Netgate Discussion Forum

    Failover peer IP breaking DHCP

    2.3-RC Snapshot Feedback and Issues - ARCHIVED

    • asterix

      I finally got CARP working. It worked for the initial period but after setting Failover peer IP of the opp node I saw the DHCP service would fail to start.

      It throws the following error on both master and slave.

      Feb 16 00:59:00 php-fpm 98621 /services_dhcp.php: The command '/usr/local/sbin/dhcpd -user dhcpd -group _dhcp -chroot /var/dhcpd -cf /etc/dhcpd.conf -pf /var/run/dhcpd.pid igb1 igb2 igb3 igb2_vlan4' returned exit code '1', the output was 'Internet Systems Consortium DHCP Server 4.3.3-P1 Copyright 2004-2016 Internet Systems Consortium. All rights reserved. For info, please visit https://www.isc.org/software/dhcp/ /etc/dhcpd.conf line 32: expecting allow/deny key ignore dynamic ^ /etc/dhcpd.conf line 32: expecting a parameter or declaration ignore dynamic bootp clients; ^ Configuration file errors encountered – exiting If you think you have received this message due to a bug rather than a configuration issue please read the section on submitting bugs on either our web page at www.isc.org or in the README file before submitting a bug. These pages explain the proper process and the information we find helpful for debugging.. exitin

      I have re-checked and the clocks on both nodes are in sync. Not sure what this means: "/etc/dhcpd.conf line 32: expecting a parameter or declaration ignore dynamic bootp clients". I checked that path and there is no dhcpd.conf file in the /etc folder.

      Through online search I found it to be in /var/dhcpd/etc/dhcpd.conf

      Line 32 is this.
              hardware ethernet 00:21:6b:ab:08:bc;

      • jimp Rebel Alliance Developer Netgate

        Can you share some more details about your configuration?

        Is that line from a static mapping? Or something else?

        I have a 2.3 HA setup with DHCP failover peers set and working, though it's a fairly basic setup that doesn't have much in the way of extra options.

        Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

        Need help fast? Netgate Global Support!

        Do not Chat/PM for help!

        • asterix

          Have 4 networks.. now on CARP
          LAN, VoIP, Video and HVAC.

          All clients have static mappings in DHCP.  Line 32 is what I posted in my original post.

          If I remove failover peer ip DHCP starts right back up. Never tried this without carp so can't comment on another configuration.

          • jimp Rebel Alliance Developer Netgate

            Can you PM me a copy of your /var/dhcpd/etc/dhcpd.conf when it's broken?  Or even a copy of your config.xml, the DHCP section at least.

            I can't replicate this locally even with some static mappings in place.

            • asterix

              Sent you a copy of /var/dhcpd/etc/dhcpd.conf when it's broken

              • jimp Rebel Alliance Developer Netgate

                Line 32 in that file is much higher than what you quoted, it's one of these:

                      ignore dynamic bootp clients;
                      ignore unknown-clients;
                
                

                Are you trying to deny unknown clients? Or what other options do you have set on that interface?

                In mine, I have:

                                deny dynamic bootp clients;
                
                

                And it's working here, but I suspect there is some other difference in the config at play

                • asterix

                  Yes, I have set the option to deny unknown clients and ignore denied clients.

                  I just picked what the edit file - go to line# highlighted for me. Seemed to be line 32.

                  Only other option I have set is…

                  Time format change Change DHCP display lease time from UTC to local time

                  DNS and gateway are updated to reflect CARP

                  • jimp Rebel Alliance Developer Netgate

                    It looks like failover doesn't agree with "Ignore denied clients" enabled. It chokes on the config when that's enabled along with failover. I'll start a ticket, looks like it might need some input validation to prevent that from being selected together.

                    • jimp Rebel Alliance Developer Netgate

                      Opened a ticket for it here: https://redmine.pfsense.org/issues/5898

                      • asterix

                        @jimp:

                        Opened a ticket for it here: https://redmine.pfsense.org/issues/5898

                        Awesome.. so you were able to replicate this?

                        • jimp Rebel Alliance Developer Netgate

                          Yes, the moment I checked "Ignore …" it failed every time unless I unset the failover address. It would appear the two are not compatible, so I'm adding input validation to prevent them from being combined.

                          • jimp Rebel Alliance Developer Netgate

                            OK I pushed a fix for it, visible on https://redmine.pfsense.org/issues/5898

                            In the future if you check the box when a failover peer is defined, it will warn you that they cannot be used together, forcing either the "ignore" box to be unchecked, or the failover peer IP to be removed manually.

                            • asterix

                              Awesome..

                              Please put my name in the fix.. lol .. ;)

                              Also, should the incompatibility be rectified sometime in future?

                              • jimp Rebel Alliance Developer Netgate

                                The compatibility is up to ISC – it's their daemon, the daemon is rejecting the setting. So if you need to use them together, advocate upstream to have them fix it.

                                In the past they've had similar issues that were actually OK and just an over-protective parser rejecting it, but in this case it seems more deliberate, so there may be a reason.

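The combination this thread tracked down, `ignore` client statements in the same block as a failover peer, can be looked for in a generated dhcpd.conf before the daemon is restarted. The following is an added example, not code from pfSense, ISC or the posters; the function name, the constructed sample config (documentation addresses) and the assumption of one statement per line with both statements in the same block are assumptions of this example. `deny` statements are not flagged, matching the working config quoted in the thread.

```python
import re

# Constructed, trimmed sample; not the poster's file. Addresses are documentation ranges.
SAMPLE_CONF = '''\
failover peer "dhcp_lan" {
  primary;
  address 192.0.2.2;
}
subnet 192.0.2.0 netmask 255.255.255.0 {
  pool {
    ignore dynamic bootp clients;
    ignore unknown-clients;
    failover peer "dhcp_lan";
  }
}
subnet 198.51.100.0 netmask 255.255.255.0 {
  pool {
    ignore unknown-clients;
  }
}
'''

IGNORE_STMT = re.compile(r"^\s*ignore\b[^;{}]*;")
# A reference ends in ';'. The peer *declaration* opens a block and is not matched.
FAILOVER_REF = re.compile(r'^\s*failover\s+peer\s+"[^"]*"\s*;')

def find_failover_ignore_conflicts(conf_text):
    """Return [(line_no, statement)] for each `ignore` statement that shares a
    block with a `failover peer "...";` reference (one statement per line)."""
    conflicts = []
    scopes = [{"ignores": [], "failover": False}]      # index 0 = top level
    for line_no, raw in enumerate(conf_text.splitlines(), start=1):
        line = raw.split("#", 1)[0]                      # drop comments
        if IGNORE_STMT.match(line):
            scopes[-1]["ignores"].append((line_no, line.strip()))
        elif FAILOVER_REF.match(line):
            scopes[-1]["failover"] = True
        for ch in line:                                  # track block nesting
            if ch == "{":
                scopes.append({"ignores": [], "failover": False})
            elif ch == "}" and len(scopes) > 1:
                closed = scopes.pop()
                if closed["failover"]:
                    conflicts.extend(closed["ignores"])
    # Top level and any block left unclosed at end of file.
    conflicts += [i for s in scopes if s["failover"] for i in s["ignores"]]
    return sorted(conflicts)

if __name__ == "__main__":
    print(find_failover_ignore_conflicts(SAMPLE_CONF))
```

On the system in the thread the generated file is /var/dhcpd/etc/dhcpd.conf; pass its contents to the function in place of the sample.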
                                Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.