excessive failover pool balancing, leases files getting out of sync

Gordon A. Lang glang at goalex.com
Sat Jun 18 00:40:45 UTC 2011


----- Original Message ----- 
From: "Alex Moen" <alexm at ndtel.com>
To: "Users of ISC DHCP" <dhcp-users at lists.isc.org>
Sent: Friday, June 17, 2011 2:54 PM
Subject: Re: excessive failover pool balancing, leases files getting out of sync


>
> On Jun 17, 2011, at 9:55 AM, Marc Perea wrote:
>
>> > From: "Gordon A. Lang" glang at goalex.com
>>
>> > While most clients are happily getting leases, many clients keep
>> > retrying as if they never got the offer/acks or else they simply
>> > don't like what they are getting.
>> >
[...snip...]
>> Hi Gordon,
>> this sounds exactly like a problem we are currently investigating.  We've 
>> looked into our core, BRAS, transport, access, and CPE vendors alike. I 
>> wonder if we could see if we have any similarities? We don't use 
>> failover, but instead use a couple of dhcp servers with the same config 
>> handing back static host IPs.
[...snip snip...]
>
> Just curious, guys, if you are using the access equipment (DSL modem or 
> ONT) as the firewall?  If not, you could sniff between the modem/ont and 
> the firewall WAN port to prove or disprove whether the OFFER is being 
> sent down to the firewall.
>
> We made a conscious decision to *not* utilize a modem/ont firewall in any 
> installation; rather, to recommend/sell/give an off-the-shelf inexpensive 
> firewall to the customer for this express reason.  That way, we have a 
> definite demarc and are not dealing with any liabilities related to 
> network security, or relying on a modem/ont vendor to make proper 
> firewalls.  Also, it makes troubleshooting much easier when it comes to a 
> situation exactly like this.
>
> If you are using a built-in firewall, you could try switching to bridged 
> mode and monitoring the connection between the bridge connection and a 
> "real" firewall.  It could be that the built-in firewall is just 
> experiencing a bug causing this behavior.
>
> We have a couple of dsl/fttp vendors in place.  I have seen this behavior 
> on one of them.  Typically, rebooting the access card or swapping 
> activity on the management cards will clear the problem up...  Marc, you 
> probably can guess which vendor I am talking about.
>
> Just my $.02...
>
> Alex

In my case, there are no firewalls anywhere near the packet flows.  We use 
Cisco "ip helper-address" configurations to relay broadcasts to the DHCP 
servers.  So, when a client is using broadcast (DISCOVER or boot-up REQUEST 
on Windows boxes), the DHCP server actually receives a unicast from the 
router.  But when the client does a unicast (renew REQUEST), the DHCP server 
receives the unicast directly from the client.

I don't recall seeing any failures involving client renewal requests, so I 
plan to carefully examine broadcast handling, but I have dozens of similarly 
weak theories -- nothing strong to follow.

--
Gordon A. Lang 
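As an added illustration of the relay path Gordon describes (not code from the thread or from ISC DHCP): a small parser that tells relayed DHCP packets (giaddr filled in by the router's ip helper-address) from direct client unicasts, and flags clients that keep repeating DISCOVER without ever sending a REQUEST, which is the retry symptom at the start of the thread. The packet bytes and MAC addresses are constructed.

```python
"""Classify DHCPv4 packets as relayed (giaddr set by a router's ip helper-address)
or direct, and flag clients stuck repeating DISCOVER. Added example, constructed input."""
from collections import Counter

MAGIC = b"\x63\x82\x53\x63"                                   # DHCP magic cookie (RFC 2131)
MSG_TYPES = {1: "DISCOVER", 2: "OFFER", 3: "REQUEST", 5: "ACK", 6: "NAK"}

def build_dhcp(msg_type, mac, giaddr=b"\0\0\0\0"):
    """Minimal BOOTP/DHCP payload for the constructed sample (BOOTREQUEST, Ethernet)."""
    hdr = bytes([1, 1, 6, 0]) + b"\0" * 20 + giaddr           # op..siaddr zeroed, then giaddr
    return hdr + mac + b"\0" * 202 + MAGIC + bytes([53, 1, msg_type]) + b"\xff"

def parse_dhcp(pkt):
    """Return (message type, client MAC, relayed?) or None if not a DHCP packet."""
    if len(pkt) < 240 or pkt[236:240] != MAGIC:
        return None
    relayed = pkt[24:28] != b"\0\0\0\0"                       # giaddr non-zero only via a relay
    mac = pkt[28:34].hex(":")                                 # first 6 bytes of chaddr
    i, mtype = 240, None
    while i < len(pkt) and pkt[i] != 0xFF:                    # walk TLV options until End (255)
        code = pkt[i]
        length = 0 if code == 0 else pkt[i + 1]               # Pad option has no length byte
        if code == 53 and length == 1:                        # DHCP Message Type option
            mtype = pkt[i + 2]
        i += 1 if code == 0 else 2 + length
    return MSG_TYPES.get(mtype, f"type{mtype}"), mac, relayed

def stuck_clients(packets, threshold=3):
    """MAC -> (count, path) for clients whose consecutive DISCOVERs (no REQUEST between) reach threshold."""
    streak, flagged = Counter(), {}
    for pkt in packets:
        parsed = parse_dhcp(pkt)
        if parsed is None:
            continue
        mtype, mac, relayed = parsed
        if mtype == "DISCOVER":
            streak[mac] += 1
            if streak[mac] >= threshold:
                flagged[mac] = (streak[mac], "relayed" if relayed else "direct")
        elif mtype == "REQUEST":
            streak[mac] = 0                                   # client progressed; clear its streak
    return flagged

# Constructed sample: A completes DISCOVER/REQUEST via the relay, B keeps broadcasting
# DISCOVER (arrives relayed), C sends a direct unicast renew REQUEST (no relay).
RELAY = bytes([10, 0, 0, 1])
A, B, C = b"\x00\x11\x22\x33\x44\x55", b"\x00\xaa\xbb\xcc\xdd\xee", b"\x00\x01\x02\x03\x04\x05"
SAMPLE = [build_dhcp(1, A, RELAY), build_dhcp(3, A, RELAY), build_dhcp(1, B, RELAY),
          build_dhcp(1, B, RELAY), build_dhcp(3, C), build_dhcp(1, B, RELAY)]
```

Feeding real UDP payloads from a capture at the server into `stuck_clients` separates clients that never progress past DISCOVER on the relayed path from those renewing directly, which is the split Gordon plans to examine.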
