rocky Linux v9.1 servers. Clients are getting IP Addresses (both dynamic and reserved) and keactrl works fine, etc. But we're getting the following error messages showing up in the logs:

~~~

2023-01-26 16:20:37.013 WARN  [kea-dhcp4.ha-hooks/7896.140594097562496] HA_HEARTBEAT_FAILED heartbeat to kea_dhcp_2 (http://192.168.1.3:8000/<https://nam02.safelinks.protection.outlook.com/?url=http%3A%2F%2F192.168.1.3%3A8000%2F&data=05%7C01%7Crick.frey%40windstream.com%7C61a169e047054ccb964008daff771a97%7C2567b4c1b0ed40f5aee358d7c5f3e2b2%7C0%7C0%7C638103184289627508%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=VJ%2B7UkQyhlliH7F%2BU5Mr18f7lzVsjNVlmDXIAGSCIYA%3D&reserved=0>) failed: Unauthorized, error code 1
2023-01-26 16:20:37.013 WARN  [kea-dhcp4.ha-hooks/7896.140594097562496] HA_COMMUNICATION_INTERRUPTED communication with kea_dhcp_2 is interrupted
~~~

Its not SELinux (we turned off SELinux and the problem persisted).

Its not firewalld (we think) - ie the ports are opened, confirmed by netstat.

We are using the default port of 8000 for keactrl and the heartbeat (I assume this is OK, as the doco seems to imply that it is).

keactrl is using a basic authentication with a pre-shared key, and we've checked that its the same on both servers.

We've bound port 8000 to the actual IPv4 address of the server (not 127.0.0.1). We originally had it bound to the loopback address, and we were getting "connection refused" errors, so we bound it to the real IP Address and not we're getting the above error.

The two servers' IP Addresses are in the correct "allow" statement, and when we removed the allow statement from the config (ie opened up connection to all) we still had the same problem.

Finally, our config files are practically the same as those shown on numerous websites and in the official doco and sample files - with the relevant details changed (ie IP Addresses, etc) - I can post them here if required, but I'm loath to fill up a post with irrelevant info unless requested.  :-)

So, any pointers would be appreciated

Cheers
Dulux-Oz

Sensitivity: Internal
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.isc.org/pipermail/kea-users/attachments/20230126/6c1c2a07/attachment.htm>