failover issue?
Sten Carlsen
stenc at s-carlsen.dk
Tue Apr 7 09:47:46 UTC 2015
On 07/04/15 09.28, Christian Bösch wrote:
>
>> On 03 Apr 2015, at 14:30 , Bob Harold <rharolde at umich.edu> wrote:
>>
>>
>> On Fri, Apr 3, 2015 at 2:46 AM, Christian Bösch <boesch at fhv.at> wrote:
>>
>> Sure, below are the config snippets.
>> Thanks for investigating,
>> chris
>>
>> —
>> server1:
>>
>> failover peer "dhcp-failover" {
>>     primary;
>>     address 10.10.40.21;
>>     port 647;
>>     peer address 10.10.40.22;
>>     peer port 647;
>>     max-response-delay 30;
>>     max-unacked-updates 10;
>>     load balance max seconds 3;
>>     mclt 1800;
>>     split 128;
>> }
>>
>> group {
>>     if exists agent.circuit-id
>>     {
>>         log ( info, concat( "Lease for ", binary-to-ascii (10, 8, ".", leased-address),
>>             " is connected to interface ",
>>             binary-to-ascii(10, 8, "/", suffix ( option agent.circuit-id, 2)),
>>             " , VLAN ",
>>             binary-to-ascii (10, 16, "", substring( option agent.circuit-id, 2, 2))));
>>     }
>>     if substring (option vendor-class-identifier, 0, 9) = "PXEClient" {
>>         ddns-updates off;
>>         default-lease-time 60;
>>         max-lease-time 120;
>>     }
>>     option domain-name-servers dns1.abc.net, dns2.abc.net;
>>     option subnet-mask 255.255.255.0;
>>     ddns-domainname "lan.abc.net";
>>     ddns-rev-domainname "128-191.21.172.in-addr.arpa.";
>>     option domain-name "lan.abc.net";
>>     subnet 172.21.166.0 netmask 255.255.255.0 {
>>         option routers 172.21.166.1;
>>         pool {
>>             failover peer "dhcp-failover";
>>             deny dynamic bootp clients;
>>             allow unknown-clients;
>>             default-lease-time 300;
>>             max-lease-time 600;
>>             range 172.21.166.5 172.21.166.254;
>>         }
>>     }
>> }
>>
>>
>> server2:
>>
>> failover peer "dhcp-failover" {
>>     secondary;
>>     address 10.10.40.22;
>>     port 647;
>>     peer address 10.10.40.21;
>>     peer port 647;
>>     max-response-delay 30;
>>     max-unacked-updates 10;
>>     load balance max seconds 3;
>> }
>>
>> group {
>>     if exists agent.circuit-id
>>     {
>>         log ( info, concat( "Lease for ", binary-to-ascii (10, 8, ".", leased-address),
>>             " is connected to interface ",
>>             binary-to-ascii(10, 8, "/", suffix ( option agent.circuit-id, 2)),
>>             " , VLAN ",
>>             binary-to-ascii (10, 16, "", substring( option agent.circuit-id, 2, 2))));
>>     }
>>     if substring (option vendor-class-identifier, 0, 9) = "PXEClient" {
>>         ddns-updates off;
>>         default-lease-time 60;
>>         max-lease-time 120;
>>     }
>>     option domain-name-servers dns1.abc.net, dns2.abc.net;
>>     option subnet-mask 255.255.255.0;
>>     ddns-domainname "lan.abc.net";
>>     ddns-rev-domainname "128-191.21.172.in-addr.arpa.";
>>     option domain-name "lan.abc.net";
>>     subnet 172.21.166.0 netmask 255.255.255.0 {
>>         option routers 172.21.166.1;
>>         pool {
>>             failover peer "dhcp-failover";
>>             deny dynamic bootp clients;
>>             allow unknown-clients;
>>             default-lease-time 300;
>>             max-lease-time 600;
>>             range 172.21.166.5 172.21.166.254;
>>         }
>>     }
>> }
>>
>>
>> Check for the MAC address (3c:97:0e:b8:6d:40) being defined anywhere
>> in the dhcpd.conf file. If it has a "host" declaration, it is a
>> "known" client and will fail the "allow unknown-clients" test.
>> Because you have an "allow" line, the default changes to "deny all
>> others". If you remove the "allow unknown-clients" line, the default
>> will be "allow everyone" - please try that, at least temporarily, to
>> see if it fixes the "peer holds all free leases" message.
>
> The MAC was known through a subclass declaration. So it was exactly
> the case you mentioned above.
A subclass declaration does NOT make it a "known host" in that sense; it
makes it a member of a class. It will still match unknown hosts; I have
been bitten by that.
>
>>
>> As an aside, perhaps "peer holds all free leases" should be reworded
>> like "I don't have a lease that I am allowed to give you, but you
>> could check with my peer in case it has different rules". But in a
>> failover setup it would seem odd for a peer to have a different set
>> of rules.
>
> Yes, a clearer error message would be nice…
>
> Thanks,
> Chris
>
>
>>
>>
>>> On 02 Apr 2015, at 16:33 , Patrick Trapp <ptrapp at nex-tech.com> wrote:
>>>
>>> Can you share the config? You should generalize anything
>>> sensitive - whatever you post will be on the list forever...
>>>
>>> ------------------------------------------------------------------------
>>> *From:* dhcp-users-bounces at lists.isc.org [dhcp-users-bounces at lists.isc.org] on behalf of Christian Bösch [boesch at fhv.at]
>>> *Sent:* Thursday, April 02, 2015 5:52 AM
>>> *To:* dhcp-users at lists.isc.org
>>> *Subject:* failover issue?
>>>
>>> Hi,
>>>
>>> I have a pair of failover dhcp servers (4.2.4) which have worked fine
>>> for a long time.
>>> Now I added some subnets (same config as the old working ones)
>>> and in those subnets I get on both servers:
>>>
>>> Apr 2 12:44:52 dns1 dhcpd: DHCPDISCOVER from 3c:97:0e:b8:6d:40 via 172.21.166.1: peer holds all free leases
>>> Apr 2 12:44:52 dns1 dhcpd: DHCPDISCOVER from 3c:97:0e:b8:6d:40 via 172.21.166.1: peer holds all free leases
>>> Apr 2 12:44:56 dns1 dhcpd: DHCPDISCOVER from 3c:97:0e:b8:6d:40 via 172.21.166.1: peer holds all free leases
>>> Apr 2 12:44:56 dns1 dhcpd: DHCPDISCOVER from 3c:97:0e:b8:6d:40 via 172.21.166.1: peer holds all free leases
>>>
>>>
>>> Apr 2 12:44:52 dns2 dhcpd: DHCPDISCOVER from 3c:97:0e:b8:6d:40 via 172.21.166.1: peer holds all free leases
>>> Apr 2 12:44:52 dns2 dhcpd: DHCPDISCOVER from 3c:97:0e:b8:6d:40 via 172.21.166.1: peer holds all free leases
>>> Apr 2 12:44:56 dns2 dhcpd: DHCPDISCOVER from 3c:97:0e:b8:6d:40 via 172.21.166.1: peer holds all free leases
>>> Apr 2 12:44:56 dns2 dhcpd: DHCPDISCOVER from 3c:97:0e:b8:6d:40 via 172.21.166.1: peer holds all free leases
>>>
>>> But the pool seems to be well balanced:
>>>
>>> Apr 2 12:43:56 dns1 dhcpd: balancing pool 8019f8880 172.21.166.0/24 total 250 free 125 backup 125 lts 0 max-own (+/-)25
>>> Apr 2 12:43:56 dns1 dhcpd: balanced pool 8019f8880 172.21.166.0/24 total 250 free 125 backup 125 lts 0 max-misbal 38
>>>
>>> Apr 2 12:43:56 dns2 dhcpd: balancing pool 8019ef880 172.21.166.0/24 total 250 free 125 backup 125 lts 0 max-own (+/-)25
>>> Apr 2 12:43:56 dns2 dhcpd: balanced pool 8019ef880 172.21.166.0/24 total 250 free 125 backup 125 lts 0 max-misbal 38
>>>
>>> Does anyone have an idea what could be the reason for that?
>>> Thanks,
>>> Chris
>>
>>
>> _______________________________________________
>> dhcp-users mailing list
>> dhcp-users at lists.isc.org
>> https://lists.isc.org/mailman/listinfo/dhcp-users
--
Best regards
Sten Carlsen
No improvements come from shouting:
"MALE BOVINE MANURE!!!"
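The replies above say to check how the MAC is referenced in dhcpd.conf and which allow/deny statements the pool carries. A small scanner for both, as an added example that is not part of the thread: the sample configuration is constructed (its class, subclass and host entries are hypothetical) and the function names are this example's own.

```python
import re

# Constructed sample: the pool is modelled on the thread's config; the class,
# subclass and host entries are hypothetical, added to exercise both cases.
SAMPLE_CONF = '''
class "laptops" { match hardware; }
subclass "laptops" 1:3c:97:0e:b8:6d:40;
host printer1 { hardware ethernet 00:11:22:33:44:55; fixed-address 172.21.166.4; }
subnet 172.21.166.0 netmask 255.255.255.0 {
  pool {
    failover peer "dhcp-failover";
    deny dynamic bootp clients;
    allow unknown-clients;   # permit list: only matching clients get a lease here
    range 172.21.166.5 172.21.166.254;
  }
}
'''

HOST_RE = re.compile(r'\bhost\s+(\S+)\s*\{[^}]*?hardware\s+ethernet\s+([0-9a-f:]+)\s*;', re.I)
SUBCLASS_RE = re.compile(r'\bsubclass\s+"([^"]+)"\s+1:([0-9a-f:]+)\s*;', re.I)
POOL_RE = re.compile(r'\bpool\s*\{([^}]*)\}', re.I)

def strip_comments(conf):
    # dhcpd.conf comments run from '#' to end of line ('#' inside a quoted string is not handled)
    return re.sub(r'#.*', '', conf)

def mac_references(conf, mac):
    """Return (kind, name) for every host or subclass statement naming this MAC."""
    conf, mac = strip_comments(conf), mac.lower()
    refs = [("host", n) for n, m in HOST_RE.findall(conf) if m.lower() == mac]
    refs += [("subclass", c) for c, m in SUBCLASS_RE.findall(conf) if m.lower() == mac]
    return refs

def pool_permits(conf):
    """Return the allow/deny statements of each pool, in file order."""
    pools = []
    for body in POOL_RE.findall(strip_comments(conf)):
        stmts = (" ".join(s.split()) for s in body.split(";"))
        pools.append([s for s in stmts if re.match(r"(allow|deny)\b", s, re.I)])
    return pools

def report(conf, mac):
    refs = mac_references(conf, mac)
    # dhcpd.conf(5): a client is "known" when it has a host declaration
    return {"mac": mac.lower(), "references": refs,
            "known_client": any(kind == "host" for kind, _ in refs),
            "pools": pool_permits(conf)}

if __name__ == "__main__":
    for mac in ("3c:97:0e:b8:6d:40", "00:11:22:33:44:55"):
        print(report(SAMPLE_CONF, mac))
```

Run it against both failover peers' configuration files and compare the output, since a permit list or host entry present on only one peer gives the two servers different rules for the same client.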