Interface going administratively down during DHCP renewal?

Discussion in 'Cisco' started by Ronald de Leeuw, Oct 7, 2004.

  1. Hello to you all,

    I have a Cisco 2621XM router running IOS 12.3.8T3 ADVANCED IP SERVICES with
    a NM-4E (4 port Ethernet). Connected to one of the Ethernet ports of the
    NM-4E is the Internet connection, supplied by the provider on Ethernet. The
    provider says we MUST use DHCP to get our public address assigned, if we
    configure it static we won't be able to use the Internet connection. The
    configuration of the interface connected to the Internet is as follows:

    interface Ethernet1/2
    description Internet
    ip address dhcp
    ip access-group ACL_E12_IN in
    ip access-group ACL_E12_OUT out
    no ip redirects
    no ip unreachables
    no ip proxy-arp
    ip nat outside
    ip inspect FW_E12_IN in
    ip inspect FW_E12_OUT out
    ip ips IPS_E12_IN in
    ip ips IPS_E12_OUT out
    ip virtual-reassembly
    full-duplex
    no cdp enable
    crypto map CMP_CVPN_CLIENTS
    end

    This configuration works, BUT every time the DHCP lease is renewed the
    following happens:

    Oct 7 10:29:58.199: %LINK-5-CHANGED: Interface Ethernet1/2, changed state to administratively down
    Oct 7 10:29:59.199: %LINEPROTO-5-UPDOWN: Line protocol on Interface Ethernet1/2, changed state to down
    Oct 7 10:30:01.219: %LINK-3-UPDOWN: Interface Ethernet1/2, changed state to up
    Oct 7 10:30:02.219: %LINEPROTO-5-UPDOWN: Line protocol on Interface Ethernet1/2, changed state to up
    Oct 7 10:30:02.311: %DHCP-6-ADDRESS_ASSIGN: Interface Ethernet1/2 assigned DHCP address X.X.X.175, mask 255.255.252.0, hostname wa2621-alm
    Oct 7 11:30:10.699: %LINK-5-CHANGED: Interface Ethernet1/2, changed state to administratively down
    Oct 7 11:30:13.659: %LINK-3-UPDOWN: Interface Ethernet1/2, changed state to up
    Oct 7 11:30:14.747: %DHCP-6-ADDRESS_ASSIGN: Interface Ethernet1/2 assigned DHCP address X.X.X.175, mask 255.255.252.0, hostname wa2621-alm
    Oct 7 12:30:23.080: %LINK-5-CHANGED: Interface Ethernet1/2, changed state to administratively down
    Oct 7 12:30:24.080: %LINEPROTO-5-UPDOWN: Line protocol on Interface Ethernet1/2, changed state to down
    Oct 7 12:30:26.100: %LINK-3-UPDOWN: Interface Ethernet1/2, changed state to up
    Oct 7 12:30:27.100: %LINEPROTO-5-UPDOWN: Line protocol on Interface Ethernet1/2, changed state to up
    Oct 7 12:30:27.188: %DHCP-6-ADDRESS_ASSIGN: Interface Ethernet1/2 assigned DHCP address X.X.X.175, mask 255.255.252.0, hostname wa2621-alm
    Oct 7 13:30:35.396: %LINK-5-CHANGED: Interface Ethernet1/2, changed state to administratively down
    Oct 7 13:30:36.396: %LINEPROTO-5-UPDOWN: Line protocol on Interface Ethernet1/2, changed state to down
    Oct 7 13:30:38.412: %LINK-3-UPDOWN: Interface Ethernet1/2, changed state to up
    Oct 7 13:30:39.412: %LINEPROTO-5-UPDOWN: Line protocol on Interface Ethernet1/2, changed state to up
    Oct 7 13:30:39.500: %DHCP-6-ADDRESS_ASSIGN: Interface Ethernet1/2 assigned DHCP address X.X.X.175, mask 255.255.252.0, hostname wa2621-alm

    Is there some way to prevent the interface going to administratively down? I
    can imagine during a DHCP renewal the line protocol being down, but the
    interface going administratively down is the part I don't get.

    Ronald de Leeuw
    Ronald de Leeuw, Oct 7, 2004
    #1

  2. On Thu, 07 Oct 2004 14:02:41 +0200, Ronald de Leeuw wrote:

    > I have a Cisco 2621XM router running IOS 12.3.8T3 ADVANCED IP SERVICES
    > with a NM-4E (4 port Ethernet). Connected to one of the Ethernet ports of
    > the NM-4E is the Internet connection, supplied by the provider on
    > Ethernet. The provider says we MUST use DHCP to get our public address
    > assigned, if we configure it static we won't be able to use the Internet
    > connection. The configuration of the interface connected to the Internet
    > is as follows:
    >
    > interface Ethernet1/2
    > description Internet
    > ip address dhcp
    > ip access-group ACL_E12_IN in
    > ip access-group ACL_E12_OUT out
    > no ip redirects
    > no ip unreachables
    > no ip proxy-arp
    > ip nat outside
    > ip inspect FW_E12_IN in
    > ip inspect FW_E12_OUT out
    > ip ips IPS_E12_IN in
    > ip ips IPS_E12_OUT out
    > ip virtual-reassembly
    > full-duplex
    > no cdp enable
    > crypto map CMP_CVPN_CLIENTS
    > end
    >
    > This configuration works, BUT every time the DHCP lease is renewed the
    > following happens:
    >
    > Oct 7 10:29:58.199: %LINK-5-CHANGED: Interface Ethernet1/2, changed state
    > to administratively down
    > Oct 7 10:29:59.199: %LINEPROTO-5-UPDOWN: Line protocol on Interface
    > Ethernet1/2, changed state to down
    > Oct 7 10:30:01.219: %LINK-3-UPDOWN: Interface Ethernet1/2, changed state
    > to up
    > Oct 7 10:30:02.219: %LINEPROTO-5-UPDOWN: Line protocol on Interface
    > Ethernet1/2, changed state to up
    > Oct 7 10:30:02.311: %DHCP-6-ADDRESS_ASSIGN: Interface Ethernet1/2
    > assigned DHCP address X.X.X.175, mask 255.255.252.0, hostname wa2621-alm


    > Is there some way to prevent the interface going to administratively down?
    > I can imagine during a DHCP renewal the line protocol being down, but the
    > interface going administratively down is the part I don't get.
    >


    It looks to me like your leases are expiring, and a new lease is acquired,
    rather than renewing.

    What does show dhcp lease say the lease time is? If it's 3600 seconds,
    then the router will try to renew the lease when the T1 timer expires. T1
    is 50% of the lease time by default. It's also in show dhcp lease along
    with T2.

    What does ACL_E12_IN have to say about UDP traffic on ports 67 and 68?
    Leases are acquired using broadcast addresses, but renewal is done with a
    unicast to the server we got the lease from. If your ACL blocks that then
    renewal will fail.

    If that happens then we wait for T2, the rebind timer to expire, and
    then attempt to renew our lease using broadcasts.

    Both renewal and rebinding should be invisible, i.e. they happen with no
    change in the interface state.

    When the lease expires, the interface will go admin down till it
    acquires a new one.

    Debug dhcp or debug dhcp detail should give us some clues.

    --
    Regards,
    Martin
    Martin Gallagher, Oct 7, 2004
    #2

  3. Ronald de Leeuw

    Spiritu4l

    Int goes down when DHCP lease expires

    The problem is caused by the firewall, at least here it is.

    015949: *Jul 27 10:32:13.930 PCTime: DHCP: QScan: Renewal..T2 fired..Rebinding
    015950: *Jul 27 10:32:13.930 PCTime: DHCP: SRequest attempt # 1 for entry:
    015951: *Jul 27 10:32:13.930 PCTime: Temp IP addr: 83.160.158.xx for peer on Interface: BVI1
    015952: *Jul 27 10:32:13.930 PCTime: Temp sub net mask: 255.255.255.0
    015953: *Jul 27 10:32:13.930 PCTime: DHCP Lease server: 194.159.73.205, state: 4 Rebinding
    015954: *Jul 27 10:32:13.930 PCTime: DHCP transaction id: 1564
    015955: *Jul 27 10:32:13.930 PCTime: Lease: 3600 secs, Renewal: 1800 secs, Rebind: 3150 secs
    015956: *Jul 27 10:32:13.930 PCTime: Temp default-gateway addr: 83.160.158.1
    015957: *Jul 27 10:32:13.930 PCTime: Next timer fires after: 00:07:31
    015958: *Jul 27 10:32:13.930 PCTime: Retry count: 1 Client-ID: cisco-00a0.c559.5bc6-BV1
    015959: *Jul 27 10:32:13.930 PCTime: Client-ID hex dump: 636973636F2D303061302E633535392E
    015960: *Jul 27 10:32:13.930 PCTime: 356263362D425631
    015961: *Jul 27 10:32:13.930 PCTime: Hostname: 2811-router
    015962: *Jul 27 10:32:13.930 PCTime: DHCP: SRequest - ciaddr: 83.160.158.xx
    015963: *Jul 27 10:32:13.930 PCTime: DHCP: SRequest placed lease len option: 3600
    015964: *Jul 27 10:32:13.930 PCTime: DHCP: SRequest: 304 bytes
    015965: *Jul 27 10:32:13.930 PCTime: DHCP: SRequest: 304 bytes
    015966: *Jul 27 10:32:13.930 PCTime: B'cast on BVI1 interface from 83.160.158.xx
    015967: *Jul 27 10:32:13.986 PCTime: %SEC-6-IPACCESSLOGP: list firewall-demon denied udp 83.161.102.193(67) -> 83.160.158.xx(68), 1 packet

    I only permitted bootps to the broadcast address with bootpc as destination port in the firewall:

    ....
    permit udp any eq bootps host 255.255.255.255 eq bootpc
    ....

    so add this to your firewall:
    permit udp any eq 67 any eq 68

    Best regards,

    Mark Verwoerd
    Spiritu4l, Jul 27, 2006
    #3
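The ACL behaviour described in post #3, as an added example that is not part of the original thread or any Cisco tool: a small first-match evaluator for the subset of IOS extended-ACL syntax quoted above, run against the reply that the `%SEC-6-IPACCESSLOGP` line shows being denied. `SERVER_ONLY`, the broadcast sample packet and all function names are constructed for illustration; the masked client address is kept exactly as posted. It also shows that an entry pinned to the lease server in the debug output (194.159.73.205) would still drop the reply, because the logged packet was sourced from 83.161.102.193.

```python
from collections import namedtuple

PORT_NAMES = {"bootps": 67, "bootpc": 68}  # IOS keywords for UDP 67 and 68
Packet = namedtuple("Packet", "src sport dst dport")

def parse_ace(line):
    """Parse 'permit|deny udp <any|host A> [eq P] <any|host A> [eq P]'."""
    tok = line.split()
    if tok[0] not in ("permit", "deny") or tok[1] != "udp":
        raise ValueError(f"unsupported entry: {line!r}")
    pos, ends = 2, []
    for _ in range(2):  # source spec first, then destination spec
        if tok[pos] == "any":
            addr, pos = None, pos + 1
        elif tok[pos] == "host":
            addr, pos = tok[pos + 1], pos + 2
        else:
            raise ValueError(f"unsupported address spec in: {line!r}")
        port = None
        if pos < len(tok) and tok[pos] == "eq":
            port = PORT_NAMES.get(tok[pos + 1]) or int(tok[pos + 1])
            pos += 2
        ends.append((addr, port))
    return tok[0], ends[0], ends[1]

def evaluate(acl, pkt):
    """First matching entry wins; every IOS ACL ends in an implicit deny."""
    for line in acl:
        action, (sa, sp), (da, dp) = parse_ace(line)
        if (sa in (None, pkt.src) and sp in (None, pkt.sport)
                and da in (None, pkt.dst) and dp in (None, pkt.dport)):
            return action
    return "deny"

# ORIGINAL and POSTED_FIX quote the post; SERVER_ONLY is a constructed variant.
ORIGINAL = ["permit udp any eq bootps host 255.255.255.255 eq bootpc"]
POSTED_FIX = ORIGINAL + ["permit udp any eq 67 any eq 68"]
SERVER_ONLY = ORIGINAL + ["permit udp host 194.159.73.205 eq bootps any eq bootpc"]
ACLS = {"original": ORIGINAL, "server_only": SERVER_ONLY, "posted_fix": POSTED_FIX}

# UNICAST_REPLY is the packet from the %SEC-6-IPACCESSLOGP line (address masked
# as posted); BROADCAST_REPLY is constructed to stand for initial acquisition.
BROADCAST_REPLY = Packet("83.161.102.193", 67, "255.255.255.255", 68)
UNICAST_REPLY = Packet("83.161.102.193", 67, "83.160.158.xx", 68)

def verdicts(pkt):
    """Return the permit/deny result of each candidate ACL for one packet."""
    return {name: evaluate(acl, pkt) for name, acl in ACLS.items()}

for label, pkt in (("broadcast", BROADCAST_REPLY), ("unicast", UNICAST_REPLY)):
    print(label, verdicts(pkt))
```
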
