<div dir="ltr"><div class="gmail_default" style="font-size:small">I am not using firewalld, just direct iptables and ip6tables config files.</div><div class="gmail_default" style="font-size:small"><br></div><div class="gmail_default" style="font-size:small">--Dan</div><div class="gmail_default" style="font-size:small"><br></div></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Tue, Jan 3, 2023 at 9:52 AM Eric Graham <<a href="mailto:eric.graham@vantagepnt.com">eric.graham@vantagepnt.com</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div class="msg-5205534197742289911">
<div dir="ltr">
<div><span style="font-family:Calibri,Arial,Helvetica,sans-serif;font-size:12pt;color:rgb(0,0,0);background-color:rgb(255,255,255)">Dan,</span></div>
<div><span style="font-family:Calibri,Arial,Helvetica,sans-serif;font-size:12pt;color:rgb(0,0,0);background-color:rgb(255,255,255)"><br>
</span></div>
<div><span style="font-family:Calibri,Arial,Helvetica,sans-serif;font-size:12pt;color:rgb(0,0,0);background-color:rgb(255,255,255)">Would you be willing to dump your iptables filter and nat tables
before and after the restart and take a diff? Are you using firewalld on top of iptables, by chance? I've been running into issues with my firewall completely breaking when switching the backend of firewalld from nftables to iptables, but I suspect that's
an entirely different issue.<br>
</span></div>
<div><span style="font-family:Calibri,Arial,Helvetica,sans-serif;font-size:12pt;color:rgb(0,0,0);background-color:rgb(255,255,255)"><br>
</span></div>
<div><span style="font-family:Calibri,Arial,Helvetica,sans-serif;font-size:12pt;color:rgb(0,0,0);background-color:rgb(255,255,255)">I do want to add that the article Stefan linked does mention that
the network being "up" varies in definition. I know that I have needed to write retries into some of my own services that require that target, because the network might be "up" and DNS still might not resolve, pings fail, etc.<br>
</span></div>
<div>
<div style="font-family:Calibri,Arial,Helvetica,sans-serif;font-size:12pt;color:rgb(0,0,0)">
<br>
</div>
<div id="m_-5205534197742289911Signature">
<div>
<div style="font-family:Calibri,Arial,Helvetica,sans-serif;font-size:12pt;color:rgb(0,0,0);background-color:rgb(255,255,255)">
<b>Eric Graham</b></div>
<div style="font-family:Calibri,Arial,Helvetica,sans-serif;font-size:12pt;color:rgb(0,0,0);background-color:rgb(255,255,255)">
<i>DevOps Specialist</i></div>
<div style="font-family:Calibri,Arial,Helvetica,sans-serif;font-size:12pt;color:rgb(0,0,0);background-color:rgb(255,255,255)">
<span style="font-size:8pt">Direct: 605.990.1859</span><span style="font-family:Calibri,Arial,Helvetica,sans-serif;font-size:8pt;color:rgb(0,0,0);background-color:rgba(0,0,0,0)"></span><i><br>
</i></div>
<div style="font-family:Calibri,Arial,Helvetica,sans-serif;font-size:12pt;color:rgb(0,0,0);background-color:rgb(255,255,255)">
<i><span style="font-family:Calibri,Arial,Helvetica,sans-serif;font-size:8pt;color:rgb(0,0,0);background-color:rgba(0,0,0,0)"></span></i><a href="mailto:eric.graham@vantagepnt.com" title="mailto:eric.graham@vantagepnt.com" target="_blank"><span style="font-size:8pt">Eric.Graham@vantagepnt.com</span></a><i><br>
</i></div>
</div>
</div>
</div>
<div id="m_-5205534197742289911appendonsend"></div>
<hr style="display:inline-block;width:98%">
<div id="m_-5205534197742289911divRplyFwdMsg" dir="ltr"><font style="font-size:11pt" face="Calibri, sans-serif" color="#000000"><b>From:</b> Kea-users <<a href="mailto:kea-users-bounces@lists.isc.org" target="_blank">kea-users-bounces@lists.isc.org</a>> on behalf of Dan Oachs <<a href="mailto:doachs@gac.edu" target="_blank">doachs@gac.edu</a>><br>
<b>Sent:</b> Tuesday, January 3, 2023 9:25 AM<br>
<b>To:</b> Stefan G. Weichinger <<a href="mailto:lists@xunil.at" target="_blank">lists@xunil.at</a>><br>
<b>Cc:</b> <a href="mailto:kea-users@lists.isc.org" target="_blank">kea-users@lists.isc.org</a> <<a href="mailto:kea-users@lists.isc.org" target="_blank">kea-users@lists.isc.org</a>><br>
<b>Subject:</b> Re: [Kea-users] Monitoring a Kea cluster</font>
<div> </div>
</div>
<div>
<div>
<div dir="ltr">
<div style="font-size:small">I have noticed something similar with our Kea servers.</div>
<div style="font-size:small"><br>
</div>
<div style="font-size:small">Running Kea 2.0.3 on Rocky Linux 8.7</div>
<div style="font-size:small"><br>
</div>
<div style="font-size:small">After a server reboot dhcpv6 is running but not handing out leases. There is some issue with the way things start up and the firewall blocking packets. My current workaround is to add a few lines in /etc/rc.local
to stop ip6tables, restart kea-dhcp6, then start ip6tables.</div>
<div style="font-size:small"><br>
</div>
<div style="font-size:small">I'm sure there is a correct way to fix this, but the workaround is functional for me at the moment.</div>
<div style="font-size:small"><br>
</div>
<div style="font-size:small">--Dan</div>
<div style="font-size:small"><br>
</div>
</div>
<br>
<div>
<div dir="ltr">On Tue, Jan 3, 2023 at 2:20 AM Stefan G. Weichinger <<a href="mailto:lists@xunil.at" target="_blank">lists@xunil.at</a>> wrote:<br>
</div>
<blockquote style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
On 27.12.22 at 12:46, Darren Ankney wrote:<br>
<br>
> In any case, I’d be concerned why it was running but not answering <br>
> requests more-so than I would be about how to monitor it using actual <br>
> DHCP. I vaguely remember having some trouble with Kea and systemd <br>
> startup ordering (ie: it started up before the server’s IP was on the <br>
> interface). Setting After=network.target took care of it.<br>
<br>
We saw the behavior again yesterday: no DHCP leases after a reboot until <br>
we restarted kea.<br>
<br>
In the service file there are these lines:<br>
<br>
Wants=network-online.target<br>
After=network-online.target<br>
After=time-sync.target<br>
<br>
<a href="https://systemd.io/NETWORK_ONLINE/" rel="noreferrer" target="_blank">https://systemd.io/NETWORK_ONLINE/</a> gives some information about these
<br>
targets ... "network-online.target" should fit better .. but doesn't <br>
seem to be enough.<br>
<br>
We use raw sockets for kea, but the server listens on multiple <br>
vlan-interfaces:<br>
<br>
{<br>
"Dhcp4": {<br>
"interfaces-config": {<br>
"interfaces": [ "enp0s31f6", "enp0s31f6.101", <br>
"enp0s31f6.102", "enp0s31f6.103", "enp0s31f6.200" ],<br>
"dhcp-socket-type": "raw"<br>
},<br>
<br>
<br>
</blockquote>
</div>
</div>
</div>
</div>
</div></blockquote></div>
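
The before/after comparison Eric asks for above, as an added example that is not part of the original thread. The function names and the sample dumps are constructed for illustration; the sample assumes the difference is a missing accept rule for DHCPv6 (UDP 547), which the thread does not confirm.

```shell
#!/bin/sh
# Added example: diff two iptables-save / ip6tables-save dumps, ignoring noise.
# On a real host: iptables-save -t filter > before.filter (likewise -t nat, ip6tables-save).

# normalize_dump FILE: drop "# Generated by"/"# Completed on" comment lines
# (they carry timestamps) and reset the [packets:bytes] counters.
normalize_dump() {
    sed -E -e '/^#/d' -e 's/\[[0-9]+:[0-9]+\]/[0:0]/g' "$1"
}

# ruleset_diff BEFORE AFTER: print only the lines that differ
# ("< " = only in BEFORE, "> " = only in AFTER); prints nothing if equal.
ruleset_diff() {
    rd_tmp=$(mktemp -d) || return 2
    normalize_dump "$1" > "$rd_tmp/before"
    normalize_dump "$2" > "$rd_tmp/after"
    diff "$rd_tmp/before" "$rd_tmp/after" | grep '^[<>]' || true
    rm -rf "$rd_tmp"
}

# write_samples DIR: constructed dumps (not taken from the thread). The "after"
# dump has new counters and timestamps and lacks the UDP 547 accept rule.
write_samples() {
    cat > "$1/before.rules" <<'EOF'
# Generated by ip6tables-save on Tue Jan  3 09:00:01 2023
*filter
:INPUT DROP [12:960]
:OUTPUT ACCEPT [40:3200]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p udp -m udp --dport 547 -j ACCEPT
COMMIT
# Completed on Tue Jan  3 09:00:01 2023
EOF
    cat > "$1/after.rules" <<'EOF'
# Generated by ip6tables-save on Tue Jan  3 09:05:42 2023
*filter
:INPUT DROP [3:240]
:OUTPUT ACCEPT [7:560]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
COMMIT
# Completed on Tue Jan  3 09:05:42 2023
EOF
}

demo_dir=$(mktemp -d)
write_samples "$demo_dir"
ruleset_diff "$demo_dir/before.rules" "$demo_dir/after.rules"
rm -rf "$demo_dir"
```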