Running out of IP addresses in the WiFi Subnet, connection problems of the clients.

Darren Ankney darren.ankney at gmail.com
Thu Dec 21 12:08:27 UTC 2023


Hi Mehmet,

The DHCPDECLINE messages indicate that the clients have done an arp
check for the address in question and something has answered that it
is using the address.  Since these are multiple clients and multiple
addresses, there is most likely a broken client out there that just
responds "I have it" to all of the "arp who has?" queries.  A packet
capture should pretty quickly lead you to the broken client's actual
hardware address which hopefully will give you some clue as to what
client it is.

Thank you,

Darren Ankney

On Thu, Dec 21, 2023 at 4:32 AM Mehmet Ozturk
<mehmetozturk.corporate at gmail.com> wrote:
>
> Hi,
>
> We are having a hard time with our ISC DHCPd version 4.4.1 server, which is running on Ubuntu 22.04LTS. Using the configuration below (details removed for security purposes), the WiFi pool runs out of IP addresses. The WiFi Access points are 70+ units of Ruckus R550, R500, T310S, R510, with the Controller Ruckus ZoneDirector ZD1200.
>
> When this problem occurs, we see plenty of IP addresses in the Leases list with unknown MAC addresses, all for 24 hours.
>
> ###############################################################
> ###############################################################
>
> option tcode "Asia/Ankara";
> option time-offset 10800;
> option ntp-servers X.X.X.X;
> option time-servers X.X.X.X;
>
> db-time-format local;
>
> option domain-name "xxx.com.tr";
>
> option domain-name-servers 10.0.0.9, 10.0.0.46;
>
> default-lease-time 3600;
> max-lease-time 7200;
>
> # Allow each client to have exactly one lease, and expire old leases if a new DHCPDISCOVER occurs
> one-lease-per-client true;
>
> # Tell the server to look up the host name in DNS
> # get-lease-hostnames true;
>
> # Ping the IP address that is being offered to make sure it isn't
> # configured on another node. This has some potential repercussions
> # for clients that don't like delays.
> # ping-check true;
>
> # deny declines;
> # deny bootp;
>
> # If this DHCP server is the official DHCP server for the local
> # network, the authoritative directive should be uncommented.
> authoritative;
>
> # A1 Building
> subnet X.X.X.X netmask 255.255.255.0 {
> authoritative;
> range X.X.X.X X.X.X.X;
> option domain-name-servers X.X.X.X , X.X.X.X;
> option routers X.X.X.X;
> option domain-name "xxx.com.tr";
> }
>
>
> # XXX HALL
> subnet X.X.X.X netmask 255.255.255.0 {
> authoritative;
> range X.X.X.X 1X.X.X.X;
> option domain-name-servers X.X.X.X , X.X.X.X;
> option routers X.X.X.X;
> option domain-name "xxx.com.tr";
> host TEST-NUC {
> hardware ethernet ZZ:ZZ:ZZ:ZZ:ZZ:ZZ;
> fixed-address X.X.X.X;
> }
> }
>
> # XXX-NET_WIFI_PUBLIC
> subnet 172.16.128.0 netmask 255.255.224.0 {
>   # Set default lease time to 600 seconds (10 minutes)
>   default-lease-time 600;
>
>   # Set maximum lease time to 7200 seconds (2 hours)
>   max-lease-time 7200;
>
>   # Enable DHCPv4 authoritative mode
>   authoritative;
>
>   # Provide domain name servers for DNS resolution
>   option domain-name-servers 10.0.0.46, 10.0.0.9;
>
>   # Set default gateway to 172.16.128.1
>   option routers 172.16.128.1;
>
>   # Set domain name for hosts on this subnet
>   option domain-name "xxx.com.tr";
>
>   # Set address-range-1 for DHCP clients
>    range 172.16.128.2 172.16.128.254;
> .
> .
> .
>   # Set address-range-x for DHCP clients
>    range 172.16.159.1 172.16.159.254;
>
>
>   # Set subnet mask explicitly
>   option subnet-mask 255.255.224.0;
>
>   # Set broadcast address for the subnet
>   option broadcast-address 172.16.159.255;
>
>   # Configure NTP servers for time synchronization
>   option ntp-servers 10.0.0.46;
>
>   # Enable ping check to verify client connectivity
>   ping-check true;
>
>   # Set ping timeout to 5 seconds for DHCP client checks
>   ping-timeout 5;
>
>   # Deny duplicate IP address assignments
>   deny duplicates;
>
>   # Limit the number of concurrent requests from a client to 5
>   # This helps prevent abuse and resource exhaustion
>   one-lease-per-client true;
>
>   # Configure logging to monitor DHCP server activities
>   log-facility local7;
>
>
>   # Limit dynamic DNS updates
>   ddns-update-style none;
>
>   # Restrict dynamic updates to only known clients
>   ignore client-updates;
>   deny client-updates;
>
>   # Disable BOOTP support
>   allow bootp;
>   deny bootp;
> }
>
> class "black-hole" {
>     match substring (hardware, 1, 6);
>     # deny booting;
>     ignore booting;
> }
> subclass "black-hole" AA:AA:AA:AA:AA:AA; #USER-1
> subclass "black-hole" BB:BB:BB:BB:BB:BB; #USER-2
> subclass "black-hole" CC:CC:CC:CC:CC:CC; #USER-3
>
> ###############################################################
> ###############################################################
>
>
> The "/var/lib/dhcp/dhcpd.leases" file includes the details below regarding those Unknown-MAC-Address leases:
>
> ##################################################################################
> lease 172.16.129.99 {
>   starts epoch 1702534536; # Thu Dec 14 08:15:36 2023
>   ends epoch 1702620938; # Fri Dec 15 08:15:38 2023
>   tstp epoch 1702620938; # Fri Dec 15 08:15:38 2023
>   cltt epoch 1702534536; # Thu Dec 14 08:15:36 2023
>   binding state abandoned;
>   next binding state free;
>   rewind binding state free;
> }
>
> lease 172.16.159.232 {
>   starts epoch 1702534594; # Thu Dec 14 08:16:34 2023
>   ends epoch 1702620996; # Fri Dec 15 08:16:36 2023
>   tstp epoch 1702620996; # Fri Dec 15 08:16:36 2023
>   cltt epoch 1702534594; # Thu Dec 14 08:16:34 2023
>   binding state abandoned;
>   next binding state free;
>   rewind binding state free;
> }
> ##################################################################################
>
> The "/var/log/syslog" file includes the log lines below regarding the Leases;
>
> ##################################################################################
> Dec 14 08:15:30 dd dhcpd[118025]: Reclaiming abandoned lease 172.16.129.99.
> Dec 14 08:15:30 dd dhcpd[118025]: Reclaiming abandoned lease 172.16.129.99.
> Dec 14 08:15:31 dd dhcpd[118025]: message repeated 11 times: [ Reclaiming abandoned lease 172.16.129.99.]
> Dec 14 08:15:31 dd dhcpd[118025]: Reclaiming abandoned lease 172.16.129.99.
> Dec 14 08:15:31 dd dhcpd[118025]: message repeated 3 times: [ Reclaiming abandoned lease 172.16.129.99.]
> Dec 14 08:15:31 dd dhcpd[118025]: Reclaiming abandoned lease 172.16.129.99.
> Dec 14 08:15:32 dd dhcpd[118025]: message repeated 44 times: [ Reclaiming abandoned lease 172.16.129.99.]
> Dec 14 08:15:32 dd dhcpd[118025]: Reclaiming abandoned lease 172.16.129.99.
> Dec 14 08:15:32 dd dhcpd[118025]: message repeated 3 times: [ Reclaiming abandoned lease 172.16.129.99.]
> Dec 14 08:15:32 dd dhcpd[118025]: Reclaiming abandoned lease 172.16.129.99.
> Dec 14 08:15:32 dd dhcpd[118025]: message repeated 19 times: [ Reclaiming abandoned lease 172.16.129.99.]
> Dec 14 08:15:32 dd dhcpd[118025]: Reclaiming abandoned lease 172.16.129.99.
> Dec 14 08:15:33 dd dhcpd[118025]: message repeated 13 times: [ Reclaiming abandoned lease 172.16.129.99.]
> Dec 14 08:15:33 dd dhcpd[118025]: Reclaiming abandoned lease 172.16.129.99.
> Dec 14 08:15:33 dd dhcpd[118025]: message repeated 10 times: [ Reclaiming abandoned lease 172.16.129.99.]
> Dec 14 08:15:33 dd dhcpd[118025]: Reclaiming abandoned lease 172.16.129.99.
> Dec 14 08:15:33 dd dhcpd[118025]: message repeated 2 times: [ Reclaiming abandoned lease 172.16.129.99.]
> Dec 14 08:15:35 dd dhcpd[118025]: DHCPOFFER on 172.16.129.99 to fe:02:fa:00:d8:02 via 172.16.128.1
> Dec 14 08:15:35 dd dhcpd[118025]: DHCPOFFER on 172.16.129.99 to 02:7d:d5:93:89:1a via 172.16.128.1
> Dec 14 08:15:36 dd dhcpd[118025]: DHCPREQUEST for 172.16.129.99 (10.0.0.9) from fe:02:fa:00:d8:02 via 172.16.128.1
> Dec 14 08:15:36 dd dhcpd[118025]: DHCPACK on 172.16.129.99 to fe:02:fa:00:d8:02 via 172.16.128.1
> Dec 14 08:15:36 dd dhcpd[118025]: DHCPREQUEST for 172.16.129.99 (10.0.0.9) from 02:7d:d5:93:89:1a via 172.16.128.1: lease 172.16.129.99 unavailable.
> Dec 14 08:15:36 dd dhcpd[118025]: DHCPNAK on 172.16.129.99 to 02:7d:d5:93:89:1a via 172.16.128.1
> Dec 14 08:15:38 dd dhcpd[118025]: Abandoning IP address 172.16.129.99: declined.
> Dec 14 08:15:38 dd dhcpd[118025]: DHCPDECLINE of 172.16.129.99 from fe:02:fa:00:d8:02 via 172.16.128.1: abandoned
>
> Dec 14 08:16:33 dd dhcpd[121304]: DHCPOFFER on 172.16.159.232 to fe:f7:0d:d9:de:2f via 172.16.128.1
> Dec 14 08:16:34 dd dhcpd[121304]: DHCPREQUEST for 172.16.159.232 (10.0.0.9) from fe:f7:0d:d9:de:2f via 172.16.128.1
> Dec 14 08:16:34 dd dhcpd[121304]: DHCPACK on 172.16.159.232 to fe:f7:0d:d9:de:2f via 172.16.128.1
> Dec 14 08:16:36 dd dhcpd[121304]: Abandoning IP address 172.16.159.232: declined.
> Dec 14 08:16:36 dd dhcpd[121304]: DHCPDECLINE of 172.16.159.232 from fe:f7:0d:d9:de:2f via 172.16.128.1: abandoned
> ##################################################################################
>
> In order to prevent this happening, we added the lines below;
>
> ###############################################################
> ddns-update-style none;
> deny declines;
> deny bootp;
> ###############################################################
>
> But this time, the users started complaining about not being able to connect. When checked, we saw plenty of error lines like below in the syslog file;
>
> ###############################################################
> Dec 12 13:03:58 dd dhcpd[26388]: DHCPDECLINE of 172.16.134.41 from 9a:ab:a2:7c:99:65 via 172.16.128.1: ignored
> Dec 12 13:03:58 dd dhcpd[26388]: DHCPDECLINE of 172.16.155.171 from 46:71:ed:54:a6:c6 via 172.16.128.1: ignored
> Dec 12 13:03:58 dd dhcpd[26388]: DHCPDECLINE of 172.16.140.207 from ae:0d:7b:f5:29:50 via 172.16.128.1: ignored
> Dec 12 13:03:58 dd dhcpd[26388]: DHCPDECLINE of 172.16.158.14 from 6a:6f:94:cd:04:b8 via 172.16.128.1: ignored
> Dec 12 13:03:58 dd dhcpd[26388]: DHCPDECLINE of 172.16.150.178 from 5e:44:2a:d6:3c:6a via 172.16.128.1: ignored
> Dec 12 13:03:58 dd dhcpd[26388]: DHCPDECLINE of 172.16.158.203 from 62:fb:21:37:0a:e5 via 172.16.128.1: ignored
> Dec 12 13:03:58 dd dhcpd[26388]: DHCPDECLINE of 172.16.150.19 from 0a:76:41:7c:41:b6 via 172.16.128.1: ignored
> Dec 12 13:03:58 dd dhcpd[26388]: DHCPDECLINE of 172.16.154.160 from f2:14:c3:9d:08:3d via 172.16.128.1: ignored
> Dec 12 13:03:58 dd dhcpd[26388]: DHCPDECLINE of 172.16.144.224 from 52:a4:78:23:13:97 via 172.16.128.1: ignored
> ###############################################################
>
> The DHCP server/service on the Ruckus Controller has a very limited capacity in terms of IP address to be handled, so we can't use it.
>
> Any suggestions?
>
> Mehmet.
> --
> ISC funds the development of this software with paid support subscriptions. Contact us at https://www.isc.org/contact/ for more information.
>
> dhcp-users mailing list
> dhcp-users at lists.isc.org
> https://lists.isc.org/mailman/listinfo/dhcp-users
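
Added example (not part of the original thread and not ISC code): a Python script that follows the reply's suggestion by cross-referencing DHCPDECLINE lines from syslog with ARP replies in a text capture (`tcpdump -e -n arp`), reporting any hardware address that answered for more than one declined IP. The ARP capture lines, the MAC 02:00:00:00:00:99 and the function names are constructed for illustration.

```python
import re
from collections import defaultdict

# dhcpd syslog: two DHCPDECLINE lines from the thread, one constructed DHCPACK.
DHCPD_LOG = """\
Dec 14 08:15:38 dd dhcpd[118025]: DHCPDECLINE of 172.16.129.99 from fe:02:fa:00:d8:02 via 172.16.128.1: abandoned
Dec 14 08:16:36 dd dhcpd[121304]: DHCPDECLINE of 172.16.159.232 from fe:f7:0d:d9:de:2f via 172.16.128.1: abandoned
Dec 14 08:17:02 dd dhcpd[121304]: DHCPACK on 172.16.130.7 to 02:7d:d5:93:89:1a via 172.16.128.1
"""

# Constructed `tcpdump -e -n arp` output; 02:00:00:00:00:99 is a made-up MAC.
ARP_CAPTURE = """\
08:15:37.101000 02:00:00:00:00:99 > fe:02:fa:00:d8:02, ethertype ARP (0x0806), length 60: Reply 172.16.129.99 is-at 02:00:00:00:00:99, length 46
08:16:35.420000 02:00:00:00:00:99 > fe:f7:0d:d9:de:2f, ethertype ARP (0x0806), length 60: Reply 172.16.159.232 is-at 02:00:00:00:00:99, length 46
08:17:01.900000 02:7d:d5:93:89:1a > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 42: Request who-has 172.16.130.7 tell 0.0.0.0, length 28
08:17:30.000000 02:7d:d5:93:89:1a > 0a:00:00:00:00:01, ethertype ARP (0x0806), length 42: Reply 172.16.130.7 is-at 02:7d:d5:93:89:1a, length 28
"""

DECLINE_RE = re.compile(r"DHCPDECLINE of (\d+\.\d+\.\d+\.\d+) from ([0-9a-f:]{17})")
# Group 1 is the frame source MAC printed by -e, group 2 the IP being claimed.
ARP_REPLY_RE = re.compile(r"^\S+ ([0-9a-f:]{17}) > .*?: Reply (\d+\.\d+\.\d+\.\d+) is-at ")

def declined_addresses(log_text):
    """Map each declined IP to the set of client MACs that declined it."""
    declined = defaultdict(set)
    for ip, mac in DECLINE_RE.findall(log_text):
        declined[ip].add(mac)
    return declined

def suspect_responders(log_text, capture_text, min_ips=2):
    """Return {frame source MAC: sorted declined IPs it answered ARP for}.

    Only replies from a MAC other than the declining client count. A router
    doing proxy ARP shows the same pattern, so identify the MAC before acting.
    """
    declined = declined_addresses(log_text)
    claims = defaultdict(set)
    for line in capture_text.splitlines():
        m = ARP_REPLY_RE.match(line)
        if m:
            src_mac, ip = m.groups()
            if ip in declined and src_mac not in declined[ip]:
                claims[src_mac].add(ip)
    return {mac: sorted(ips) for mac, ips in claims.items() if len(ips) >= min_ips}

if __name__ == "__main__":
    for mac, ips in suspect_responders(DHCPD_LOG, ARP_CAPTURE).items():
        print(f"{mac} answered ARP for {len(ips)} declined addresses: {', '.join(ips)}")
```

The capture has to be taken on the WiFi client VLAN itself, since ARP does not cross the relay at 172.16.128.1.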

