[CentOS] ISC DHCP failover

Wed Sep 23 22:20:21 UTC 2015
Tony Mountifield <tony at softins.co.uk>

In article <20150923194959.GE2874 at cmadams.net>,
Chris Adams <linux at cmadams.net> wrote:
> Anybody have any experience with setting up dhcpd in failover mode
> between two servers?  I set this up on a couple of servers, and it seems
> to be working, but I don't think it is working "right".  It appears both
> servers are replying to all requests (which for renewals works okay
> because they both give the same address, but new requests get two
> different responses).  I thought that only one server would reply to a
> particular request.
> 
> Also, every DHCPACK is followed by a message like this in the log:
> 
> Sep 23 15:45:50 rad2 dhcpd: bind update on x.x.x.x from mypeer rejected: incoming update is less critical than outgoing update
> 
> Any ideas?  I subscribed and asked over on the ISC-operated dhcp-users
> list but haven't had any responses.  Google finds others asking about
> the same log message, and the only responses seem to be "well, if you
> get it for every update, there's probably some configuration issue" (but
> nobody ever says what issue might lead to it).

Well it would probably help if you showed us your dhcpd.conf file from
each server.

But anyway, if it helps, here is what I have working:

SYSTEM 1 (192.168.100.3)
------------------------

#
# DHCP Server Configuration file.
#   see /usr/share/doc/dhcp*/dhcpd.conf.sample
#   see 'man 5 dhcpd.conf'
#

authoritative;
ddns-update-style none;

failover peer "dhcp-failover" {
        primary; # declare this to be the primary server
        mclt 1800;      # only on primary
        split 128;      # only on primary

        #secondary; # declare this to be the secondary server

        address 192.168.100.3;  # my address
        port 647;
        peer address 192.168.100.4;     # peer's address
        peer port 647;
        max-response-delay 30;
        max-unacked-updates 10;
        load balance max seconds 3;
}

subnet 192.168.100.0 netmask 255.255.255.0 {
        option subnet-mask 255.255.255.0;
        option broadcast-address 192.168.100.255;
        option routers 192.168.100.1;
        option domain-name-servers 192.168.100.1;
        option domain-name "example.co.uk";
        pool {
                failover peer "dhcp-failover";
                deny dynamic bootp clients;
                range 192.168.100.100 192.168.100.149;
                default-lease-time 86400;
                max-lease-time 172800;
        }
}

SYSTEM 2 (192.168.100.4)
------------------------

#
# DHCP Server Configuration file.
#   see /usr/share/doc/dhcp*/dhcpd.conf.sample
#   see 'man 5 dhcpd.conf'
#

authoritative;
ddns-update-style none;

failover peer "dhcp-failover" {
        #primary; # declare this to be the primary server
        #mclt 1800;     # only on primary
        #split 128;     # only on primary

        secondary; # declare this to be the secondary server

        address 192.168.100.4;  # my address
        port 647;
        peer address 192.168.100.3;     # peer's address
        peer port 647;
        max-response-delay 30;
        max-unacked-updates 10;
        load balance max seconds 3;
}

subnet 192.168.100.0 netmask 255.255.255.0 {
        option subnet-mask 255.255.255.0;
        option broadcast-address 192.168.100.255;
        option routers 192.168.100.1;
        option domain-name-servers 192.168.100.1;
        option domain-name "example.co.uk";
        pool {
                failover peer "dhcp-failover";
                deny dynamic bootp clients;
                range 192.168.100.100 192.168.100.149;
                default-lease-time 86400;
                max-lease-time 172800;
        }
}

Note the differences between the "failover peer" sections. One must say
primary, and the other secondary. You must omit mclt and split on the
secondary, and must swap the address and peer address over.

Cheers
Tony
-- 
Tony Mountifield
Work: tony at softins.co.uk - http://www.softins.co.uk
Play: tony at mountifield.org - http://tony.mountifield.org
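
The closing note of the message above (one primary and one secondary, mclt and split omitted on the secondary, address and peer address swapped) can be checked mechanically. The following is an added example, not part of the original post or of ISC DHCP; the function names and the cut-down sample configs are constructed for illustration, and the parser assumes no '#' or braces inside quoted strings.

```python
import re

def parse_failover(conf):
    """Return {peer name: {statement: value}} for each failover peer declaration."""
    text = re.sub(r"#[^\n]*", "", conf)  # drop comments, so '#primary;' is ignored
    peers = {}
    # Matches only the declaration (name followed by '{'), not the pool reference.
    for name, body in re.findall(r'failover\s+peer\s+"([^"]+)"\s*\{([^}]*)\}', text):
        stmts = {}
        for stmt in body.split(";"):
            words = stmt.split()
            if words:
                n = 2 if words[0] == "peer" else 1  # 'peer address', 'peer port'
                stmts[" ".join(words[:n])] = " ".join(words[n:])
        peers[name] = stmts
    return peers

def check_pair(conf_a, conf_b):
    """List mismatches between the failover declarations of two servers."""
    a, b = parse_failover(conf_a), parse_failover(conf_b)
    problems = []
    for name in sorted(set(a) | set(b)):
        if name not in a or name not in b:
            problems.append(f"{name}: declared on only one server")
            continue
        roles = [[r for r in ("primary", "secondary") if r in s] for s in (a[name], b[name])]
        if sorted(roles) != [["primary"], ["secondary"]]:
            problems.append(f"{name}: need exactly one primary and one secondary")
            continue
        pri, sec = (a[name], b[name]) if "primary" in a[name] else (b[name], a[name])
        for key in ("mclt", "split"):
            if key in sec:
                problems.append(f"{name}: {key} must be omitted on the secondary")
        # Each side's address/port must be the other side's peer address/peer port.
        for mine, theirs in (("address", "peer address"), ("port", "peer port")):
            if pri.get(mine) != sec.get(theirs) or sec.get(mine) != pri.get(theirs):
                problems.append(f"{name}: {mine} and {theirs} are not swapped")
    return problems

# Constructed sample input, cut down from the two files in the message.
TEMPLATE = '''failover peer "dhcp-failover" {{
        {role}
        address {me}; port 647;
        peer address {peer}; peer port 647;
}}
pool {{ failover peer "dhcp-failover"; }}
'''
SYSTEM1 = TEMPLATE.format(role="primary; mclt 1800; split 128;  # only on primary", me="192.168.100.3", peer="192.168.100.4")
SYSTEM2 = TEMPLATE.format(role="#primary;\n        secondary;", me="192.168.100.4", peer="192.168.100.3")
BROKEN2 = TEMPLATE.format(role="secondary; mclt 1800;", me="192.168.100.4", peer="192.168.100.4")
```

check_pair(SYSTEM1, SYSTEM2) returns an empty list; check_pair(SYSTEM1, BROKEN2) reports the stray mclt and the unswapped address.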