DHCP cannot provide more IP addresses dynamically

Publication Date:  2016-11-08
Issue Description

Topology: 


Software version of both USGs:

Huawei Versatile Security Platform Software
Software Version: USG6600 V100R001C30SPC600  (VRP (R) Software, Version 5.30)
Copyright (C) 2013-2016 Huawei Technologies Co., Ltd.

Configuration USG6600_FW1_FUAC

#
dhcp enable
#
hrp mirror session enable
 hrp enable
 undo hrp ospfv3-cost adjust-enable
 hrp loadbalance-device
 hrp interface GigabitEthernet1/0/0 remote 10.0.0.2
 hrp interface GigabitEthernet1/0/2 remote 172.16.1.102
#
interface GigabitEthernet2/0/5
 description To_WiFi
 alias To_WIFI
 ip address 172.16.48.2 255.255.240.0
 dhcp select interface
 dhcp server ip-range 172.16.48.100 172.16.63.254
 dhcp server forbidden-ip 172.16.16.1 172.16.16.10
 dhcp server forbidden-ip 172.16.17.1 172.16.17.10
 dhcp server forbidden-ip 172.16.18.1 172.16.18.10
 dhcp server forbidden-ip 172.16.19.1 172.16.19.10
 dhcp server gateway-list 172.16.48.1
 dhcp server dns-list 186.154.251.230 4.2.2.3
 dhcp server domain-name fuac.edu.co
 dhcp server expired day 0 hour 0 minute 15
 vrrp vrid 7 virtual-ip 172.16.48.1 active
 hrp track active
 hrp track standby
 lldp enable
 lldp tlv-enable basic-tlv all
 service-manage https permit
 service-manage ping permit
 service-manage ssh permit
 bandwidth ingress 30000
 bandwidth egress 30000
#
firewall zone name WIFI
 description WIFI_FUAC
 set priority 40
 add interface GigabitEthernet2/0/5
#
ip address-set WiFi_172.16.48.0 type object
 description WiFi
 address 0 172.16.48.0 mask 20
#
ip address-set "GATEWAY WIFI" type object
 description GATEWAY WIFI
 address 0 172.16.16.2 mask 32
#
security-policy
 rule name WiFi_To_INET
  policy logging
  session logging
  source-zone WIFI
  destination-zone untrust
  source-address address-set WiFi_172.16.48.0
  action permit
 rule name Gestion_Equipos_LAN
  description Gestion_Equipos
  policy logging
  session logging
  source-zone WIFI
  destination-zone LAN
  action permit
 rule name "DMZ TO FIREWALL  TO DHCP"
  description DMZ TO FIREWALL  TO DHCP
  disable
  source-zone dmz
  destination-zone trust
  destination-address address-set "GATEWAY WIFI"
  action permit

Configuration USG6600_FW2_FUAC

#
dhcp enable
#
hrp mirror session enable
 hrp enable
 undo hrp ospfv3-cost adjust-enable
 hrp loadbalance-device
 hrp interface GigabitEthernet1/0/0 remote 10.0.0.1
 hrp interface GigabitEthernet1/0/2 remote 172.16.1.104
#
interface GigabitEthernet2/0/5
 description To_WiFi
 alias To_WIFI
 ip address 172.16.48.3 255.255.240.0
 dhcp select interface
 dhcp server ip-range 172.16.48.100 172.16.63.254
 dhcp server forbidden-ip 172.16.16.1 172.16.16.10
 dhcp server forbidden-ip 172.16.17.1 172.16.17.10
 dhcp server forbidden-ip 172.16.18.1 172.16.18.10
 dhcp server forbidden-ip 172.16.19.1 172.16.19.10
 dhcp server gateway-list 172.16.48.1
 dhcp server dns-list 186.154.251.230 4.2.2.3
 dhcp server domain-name fuac.edu.co
 dhcp server expired day 0 hour 0 minute 15
 vrrp vrid 7 virtual-ip 172.16.48.1 standby
 hrp track active
 hrp track standby
 lldp enable
 lldp tlv-enable basic-tlv all
 service-manage https permit
 service-manage ping permit
 service-manage ssh permit
 bandwidth ingress 30000
 bandwidth egress 30000
#
firewall zone name WIFI
 description WIFI_FUAC
 set priority 40
 add interface GigabitEthernet2/0/5
#
ip address-set WiFi_172.16.48.0 type object
 description WiFi
 address 0 172.16.48.0 mask 20
#
ip address-set "GATEWAY WIFI" type object
 description GATEWAY WIFI
 address 0 172.16.16.2 mask 32
#
security-policy
 rule name WiFi_To_INET
  policy logging
  session logging
  source-zone WIFI
  destination-zone untrust
  source-address address-set WiFi_172.16.48.0
  action permit
 rule name Gestion_Equipos_LAN
  description Gestion_Equipos
  policy logging
  session logging
  source-zone WIFI
  destination-zone LAN
  action permit
 rule name "DMZ TO FIREWALL  TO DHCP"
  description DMZ TO FIREWALL  TO DHCP
  disable
  source-zone dmz
  destination-zone trust
  destination-address address-set "GATEWAY WIFI"
  action permit
#

 

Symptom:

Users connected to the WiFi network should obtain an IP address dynamically, but only around 300 users get one successfully; the rest cannot, even though the pool supports 4094 hosts.

The DHCP server is configured on interface GigabitEthernet 2/0/5:

 

GigabitEthernet2/0/5 current state : UP
Line protocol current state : UP
The Maximum Transmit Unit : 1500 bytes
input packets : 71834, bytes : 9377678, multicasts : 70553
output packets : 3910, bytes : 343776, multicasts : 3368
Directed-broadcast packets:
 received packets:          915, sent packets:           34
 forwarded packets:           0, dropped packets:           0
ARP packet input number:       22730
  Request packet:              22649
  Reply packet:                   81
  Unknown packet:                  0
Internet Address is 172.16.48.2/20
Broadcast address : 172.16.63.255
TTL invalid packet number:         0
ICMP packet input number:         10
  Echo reply:                      9
  Unreachable:                     1
  Source quench:                   0
  Routing redirect:                0
  Echo request:                    0
  Router advert:                   0
  Router solicit:                  0
  Time exceed:                     0
  IP header bad:                   0
  Timestamp request:               0
  Timestamp reply:                 0
  Information request:             0
  Information reply:               0
  Netmask request:                 0
  Netmask reply:                   0
  Unknown type:                    0
DHCP packet deal mode:  interface


Handling Process

  • Verifying from its statistics that the DHCP server is working.

 

HRP_A<USG6600_FW2_FUAC> dis dhcp server statistics
10:58:12  2016/09/30
    Global Pool:
     Pool Number:             0
     Binding
      Auto:                   0
      Manual:                 0
      Expire:                 0
    Interface Pool:
     Pool Number:             2
     Binding
      Auto:                   56
      Manual:                 0
      Expire:                 109
    Boot Request:             166329
     Dhcp Discover:           45575
     Dhcp Request:            116303
     Dhcp Decline:            6
     Dhcp Release:            0
     Dhcp Inform:             4445
    Boot Reply:               38645
     Dhcp Offer:              29414
     Dhcp Ack:                226
     Dhcp Nak:                9005
    Bad Messages:             44

    HRP Message:
     Actice send msg:         0
     Standby recv msg:        0
     Actice send lease:       0
     Standby recv lease:      0

  • Confirming whether the DHCP server is assigning IP addresses dynamically.

 

HRP_A<USG6600_FW2_FUAC>dis dhcp server ip-in-use interface g 2/0/5
10:57:52  2016/09/30
 IP address        Hardware address    Lease expiration            Type
 172.16.48.26      50f0-d35b-94fa      2016-10-01 09:56:53         Auto:COMMITED
 172.16.48.65      e098-61c9-f780      2016-10-01 09:57:23         Auto:COMMITED
 172.16.48.45      e490-7eeb-a1e9      2016-10-01 09:57:07         Auto:COMMITED
 172.16.48.134     e0f5-c670-c19e      2016-09-30 10:58:46         Auto:OFFERED
 172.16.48.39      a8fa-d8f1-dba7      2016-10-01 10:37:50         Auto:COMMITED
 172.16.48.50      3075-1245-2381      2016-10-01 10:32:06         Auto:COMMITED
 172.16.48.52      6809-27cb-332c      2016-10-01 10:15:59         Auto:COMMITED
 172.16.48.99      b85a-735a-0225      2016-09-30 10:58:20         Auto:OFFERED
 172.16.48.70      3010-b32d-b82e      2016-10-01 10:29:21         Auto:COMMITED
 172.16.48.11      6051-2c6b-33bf      2016-10-01 09:56:47         Auto:COMMITED
 172.16.48.75      5848-22dc-11ac      2016-10-01 09:57:34         Auto:COMMITED
 172.16.48.58      1821-9573-67c0      2016-10-01 09:57:16         Auto:COMMITED
 172.16.48.151     8832-9b5b-3f7a      2016-09-30 10:58:36         Auto:OFFERED
 172.16.48.20      1c1a-c006-88e8      2016-10-01 10:52:16         Auto:COMMITED
 172.16.48.62      4078-6aac-0b97      2016-10-01 09:57:20         Auto:COMMITED
 172.16.48.113     5c51-88b9-454a      2016-09-30 10:58:49         Auto:OFFERED
 172.16.48.21      7011-24c9-b068      2016-10-01 10:14:38         Auto:COMMITED
 172.16.48.30      bc44-8610-dc20      2016-10-01 09:56:56         Auto:COMMITED
 172.16.48.127     2054-76da-8847      2016-09-30 10:58:51         Auto:OFFERED
 172.16.48.61      00eb-2d83-b750      2016-10-01 10:26:40         Auto:COMMITED
 172.16.48.49      206e-9c56-36fb      2016-10-01 09:57:12         Auto:COMMITED
 172.16.48.31      4c8d-79cc-227a      2016-10-01 10:42:50         Auto:COMMITED
 172.16.48.16      9068-c31e-24be      2016-10-01 09:56:48         Auto:COMMITED
 172.16.48.27      2c6e-8596-52b7      2016-10-01 10:46:46         Auto:COMMITED
 172.16.48.59      9cd9-17ad-9907      2016-09-30 10:58:35         Auto:OFFERED
 172.16.48.107     64a6-51fc-671b      2016-09-30 10:58:46         Auto:OFFERED
 172.16.48.13      24da-9b46-ed22      2016-09-30 10:58:52         Auto:OFFERED
 172.16.48.120     b418-d10a-9eb4      2016-10-01 10:33:23         Auto:COMMITED
 172.16.48.89      accf-8513-dc0b      2016-09-30 10:58:22         Auto:OFFERED
 172.16.48.104     c81e-e731-dd20      2016-09-30 10:58:49         Auto:OFFERED
 172.16.48.84      94d8-59a3-7c19      2016-10-01 10:53:12         Auto:COMMITED
 172.16.48.79      1430-c6c8-f147      2016-10-01 10:43:48         Auto:COMMITED
 172.16.48.82      c407-2fdf-7ab8      2016-10-01 10:55:41         Auto:COMMITED
 172.16.48.67      9068-c379-805d      2016-10-01 10:06:02         Auto:COMMITED
 172.16.48.42      04e6-7690-32f9      2016-10-01 09:57:04         Auto:COMMITED
 172.16.48.64      d09d-ab70-4064      2016-10-01 09:57:25         Auto:COMMITED
 172.16.48.150     d85d-e2c9-3a13      2016-09-30 10:58:52         Auto:OFFERED
 172.16.48.25      1436-c6d2-c58c      2016-10-01 10:49:39         Auto:COMMITED
 172.16.48.155     24a2-e18f-1de7      2016-09-30 10:58:57         Auto:OFFERED
 172.16.48.95      8c00-6d85-d6f8      2016-10-01 10:54:16         Auto:COMMITED
 172.16.48.41      8c7b-9d43-e981      2016-10-01 10:06:58         Auto:COMMITED
 172.16.48.51      74e2-f59a-551c      2016-10-01 10:51:41         Auto:COMMITED
 172.16.48.48      a470-d686-2dc4      2016-10-01 09:57:11         Auto:COMMITED
 172.16.48.160     a08d-16f8-e74a      2016-09-30 10:59:00         Auto:OFFERED
 172.16.48.57      d051-62a2-dc83      2016-10-01 09:57:16         Auto:COMMITED
 172.16.48.66      b8bc-1b99-ff63      2016-10-01 10:34:52         Auto:COMMITED
 172.16.48.76      accf-5c64-b2af      2016-10-01 10:44:14         Auto:COMMITED
 172.16.48.4       f4dc-f970-6401      2016-10-01 09:56:51         Auto:COMMITED
 172.16.48.17      8870-8c84-f6a5      2016-10-01 10:53:31         Auto:COMMITED
 172.16.48.162     60be-b5bf-3ae3      2016-09-30 10:59:01         Auto:OFFERED
 172.16.48.29      50f0-d39e-2afd      2016-10-01 10:09:32         Auto:COMMITED

 

  • Debugging the DHCP service.

 

*0.399153280 USG6600_FW2_FUAC DHCPS/7/DHCPS_DEBUG_COMMON:
DhcpServer: receive DHCPDISCOVER from 4CFB-4564-A371
*0.399153280 USG6600_FW2_FUAC DHCPS/7/DHCPS_DEBUG_COMMON:
DhcpServer: Sending ICMP ECHO to Target IP: 172.16.48.103
*0.399153280 USG6600_FW2_FUAC DHCPS/7/DHCPS_DEBUG_COMMON:
DhcpServer: User Accept Other's Offer
*0.399153280 USG6600_FW2_FUAC DHCPS/7/DHCPS_DEBUG_COMMON:
DhcpServer: User Accept Other's Offer, interface pool
*0.399153280 USG6600_FW2_FUAC DHCPS/7/DHCPS_DEBUG_COMMON:
DhcpServer: add IP to free ip-list
*0.399154280 USG6600_FW2_FUAC DHCPS/7/DHCPS_DEBUG_COMMON:
DhcpServer: Send DHCPOFFER to MAC=> 4CFB-4564-A371 Offer IP=> 172.16.48.103 through 172.16.48.103
*0.399154380 USG6600_FW2_FUAC DHCPS/7/DHCPS_DEBUG_COMMON:
DhcpServer: receive DHCPREQUEST from 4CFB-4564-A371
*0.399159000 USG6600_FW2_FUAC DHCPS/7/DHCPS_DEBUG_COMMON:
DhcpServer: receive DHCPREQUEST from 4CFB-4564-A371
*0.399154380 USG6600_FW2_FUAC DHCPS/7/DHCPS_DEBUG_COMMON:
DhcpServer:User Accept Other's Offer
*0.399154380 USG6600_FW2_FUAC DHCPS/7/DHCPS_DEBUG_COMMON:
DhcpServer: User Accept Other's Offer, interface pool
*0.399154380 USG6600_FW2_FUAC DHCPS/7/DHCPS_DEBUG_COMMON:
DhcpServer: add IP to free ip-list

 

  • Capturing packets on the client.
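The debug output above shows the failure pattern: the server sends a DHCPOFFER, the DHCPREQUEST arrives, and the server logs "User Accept Other's Offer" and returns the address to the free list instead of acknowledging it. The following Python, added here and not part of the original case, walks a DHCPS_DEBUG_COMMON log and lists the clients whose request ended that way; the sample log is constructed from the lines above (timestamp prefix stripped), and lines that name no MAC are assumed to belong to the client of the most recent DHCPREQUEST.

```python
import re

# Constructed sample, modelled on the DHCPS_DEBUG_COMMON lines above with the
# timestamp prefix stripped. Lines that name no MAC are attributed to the client
# of the most recent DHCPREQUEST (assumption: the debug stream is sequential).
SAMPLE_DEBUG = """\
DhcpServer: receive DHCPDISCOVER from 4CFB-4564-A371
DhcpServer: Send DHCPOFFER to MAC=> 4CFB-4564-A371 Offer IP=> 172.16.48.103 through 172.16.48.103
DhcpServer: receive DHCPREQUEST from 4CFB-4564-A371
DhcpServer:User Accept Other's Offer
DhcpServer: User Accept Other's Offer, interface pool
DhcpServer: add IP to free ip-list
DhcpServer: receive DHCPDISCOVER from 00AA-BBCC-0001
DhcpServer: Send DHCPOFFER to MAC=> 00AA-BBCC-0001 Offer IP=> 172.16.48.110 through 172.16.48.110
DhcpServer: receive DHCPREQUEST from 00AA-BBCC-0001
"""

MAC_RE = re.compile(r"(?:from|MAC=>) ([0-9A-Fa-f]{4}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{4})")
OFFER_RE = re.compile(r"Offer IP=> (\d+\.\d+\.\d+\.\d+)")

def track_transactions(debug_text):
    """Return {mac: last_state} for every client seen in the debug stream.
    States: 'discover', 'offered:<ip>', 'requested:<ip>', 'freed:<ip>'.
    'freed' = the offered address went back to the pool right after the
    DHCPREQUEST with no DHCPACK, which is exactly the symptom in this case."""
    state, last_mac = {}, None
    for line in debug_text.splitlines():
        mac = MAC_RE.search(line)
        if mac:
            last_mac = mac.group(1).upper()
        if last_mac is None:
            continue
        ip = state.get(last_mac, "").rpartition(":")[2]  # IP carried so far
        if "DHCPDISCOVER" in line:
            state[last_mac] = "discover"
        elif "DHCPOFFER" in line:
            state[last_mac] = "offered:" + OFFER_RE.search(line).group(1)
        elif "DHCPREQUEST" in line:
            state[last_mac] = "requested:" + ip
        elif "free ip-list" in line and state.get(last_mac, "").startswith("requested"):
            state[last_mac] = "freed:" + ip
    return state

def clients_without_ack(debug_text):
    """MACs whose requested lease was freed instead of acknowledged."""
    return sorted(m for m, s in track_transactions(debug_text).items()
                  if s.startswith("freed:"))
```

Run against a full debug capture, a non-empty result from clients_without_ack is the DHCP-side fingerprint of the HRP/VRRP mismatch described under Root Cause, without needing a packet capture on the client.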

Root Cause

According to the capture taken on one client PC (A4DB-3017-FA76), the client receives a DHCP Offer for IP address 172.16.48.15 from the DHCP server (172.16.48.1).

The client PC (A4DB-3017-FA76) then sends a DHCP Request for IP address 172.16.48.15, but no DHCP reply comes back from the DHCP server.

The same behaviour occurs on the other client PCs: no DHCP ACK from the DHCP server.

The customer reports that DHCP worked fine before the USG upgrade from V100R001C10 to V100R001C30.

According to the configuration, the USGs work in HRP mode with VRRP in load-balance mode, so DHCP behaves as follows.

When the HRP status and the VRRP status are both "Active" on one USG, its DHCP server can allocate IP addresses to clients; if the two statuses differ, the DHCP server does not respond to clients' DHCP requests, so clients cannot obtain an IP address.

This is why the DHCP server worked normally before the upgrade: the HRP and VRRP status on G2/0/5 were both "Active":

HRP_A<USG6600_FW1_FUAC>
=====================================================
  ===============display hrp state===============
=====================================================
13:12:03  2016/09/30
The firewall's config state is: ACTIVE

Backup channel usage: 0.22%
Time elapsed after the last switchover: 0 days, 1 hours, 14 minutes
Current state of virtual routers configured as active:
           GigabitEthernet1/0/9.6    vrid  85 : initialize (down)
           GigabitEthernet1/0/9.5    vrid  84 : initialize (down)
           GigabitEthernet1/0/9.4    vrid  83 : initialize (down)
           GigabitEthernet1/0/9.3    vrid  82 : initialize (down)
           GigabitEthernet1/0/9.2    vrid  81 : initialize (down)
           GigabitEthernet1/0/9.1    vrid  80 : initialize (down)
             GigabitEthernet2/0/4    vrid   2 : active
             GigabitEthernet2/0/5    vrid   7 : active
         GigabitEthernet1/0/8.503    vrid   6 : active
             GigabitEthernet1/0/4    vrid  30 : initialize (down)
             GigabitEthernet1/0/2    vrid   1 : active

 

 

But after the upgrade the USGs switched HRP status, so the HRP and VRRP statuses no longer match (FW1 switched to standby and FW2 became Active, but the VRRP group on G2/0/5 is still standby on FW2):

So while the HRP mode of the USGs is "loadbalance-device", we cannot ensure that the HRP status stays the same as the VRRP status on G2/0/5.

It should be changed to "hrp track active" or "hrp track standby"; then only one USG can be "active" at a time, and its HRP status stays synchronized with the VRRP status.
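A check for the mismatch just described, added here as an illustration rather than anything from the case or from Huawei: it parses `display hrp state` output (a constructed sample modelled on the one above, as FW2 would show it after the upgrade) and reports every DHCP-serving interface whose VRRP role differs from the box's HRP role. DHCP_INTERFACES is an assumed input, the interfaces carrying `dhcp select interface` in the running config.

```python
import re

# Constructed sample modelled on the 'display hrp state' output quoted above,
# as FW2 would look after the upgrade: HRP is ACTIVE while the VRRP group on
# G2/0/5 (the interface that owns the DHCP pool) is still standby.
SAMPLE_HRP_STATE_FW2 = """\
The firewall's config state is: ACTIVE

Backup channel usage: 0.22%
Time elapsed after the last switchover: 0 days, 1 hours, 14 minutes
Current state of virtual routers configured as active:
             GigabitEthernet2/0/4    vrid   2 : active
             GigabitEthernet2/0/5    vrid   7 : standby
             GigabitEthernet1/0/4    vrid  30 : initialize (down)
             GigabitEthernet1/0/2    vrid   1 : active
"""

# Assumed input: interfaces with 'dhcp select interface' in the running config.
DHCP_INTERFACES = {"GigabitEthernet2/0/5"}

STATE_RE = re.compile(r"config state is: (\w+)")
VRRP_RE = re.compile(r"^\s*(\S+)\s+vrid\s+(\d+)\s*:\s*(\w+)", re.M)

def parse_hrp_state(text):
    """Return (hrp_role, {interface: (vrid, vrrp_role)}) from display output.
    Roles are lower-cased; 'initialize (down)' is reported as 'initialize'."""
    hrp = STATE_RE.search(text).group(1).lower()
    vrrp = {iface: (int(vrid), role.lower())
            for iface, vrid, role in VRRP_RE.findall(text)}
    return hrp, vrrp

def dhcp_interfaces_at_risk(text, dhcp_interfaces=DHCP_INTERFACES):
    """DHCP-serving interfaces whose VRRP role differs from the HRP role.
    Per the case above, the interface pool only answers when both roles are
    'active' on the same box, so each mismatch here is a silent DHCP outage."""
    hrp, vrrp = parse_hrp_state(text)
    return sorted(i for i in dhcp_interfaces if i in vrrp and vrrp[i][1] != hrp)
```

Running this on both firewalls after every HRP switchover (or from a monitoring job) catches the condition before users notice, which a DHCP pool utilisation alarm would not, since the pool here was far from full.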


Solution

Because of the amount of traffic on the current network, the customer decided to configure the DHCP server on the core switch and leave the USGs working in 'Load-Balance'. So the USGs will work in 'Active' and 'Standby' mode.

END