<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40"><head><meta http-equiv=Content-Type content="text/html; charset=utf-8"><meta name=Generator content="Microsoft Word 14 (filtered medium)"><style><!--
/* Font Definitions */
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
{font-family:Tahoma;
panose-1:2 11 6 4 3 5 4 4 2 4;}
@font-face
{font-family:Consolas;
panose-1:2 11 6 9 2 2 4 3 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0cm;
margin-bottom:.0001pt;
font-size:12.0pt;
font-family:"Times New Roman","serif";
color:black;}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:blue;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:purple;
text-decoration:underline;}
pre
{mso-style-priority:99;
mso-style-link:"HTML Preformatted Char";
margin:0cm;
margin-bottom:.0001pt;
font-size:10.0pt;
font-family:"Courier New";
color:black;}
p.MsoAcetate, li.MsoAcetate, div.MsoAcetate
{mso-style-priority:99;
mso-style-link:"Balloon Text Char";
margin:0cm;
margin-bottom:.0001pt;
font-size:8.0pt;
font-family:"Tahoma","sans-serif";
color:black;}
span.HTMLPreformattedChar
{mso-style-name:"HTML Preformatted Char";
mso-style-priority:99;
mso-style-link:"HTML Preformatted";
font-family:Consolas;
mso-fareast-language:FI;}
span.BalloonTextChar
{mso-style-name:"Balloon Text Char";
mso-style-priority:99;
mso-style-link:"Balloon Text";
font-family:"Tahoma","sans-serif";
mso-fareast-language:FI;}
span.EmailStyle21
{mso-style-type:personal;
font-family:"Calibri","sans-serif";
color:#1F497D;}
span.EmailStyle22
{mso-style-type:personal-reply;
font-family:"Calibri","sans-serif";
color:#1F497D;}
.MsoChpDefault
{mso-style-type:export-only;
font-size:10.0pt;}
@page WordSection1
{size:612.0pt 792.0pt;
margin:72.0pt 72.0pt 72.0pt 72.0pt;}
div.WordSection1
{page:WordSection1;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]--></head><body bgcolor=white lang=FI link=blue vlink=purple><div class=WordSection1><p class=MsoNormal><span lang=EN-US style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>I think that change should live on it’s own. Newer submitted for upstream patching, and it’s too late now as 3.x series is eol:ed, I have not checked how that is implemented in 4.x series.<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>If there would be correct-patch, it should be configuration option somewhere. And that patch might not work correctly if you have more than one server-id in your configuration (I think that it might be subnet/pool level thing).<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'><o:p> </o:p></span></p><div><div style='border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0cm 0cm 0cm'><p class=MsoNormal><b><span lang=EN-US style='font-size:10.0pt;font-family:"Tahoma","sans-serif";color:windowtext'>From:</span></b><span lang=EN-US style='font-size:10.0pt;font-family:"Tahoma","sans-serif";color:windowtext'> Joey D. [mailto:jobewan@gmail.com] <br><b>Sent:</b> 17. huhtikuuta 2014 20:22<br><b>To:</b> Torppa Jarkko<br><b>Cc:</b> dhcp-hackers@lists.isc.org<br><b>Subject:</b> Re: Multiple ACK Issue<o:p></o:p></span></p></div></div><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal style='margin-bottom:12.0pt'><span style='font-family:"Courier New"'>This looks like something that I'd like to implement/test. Can you advise what other changes you reference that need to be put in place b/f compiling? Also, was this ever submitted for upstream patching? It looks like the comment section above your patch indicates that ISC openly states that this is a theoretical issue. I see that they have reasoning for by default disregarding the check, although this should be a compile-time option imo.<br><br>Thanks!<br><br><br>/* At this point it's possible that we will get a broadcast<br> DHCPREQUEST for a lease that we didn't offer, because<br> both we and the peer are in a position to offer it.<br> In that case, we probably shouldn't answer. In order<br> to not answer, we would have to compare the server<br> identifier sent by the client with the list of possible<br> server identifiers we can send, and if the client's<br> identifier isn't on the list, drop the DHCPREQUEST.<br> We aren't currently doing that for two reasons - first,<br> it's not clear that all clients do the right thing<br> with respect to sending the client identifier, which<br> could mean that we might simply not respond to a client<br> that is depending on us to respond. Secondly, we allow<br> the user to specify the server identifier to send, and<br> we don't enforce that the server identifier should be<br> one of our IP addresses. This is probably not a big<br> deal, but it's theoretically an issue.<br><br> The reason we care about this is that if both servers<br> send a DHCPACK to the DHCPREQUEST, they are then going<br> to send dueling BNDUPD messages, which could cause<br> trouble. I think it causes no harm, but it seems<br> wrong. */<br><br><br>- Joey D.<br><br></span><o:p></o:p></p><div><p class=MsoNormal>On 04/17/2014 02:11 AM, Torppa Jarkko wrote:<o:p></o:p></p></div><blockquote style='margin-top:5.0pt;margin-bottom:5.0pt'><p class=MsoNormal><span lang=EN-US style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>I wrote a patch for the server, for 3.x series it’s couple of lines. Wont apply cleanly, as there are other changes before that need to compile with –DHONOR_SERVER_ID</span><o:p></o:p></p><p class=MsoNormal><span lang=EN-US style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'> </span><o:p></o:p></p><p class=MsoNormal><span lang=EN-US style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'> </span><o:p></o:p></p><p class=MsoNormal><span lang=EN-US style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>diff -u -r1.28 -r1.29</span><o:p></o:p></p><p class=MsoNormal><span lang=EN-US style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>--- dhcp.c 4 Feb 2009 09:48:17 -0000 1.28</span><o:p></o:p></p><p class=MsoNormal><span lang=EN-US style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>+++ dhcp.c 8 Aug 2011 19:15:28 -0000 1.29</span><o:p></o:p></p><p class=MsoNormal><span lang=EN-US style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>@@ -40,7 +40,7 @@</span><o:p></o:p></p><p class=MsoNormal><span lang=EN-US style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>#include "dhcpd.h"</span><o:p></o:p></p><p class=MsoNormal><span lang=EN-US style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'> </span><o:p></o:p></p><p class=MsoNormal><span lang=EN-US style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>#ifndef lint</span><o:p></o:p></p><p class=MsoNormal><span lang=EN-US style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>-static char lcopy[] = "$Id: dhcp.c,v 1.28 2009/02/04 09:48:17 torppa Exp $";</span><o:p></o:p></p><p class=MsoNormal><span lang=EN-US style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>+static char lcopy[] = "$Id: dhcp.c,v 1.29 2011/08/08 19:15:28 torppa Exp $";</span><o:p></o:p></p><p class=MsoNormal><span lang=EN-US style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>#endif</span><o:p></o:p></p><p class=MsoNormal><span lang=EN-US style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'> </span><o:p></o:p></p><p class=MsoNormal><span lang=EN-US style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>int outstanding_pings;</span><o:p></o:p></p><p class=MsoNormal><span lang=EN-US style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>@@ -689,6 +689,20 @@</span><o:p></o:p></p><p class=MsoNormal><span lang=EN-US style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'> to send dueling BNDUPD messages, which could cause</span><o:p></o:p></p><p class=MsoNormal><span lang=EN-US style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'> trouble. I think it causes no harm, but it seems</span><o:p></o:p></p><p class=MsoNormal><span lang=EN-US style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'> wrong. */</span><o:p></o:p></p><p class=MsoNormal><span lang=EN-US style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>+# if defined(HONOR_SERVER_ID)</span><o:p></o:p></p><p class=MsoNormal><span lang=EN-US style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>+ if(have_server_identifier) {</span><o:p></o:p></p><p class=MsoNormal><span lang=EN-US style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>+ /* This does not look for configures server-id XXX */</span><o:p></o:p></p><p class=MsoNormal><span lang=EN-US style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>+ struct iaddr from;</span><o:p></o:p></p><p class=MsoNormal><span lang=EN-US style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>+ memcpy(&from.iabuf,&packet->interface->primary_address,sizeof(packet->interface->primary_address));</span><o:p></o:p></p><p class=MsoNormal><span lang=EN-US style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>+ from.len = sizeof(packet->interface->primary_address);</span><o:p></o:p></p><p class=MsoNormal><span lang=EN-US style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>+</span><o:p></o:p></p><p class=MsoNormal><span lang=EN-US style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>+ if(sip.len == from.len && memcmp(sip.iabuf, from.iabuf, from.len) != 0) {</span><o:p></o:p></p><p class=MsoNormal><span lang=EN-US style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>+ /* We are not the server with that SERVER_ID */</span><o:p></o:p></p><p class=MsoNormal><span lang=EN-US style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>+ log_debug("%s: ignoring our server-id %s", msgbuf, piaddr(from));</span><o:p></o:p></p><p class=MsoNormal><span lang=EN-US style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>+ goto out;</span><o:p></o:p></p><p class=MsoNormal><span lang=EN-US style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>+ }</span><o:p></o:p></p><p class=MsoNormal><span lang=EN-US style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>+ }</span><o:p></o:p></p><p class=MsoNormal><span lang=EN-US style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>+# endif /* HONOR_SERVER_ID */</span><o:p></o:p></p><p class=MsoNormal><span lang=EN-US style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'> } else</span><o:p></o:p></p><p class=MsoNormal><span lang=EN-US style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'> peer = (dhcp_failover_state_t *)0;</span><o:p></o:p></p><p class=MsoNormal><span lang=EN-US style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>#endif</span><o:p></o:p></p><p class=MsoNormal><span lang=EN-US style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'> </span><o:p></o:p></p><p class=MsoNormal><b><span lang=EN-US style='font-size:10.0pt;font-family:"Tahoma","sans-serif"'>From:</span></b><span lang=EN-US style='font-size:10.0pt;font-family:"Tahoma","sans-serif"'> Joey D. [<a href="mailto:jobewan@gmail.com">mailto:jobewan@gmail.com</a>] <br><b>Sent:</b> 16. huhtikuuta 2014 17:43<br><b>To:</b> Torppa Jarkko<br><b>Cc:</b> <a href="mailto:dhcp-hackers@lists.isc.org">dhcp-hackers@lists.isc.org</a><br><b>Subject:</b> Re: Multiple ACK Issue</span><o:p></o:p></p><p class=MsoNormal> <o:p></o:p></p><div><p class=MsoNormal>Can you elaborate as to how you accomplished the dropping of the requests? Is that an option or a script on the server? <o:p></o:p></p></div><div><p class=MsoNormal style='margin-bottom:12.0pt'> <o:p></o:p></p><div><p class=MsoNormal>On Wed, Apr 16, 2014 at 1:39 AM, Torppa Jarkko <<a href="mailto:jarkko.torppa@elisa.fi" target="_blank">jarkko.torppa@elisa.fi</a>> wrote:<o:p></o:p></p><div><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span lang=EN-US style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>I had similar problem on 3.x, at that time I tried to look at the code and did’nt see anything that would try to prevent sending duplicates. Some clients (juniper firewalls) don’t like it if they get response from a server that they did not specify.</span><o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span lang=EN-US style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'> </span><o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span lang=EN-US style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>Fixed the issue by making path that drops the requests if our-id is not in the requests. As I red RFC at that time that would be the correct behavior.</span><o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span lang=EN-US style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'> </span><o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><b><span lang=EN-US style='font-size:10.0pt;font-family:"Tahoma","sans-serif"'>From:</span></b><span lang=EN-US style='font-size:10.0pt;font-family:"Tahoma","sans-serif"'> dhcp-hackers-bounces+jarkko.torppa=<a href="mailto:elisa.fi@lists.isc.org" target="_blank">elisa.fi@lists.isc.org</a> [mailto:<a href="mailto:dhcp-hackers-bounces%2Bjarkko.torppa" target="_blank">dhcp-hackers-bounces+jarkko.torppa</a>=<a href="mailto:elisa.fi@lists.isc.org" target="_blank">elisa.fi@lists.isc.org</a>] <b>On Behalf Of </b>Joey D.<br><b>Sent:</b> 15. huhtikuuta 2014 20:47<br><b>To:</b> <a href="mailto:dhcp-hackers@lists.isc.org" target="_blank">dhcp-hackers@lists.isc.org</a><br><b>Subject:</b> Re: Multiple ACK Issue</span><o:p></o:p></p><div><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'> <o:p></o:p></p><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'>I'm still looking for any/all input regarding this issue. Is there a different mailing list that would be more appropriate for this?<o:p></o:p></p><div><p class=MsoNormal style='mso-margin-top-alt:auto;margin-bottom:12.0pt'> <o:p></o:p></p><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'>On Wed, Apr 9, 2014 at 12:05 PM, Joey D. <<a href="mailto:jobewan@gmail.com" target="_blank">jobewan@gmail.com</a>> wrote:<o:p></o:p></p><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'>bumping this into the dhcp-hackers list in hopes of a response.<span style='color:#888888'><br><br>- Joey D.</span><o:p></o:p></p><div><div><div><p class=MsoNormal style='mso-margin-top-alt:auto;margin-bottom:12.0pt'> <o:p></o:p></p><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'>On Mon, Apr 7, 2014 at 11:49 AM, Joey D. <<a href="mailto:jobewan@gmail.com" target="_blank">jobewan@gmail.com</a>> wrote:<o:p></o:p></p><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'>It looks like the last response/inquiry was not sent to the list. I'm sending it back through in hopes of getting additional feedback on my issue. I'm still looking for info as to whether this is expected behaviour.<span style='color:#888888'><br><br>- Joey D.</span><o:p></o:p></p><div><div><p class=MsoNormal style='mso-margin-top-alt:auto;margin-bottom:12.0pt'><br><br><br><o:p></o:p></p><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'>On 04/04/2014 01:50 PM, Joey D. wrote:<o:p></o:p></p></div><blockquote style='margin-top:5.0pt;margin-bottom:5.0pt'><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-family:"Courier New"'> I have tested this with numerous packet captures. In every Packet capture, there are 2 DISCOVERs, 1 OFFER (from 'Server B', indicating the load-balancing algorithm is doing it's job), 2 REQUESTs (from the client, with option 54 noting Server B), 2 ACKS with each server sending their own option 54 address.<br><br>This scenario does not occur if I wipe the lease data for that client from both servers' lease tables; this results in only 1 ACK from the server listed in option 54 in the REQUEST (Server B). Once that works, if I reboot the client, we are back in the state of ACKS being sent from both servers. I can submit more data in a bug report if necessary, but I'm not sure if this is a bug just yet...<br><br>In the event of T2 timer, there is no option 54 info as mentioned.<br><br>I included the email thread including additional data below (we use split 128).<br><br>Regards,<br><br>- Joey D.</span><o:p></o:p></p><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><br><br>On 04/04/2014 01:24 PM, Bruce Hudson wrote:<o:p></o:p></p></div><blockquote style='margin-top:5.0pt;margin-bottom:5.0pt'><pre> My DHCP is a bit rusty these days but I would definitely not expect<o:p></o:p></pre><pre>multiple ACKs during a regular DORA. The request from the client should<o:p></o:p></pre><pre>include the server identifier of the offer it is accepting; and only<o:p></o:p></pre><pre>that server should process the request. That is part of the protocol.<o:p></o:p></pre><pre> <o:p></o:p></pre><pre> If you are seeing multiple ACKs, either (1) the client is broken<o:p></o:p></pre><pre>and is not including a server identifier, (2) the servers are somehow<o:p></o:p></pre><pre>set to use the same identifier, or (3) the DHCP server is broken and<o:p></o:p></pre><pre>ignoring the identifier in the request. In the absence of packet traces,<o:p></o:p></pre><pre>I am inclined to assume one of the first two. Can you see a server<o:p></o:p></pre><pre>ACKing a client request that includes a different identifier?<o:p></o:p></pre><pre> <o:p></o:p></pre><pre> A client can definitely broadcast a request without an identifier,<o:p></o:p></pre><pre>either during a reboot or at T2 as you suggest. In those cases I would<o:p></o:p></pre><pre> <o:p></o:p></pre><pre>expect any server that sees the request to respond. You will see <o:p></o:p></pre><pre>multiple ACKs. <o:p></o:p></pre><pre> <o:p></o:p></pre><pre> You did not say (or I missed) whether or not these two servers are<o:p></o:p></pre><pre>part of a redundancy pair or not. If they are, that might be the code<o:p></o:p></pre><pre>path that leads to ignoring the server identifier. On the other hand,<o:p></o:p></pre><pre>in that case I would expect the "split" statement to prevent both<o:p></o:p></pre><pre>servers from responding. Do you set the split to 255? <o:p></o:p></pre><pre>--<o:p></o:p></pre><pre>Bruce A. Hudson | <a href="mailto:Bruce.Hudson@Dal.CA" target="_blank">Bruce.Hudson@Dal.CA</a><o:p></o:p></pre><pre>ITS, Networks and Systems |<o:p></o:p></pre><pre>Dalhousie University |<o:p></o:p></pre><pre>Halifax, Nova Scotia, Canada | <a href="tel:%28902%29%20494-3405" target="_blank">(902) 494-3405</a><o:p></o:p></pre></blockquote><p class=MsoNormal style='mso-margin-top-alt:auto;margin-bottom:12.0pt'> <o:p></o:p></p><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'>On 04/04/2014 12:04 PM, Joey D. wrote:<o:p></o:p></p></div><blockquote style='margin-top:5.0pt;margin-bottom:5.0pt'><p class=MsoNormal style='mso-margin-top-alt:auto;margin-bottom:12.0pt'><span style='font-family:"Courier New"'> I apologize if it's not proper etiquette to post the same issue to both mailing lists, but I'm looking for a bit of feedback as to whether what I'm experiencing is 'expected' behaviour from the isc dhcp software. It looks as though myself and Leigh are both observing the same 'multiple ack' scenario, but it's a bit of a "muddy" explanation in the RFC as to whether both ACKs should present themself during a reboot/DORA (although I'd expect it to happen at a T2 timer).<br><br>- Joey D.</span><o:p></o:p></p><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'>On 04/02/2014 12:48 PM, jobewan wrote:<o:p></o:p></p></div><blockquote style='margin-top:5.0pt;margin-bottom:5.0pt'><p class=MsoNormal style='mso-margin-top-alt:auto;margin-bottom:12.0pt'> In our environment, multiple ACKs are causing an issue. We have our servers setup in 2 different geographic regions, and there is a DHCP proxy in-line near the client site. The issue is that the anti-spoofing mechanism in the dhcp-proxy always picks up on the 1st ack to make it back, which is always going to be 'Server A' (due to the latency b/t the regions); although 'Server B' is sending the offer. This in turn causes issues for the client that is wanting an IP address from Server B.<br><br>Is the double ACK an expected behavior on a reboot? The RFC on 3.1 says "If the client already knows its address, some steps may be omitted", which indicates that this should potentially follow the process noted in 3.2 (showing both servers sending an ACK). Although, during a reboot, the client doesn't know it's ip address and follows a simple DORA which would indicate it would use the process in 3.1 (meaning only 1 server sends an ACK)<br><br>(also, sorry for the double post, It appeared that my initial mail was caught by a spamfilter).<br><br>- Joey D.<o:p></o:p></p><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'>On 04/02/2014 11:16 AM, Leigh Porter wrote:<o:p></o:p></p></div><blockquote style='margin-top:5.0pt;margin-bottom:5.0pt'><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'> </span><o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>I see a similar issue with a similar config, however the duplicate ACK is not on the initial request but for lease renewals.</span><o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'> </span><o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>I’ve not bothered investigating so far as it seemed to do no harm for now..</span><o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'> </span><o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>--</span><o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>Leigh</span><o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'> </span><o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><b><span lang=EN-US style='font-size:10.0pt;font-family:"Tahoma","sans-serif"'>From:</span></b><span lang=EN-US style='font-size:10.0pt;font-family:"Tahoma","sans-serif"'> <a href="mailto:dhcp-users-bounces+leigh.porter=ukbroadband.com@lists.isc.org" target="_blank">dhcp-users-bounces+leigh.porter=ukbroadband.com@lists.isc.org</a> [<a href="mailto:dhcp-users-bounces+leigh.porter=ukbroadband.com@lists.isc.org" target="_blank">mailto:dhcp-users-bounces+leigh.porter=ukbroadband.com@lists.isc.org</a>] <b>On Behalf Of </b>Joey D.<br><b>Sent:</b> 02 April 2014 17:04<br><b>To:</b> <a href="mailto:dhcp-users@lists.isc.org" target="_blank">dhcp-users@lists.isc.org</a><br><b>Subject:</b> Multiple ACK Issue</span><o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'> <o:p></o:p></p><div><p class=MsoNormal style='mso-margin-top-alt:auto;margin-bottom:12.0pt'><span style='font-size:10.0pt;font-family:"Arial","sans-serif"'> Below is a diagram of what we witness is happening in the event of a device reboot of a previously connected device (meaning the device is already established in the leases db on both servers), as well as our failover config. Is there a configuration directive that can be used which mandates that only the server sending the offer can send the ACK? (much like what is done when allocating a fresh lease like in sec 3.2 in the rfc). I can detail a bit more as to the environment layout if necessary, but I'm hoping there is an option I'm simply overlooking. </span><o:p></o:p></p><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-size:10.0pt;font-family:"Arial","sans-serif"'> Server A Client Server B</span><o:p></o:p></p></div><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-size:10.0pt;font-family:"Arial","sans-serif"'> </span><o:p></o:p></p></div><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-size:10.0pt;font-family:"Arial","sans-serif"'> v v v</span><o:p></o:p></p></div><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-size:10.0pt;font-family:"Arial","sans-serif"'> | | |</span><o:p></o:p></p></div><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-size:10.0pt;font-family:"Arial","sans-serif"'> | Begins initialization |</span><o:p></o:p></p></div><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-size:10.0pt;font-family:"Arial","sans-serif"'> | | |</span><o:p></o:p></p></div><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-size:10.0pt;font-family:"Arial","sans-serif"'> | _____________/|\____________ |</span><o:p></o:p></p></div><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-size:10.0pt;font-family:"Arial","sans-serif"'> |/DHCPDISCOVER | DHCPDISCOVER\|</span><o:p></o:p></p></div><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-size:10.0pt;font-family:"Arial","sans-serif"'> | | |</span><o:p></o:p></p></div><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-size:10.0pt;font-family:"Arial","sans-serif"'> | | |</span><o:p></o:p></p></div><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-size:10.0pt;font-family:"Arial","sans-serif"'> | | ___________/|</span><o:p></o:p></p></div><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-size:10.0pt;font-family:"Arial","sans-serif"'> | | /DHCPOFFER |</span><o:p></o:p></p></div><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-size:10.0pt;font-family:"Arial","sans-serif"'> | |/ |</span><o:p></o:p></p></div><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-size:10.0pt;font-family:"Arial","sans-serif"'> | Selects configuration |</span><o:p></o:p></p></div><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-size:10.0pt;font-family:"Arial","sans-serif"'> | | |</span><o:p></o:p></p></div><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-size:10.0pt;font-family:"Arial","sans-serif"'> | _____________/|\____________ |</span><o:p></o:p></p></div><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-size:10.0pt;font-family:"Arial","sans-serif"'> |/ DHCPREQUEST | DHCPREQUEST\|</span><o:p></o:p></p></div><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-size:10.0pt;font-family:"Arial","sans-serif"'> | | |</span><o:p></o:p></p></div><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-size:10.0pt;font-family:"Arial","sans-serif"'> | | |</span><o:p></o:p></p></div><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-size:10.0pt;font-family:"Arial","sans-serif"'> | | |</span><o:p></o:p></p></div><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-size:10.0pt;font-family:"Arial","sans-serif"'> |\_____________ | ____________/|</span><o:p></o:p></p></div><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-size:10.0pt;font-family:"Arial","sans-serif"'> | DHCPACK \|/ DHCPACK |</span><o:p></o:p></p></div><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-size:10.0pt;font-family:"Arial","sans-serif"'> | | |</span><o:p></o:p></p></div><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-size:10.0pt;font-family:"Arial","sans-serif"'> | Initialization complete | </span><o:p></o:p></p></div><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-size:10.0pt;font-family:"Arial","sans-serif"'> </span><o:p></o:p></p></div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-size:10.0pt;font-family:"Arial","sans-serif"'> <br><br>SERVER A: <br>stash-agent-options true; <br><br>failover peer "iah-kcm" { <br> primary; <br> address x.x.1.248; <br> port 647; <br> peer address x.x.2.248; <br> peer port 647; <br> auto-partner-down 121; <br> max-response-delay 120; <br> max-unacked-updates 10; <br> load balance max seconds 5; <br> mclt 3600; <br> split 128; <br><br>} <br>server-identifier x.x.1.248; <br>ping-check false; <br><br><br>SERVER B: <br>stash-agent-options true; <br><br>failover peer "iah-kcm" { <br><br> secondary; <br> address x.x.2.248; <br> port 647; <br> peer address x.x.1.248; <br> peer port 647; <br> auto-partner-down 121; <br> max-response-delay 120; <br> max-unacked-updates 10; <br> load balance max seconds 5; <br>} <br>server-identifier x.x.2.248; <br>ping-check false; <br><br><br>- Joey D. </span><o:p></o:p></p></div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><br>______________________________________________________________________<br>This email has been scanned by the Symantec Email Security.cloud service.<br>For more information please visit <a href="http://www.symanteccloud.com" target="_blank">http://www.symanteccloud.com</a><br>______________________________________________________________________<o:p></o:p></p></div><p class=MsoNormal style='mso-margin-top-alt:auto;margin-bottom:12.0pt'><br clear=all>______________________________________________________________________<br>This email has been scanned by the Symantec Email Security.cloud service.<br>For more information please visit <a href="http://www.symanteccloud.com" target="_blank">http://www.symanteccloud.com</a><br>______________________________________________________________________<o:p></o:p></p><pre>_______________________________________________<o:p></o:p></pre><pre>dhcp-users mailing list<o:p></o:p></pre><pre><a href="mailto:dhcp-users@lists.isc.org" target="_blank">dhcp-users@lists.isc.org</a><o:p></o:p></pre><pre><a href="https://lists.isc.org/mailman/listinfo/dhcp-users" target="_blank">https://lists.isc.org/mailman/listinfo/dhcp-users</a><o:p></o:p></pre></blockquote></blockquote><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'> <o:p></o:p></p></blockquote><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'> <o:p></o:p></p></blockquote><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'> <o:p></o:p></p></div></div></div></div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'> <o:p></o:p></p></div></div></div></div></div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'> <o:p></o:p></p></div></div></div></div></div></div></div><p class=MsoNormal> <o:p></o:p></p></div></blockquote><p class=MsoNormal><o:p> </o:p></p></div></body></html>