Bug #18269

open

DHCP allocates wrong address or no addresses if hosts do not respond to icmp

Added by Martyn Smith over 7 years ago. Updated over 7 years ago.

Status: New
Priority: Normal
Assignee: -
Category: DHCP
Target version: -
Difficulty:
Triaged:
Fixed in Releases:
Found in Releases:

Description

We are using foreman-proxy and dhcp isc on a server in a secure subnet that is servicing DHCP requests via DHCPRELAY for multiple subnets. Many of these subnets have no direct communication with the DHCP server except via the relay.

The subnets are set up with the following config in /etc/dhcp/dhcpd.conf:

    subnet 10.250.130.192 netmask 255.255.255.240 {
      pool {
        failover peer "dhcppeer";
        range 10.250.130.195 10.250.130.206;
        deny dynamic bootp clients;
      }
      option routers 10.250.130.193;
    }

We've then entered a subnet with a start and end address of 10.250.130.195 and 10.250.130.206 in foreman. On using IP autosuggest for these subnets we get the following in the proxy.log

D, [2017-01-25T17:47:32.504604 #20035] DEBUG -- : accept: 10.250.143.9:47062
D, [2017-01-25T17:47:32.507528 #20035] DEBUG -- : Rack::Handler::WEBrick is invoked.
D, [2017-01-25T17:47:32.508451 #20035] DEBUG -- : verifying remote client 10.250.143.9 against trusted_hosts katello-dev.solutions.localdns1.solutions.local
D, [2017-01-25T17:47:32.508748 #20035] DEBUG -- : Loading subnets for 127.0.0.1
D, [2017-01-25T17:47:32.509025 #20035] DEBUG -- : Loading subnet data for 10.250.130.192/255.255.255.240
D, [2017-01-25T17:47:32.509200 #20035] DEBUG -- : trying to find an ip address, we got {:to=>"10.250.130.206", :from=>"10.250.130.195"}
D, [2017-01-25T17:47:32.511267 #20035] DEBUG -- : Searching for free IP - pinging 10.250.130.197
D, [2017-01-25T17:47:32.512040 #20035] DEBUG -- : Found a pingable IP address which does not have a Proxy::DHCP record
D, [2017-01-25T17:47:32.512135 #20035] DEBUG -- : Searching for free IP - pinging 10.250.130.198
D, [2017-01-25T17:47:32.513028 #20035] DEBUG -- : Found a pingable IP address which does not have a Proxy::DHCP record
D, [2017-01-25T17:47:32.513126 #20035] DEBUG -- : Searching for free IP - pinging 10.250.130.199
D, [2017-01-25T17:47:32.513962 #20035] DEBUG -- : Found a pingable IP address which does not have a Proxy::DHCP record
D, [2017-01-25T17:47:32.514083 #20035] DEBUG -- : Searching for free IP - pinging 10.250.130.200
D, [2017-01-25T17:47:32.514799 #20035] DEBUG -- : Found a pingable IP address which does not have a Proxy::DHCP record
D, [2017-01-25T17:47:32.514898 #20035] DEBUG -- : Searching for free IP - pinging 10.250.130.201
D, [2017-01-25T17:47:32.515542 #20035] DEBUG -- : Found a pingable IP address which does not have a Proxy::DHCP record
D, [2017-01-25T17:47:32.515643 #20035] DEBUG -- : Searching for free IP - pinging 10.250.130.202
D, [2017-01-25T17:47:32.516243 #20035] DEBUG -- : Found a pingable IP address which does not have a Proxy::DHCP record
D, [2017-01-25T17:47:32.516414 #20035] DEBUG -- : Searching for free IP - pinging 10.250.130.203
D, [2017-01-25T17:47:32.517020 #20035] DEBUG -- : Found a pingable IP address which does not have a Proxy::DHCP record
D, [2017-01-25T17:47:32.517111 #20035] DEBUG -- : Searching for free IP - pinging 10.250.130.204
D, [2017-01-25T17:47:32.517815 #20035] DEBUG -- : Found a pingable IP address which does not have a Proxy::DHCP record
D, [2017-01-25T17:47:32.517910 #20035] DEBUG -- : Searching for free IP - pinging 10.250.130.205
D, [2017-01-25T17:47:32.518539 #20035] DEBUG -- : Found a pingable IP address which does not have a Proxy::DHCP record
D, [2017-01-25T17:47:32.518638 #20035] DEBUG -- : Searching for free IP - pinging 10.250.130.206
D, [2017-01-25T17:47:32.519212 #20035] DEBUG -- : Found a pingable IP address which does not have a Proxy::DHCP record
D, [2017-01-25T17:47:32.519361 #20035] DEBUG -- : Searching for free IP - pinging 10.250.130.195
D, [2017-01-25T17:47:32.519960 #20035] DEBUG -- : Found a pingable IP address which does not have a Proxy::DHCP record
W, [2017-01-25T17:47:32.520055 #20035] WARN -- : No free IPs at 10.250.130.192/255.255.255.240
I, [2017-01-25T17:47:32.521864 #20035] INFO -- : 10.250.143.9 - - [25/Jan/2017 17:47:32] "GET /dhcp/10.250.130.192/unused_ip?from=10.250.130.195&to=10.250.130.206 HTTP/1.1" 200 11 0.0138

and no ip address is suggested.

If we remove the start and end address we get an ip address allocated by autosuggest, however, it always appears to suggest the first address which is not in the address pool and is the router address. The log for that request is below.

D, [2017-01-25T17:46:07.461799 #20035] DEBUG -- : accept: 10.250.143.9:47058
D, [2017-01-25T17:46:07.465218 #20035] DEBUG -- : Rack::Handler::WEBrick is invoked.
D, [2017-01-25T17:46:07.466170 #20035] DEBUG -- : verifying remote client 10.250.143.9 against trusted_hosts katello-dev.solutions.localdns1.solutions.local
D, [2017-01-25T17:46:07.466563 #20035] DEBUG -- : Loading subnets for 127.0.0.1
D, [2017-01-25T17:46:07.466861 #20035] DEBUG -- : Loading subnet data for 10.250.130.192/255.255.255.240
D, [2017-01-25T17:46:07.467121 #20035] DEBUG -- : trying to find an ip address, we got {:to=>nil, :from=>nil}
D, [2017-01-25T17:46:07.469323 #20035] DEBUG -- : Searching for free IP - pinging 10.250.130.194
D, [2017-01-25T17:46:07.470478 #20035] DEBUG -- : Found a pingable IP address which does not have a Proxy::DHCP record
D, [2017-01-25T17:46:07.470577 #20035] DEBUG -- : Searching for free IP - pinging 10.250.130.195
D, [2017-01-25T17:46:07.471200 #20035] DEBUG -- : Found a pingable IP address which does not have a Proxy::DHCP record
D, [2017-01-25T17:46:07.471372 #20035] DEBUG -- : Searching for free IP - pinging 10.250.130.197
D, [2017-01-25T17:46:07.472019 #20035] DEBUG -- : Found a pingable IP address which does not have a Proxy::DHCP record
D, [2017-01-25T17:46:07.472111 #20035] DEBUG -- : Searching for free IP - pinging 10.250.130.198
D, [2017-01-25T17:46:07.473152 #20035] DEBUG -- : Found a pingable IP address which does not have a Proxy::DHCP record
D, [2017-01-25T17:46:07.473245 #20035] DEBUG -- : Searching for free IP - pinging 10.250.130.199
D, [2017-01-25T17:46:07.473973 #20035] DEBUG -- : Found a pingable IP address which does not have a Proxy::DHCP record
D, [2017-01-25T17:46:07.474064 #20035] DEBUG -- : Searching for free IP - pinging 10.250.130.200
D, [2017-01-25T17:46:07.474756 #20035] DEBUG -- : Found a pingable IP address which does not have a Proxy::DHCP record
D, [2017-01-25T17:46:07.474848 #20035] DEBUG -- : Searching for free IP - pinging 10.250.130.201
D, [2017-01-25T17:46:07.475540 #20035] DEBUG -- : Found a pingable IP address which does not have a Proxy::DHCP record
D, [2017-01-25T17:46:07.475634 #20035] DEBUG -- : Searching for free IP - pinging 10.250.130.202
D, [2017-01-25T17:46:07.476403 #20035] DEBUG -- : Found a pingable IP address which does not have a Proxy::DHCP record
D, [2017-01-25T17:46:07.476497 #20035] DEBUG -- : Searching for free IP - pinging 10.250.130.203
D, [2017-01-25T17:46:07.477117 #20035] DEBUG -- : Found a pingable IP address which does not have a Proxy::DHCP record
D, [2017-01-25T17:46:07.477208 #20035] DEBUG -- : Searching for free IP - pinging 10.250.130.204
D, [2017-01-25T17:46:07.477838 #20035] DEBUG -- : Found a pingable IP address which does not have a Proxy::DHCP record
D, [2017-01-25T17:46:07.477967 #20035] DEBUG -- : Searching for free IP - pinging 10.250.130.205
D, [2017-01-25T17:46:07.478601 #20035] DEBUG -- : Found a pingable IP address which does not have a Proxy::DHCP record
D, [2017-01-25T17:46:07.478704 #20035] DEBUG -- : Searching for free IP - pinging 10.250.130.206
D, [2017-01-25T17:46:07.479426 #20035] DEBUG -- : Found a pingable IP address which does not have a Proxy::DHCP record
D, [2017-01-25T17:46:07.479538 #20035] DEBUG -- : Searching for free IP - pinging 10.250.130.193
D, [2017-01-25T17:46:09.506491 #20035] DEBUG -- : Found free IP 10.250.130.193 out of a total of 13 free IPs
I, [2017-01-25T17:46:09.508771 #20035] INFO -- : 10.250.143.9 - - [25/Jan/2017 17:46:09] "GET /dhcp/10.250.130.192/unused_ip HTTP/1.1" 200 23 2.0428

We've tried this on a pingable subnet - i.e. the local one and it works correctly, however, this means it cannot work inside our infrastructure without opening ICMP up to every subnet from the dhcp servers.
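
A triage aid for the logs above, added here as an example and not part of the original report or of the smart-proxy code: it pairs each "pinging" line in proxy.log with the verdict that follows and reports how long the probe took, so in-use verdicts that returned almost instantly can be cross-checked against real leases. The 1 ms threshold and all function names are assumptions of this example.

```ruby
require 'time'

# Six lines excerpted from the second proxy.log extract in the report above.
SAMPLE_LOG = <<~LOG
  D, [2017-01-25T17:46:07.477967 #20035] DEBUG -- : Searching for free IP - pinging 10.250.130.205
  D, [2017-01-25T17:46:07.478601 #20035] DEBUG -- : Found a pingable IP address which does not have a Proxy::DHCP record
  D, [2017-01-25T17:46:07.478704 #20035] DEBUG -- : Searching for free IP - pinging 10.250.130.206
  D, [2017-01-25T17:46:07.479426 #20035] DEBUG -- : Found a pingable IP address which does not have a Proxy::DHCP record
  D, [2017-01-25T17:46:07.479538 #20035] DEBUG -- : Searching for free IP - pinging 10.250.130.193
  D, [2017-01-25T17:46:09.506491 #20035] DEBUG -- : Found free IP 10.250.130.193 out of a total of 13 free IPs
LOG

LINE_RE = /\A\w, \[(\S+) #\d+\]\s+\w+ -- : (.*)\z/
Probe = Struct.new(:ip, :verdict, :elapsed_ms)

# Assumed triage threshold for this example, not a smart-proxy setting.
FAST_MS = 1.0

# Map a log message to the proxy's verdict for the address being probed.
def verdict_of(msg)
  return :in_use if msg.start_with?('Found a pingable IP address')
  return :free if msg.start_with?('Found free IP')
  nil
end

# Pair every "pinging <ip>" line with the verdict line that follows it.
def parse_probes(log)
  probes = []
  pending = nil
  log.each_line do |raw|
    m = LINE_RE.match(raw.chomp) or next
    ts = Time.iso8601("#{m[1]}Z") # no zone in the log; UTC is fine for deltas
    msg = m[2]
    if (ip = msg[/pinging (\d{1,3}(?:\.\d{1,3}){3})/, 1])
      pending = [ip, ts]
    elsif pending && (verdict = verdict_of(msg))
      probes << Probe.new(pending[0], verdict, ((ts - pending[1]) * 1000).round(3))
      pending = nil
    end
  end
  probes
end

# In-use verdicts that came back faster than the threshold.
def fast_in_use(probes, threshold_ms = FAST_MS)
  probes.select { |pr| pr.verdict == :in_use && pr.elapsed_ms < threshold_ms }
end

if __FILE__ == $PROGRAM_NAME
  parse_probes(SAMPLE_LOG).each { |pr| puts format('%-15s %-7s %10.3f ms', pr.ip, pr.verdict, pr.elapsed_ms) }
end
```

Run against the full proxy.log, the addresses returned by fast_in_use are the ones to compare with the dhcpd leases file before treating them as occupied.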
