Server handing out different addresses every time??
ptwinn at cimtel.net
Thu Jun 16 21:08:09 UTC 2011
I have run into a strange problem which I've not seen before.
I'm not sure if it was introduced by upgrading to 4.2.1-P1 or what.
We are noticing that about half of our DSL routers are set to have ICMP
ping responses enabled, and about half don't.
Of the ones that do have ping enabled, in the event that the DSL router is
cold booted, it will always get its last address (so long as it's still
a valid lease in the server's memory/leases file). This is presumably due
to the fact that nobody on the net has his last address and thus, no ICMP
ping responses come back to the dhcpd when it checks.
The second scenario, which is the one hurting us, is this...
In the event of a DSL line reset/re-train, the wan interface of the DSL
router remains "up" and upon completion of the re-train, it sends a
dhcpdiscover packet to the world in hopes of renewing its IP address.
When the dhcpd receives the request, it sends the usual ICMP ping packet
out and gets a response from the device asking for the address because the
wan interface thinks it is still up on its old address for the time being.
Since it always, consistently complains that "someone" has that address
already, it throws it out and offers a new address. This bears the effect
of handing out a new address *every time* you have a line re-train, where
if it was just checking the mac address in the ICMP ping reply against the
one in the current lease on that IP, it would see a match and hand the
same IP address back to the client rather than tossing it out thinking
someone else has it and giving him a new IP. This *is* very reproducible.
Perhaps it is doing such a mac check (I haven't dug in the code to verify),
but if it is, something in there is broken.
We tried dropping a rule into iptables to block outbound ICMP pings to the
subnets in question which corrected the behavior and we always got the
same address. In doing that however, we broke things on the other side
of the fence. For those who DO have ping enabled, they will answer to a
ping from the server and let it know someone has a given IP (under the
right circumstances). With ping blocked, those ones won't answer and the
server hands out the address multiple times...causing duplicates.
Not a good thing.
We've been running ISC's dhcpd for at least a year or so now and only
recently ran into these problems. A little help and insight would be
Thanks for listening and I hope this all made sense to someone..
Patrick T. Winn
Senior Systems Engineer
Cimarron Telephone Co.
(918) 865-3311 x280 - office
(918) 606-6602 - cell
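
An added example, not part of the original post and not dhcpd's own code: a small Python model of the ping-before-offer behaviour described in the message, comparing the plain ping check, the blocked-ICMP workaround, and the MAC comparison the poster suggests. All names, addresses and scenarios are constructed, and the model assumes the server can see the responder's MAC, which only holds on the same layer-2 segment.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class Host:
    mac: str
    ip: Optional[str]      # address the WAN interface currently believes it holds
    answers_ping: bool

def responder(ip, hosts):
    """MAC of the host that answers an echo request for ip, or None."""
    return next((h.mac for h in hosts if h.ip == ip and h.answers_ping), None)

def offer(client_mac, leases, pool, hosts, policy):
    """Return (offered address, addresses abandoned on the way).

    "ping":     any echo reply marks the candidate as in use
    "no-ping":  outbound ICMP is blocked, so there is no conflict check
    "ping+mac": a reply from the requesting client itself is ignored
                (assumption: the responder's MAC is visible to the server)
    """
    abandoned = []
    taken = {ip for mac, ip in leases.items() if mac != client_mac}
    candidates = [leases[client_mac]] if client_mac in leases else []
    candidates += [ip for ip in pool if ip not in taken and ip not in candidates]
    for ip in candidates:
        who = None if policy == "no-ping" else responder(ip, hosts)
        if who is None or (policy == "ping+mac" and who == client_mac):
            return ip, abandoned
        abandoned.append(ip)   # someone answered: treat the address as in use
    return None, abandoned

# Constructed sample data (documentation address range, made-up MACs).
POOL = ["192.0.2.10", "192.0.2.11", "192.0.2.12"]
LEASES = {"aa:aa": "192.0.2.10"}
SCENARIOS = [
    ("aa:aa", [Host("aa:aa", None, True)]),          # cold boot: interface down
    ("aa:aa", [Host("aa:aa", "192.0.2.10", True)]),  # re-train: still answers on old IP
    ("cc:cc", [Host("bb:bb", "192.0.2.11", True)]),  # bb:bb uses .11 with no lease on record
]

def run_all():
    """Offered address per scenario, for each policy."""
    return {p: tuple(offer(mac, LEASES, POOL, hosts, p)[0] for mac, hosts in SCENARIOS)
            for p in ("ping", "no-ping", "ping+mac")}

if __name__ == "__main__":
    for policy, offered in run_all().items():
        print(f"{policy:9s} cold-boot={offered[0]} re-train={offered[1]} new-client={offered[2]}")
```
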