S5720/S6720 DHCP Relay problem

mkabanov · Опубликовано 2021-9-14 22:10:35

I propose to understand further
1) In general, a NAC message can be issued if the router (in the role of a DHCP relay) believes that the response to the request is issued in the wrong direction:
1-1) conditionally, this can be represented as protection against the translation of internal DHCP to external interfaces
1-2)

That is, the router (relay-agent) does not issue DHCP responses to the "wrong" direction

2) So privide full config :)

Развернуть

Victorovski · Опубликовано 2021-9-14 11:26:40

can you share any debug information?
Maybe this can be useful for you - solution is restart DHCP-server:
https://support.huawei.com/enterprise/en/knowledge/EKB1001273893

Развернуть

Victorovski · Опубликовано 2021-9-14 11:26:40

can you share any debug information?
Maybe this can be useful for you - solution is restart DHCP-server:
https://support.huawei.com/enterprise/en/knowledge/EKB1001273893

Развернуть

mkabanov · Опубликовано 2021-9-14 11:58:27

1) Can you try to NOT use loopback?
2) software upgrade - ?

Развернуть

user_4200661 · Опубликовано 2021-9-14 13:39:49

thanks for the answer, but unfortunately this is not our case.
we have no problems with Cisco ASR920 and the same DHCP server, the problem is only with S5720 and it started after replacing ME3400 with S5720.
before switching to S5720, the logs on the DHCP server were like this:

2021-08-16 12:05 3426167601 REQUEST: [28:28:5d:de:bd:75] via (85.34.48.1) circuit: [0x45746865726e6574302f302f323a323032372e343039362047617374656c6c6f2c34392f302f302f302f302f30] remote_id: [0xcccc814715ff] ...
2021-08-16 12:05 3426167601 ACK: 85.34.49.46 to [28:28:5d:de:bd:75] ... circuit: [] ... real-mac: []
2021-08-16 12:05 3426167601 REQUEST: [28:28:5d:de:bd:75] via 85.34.48.1) circuit: [0x45746865726e6574302f302f323a323032372e343039362047617374656c6c6f2c34392f302f302f302f302f30] remote_id: [0xcccc814715ff] ...
2021-08-16 12:05 3426167601 ACK: 85.34.49.46 to [28:28:5d:de:bd:75] ... circuit: [] ... real-mac: []
2021-08-16 12:05 3426167601 REQUEST: [28:28:5d:de:bd:75] via (85.34.48.1) circuit: [0x45746865726e6574302f302f323a323032372e343039362047617374656c6c6f2c34392f302f302f302f302f30] remote_id: [0xcccc814715ff] ...
2021-08-16 12:05 3426167601 ACK: 85.34.49.46 to [28:28:5d:de:bd:75] ... circuit: [] ... real-mac: []

after switching logs with problem :

2021-08-16 12:05 3426167601 REQUEST: [28:28:5d:de:bd:75] via (85.34.48.1) circuit: [0x45746865726e6574302f302f323a323032372e343039362047617374656c6c6f2c34392f302f302f302f302f30] remote_id: [0xcccc814715ff] ...
2021-08-16 12:05 3426167601 ACK: 85.34.49.46 to [28:28:5d:de:bd:75] ... circuit: [] ... real-mac: []
2021-08-16 12:05 3426167601 REQUEST: [28:28:5d:de:bd:75] via (85.34.48.1) circuit: [0x45746865726e6574302f302f323a323032372e343039362047617374656c6c6f2c34392f302f302f302f302f30] remote_id: [0xcccc814715ff] ...
2021-08-16 12:05 3426167601 ACK: 85.34.49.46 to [28:28:5d:de:bd:75] ... circuit: [] ... real-mac: []
2021-08-16 12:05 3426167601 REQUEST: [28:28:5d:de:bd:75] via (85.34.48.1) circuit: [0x45746865726e6574302f302f323a323032372e343039362047617374656c6c6f2c34392f302f302f302f302f30] remote_id: [0xcccc814715ff] ...
2021-08-16 12:05 3426167601 ACK: 85.34.49.46 to [28:28:5d:de:bd:75] ... circuit: [] ... real-mac: []
2021-08-16 12:05 3426167601 REQUEST: [28:28:5d:de:bd:75] via (85.34.48.1) circuit: [0x45746865726e6574302f302f323a323032372e343039362047617374656c6c6f2c34392f302f302f302f302f30] remote_id: [0xcccc814715ff] ...
2021-08-16 12:05 3426167601 ACK: 85.34.49.46 to [28:28:5d:de:bd:75] ... circuit: [] ... real-mac: []
2021-08-16 12:05 3426167601 REQUEST: [28:28:5d:de:bd:75] via (85.34.48.1) circuit: [0x45746865726e6574302f302f323a323032372e343039362047617374656c6c6f2c34392f302f302f302f302f30] remote_id: [0xcccc814715ff] ...
2021-08-16 12:05 3426167601 ACK: 85.34.49.46 to [28:28:5d:de:bd:75] ... circuit: [] ... real-mac: []
2021-08-16 12:05 3426167601 DISCOVER: [28:28:5d:de:bd:75] via (85.34.48.1) Keenetic_Start circuit: [0x45746865726e6574302f302f323a323032372e343039362047617374656c6c6f2c34392f302f302f302f302f30] remote_id: [0xcccc814715ff] real-mac: []
2021-08-16 12:05 3426167601 OFFER: 85.34.49.46 to [28:28:5d:de:bd:75] ...
2021-08-16 12:05 3426167601 REQUEST: [28:28:5d:de:bd:75] via (85.34.48.1) circuit: [0x45746865726e6574302f302f323a323032372e343039362047617374656c6c6f2c34392f302f302f302f302f30] remote_id: [0xcccc814715ff] ...
2021-08-16 12:05 3426167601 ACK: 85.34.49.46 to [28:28:5d:de:bd:75] ... circuit: [] ... real-mac:

client cannot get ip address for 11 minutes

in logs S5720 it looks like this :

Sep 14 2021 11:39:50.90.1+04:00 HUAWEI5720 DHCP/7/DEBUG:[DHCP-pkt]:Receive DHCP NAK message.orgif:null srcif:null L3if:null DstIf:GE0/0/1 srcmac:68cc-6ea8-027f dstmac:ffff-ffff-ffff vsi:- vlan:329/0 srcip:17.9.6.201 dstip:255.255.255.255 VPN:- src-port:67 dst-port:68 msgtype:BOOT-REPLY dhcp msgtype:DHCP NAK bflag:uc chaddr:c434-6b07-22b1 ciaddr:0.0.0.0 reqip:0.0.0.0 giaddr:0.0.0.0 serverid:17.9.6.201 yiaddr:0.0.0.0 xid:0x14de2feb

Sep 14 2021 11:39:50.90.2+04:00 HUAWEI5720 DHCP/7/DEBUG:[DHCP-info]:The packet with option56:Requested IP address not in pool

1)Can you try to NOT use loopback? yes, did not help
2)software upgrade - ? we have the last version

Развернуть

mkabanov · Опубликовано 2021-9-14 22:10:35

I propose to understand further
1) In general, a NAC message can be issued if the router (in the role of a DHCP relay) believes that the response to the request is issued in the wrong direction:
1-1) conditionally, this can be represented as protection against the translation of internal DHCP to external interfaces
1-2)

That is, the router (relay-agent) does not issue DHCP responses to the "wrong" direction

2) So privide full config :)

Развернуть

user_4200661 · Опубликовано 2021-9-20 09:08:28

the problem remains,
the configuration is the simplest as in the example of the Huawei Hedex (example for configuring a dhcp relay agent - dhcp relay agent and dhcp server on the same network).

directly connected vlan where is the dhcp server:

interface XGigabitEthernet0/0/1
port link-type hybrid
port hybrid tagged vlan 380 389

interface Vlanif380
ip address 17.9.6.209 255.255.255.252

and vlan for users:

interface Vlanif329
ip address 17.9.6.201 255.255.255.248
dhcp select relay
dhcp relay server-ip 17.9.6.210

interface GigabitEthernet0/0/1
port link-type hybrid
port hybrid tagged vlan 329

dhcp enable

Sep 20 2021 10:04:51.174.1+04:00 HUAWEI5720_Michurina74 DHCP/7/DEBUG:[DHCP-pkt]:Receive DHCP packet (srcif:-1-null orgif:-1-null destif:GigabitEthernet0/0/1 length:383 mflg:BC/BC).

Sep 20 2021 10:04:51.174.2+04:00 HUAWEI5720_Michurina74 DHCP/7/DEBUG:[DHCP-info]:Message with options: 53 54 56 82

Sep 20 2021 10:04:51.174.3+04:00 HUAWEI5720_Michurina74 DHCP/7/DEBUG:[DHCP-pkt]:Receive DHCP NAK message.orgif:null srcif:null L3if:null DstIf:GE0/0/1 srcmac:68cc-6ea8-027f dstmac:ffff-ffff-ffff vsi:- vlan:329/0 srcip:17.9.6.201 dstip:255.255.255.255 VPN:- src-port:67 dst-port:68 msgtype:BOOT-REPLY dhcp msgtype:DHCP NAK bflag:uc chaddr:50ff-2024-121b ciaddr:0.0.0.0 reqip:0.0.0.0 giaddr:0.0.0.0 serverid:17.9.6.201 yiaddr:0.0.0.0 xid:0xbf187c23

Sep 20 2021 10:04:51.174.4+04:00 HUAWEI5720_Michurina74 DHCP/7/DEBUG:[DHCP-info]:The packet with option56:Requested IP address not in pool

Sep 20 2021 10:04:51.174.5+04:00 HUAWEI5720_Michurina74 DHCP/7/DEBUG:[DHCPSNP-pkt]:Receive DHCP NAK message.(srcif:null, srcl2if:null, dstif:GE0/0/1, vsi:65535, vlan(O/I:329/0), mac(client:50ff-2024-121b src:68cc-6ea8-027f dst:ffff-ffff-ffff), port(src:67 dst:68), bd:0, vxlan(src:0.0.0.0,dst0.0.0.0,src-ipv6:::,dst-ipv6:::))

Развернуть

user_4200661 · Опубликовано 2021-9-21 08:47:21

<HUAWEI5720>dis cur
!Software Version V200R019C10SPC500
#
sysname HUAWEI5720
#
FTP server enable
#

#
vcmp role silent
#
vlan batch 329 380 389 400 510
#
lnp disable
#
loopback-detect auto disable
#
multicast routing-enable
#

igmp-snooping enable
#

undo lldp enable
#

#
arp learning ip-network-cross enable
#
ecmp local-preference disable
#
route low-priority enable
#
set flow-change-ratio input-broadcast-detect disable
#
dhcp enable
#
dhcp snooping enable
#
undo portal url-encode enable
portal pass dns enable
#
diffserv domain default
#

mpls lsr-id 10.44.44.7
mpls
#
mpls l2vpn
#
vsi 510 static
pwsignal ldp
vsi-id 510
peer 10.44.44.11
mtu 1580
encapsulation ethernet
#
mpls ldp
graceful-restart
#
#
mpls ldp remote-peer nag136
remote-ip 10.44.44.11
#
pki realm default
#
acl number 2000
rule 5 permit source 232.0.0.0 0.255.255.255
acl number 2009
rule 5 deny
#

acl name mvr_in 3999
rule 5 deny tcp destination-port eq 139
rule 10 deny udp destination-port eq 135
rule 15 deny tcp destination-port eq 445
rule 18 permit ip destination 232.0.0.0 0.255.255.255
rule 25 permit ip destination 224.2.127.254 0
rule 30 deny ip
#
keychain isis mode absolute
receive-tolerance 100
key-id 1
algorithm md5
key-string cipher xxxxx
default send-key-id
#
free-rule-template name default_free_rule
#
portal-access-profile name portal_access_profile
#
drop-profile default
#
vlan 400
igmp-snooping enable
igmp-snooping ssm-policy 2009
#
#
aaa
authentication-scheme default
authentication-mode local
authentication-scheme radius
authentication-mode radius
authorization-scheme default
authorization-mode local
accounting-scheme default
accounting-mode none
domain default
authentication-scheme default
accounting-scheme default
domain default_admin
authentication-scheme default
accounting-scheme default
undo local-user admin

#
isis 1
is-level level-2
cost-style wide
timer lsp-generation 5 1 20 level-2
flash-flood level-2
ldp-sync enable
network-entity 49.0001.0010.4444.0007.00
timer spf 5 1 20
log-peer-change
timer lsp-max-age 65535
timer lsp-refresh 65000
#
ntp-service server disable
ntp-service ipv6 server disable
ntp-service unicast-peer 192.168.32.123
#
interface Vlanif1
#
interface Vlanif329
ip address unnumbered interface LoopBack1
dhcp select relay
dhcp relay server-ip 17.9.6.210
dhcp relay information enable
dhcp relay information strategy keep
#
interface Vlanif380
ip address 17.9.6.209 255.255.255.252
#
interface Vlanif389
description ISIS_link to_N136
mtu 9216
ip address 17.9.6.243 255.255.255.254
isis enable 1
isis circuit-type p2p
isis circuit-level level-2
isis authentication-mode md5 cipher xxx
isis ldp-sync
pim sm
mpls
mpls mtu 1580
mpls ldp
#
interface Vlanif400
description MVR
ip address 172.16.3.9 255.255.255.254
pim sm
igmp enable
igmp ssm-mapping enable
#
interface Vlanif510
l2 binding vsi 510
#
interface MEth0/0/1
ip address 192.168.32.7 255.255.255.128
#
interface GigabitEthernet0/0/1
port link-type hybrid
port hybrid tagged vlan 329 400 510
#
interface GigabitEthernet0/0/2
#
interface GigabitEthernet0/0/3
#
interface GigabitEthernet0/0/4
#
interface GigabitEthernet0/0/5
#
interface GigabitEthernet0/0/6
#
interface GigabitEthernet0/0/7
#
interface GigabitEthernet0/0/8
#
interface GigabitEthernet0/0/9
#
interface GigabitEthernet0/0/10
#
interface GigabitEthernet0/0/11
#
interface GigabitEthernet0/0/12
#
interface GigabitEthernet0/0/13
#
interface GigabitEthernet0/0/14
#
interface GigabitEthernet0/0/15
#
interface GigabitEthernet0/0/16
#
interface GigabitEthernet0/0/17
#
interface GigabitEthernet0/0/18
#
interface GigabitEthernet0/0/19
#
interface GigabitEthernet0/0/20
#
interface GigabitEthernet0/0/21
#
interface GigabitEthernet0/0/22
#
interface GigabitEthernet0/0/23
#
interface GigabitEthernet0/0/24
#
interface GigabitEthernet0/0/25
#
interface GigabitEthernet0/0/26
#
interface GigabitEthernet0/0/27
#
interface GigabitEthernet0/0/28
#
interface XGigabitEthernet0/0/1
description to_N136
port link-type hybrid
port hybrid tagged vlan 380 389
#
interface XGigabitEthernet0/0/2
#
interface XGigabitEthernet0/0/3
#
interface XGigabitEthernet0/0/4
#
interface NULL0
#
interface LoopBack0
ip address 10.44.44.7 255.255.255.255
isis enable 1
isis circuit-level level-2
#
interface LoopBack1
ip address 17.9.6.201 255.255.255.248
isis enable 1
isis circuit-level level-2
#
igmp
ssm-mapping 232.0.0.0 255.255.255.0 217.79.16.193
#
pim
ssm-policy 2000
#
ip route-static 192.168.0.0 255.255.0.0 192.168.32.123
#

#
stelnet server enable
#
TFTP client-source -i LoopBack0
#
easy-operation dtls disable
#

#
dot1x-access-profile name dot1x_access_profile
#
mac-access-profile name mac_access_profile
#
ops
#
return

Развернуть

S5720/S6720 DHCP Relay problem

Лучший ответ

Рекомендуемые ответы

Коммерческая тайна третьего лица

My Followers

Траблшутинг коммутаторов S-серии

Для предприятий

Для потребителей

Корпоративный сайт

Для операторов

S5720/S6720 DHCP Relay problem

Лучший ответ

Рекомендуемые ответы

Коммерческая тайна третьего лица

My Followers

Траблшутинг коммутаторов S-серии