
S5720/S6720 DHCP Relay problem

Posted 2021-9-14 10:45:49. Last reply Sep 21, 2021 08:47:21.
Forum points awarded: 0 (Problem solved)

Hello, we are faced with a problem of incorrect DHCP relay operation on the S5720/S6720.
After receiving an IP address from the DHCP server, the client sends a DHCP REQUEST to extend the lease, but the switch responds with a DHCP NAK message (option 56: Requested IP address not in pool); after that the client goes through the full DISCOVER/OFFER/REQUEST/ACK cycle and receives the IP address again. And this repeats after half of the lease time.

What could be the problem and how can it be fixed?

Config:
interface LoopBack1
 ip address 10.0.16.201 255.255.255.248
 isis enable 1
 isis circuit-level level-2

interface Vlanif329
 ip address unnumbered interface LoopBack1
 dhcp select relay
 dhcp relay server-ip 10.0.16.225
 dhcp relay information enable
 dhcp relay information strategy keep

Software: V200R019C10SPC500

Post synced to: S-series switch troubleshooting

All replies
Victorovski, posted 2021-9-14 11:26:40
Can you share any debug information?
Maybe this can be useful for you; the solution there is to restart the DHCP server:
https://support.huawei.com/enterprise/en/knowledge/EKB1001273893

mkabanov (MVE Author), posted 2021-9-14 11:58:27
1) Can you try to NOT use the loopback?
2) Software upgrade - ?

user_4200661, posted 2021-9-14 13:39:49

Thanks for the answer, but unfortunately this is not our case.
We have no problems with the Cisco ASR920 and the same DHCP server; the problem is only with the S5720, and it started after replacing the ME3400 with the S5720.
Before switching to the S5720, the logs on the DHCP server looked like this:

2021-08-16 12:05 3426167601 REQUEST: [28:28:5d:de:bd:75] via (85.34.48.1) circuit: [0x45746865726e6574302f302f323a323032372e343039362047617374656c6c6f2c34392f302f302f302f302f30] remote_id: [0xcccc814715ff] ...
2021-08-16 12:05 3426167601 ACK: 85.34.49.46 to [28:28:5d:de:bd:75] ...  circuit: [] ... real-mac: []
2021-08-16 12:05 3426167601 REQUEST: [28:28:5d:de:bd:75] via 85.34.48.1) circuit: [0x45746865726e6574302f302f323a323032372e343039362047617374656c6c6f2c34392f302f302f302f302f30] remote_id: [0xcccc814715ff] ...
2021-08-16 12:05 3426167601 ACK: 85.34.49.46 to [28:28:5d:de:bd:75] ...  circuit: [] ... real-mac: []
2021-08-16 12:05 3426167601 REQUEST: [28:28:5d:de:bd:75] via (85.34.48.1) circuit: [0x45746865726e6574302f302f323a323032372e343039362047617374656c6c6f2c34392f302f302f302f302f30] remote_id: [0xcccc814715ff] ...
2021-08-16 12:05 3426167601 ACK: 85.34.49.46 to [28:28:5d:de:bd:75] ...  circuit: [] ... real-mac: []

After switching, the logs with the problem look like this:

2021-08-16 12:05 3426167601 REQUEST: [28:28:5d:de:bd:75] via (85.34.48.1) circuit: [0x45746865726e6574302f302f323a323032372e343039362047617374656c6c6f2c34392f302f302f302f302f30] remote_id: [0xcccc814715ff] ...
2021-08-16 12:05 3426167601 ACK: 85.34.49.46 to [28:28:5d:de:bd:75] ...  circuit: [] ... real-mac: []
2021-08-16 12:05 3426167601 REQUEST: [28:28:5d:de:bd:75] via (85.34.48.1) circuit: [0x45746865726e6574302f302f323a323032372e343039362047617374656c6c6f2c34392f302f302f302f302f30] remote_id: [0xcccc814715ff] ...
2021-08-16 12:05 3426167601 ACK: 85.34.49.46 to [28:28:5d:de:bd:75] ...  circuit: [] ... real-mac: []
2021-08-16 12:05 3426167601 REQUEST: [28:28:5d:de:bd:75] via (85.34.48.1) circuit: [0x45746865726e6574302f302f323a323032372e343039362047617374656c6c6f2c34392f302f302f302f302f30] remote_id: [0xcccc814715ff] ...
2021-08-16 12:05 3426167601 ACK: 85.34.49.46 to [28:28:5d:de:bd:75] ...  circuit: [] ... real-mac: []
2021-08-16 12:05 3426167601 REQUEST: [28:28:5d:de:bd:75] via (85.34.48.1) circuit: [0x45746865726e6574302f302f323a323032372e343039362047617374656c6c6f2c34392f302f302f302f302f30] remote_id: [0xcccc814715ff] ...
2021-08-16 12:05 3426167601 ACK: 85.34.49.46 to [28:28:5d:de:bd:75] ...  circuit: [] ... real-mac: []
2021-08-16 12:05 3426167601 REQUEST: [28:28:5d:de:bd:75] via (85.34.48.1) circuit: [0x45746865726e6574302f302f323a323032372e343039362047617374656c6c6f2c34392f302f302f302f302f30] remote_id: [0xcccc814715ff] ...
2021-08-16 12:05 3426167601 ACK: 85.34.49.46 to [28:28:5d:de:bd:75] ...  circuit: [] ... real-mac: []
2021-08-16 12:05 3426167601 DISCOVER: [28:28:5d:de:bd:75] via (85.34.48.1) Keenetic_Start circuit: [0x45746865726e6574302f302f323a323032372e343039362047617374656c6c6f2c34392f302f302f302f302f30] remote_id: [0xcccc814715ff] real-mac: []
2021-08-16 12:05 3426167601 OFFER: 85.34.49.46 to [28:28:5d:de:bd:75] ...
2021-08-16 12:05 3426167601 REQUEST: [28:28:5d:de:bd:75] via (85.34.48.1) circuit: [0x45746865726e6574302f302f323a323032372e343039362047617374656c6c6f2c34392f302f302f302f302f30] remote_id: [0xcccc814715ff] ...
2021-08-16 12:05 3426167601 ACK: 85.34.49.46 to [28:28:5d:de:bd:75] ...  circuit: [] ... real-mac:

The client cannot get an IP address for 11 minutes.

In the S5720 logs it looks like this:

Sep 14 2021 11:39:50.90.1+04:00 HUAWEI5720 DHCP/7/DEBUG:[DHCP-pkt]:Receive DHCP NAK message.orgif:null srcif:null L3if:null DstIf:GE0/0/1 srcmac:68cc-6ea8-027f dstmac:ffff-ffff-ffff vsi:- vlan:329/0 srcip:17.9.6.201 dstip:255.255.255.255 VPN:- src-port:67 dst-port:68 msgtype:BOOT-REPLY dhcp msgtype:DHCP NAK bflag:uc chaddr:c434-6b07-22b1 ciaddr:0.0.0.0 reqip:0.0.0.0 giaddr:0.0.0.0 serverid:17.9.6.201 yiaddr:0.0.0.0 xid:0x14de2feb

Sep 14 2021 11:39:50.90.2+04:00 HUAWEI5720 DHCP/7/DEBUG:[DHCP-info]:The packet with option56:Requested IP address not in pool

1) Can you try to NOT use the loopback? Yes, it did not help.
2) Software upgrade - ? We have the latest version.

mkabanov (MVE Author), posted 2021-9-14 22:10:35

I propose to understand this further.
1) In general, a NAK message can be issued if the router (in the role of a DHCP relay) believes that the response to the request is issued in the wrong direction:
1-1) conditionally, this can be represented as protection against the translation of internal DHCP to external interfaces
1-2)

That is, the router (relay agent) does not issue DHCP responses in the "wrong" direction.

2) So provide the full config :)


user_4200661, posted 2021-9-20 09:08:28

The problem remains.
The configuration is the simplest, as in the example from the Huawei HedEx (the example of configuring a DHCP relay agent where the DHCP relay agent and the DHCP server are on the same network).

Directly connected VLAN where the DHCP server is:

interface XGigabitEthernet0/0/1
 port link-type hybrid
 port hybrid tagged vlan 380 389

interface Vlanif380
 ip address 17.9.6.209 255.255.255.252

And the VLAN for users:

interface Vlanif329
 ip address 17.9.6.201 255.255.255.248
 dhcp select relay
 dhcp relay server-ip 17.9.6.210

interface GigabitEthernet0/0/1
 port link-type hybrid
 port hybrid tagged vlan 329

dhcp enable

Sep 20 2021 10:04:51.174.1+04:00 HUAWEI5720_Michurina74 DHCP/7/DEBUG:[DHCP-pkt]:Receive DHCP packet (srcif:-1-null orgif:-1-null destif:GigabitEthernet0/0/1 length:383 mflg:BC/BC).

Sep 20 2021 10:04:51.174.2+04:00 HUAWEI5720_Michurina74 DHCP/7/DEBUG:[DHCP-info]:Message with options: 53 54 56 82

Sep 20 2021 10:04:51.174.3+04:00 HUAWEI5720_Michurina74 DHCP/7/DEBUG:[DHCP-pkt]:Receive DHCP NAK message.orgif:null srcif:null L3if:null DstIf:GE0/0/1 srcmac:68cc-6ea8-027f dstmac:ffff-ffff-ffff vsi:- vlan:329/0 srcip:17.9.6.201 dstip:255.255.255.255 VPN:- src-port:67 dst-port:68 msgtype:BOOT-REPLY dhcp msgtype:DHCP NAK bflag:uc chaddr:50ff-2024-121b ciaddr:0.0.0.0 reqip:0.0.0.0 giaddr:0.0.0.0 serverid:17.9.6.201 yiaddr:0.0.0.0 xid:0xbf187c23

Sep 20 2021 10:04:51.174.4+04:00 HUAWEI5720_Michurina74 DHCP/7/DEBUG:[DHCP-info]:The packet with option56:Requested IP address not in pool

Sep 20 2021 10:04:51.174.5+04:00 HUAWEI5720_Michurina74 DHCP/7/DEBUG:[DHCPSNP-pkt]:Receive DHCP NAK message.(srcif:null, srcl2if:null, dstif:GE0/0/1, vsi:65535, vlan(O/I:329/0), mac(client:50ff-2024-121b src:68cc-6ea8-027f dst:ffff-ffff-ffff), port(src:67 dst:68), bd:0, vxlan(src:0.0.0.0,dst0.0.0.0,src-ipv6:::,dst-ipv6:::))

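An added diagnostic example, not from the thread or from Huawei: a small Python parser for the [DHCP-pkt] debug line quoted in the post above that reads the NAK's server identifier (option 54) and compares it with the configured relay server-ip. In that line the serverid is 17.9.6.201, the address of Vlanif329 (taken from LoopBack1), not the relay target 17.9.6.210, so the NAK was not forwarded from the DHCP server; the sample log line is a constructed copy of the quoted one, and the two addresses are taken from the poster's configuration.

```python
import re

# Constructed sample in the format of the S5720 "[DHCP-pkt]" debug line quoted in the
# thread (addresses, MACs and xid copied from that post; hostname shortened).
SAMPLE_NAK = (
    "Sep 20 2021 10:04:51.174.3+04:00 HUAWEI5720 DHCP/7/DEBUG:[DHCP-pkt]:"
    "Receive DHCP NAK message.orgif:null srcif:null L3if:null DstIf:GE0/0/1 "
    "srcmac:68cc-6ea8-027f dstmac:ffff-ffff-ffff vsi:- vlan:329/0 srcip:17.9.6.201 "
    "dstip:255.255.255.255 VPN:- src-port:67 dst-port:68 msgtype:BOOT-REPLY "
    "dhcp msgtype:DHCP NAK bflag:uc chaddr:50ff-2024-121b ciaddr:0.0.0.0 "
    "reqip:0.0.0.0 giaddr:0.0.0.0 serverid:17.9.6.201 yiaddr:0.0.0.0 xid:0xbf187c23"
)
# From the poster's config: relay target (dhcp relay server-ip) and the Vlanif329 address.
RELAY_SERVER_IP = "17.9.6.210"
RELAY_IF_IP = "17.9.6.201"

FIELDS = ("DstIf", "srcmac", "vlan", "srcip", "dstip", "chaddr", "ciaddr",
          "reqip", "giaddr", "serverid", "yiaddr", "xid")

def parse_dhcp_pkt_debug(line: str) -> dict:
    """Extract the useful key:value fields from one [DHCP-pkt] debug line."""
    if "[DHCP-pkt]" not in line:
        raise ValueError("not a [DHCP-pkt] debug line")
    # Generic key:value tokens; stray matches (timestamp, DEBUG:) are never looked up.
    kv = dict(re.findall(r"([A-Za-z0-9]+):(\S+)", line))
    fields = {key: kv.get(key) for key in FIELDS}
    # The BOOTP op and the DHCP message type both use the word "msgtype", and the DHCP
    # one ("dhcp msgtype:DHCP NAK") contains a space, so each gets its own pattern.
    bootp = re.search(r"\bmsgtype:(BOOT-[A-Z]+)", line)
    dhcp = re.search(r"dhcp msgtype:(DHCP [A-Z]+)", line)
    fields["bootp_msgtype"] = bootp.group(1) if bootp else None
    fields["dhcp_msgtype"] = dhcp.group(1) if dhcp else None
    return fields

def classify_nak(fields: dict, relay_server_ip: str, relay_if_ip: str) -> str:
    """Classify a NAK seen on the client VLAN by its option 54 (serverid): a relay
    forwards BOOTREPLY messages without rewriting DHCP options, so a NAK from the real
    server keeps that server's identifier, while the relay's own address means the
    reply did not come through the relay path at all."""
    if fields["dhcp_msgtype"] != "DHCP NAK":
        return "not-a-nak"
    serverid = fields["serverid"]
    if serverid == relay_server_ip:
        return "relayed-from-configured-server"
    if serverid == relay_if_ip:
        return "generated-locally-by-relay"
    return "unexpected-server:" + str(serverid)

# Verdict for the quoted NAK: its serverid is the switch's own address, not 17.9.6.210.
VERDICT = classify_nak(parse_dhcp_pkt_debug(SAMPLE_NAK), RELAY_SERVER_IP, RELAY_IF_IP)
```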

mkabanov, posted 2021-9-20 22:06
Please provide the full config (dis cur).

user_4200661, posted 2021-9-21 08:47:21

<HUAWEI5720>dis cur
!Software Version V200R019C10SPC500
#
sysname HUAWEI5720
#
FTP server enable
#

#
vcmp role silent
#
vlan batch 329 380 389 400 510
#
lnp disable
#
loopback-detect auto disable
#
multicast routing-enable
#

igmp-snooping enable
#

undo lldp enable
#

#
arp learning ip-network-cross enable
#
ecmp local-preference disable
#
route low-priority enable
#
set flow-change-ratio input-broadcast-detect disable
#
dhcp enable
#
dhcp snooping enable
#
undo portal url-encode enable
portal pass dns enable
#
diffserv domain default
#

mpls lsr-id 10.44.44.7
mpls
#
mpls l2vpn
#
vsi 510 static
pwsignal ldp
 vsi-id 510
 peer 10.44.44.11
mtu 1580
encapsulation ethernet
#
mpls ldp
graceful-restart
#
#
mpls ldp remote-peer nag136
remote-ip 10.44.44.11
#
pki realm default
#
acl number 2000
rule 5 permit source 232.0.0.0 0.255.255.255
acl number 2009
rule 5 deny
#

acl name mvr_in 3999
rule 5 deny tcp destination-port eq 139
rule 10 deny udp destination-port eq 135
rule 15 deny tcp destination-port eq 445
rule 18 permit ip destination 232.0.0.0 0.255.255.255
rule 25 permit ip destination 224.2.127.254 0
rule 30 deny ip
#
keychain isis mode absolute
receive-tolerance 100
key-id 1
 algorithm md5
 key-string cipher xxxxx
 default send-key-id
#
free-rule-template name default_free_rule
#
portal-access-profile name portal_access_profile
#
drop-profile default
#
vlan 400
igmp-snooping enable
igmp-snooping ssm-policy 2009
#
#
aaa
authentication-scheme default
 authentication-mode local
authentication-scheme radius
 authentication-mode radius
authorization-scheme default
 authorization-mode local
accounting-scheme default
 accounting-mode none
domain default
 authentication-scheme default
 accounting-scheme default
domain default_admin
 authentication-scheme default
 accounting-scheme default
undo local-user admin

#
isis 1
is-level level-2
cost-style wide
timer lsp-generation 5 1 20 level-2
flash-flood level-2
ldp-sync enable
network-entity 49.0001.0010.4444.0007.00
timer spf 5 1 20
log-peer-change
timer lsp-max-age 65535
timer lsp-refresh 65000
#
ntp-service server disable
ntp-service ipv6 server disable
ntp-service unicast-peer 192.168.32.123
#
interface Vlanif1
#
interface Vlanif329
ip address unnumbered interface LoopBack1
dhcp select relay
dhcp relay server-ip 17.9.6.210
dhcp relay information enable
dhcp relay information strategy keep
#
interface Vlanif380
ip address 17.9.6.209 255.255.255.252
#
interface Vlanif389
description ISIS_link to_N136
mtu 9216
ip address 17.9.6.243 255.255.255.254
isis enable 1
isis circuit-type p2p
isis circuit-level level-2
isis authentication-mode md5 cipher xxx
isis ldp-sync
pim sm
mpls
mpls mtu 1580
mpls ldp
#
interface Vlanif400
description MVR
ip address 172.16.3.9 255.255.255.254
pim sm
igmp enable
igmp ssm-mapping enable
#
interface Vlanif510
l2 binding vsi 510
#
interface MEth0/0/1
ip address 192.168.32.7 255.255.255.128
#
interface GigabitEthernet0/0/1
port link-type hybrid
port hybrid tagged vlan 329 400 510
#
interface GigabitEthernet0/0/2
#
interface GigabitEthernet0/0/3
#
interface GigabitEthernet0/0/4
#
interface GigabitEthernet0/0/5
#
interface GigabitEthernet0/0/6
#
interface GigabitEthernet0/0/7
#
interface GigabitEthernet0/0/8
#
interface GigabitEthernet0/0/9
#
interface GigabitEthernet0/0/10
#
interface GigabitEthernet0/0/11
#
interface GigabitEthernet0/0/12
#
interface GigabitEthernet0/0/13
#
interface GigabitEthernet0/0/14
#
interface GigabitEthernet0/0/15
#
interface GigabitEthernet0/0/16
#
interface GigabitEthernet0/0/17
#
interface GigabitEthernet0/0/18
#
interface GigabitEthernet0/0/19
#
interface GigabitEthernet0/0/20
#
interface GigabitEthernet0/0/21
#
interface GigabitEthernet0/0/22
#
interface GigabitEthernet0/0/23
#
interface GigabitEthernet0/0/24
#
interface GigabitEthernet0/0/25
#
interface GigabitEthernet0/0/26
#
interface GigabitEthernet0/0/27
#
interface GigabitEthernet0/0/28
#
interface XGigabitEthernet0/0/1
description to_N136
port link-type hybrid
port hybrid tagged vlan 380 389
#
interface XGigabitEthernet0/0/2
#
interface XGigabitEthernet0/0/3
#
interface XGigabitEthernet0/0/4
#
interface NULL0
#
interface LoopBack0
ip address 10.44.44.7 255.255.255.255
isis enable 1
isis circuit-level level-2
#
interface LoopBack1
ip address 17.9.6.201 255.255.255.248
isis enable 1
isis circuit-level level-2
#
igmp
ssm-mapping 232.0.0.0 255.255.255.0 217.79.16.193
#
pim
ssm-policy 2000
#
ip route-static 192.168.0.0 255.255.0.0 192.168.32.123
#

#
stelnet server enable
#
TFTP client-source -i LoopBack0
#
easy-operation dtls disable
#

#
dot1x-access-profile name dot1x_access_profile
#
mac-access-profile name mac_access_profile
#
ops
#
return
