Failover peer IP breaking DHCP
-
I finally got CARP working. It worked for the initial period but after setting Failover peer IP of the opp node I saw the DHCP service would fail to start.
It throws the following error on both master and slave.
Feb 16 00:59:00 php-fpm 98621 /services_dhcp.php: The command '/usr/local/sbin/dhcpd -user dhcpd -group _dhcp -chroot /var/dhcpd -cf /etc/dhcpd.conf -pf /var/run/dhcpd.pid igb1 igb2 igb3 igb2_vlan4' returned exit code '1', the output was 'Internet Systems Consortium DHCP Server 4.3.3-P1 Copyright 2004-2016 Internet Systems Consortium. All rights reserved. For info, please visit https://www.isc.org/software/dhcp/ /etc/dhcpd.conf line 32: expecting allow/deny key ignore dynamic ^ /etc/dhcpd.conf line 32: expecting a parameter or declaration ignore dynamic bootp clients; ^ Configuration file errors encountered – exiting If you think you have received this message due to a bug rather than a configuration issue please read the section on submitting bugs on either our web page at www.isc.org or in the README file before submitting a bug. These pages explain the proper process and the information we find helpful for debugging.. exitin
I have re-checked and the clock on both the nodes are in sync. Not sure what this means "/etc/dhcpd.conf line 32: expecting a parameter or declaration ignore dynamic bootp clients". I checked that path and there is no dhcpd.conf file in /etc folder
Through online search I found it to be in /var/dhcpd/etc/dhcpd.conf
Line 32 is this.
hardware ethernet 00:21:6b
08:bc; -
Can you share some more details about your configuration?
Is that line from a static mapping? Or something else?
I have a 2.3 HA setup with DHCP failover peers set and working, though it's a fairly basic setup that doesn't have much in the way of extra options.
-
Have 4 networks.. now on CARP
LAN, VoIP, Video and HVAC.All clients have static mappings in DHCP. Line 32 is what I posted in my original post.
If I remove failover peer ip DHCP starts right back up. Never tried this without carp so can't comment on another configuration.
-
Can you PM me a copy of your /var/dhcpd/etc/dhcpd.conf when it's broken? Or even a copy of your config.xml, the DHCP section at least.
I can't replicate this locally even with some static mappings in place.
-
Sent you a copy of /var/dhcpd/etc/dhcpd.conf when it's broken
-
Line 32 in that file is much higher than what you quoted, it's one of these:
ignore dynamic bootp clients; ignore unknown-clients;Are you trying to deny unknown clients? Or what other options do you have set on that interface?
In mine, I have:
deny dynamic bootp clients;And it's working here, but I suspect there is some other difference in the config at play
-
Yes, I have set the option to deny unknown clients and ignore denied clients.
I just picked what the edit file - go to line# highlighted for me. Seemed to be line 32.
Only other option I have set is…
Time format change Change DHCP display lease time from UTC to local time
DNS and gateway are updated to reflect CARP
-
It looks like failover doesn't agree with "Ignore denied clients" enabled. It chokes on the config when that's enabled along with failover. I'll start a ticket, looks like it might need some input validation to prevent that from being selected together.
-
Opened a ticket for it here: https://redmine.pfsense.org/issues/5898
-
Opened a ticket for it here: https://redmine.pfsense.org/issues/5898
Awesome.. so you were able to replicate this?
-
Yes, the moment I checked "Ignore …" it failed every time unless I unset the failover address. It would appear the two are not compatible, so I'm adding input validation to prevent them from being combined.
-
OK I pushed a fix for it, visible on https://redmine.pfsense.org/issues/5898
In the future if you check the box when a failover peer is defined, it will warn you that they cannot be used together, forcing either the "ignore" box to be unchecked, or the failover peer IP to be removed manually.
-
Awesome..
Please put my name in the fix.. lol .. ;)
Also, should the incompatibility be rectified sometime in future?
-
The compatibility is up to ISC – it's their daemon, the daemon is rejecting the setting. So if you need to use them together, advocate upstream to have them fix it.
In the past they've had similar issues that were actually OK and just an over-protective parser rejecting it, but in this case it seems more deliberate, so there may be a reason.
