Velocity Reviews - Computer Hardware Reviews

Interface going administratively down during DHCP renewal?

 
 
Ronald de Leeuw
 
      10-07-2004
Hello to you all,

I have a Cisco 2621XM router running IOS 12.3.8T3 ADVANCED IP SERVICES with
a NM-4E (4 port Ethernet). Connected to one of the Ethernet ports of the
NM-4E is the Internet connection, supplied by the provider on Ethernet. The
provider says we MUST use DHCP to get our public address assigned, if we
configure it static we won't be able to use the Internet connection. The
configuration of the interface connected to the Internet is as follows:

interface Ethernet1/2
description Internet
ip address dhcp
ip access-group ACL_E12_IN in
ip access-group ACL_E12_OUT out
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat outside
ip inspect FW_E12_IN in
ip inspect FW_E12_OUT out
ip ips IPS_E12_IN in
ip ips IPS_E12_OUT out
ip virtual-reassembly
full-duplex
no cdp enable
crypto map CMP_CVPN_CLIENTS
end

This configuration works, BUT every time the DHCP lease is renewed the
following happens:

Oct 7 10:29:58.199: %LINK-5-CHANGED: Interface Ethernet1/2, changed state
to administratively down
Oct 7 10:29:59.199: %LINEPROTO-5-UPDOWN: Line protocol on Interface
Ethernet1/2, changed state to down
Oct 7 10:30:01.219: %LINK-3-UPDOWN: Interface Ethernet1/2, changed state to
up
Oct 7 10:30:02.219: %LINEPROTO-5-UPDOWN: Line protocol on Interface
Ethernet1/2, changed state to up
Oct 7 10:30:02.311: %DHCP-6-ADDRESS_ASSIGN: Interface Ethernet1/2 assigned
DHCP address X.X.X.175, mask 255.255.252.0, hostname wa2621-alm
Oct 7 11:30:10.699: %LINK-5-CHANGED: Interface Ethernet1/2, changed state
to administratively down
Oct 7 11:30:13.659: %LINK-3-UPDOWN: Interface Ethernet1/2, changed state to
up
Oct 7 11:30:14.747: %DHCP-6-ADDRESS_ASSIGN: Interface Ethernet1/2 assigned
DHCP address X.X.X.175, mask 255.255.252.0, hostname wa2621-alm
Oct 7 12:30:23.080: %LINK-5-CHANGED: Interface Ethernet1/2, changed state
to administratively down
Oct 7 12:30:24.080: %LINEPROTO-5-UPDOWN: Line protocol on Interface
Ethernet1/2, changed state to down
Oct 7 12:30:26.100: %LINK-3-UPDOWN: Interface Ethernet1/2, changed state to
up
Oct 7 12:30:27.100: %LINEPROTO-5-UPDOWN: Line protocol on Interface
Ethernet1/2, changed state to up
Oct 7 12:30:27.188: %DHCP-6-ADDRESS_ASSIGN: Interface Ethernet1/2 assigned
DHCP address X.X.X.175, mask 255.255.252.0, hostname wa2621-alm
Oct 7 13:30:35.396: %LINK-5-CHANGED: Interface Ethernet1/2, changed state
to administratively down
Oct 7 13:30:36.396: %LINEPROTO-5-UPDOWN: Line protocol on Interface
Ethernet1/2, changed state to down
Oct 7 13:30:38.412: %LINK-3-UPDOWN: Interface Ethernet1/2, changed state to
up
Oct 7 13:30:39.412: %LINEPROTO-5-UPDOWN: Line protocol on Interface
Ethernet1/2, changed state to up
Oct 7 13:30:39.500: %DHCP-6-ADDRESS_ASSIGN: Interface Ethernet1/2 assigned
DHCP address X.X.X.175, mask 255.255.252.0, hostname wa2621-alm

Is there some way to prevent the interface going to administratively down? I
can imagine during a DHCP renewal the line protocol being down, but the
interface going administratively down is the part I don't get.

Ronald de Leeuw





 
 
 
 
 
Martin Gallagher
 
      10-07-2004
On Thu, 07 Oct 2004 14:02:41 +0200, Ronald de Leeuw wrote:

> I have a Cisco 2621XM router running IOS 12.3.8T3 ADVANCED IP SERVICES
> with a NM-4E (4 port Ethernet). Connected to one of the Ethernet ports of
> the NM-4E is the Internet connection, supplied by the provider on
> Ethernet. The provider says we MUST use DHCP to get our public address
> assigned, if we configure it static we won't be able to use the Internet
> connection. The configuration of the interface connected to the Internet
> is as follows:
>
> interface Ethernet1/2
> description Internet
> ip address dhcp
> ip access-group ACL_E12_IN in
> ip access-group ACL_E12_OUT out
> no ip redirects
> no ip unreachables
> no ip proxy-arp
> ip nat outside
> ip inspect FW_E12_IN in
> ip inspect FW_E12_OUT out
> ip ips IPS_E12_IN in
> ip ips IPS_E12_OUT out
> ip virtual-reassembly
> full-duplex
> no cdp enable
> crypto map CMP_CVPN_CLIENTS
> end
>
> This configuration works, BUT every time the DHCP lease is renewed the
> following happens:
>
> Oct 7 10:29:58.199: %LINK-5-CHANGED: Interface Ethernet1/2, changed state
> to administratively down
> Oct 7 10:29:59.199: %LINEPROTO-5-UPDOWN: Line protocol on Interface
> Ethernet1/2, changed state to down
> Oct 7 10:30:01.219: %LINK-3-UPDOWN: Interface Ethernet1/2, changed state
> to up
> Oct 7 10:30:02.219: %LINEPROTO-5-UPDOWN: Line protocol on Interface
> Ethernet1/2, changed state to up
> Oct 7 10:30:02.311: %DHCP-6-ADDRESS_ASSIGN: Interface Ethernet1/2
> assigned DHCP address X.X.X.175, mask 255.255.252.0, hostname wa2621-alm


> Is there some way to prevent the interface going to administratively down?
> I can imagine during a DHCP renewal the line protocol being down, but the
> interface going administratively down is the part I don't get.
>


It looks to me like your leases are expiring, and a new lease acquired,
rather than renewing.

What does show dhcp lease say the lease time is? If it's 3600 seconds,
then the router will try to renew the lease when the T1 timer expires. T1
is 50% of the lease time by default. It's also in show dhcp lease along
with T2.

What does ACL_E12_IN have to say about udp traffic on ports 67 and 68?
Leases are acquired using broadcast addresses, but renewal is done with a
unicast to the server we got the lease from. If your ACL blocks that then
renewal will fail.

If that happens then we wait for T2, the rebind timer to expire, and
then attempt to renew our lease using broadcasts.

Both renewal and rebinding should be invisible, i.e. they happen with no
change in the interface state.

When the lease expires, the interface will go admin down till it
acquires a new one.

Debug dhcp or debug dhcp detail should give us some clues.

--
Regards,
Martin
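
An added example (not part of the thread): it measures how long each DHCP address in the first post's log was held before the interface went administratively down and compares that with the lease time, which is the distinction drawn above between an invisible renew/rebind and an expiry. The 3600-second lease is an assumption (the value asked about above), and T2 at 87.5% follows the `Rebind: 3150 secs` shown for a 3600-second lease in the later debug output.

```python
import re
from datetime import datetime

# Syslog lines from the first post, unwrapped; LINEPROTO and LINK-3 lines omitted.
LOG = """\
Oct 7 10:30:02.311: %DHCP-6-ADDRESS_ASSIGN: Interface Ethernet1/2 assigned DHCP address X.X.X.175, mask 255.255.252.0, hostname wa2621-alm
Oct 7 11:30:10.699: %LINK-5-CHANGED: Interface Ethernet1/2, changed state to administratively down
Oct 7 11:30:14.747: %DHCP-6-ADDRESS_ASSIGN: Interface Ethernet1/2 assigned DHCP address X.X.X.175, mask 255.255.252.0, hostname wa2621-alm
Oct 7 12:30:23.080: %LINK-5-CHANGED: Interface Ethernet1/2, changed state to administratively down
Oct 7 12:30:27.188: %DHCP-6-ADDRESS_ASSIGN: Interface Ethernet1/2 assigned DHCP address X.X.X.175, mask 255.255.252.0, hostname wa2621-alm
Oct 7 13:30:35.396: %LINK-5-CHANGED: Interface Ethernet1/2, changed state to administratively down
"""

LINE = re.compile(r"^(\w{3} +\d+ [\d:.]+): %([A-Z0-9_-]+): Interface (\S+?),? (.*)$")

def parse(text, year=2004):
    """Yield (timestamp, mnemonic, interface, message) for interface events."""
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if m:
            ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S.%f")
            yield ts, m.group(2), m.group(3), m.group(4)

def held_times(text):
    """Seconds each DHCP address was held before the interface went admin down."""
    assigned, held = {}, []
    for ts, tag, ifname, msg in parse(text):
        if tag == "DHCP-6-ADDRESS_ASSIGN":
            assigned[ifname] = ts
        elif tag == "LINK-5-CHANGED" and "administratively down" in msg and ifname in assigned:
            held.append((ts - assigned.pop(ifname)).total_seconds())
    return held

def diagnose(text, lease_secs, slack=30):
    """Compare held times with the lease; slack (seconds) is an assumed tolerance."""
    held = held_times(text)
    expired = bool(held) and all(abs(h - lease_secs) <= slack for h in held)
    return {
        "t1": lease_secs * 0.5,    # unicast renewal starts here
        "t2": lease_secs * 0.875,  # broadcast rebind starts here
        "held": [round(h) for h in held],
        "verdict": "lease expired, renew and rebind both failed" if expired
                   else "flaps do not track the lease time",
    }

if __name__ == "__main__":
    print(diagnose(LOG, lease_secs=3600))  # 3600 s is an assumed lease time
```

Every address in the sample is held for about 3608 seconds, so with a 3600-second lease the flaps line up with expiry rather than with the T1 or T2 timers.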
 
 
 
 
 
Spiritu4l
 
      07-27-2006
The problem is caused by the firewall, at least here it is.

015949: *Jul 27 10:32:13.930 PCTime: DHCP: QScan: Renewal..T2 fired..Rebinding
015950: *Jul 27 10:32:13.930 PCTime: DHCP: SRequest attempt # 1 for entry:
015951: *Jul 27 10:32:13.930 PCTime: Temp IP addr: 83.160.158.xx for peer on Interface: BVI1
015952: *Jul 27 10:32:13.930 PCTime: Temp sub net mask: 255.255.255.0
015953: *Jul 27 10:32:13.930 PCTime: DHCP Lease server: 194.159.73.205, state: 4 Rebinding
015954: *Jul 27 10:32:13.930 PCTime: DHCP transaction id: 1564
015955: *Jul 27 10:32:13.930 PCTime: Lease: 3600 secs, Renewal: 1800 secs, Rebind: 3150 secs
015956: *Jul 27 10:32:13.930 PCTime: Temp default-gateway addr: 83.160.158.1
015957: *Jul 27 10:32:13.930 PCTime: Next timer fires after: 00:07:31
015958: *Jul 27 10:32:13.930 PCTime: Retry count: 1 Client-ID: cisco-00a0.c559.5bc6-BV1
015959: *Jul 27 10:32:13.930 PCTime: Client-ID hex dump: 636973636F2D303061302E633535392E
015960: *Jul 27 10:32:13.930 PCTime: 356263362D425631
015961: *Jul 27 10:32:13.930 PCTime: Hostname: 2811-router
015962: *Jul 27 10:32:13.930 PCTime: DHCP: SRequest - ciaddr: 83.160.158.xx
015963: *Jul 27 10:32:13.930 PCTime: DHCP: SRequest placed lease len option: 3600
015964: *Jul 27 10:32:13.930 PCTime: DHCP: SRequest: 304 bytes
015965: *Jul 27 10:32:13.930 PCTime: DHCP: SRequest: 304 bytes
015966: *Jul 27 10:32:13.930 PCTime: B'cast on BVI1 interface from 83.160.158.xx
015967: *Jul 27 10:32:13.986 PCTime: %SEC-6-IPACCESSLOGP: list firewall-demon denied udp 83.161.102.193(67) -> 83.160.158.xx(68), 1 packet

I only permitted bootps to the broadcast address with bootpc as destination port in the firewall:

....
permit udp any eq bootps host 255.255.255.255 eq bootpc
....

so add this to your firewall:
permit udp any eq 67 any eq 68

Best regards,

Mark Verwoerd
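
An added example (not part of the thread, and not Cisco's ACL engine): a minimal first-match evaluator for the two ACEs quoted in the post above, run against the packet from the `%SEC-6-IPACCESSLOGP` line. It handles only `any`, `host` and `eq`; the `SERVER_ONLY` list, the broadcast reply and the 192.0.2.10 stand-in for the elided 83.160.158.xx are assumptions constructed for illustration.

```python
import ipaddress

PORTS = {"bootps": 67, "bootpc": 68}

def _endpoint(tok, i):
    """Parse 'any' or 'host A.B.C.D', then an optional 'eq PORT', from tok[i]."""
    if tok[i] == "any":
        net, i = None, i + 1
    else:
        net, i = ipaddress.ip_address(tok[i + 1]), i + 2
    port = None
    if i < len(tok) and tok[i] == "eq":
        port = PORTS.get(tok[i + 1]) or int(tok[i + 1])
        i += 2
    return (net, port), i

def parse_ace(line):
    tok = line.split()
    src, i = _endpoint(tok, 2)
    dst, _ = _endpoint(tok, i)
    return tok[0], tok[1], src, dst

def _hit(rule, ip, port):
    addr, want = rule
    return (addr is None or addr == ipaddress.ip_address(ip)) and (want is None or want == port)

def evaluate(acl, proto, sip, sport, dip, dport):
    """First match wins; an extended ACL ends with an implicit deny."""
    for line in acl:
        action, p, src, dst = parse_ace(line)
        if p == proto and _hit(src, sip, sport) and _hit(dst, dip, dport):
            return action
    return "deny"

NARROW = ["permit udp any eq bootps host 255.255.255.255 eq bootpc"]  # ACE quoted in the post
FIXED = NARROW + ["permit udp any eq 67 any eq 68"]                    # ACE the post adds
# Hypothetical tighter variant: permit only the lease server from the debug output.
SERVER_ONLY = NARROW + ["permit udp host 194.159.73.205 eq bootps any eq bootpc"]

ROUTER = "192.0.2.10"  # constructed stand-in for the elided 83.160.158.xx
BROADCAST_REPLY = ("udp", "83.161.102.193", 67, "255.255.255.255", 68)  # constructed
UNICAST_REPLY = ("udp", "83.161.102.193", 67, ROUTER, 68)  # packet in the denied log line

def results():
    """Map each ACL name to (broadcast reply verdict, unicast reply verdict)."""
    lists = (("narrow", NARROW), ("fixed", FIXED), ("server_only", SERVER_ONLY))
    return {name: (evaluate(acl, *BROADCAST_REPLY), evaluate(acl, *UNICAST_REPLY))
            for name, acl in lists}
```

The `server_only` result shows that scoping the permit to the lease server (194.159.73.205) would still drop this reply, because the logged packet arrived from 83.161.102.193.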
 