Kea logging "failed to send DHCPv6 packet ... Permission denied"
-
Running 24.11 with system patches 2.2.20_5 on third-party hardware.
I switched from ISC to Kea today via the System/Advanced/Networking/ServerBackend button. Didn't modify any of the other DHCP config.
I'm seeing Permission Denied log errors like the following.
[24.11-RELEASE][admin@pfSense.home.arpa]/var/log: grep 'kea-dhcp6.*ERROR' dhcpd.log
Jul 3 16:45:45 pfSense kea-dhcp6[94552]: ERROR [kea-dhcp6.packets.0x1ab15217400] DHCP6_PACKET_SEND_FAIL duid=[00:03:00:01:90:09:d0:17:9e:81], [no hwaddr info], tid=0x40707e: failed to send DHCPv6 packet: pkt6 send failed: sendmsg() returned with an error: Permission denied
Jul 3 16:46:43 pfSense kea-dhcp6[94552]: ERROR [kea-dhcp6.packets.0x1ab15217400] DHCP6_PACKET_SEND_FAIL duid=[00:03:00:01:56:d7:c7:4d:80:da], [no hwaddr info], tid=0xe7caa9: failed to send DHCPv6 packet: pkt6 send failed: sendmsg() returned with an error: Permission denied
Jul 3 16:47:20 pfSense kea-dhcp6[94552]: ERROR [kea-dhcp6.packets.0x1ab15217400] DHCP6_PACKET_SEND_FAIL duid=[00:04:d6:40:1f:04:84:ca:29:d8:92:fa:67:99:45:01:03:df], [no hwaddr info], tid=0xb97c18: failed to send DHCPv6 packet: pkt6 send failed: sendmsg() returned with an error: Permission denied
Jul 3 16:48:11 pfSense kea-dhcp6[94552]: ERROR [kea-dhcp6.packets.0x1ab15217400] DHCP6_PACKET_SEND_FAIL duid=[no info], [no hwaddr info], tid=0x8d8f21: failed to send DHCPv6 packet: pkt6 send failed: sendmsg() returned with an error: Permission denied
Jul 3 16:52:34 pfSense kea-dhcp6[94552]: ERROR [kea-dhcp6.packets.0x1ab15216d00] DHCP6_PACKET_SEND_FAIL duid=[00:03:00:01:1c:53:f9:09:fc:ea], [no hwaddr info], tid=0xe340e5: failed to send DHCPv6 packet: pkt6 send failed: sendmsg() returned with an error: Permission denied
Jul 3 16:56:02 pfSense kea-dhcp6[94552]: ERROR [kea-dhcp6.packets.0x1ab15216d00] DHCP6_PACKET_SEND_FAIL duid=[00:01:00:01:2e:1f:bc:71:8c:f8:c5:ad:6f:d8], [no hwaddr info], tid=0xbb514a: failed to send DHCPv6 packet: pkt6 send failed: sendmsg() returned with an error: Permission denied
Jul 3 17:08:07 pfSense kea-dhcp6[94552]: ERROR [kea-dhcp6.packets.0x1ab15216600] DHCP6_PACKET_SEND_FAIL duid=[00:03:00:01:1c:53:f9:09:fc:ea], [no hwaddr info], tid=0xe340e5: failed to send DHCPv6 packet: pkt6 send failed: sendmsg() returned with an error: Permission denied
Jul 3 17:17:23 pfSense kea-dhcp6[94552]: ERROR [kea-dhcp6.packets.0x1ab15216600] DHCP6_PACKET_SEND_FAIL duid=[00:01:00:01:2a:54:20:7d:e4:e7:49:b9:7b:48], [no hwaddr info], tid=0xa93d9a: failed to send DHCPv6 packet: pkt6 send failed: sendmsg() returned with an error: Permission denied
Jul 3 17:38:33 pfSense kea-dhcp6[94552]: ERROR [kea-dhcp6.packets.0x1ab15217400] DHCP6_PACKET_SEND_FAIL duid=[00:03:00:01:1c:53:f9:09:fc:ea], [no hwaddr info], tid=0xe340e5: failed to send DHCPv6 packet: pkt6 send failed: sendmsg() returned with an error: Permission denied
Kea is running as root, so it's not that sort of Permission Denied.
[24.11-RELEASE][admin@pfSense.home.arpa]/var/log: ps axwwu | grep kea
root 81406 0.0 0.3 55072 24252 - S 16:45 0:00.45 /usr/local/sbin/kea-dhcp4 -c /usr/local/etc/kea/kea-dhcp4.conf
root 94552 0.0 0.3 55028 23676 - S 16:45 0:00.28 /usr/local/sbin/kea-dhcp6 -c /usr/local/etc/kea/kea-dhcp6.conf
Pcap attached for a client exchange generating these types of messages (1c:53:f9:09:fc:ea). Correlating with the logs (taken at a later time than those above), the errors occur when responding to DHCPv6 Information-Requests. keaDHCP.pcap
/usr/local/etc/kea/kea-dhcp6.conf below with the v6 prefixes obscured. No issues with Kea v4.
Thanks in advance for suggestions.
{
  "Dhcp6": {
    "interfaces-config": {
      "interfaces": [ "igc1.15", "igc1.20", "igc1.40" ]
    },
    "lease-database": {
      "type": "memfile",
      "persist": true,
      "name": "/var/lib/kea/dhcp6.leases"
    },
    "loggers": [
      {
        "name": "kea-dhcp6",
        "output_options": [ { "output": "syslog" } ],
        "severity": "WARN"
      }
    ],
    "valid-lifetime": 7200,
    "max-valid-lifetime": 86400,
    "host-reservation-identifiers": [ "hw-address", "duid" ],
    "hooks-libraries": [
      { "library": "/usr/local/lib/kea/hooks/libdhcp_lease_cmds.so" },
      { "library": "/usr/local/lib/kea/hooks/libdhcp_lease_options.so" },
      {
        "library": "/usr/local/lib/kea/hooks/libdhcp_run_script.so",
        "parameters": { "name": "/usr/local/bin/kea_run6", "sync": false }
      }
    ],
    "control-socket": {
      "socket-type": "unix",
      "socket-name": "/var/run/kea6-ctrl-socket"
    },
    "sanity-checks": { "lease-checks": "fix-del" },
    "subnet6": [
      {
        "id": 1,
        "interface": "igc1.15",
        "subnet": "26...1f::/64",
        "option-data": [
          { "name": "domain-search", "data": "home.arpa" },
          { "name": "dns-servers", "data": "26...1f:e63a:6eff:fe61:c5ee" }
        ],
        "reservations-in-subnet": true
      },
      {
        "id": 2,
        "interface": "igc1.20",
        "subnet": "26...1e::/64",
        "option-data": [
          { "name": "domain-search", "data": "home.arpa" },
          { "name": "dns-servers", "data": "26...1e:e63a:6eff:fe61:c5ee" }
        ],
        "reservations-in-subnet": true
      },
      {
        "id": 3,
        "interface": "igc1.40",
        "subnet": "26...1c::/64",
        "option-data": [
          { "name": "domain-search", "data": "home.arpa" },
          { "name": "dns-servers", "data": "26...1c:e63a:6eff:fe61:c5ee" }
        ],
        "reservations-in-subnet": true
      }
    ]
  }
}
-
@marcg did you find a solution to this problem?
-
@y2raza said in Kea logging "failed to send DHCPv6 packet ... Permission denied":
@marcg did you find a solution to this problem?
Not yet. I'm currently running 25.07 with ISC. I'll eventually try Kea on 25.07.
Are you seeing this issue on 25.07?
-
@marcg unfortunately I am
-
@marcg said in Kea logging "failed to send DHCPv6 packet ... Permission denied":
[24.11-RELEASE][admin@pfSense.home.arpa]/var/log: grep 'kea-dhcp6.*ERROR' dhcpd.log
Interesting - as I also have a device on my network that shows up the same way :
[25.07.1-RELEASE][root@pfSense.bhf.tld]/var/log: grep 'kea-dhcp6.*ERROR' dhcpd.log
<131>1 2025-07-31T11:47:06.075613+02:00 pfSense.bhf.tld kea-dhcp6 12748 - - ERROR [kea-dhcp6.packets.0xe5077e16600] DHCP6_PACKET_SEND_FAIL duid=[00:01:00:01:21:28:c4:6d:80:ee:73:ce:85:9f], [no hwaddr info], tid=0xa23017: failed to send DHCPv6 packet: pkt6 send failed: sendmsg() returned with an error: Permission denied
....It's nearly always this device :
00:01:00:01:21:28:c4:6d:80:ee:73:ce:85:9
Which is a Wifi (of course ^^) device using a legacy 2.4 GHz 'B' - an older Windows 10 based mural touch screen PC for our DHACP needs in our kitchen (a hotel restaurant).
For me, these lines are IPv6 lease renewals that fail sometimes as the device went out of wifi range, or the neighbour fired an EMP cracker, or some leaking microwave oven destroyed the kitchen wifi - the radio signals.
My thoughts : I have to apply the golden rule : don't use wifi for stuff that needs a 'serious' connection as wifi is only for the non essential stuff. The day I connect this device with a cable, the issue will be gone.
grep 'kea-dhcp6.*ERROR' dhcpd.log | wc -l
253
and the first DHCP line dates from July 14.
So 253 lines in 36 days or an average of 7 occurrences per day.
Knowing that IPv6 leases are far more frequent than IPv4 leases, and IPv6 isn't really essential for me for this device, I somewhat forgot about this (my) issue.
Why this is a
@marcg said in Kea logging "failed to send DHCPv6 packet ... Permission denied":
Permission denied
issue : I can't tell.
Why would kea have an issue with sending a UDP packet over the wire?
-
@Gertjan said in Kea logging "failed to send DHCPv6 packet ... Permission denied":
grep 'kea-dhcp6.*ERROR' dhcpd.log | wc -l
so from what I am understanding, you are saying these devices which are displaying this error in the logs are on the WiFi vlan, we may be better off ignoring those.
I have only opened IPv6 on wifi and 1 other vlan which has only one wired connection.
-
@y2raza said in Kea logging "failed to send DHCPv6 packet ... Permission denied":
so from what I am understanding, you are saying these devices which are displaying this error in the logs are on the WiFi vlan, we may be better off ignoring those.
From the DUIDs in my original post, the error occurred for a roughly equal mix of wired and wireless clients.
FWIW, all clients are attached to Ubiquiti switches and APs, with multiple VLANs all trunked router-on-a-stick to pfSense. The DUIDs in the post were from at least two different VLANs.
-
@marcg could it be the switches blocking packets causing this issue? But why would pfSense log that as permission denied on its interface?
-
@y2raza said in Kea logging "failed to send DHCPv6 packet ... Permission denied":
@marcg could it be the switches blocking packets causing this issue? But why would pfSense log that as permission denied on its interface?
I think this is a Kea/pfSense issue.
All of the relevant VLANs are configured as "Third-Party Gateway" on the Ubiquiti side (i.e., pure L2 VLAN with the exception of IPv4 DHCP guarding). They shouldn't be blocking this traffic. I don't see any errors in the pfSense ISC dhcpd logs.
-
@marcg well cannot go back to ISC since I am on 25.07.1. This is an extremely annoying problem.
-
@y2raza I'm also on 25.07.1 (left out the ".1" in my earlier posts). Both Kea and ISC are available as options under System/Advanced/Networking on my system. Maybe on yours, too?
-
@marcg Thanks I have switched to ISC, will remain there till they figure out the issues with KEA
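Added example, not part of any post in this thread: a small Python script that tallies DHCP6_PACKET_SEND_FAIL entries per client DUID and decodes the DUID type (RFC 8415) to recover the embedded MAC address, which is what you need to check whether the failing clients are wired or wireless. The sample lines are copied from the log excerpts posted above; the function names are this example's own.

```python
import re
from collections import Counter

# Sample input: log lines copied from the posts above (both syslog layouts).
SAMPLE = """\
Jul 3 16:47:20 pfSense kea-dhcp6[94552]: ERROR [kea-dhcp6.packets.0x1ab15217400] DHCP6_PACKET_SEND_FAIL duid=[00:04:d6:40:1f:04:84:ca:29:d8:92:fa:67:99:45:01:03:df], [no hwaddr info], tid=0xb97c18: failed to send DHCPv6 packet: pkt6 send failed: sendmsg() returned with an error: Permission denied
Jul 3 16:48:11 pfSense kea-dhcp6[94552]: ERROR [kea-dhcp6.packets.0x1ab15217400] DHCP6_PACKET_SEND_FAIL duid=[no info], [no hwaddr info], tid=0x8d8f21: failed to send DHCPv6 packet: pkt6 send failed: sendmsg() returned with an error: Permission denied
Jul 3 16:52:34 pfSense kea-dhcp6[94552]: ERROR [kea-dhcp6.packets.0x1ab15216d00] DHCP6_PACKET_SEND_FAIL duid=[00:03:00:01:1c:53:f9:09:fc:ea], [no hwaddr info], tid=0xe340e5: failed to send DHCPv6 packet: pkt6 send failed: sendmsg() returned with an error: Permission denied
Jul 3 17:08:07 pfSense kea-dhcp6[94552]: ERROR [kea-dhcp6.packets.0x1ab15216600] DHCP6_PACKET_SEND_FAIL duid=[00:03:00:01:1c:53:f9:09:fc:ea], [no hwaddr info], tid=0xe340e5: failed to send DHCPv6 packet: pkt6 send failed: sendmsg() returned with an error: Permission denied
<131>1 2025-07-31T11:47:06.075613+02:00 pfSense.bhf.tld kea-dhcp6 12748 - - ERROR [kea-dhcp6.packets.0xe5077e16600] DHCP6_PACKET_SEND_FAIL duid=[00:01:00:01:21:28:c4:6d:80:ee:73:ce:85:9f], [no hwaddr info], tid=0xa23017: failed to send DHCPv6 packet: pkt6 send failed: sendmsg() returned with an error: Permission denied
"""

DUID_TYPES = {1: "DUID-LLT", 2: "DUID-EN", 3: "DUID-LL", 4: "DUID-UUID"}
# Matches the Kea message body, so the syslog header layout does not matter.
FAIL_RE = re.compile(r"DHCP6_PACKET_SEND_FAIL duid=\[([^\]]*)\]")

def decode_duid(duid):
    """Return (type name, embedded Ethernet MAC or None) for a colon-hex DUID."""
    raw = bytes.fromhex(duid.replace(":", ""))
    if len(raw) < 2:
        return ("invalid", None)
    dtype = int.from_bytes(raw[:2], "big")
    name = DUID_TYPES.get(dtype, f"type-{dtype}")
    # DUID-LLT: type(2) hwtype(2) time(4) lladdr; DUID-LL: type(2) hwtype(2) lladdr
    offset = {1: 8, 3: 4}.get(dtype)
    hwtype = int.from_bytes(raw[2:4], "big")
    if offset is None or hwtype != 1 or len(raw) != offset + 6:
        return (name, None)  # no 6-byte Ethernet address to extract
    return (name, raw[offset:].hex(":"))

def summarize(log_text):
    """Return [(count, duid_type, mac_or_None, duid)], most frequent first."""
    counts = Counter()
    for line in log_text.splitlines():
        m = FAIL_RE.search(line)
        if m:
            counts[m.group(1)] += 1
    rows = []
    for duid, n in counts.most_common():
        # Kea logs "no info" when the packet carried no client DUID.
        kind, mac = ("unknown", None) if duid == "no info" else decode_duid(duid)
        rows.append((n, kind, mac, duid))
    return rows

if __name__ == "__main__":
    for row in summarize(SAMPLE):
        print(*row, sep="\t")
```

To run it on a real system, pass the text of dhcpd.log to summarize() instead of SAMPLE; the recovered MAC addresses can then be matched against the switch and AP client tables.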