CPUG: The Check Point User Group

Thread: DHCPD incorrectly handles tagged packages

  1. #1

    DHCPD incorrectly handles tagged packages

    On the 14xx there exists a problem with VLAN-handling and DHCP.

    If you have an interface which gets VLAN-tagged traffic, the DHCP-server for the untagged interface answers the request.

    It is this ISC-DHCPD bug: https://bugs.launchpad.net/ubuntu/+s...p/+bug/1167614.

    I checked it by using a new ISC DHCPD 4.3.5, which has the bug fixed, and it worked then.

    "- Modified linux packet handling such that packets received via VLAN are now
    seen only by the VLAN interface. Prior to this, such packets were seen by
    both the VLAN interface and its parent (physical) interface, causing the
    server to respond to both. Note this remains an issue for non-Linux OSs.
    Thanks to Jiri Popelka at Red Hat for the patch.
    [ISC-Bugs #37415]
    [ISC-Bugs #37133]
    [ISC-Bugs #36668]
    [ISC-Bugs #36652]"
    (from the ISC 4.3.2 release notes)

    An SR is open, but the bug will not be fixed.
    Last edited by peter42; 2017-02-20 at 07:30.

  2. #2

    Re: DHCPD incorrectly handles tagged packages

    It looks like Embedded Gaia R77.20.x uses ISC DHCPD 4.0.0b3.
    While I have my doubts that the version of the DHCPD code will be upgraded (at least as part of a maintenance release), it's at least plausible the fix could be backported.
    An SR/Task with CFG is definitely the right course of action here.
    Can you share the SR with me in a PM?
    http://phoneboy.org
    Unless otherwise noted, views expressed are my own

  3. #3

    Re: DHCPD incorrectly handles tagged packages

    Yes, 4.0.0b3 is used in Embedded Gaia.

    I forwarded you the SR#.

    Here is the correct behaviour with an updated DHCPD:

    /tmp/dhcpd -d -cf /etc/dhcpd.conf.LAN15 -lf /var/dhcpd.leases.LAN15 -pf /var/run/dhcpd.pid.LAN15 LAN15
    Internet Systems Consortium DHCP Server 4.3.5
    Copyright 2004-2016 Internet Systems Consortium.
    All rights reserved.
    For info, please visit https://www.isc.org/software/dhcp/
    Config file: /etc/dhcpd.conf.LAN15
    Database file: /var/dhcpd.leases.LAN15
    PID file: /var/run/dhcpd.pid.LAN15
    Wrote 0 leases to leases file.
    Listening on LPF/LAN15/00:1c:7f:73:7b:ce/192.168.200.0/24
    Sending on LPF/LAN15/00:1c:7f:73:7b:ce/192.168.200.0/24
    Sending on Socket/fallback/fallback-net
    Server starting service.
    DHCPDISCOVER from 24:d9:21:4e:3d:af via LAN15
    DHCPOFFER on 192.168.200.2 to 24:d9:21:4e:3d:af (AVX4E3DAF) via LAN15
    DHCPREQUEST for 192.168.200.2 (192.168.200.1) from 24:d9:21:4e:3d:af (AVX4E3DAF) via LAN15
    DHCPACK on 192.168.200.2 to 24:d9:21:4e:3d:af (AVX4E3DAF) via LAN15

    Now we get the expected behavior: the tagged DHCP requests are ignored and the untagged ones are answered:

    tcpdump -i LAN15
    tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
    listening on LAN15, link-type EN10MB (Ethernet), capture size 262144 bytes
    13:28:38.138240 IP 0.0.0.0.bootpc > 255.255.255.255.bootps: BOOTP/DHCP, Request from 24:d9:21:4e:3d:af (oui Unknown), length 300
    13:28:49.136942 IP 0.0.0.0.bootpc > 255.255.255.255.bootps: BOOTP/DHCP, Request from 24:d9:21:4e:3d:af (oui Unknown), length 300
    13:28:54.136940 IP 0.0.0.0.bootpc > 255.255.255.255.bootps: BOOTP/DHCP, Request from 24:d9:21:4e:3d:af (oui Unknown), length 300
    13:29:04.137034 IP 0.0.0.0.bootpc > 255.255.255.255.bootps: BOOTP/DHCP, Request from 24:d9:21:4e:3d:af (oui Unknown), length 300
    13:29:14.137082 IP 0.0.0.0.bootpc > 255.255.255.255.bootps: BOOTP/DHCP, Request from 24:d9:21:4e:3d:af (oui Unknown), length 300
    13:29:23.137149 IP 0.0.0.0.bootpc > 255.255.255.255.bootps: BOOTP/DHCP, Request from 24:d9:21:4e:3d:af (oui Unknown), length 300
    13:29:33.137199 IP 0.0.0.0.bootpc > 255.255.255.255.bootps: BOOTP/DHCP, Request from 24:d9:21:4e:3d:af (oui Unknown), length 300
    13:29:45.138577 IP 0.0.0.0.bootpc > 255.255.255.255.bootps: BOOTP/DHCP, Request from 24:d9:21:4e:3d:af (oui Unknown), length 300

    Above are the tagged requests, which are ignored, and below is the untagged request, which is then answered.

    13:29:46.142881 IP my.firewall.bootps > 192.168.200.2.bootpc: BOOTP/DHCP, Reply, length 370
    13:29:47.149656 IP 0.0.0.0.bootpc > 255.255.255.255.bootps: BOOTP/DHCP, Request from 24:d9:21:4e:3d:af (oui Unknown), length 300
    13:29:47.150022 IP my.firewall.bootps > 192.168.200.2.bootpc: BOOTP/DHCP, Reply, length 370
    13:29:47.463489 ARP, Request who-has 192.168.200.2 (Broadcast) tell 0.0.0.0, length 46
    13:29:48.464027 ARP, Request who-has 192.168.200.2 (Broadcast) tell 0.0.0.0, length 46

  4. #4

    Re: DHCPD incorrectly handles tagged packages

    Let me know if phoneboy can't help get this addressed on the backend (which seems like it should be possible).

  5. #5

    Re: DHCPD incorrectly handles tagged packages

    OK, I will. Thank you.

  6. #6

    Re: DHCPD incorrectly handles tagged packages

    The SR suggests it's a configuration issue, thus "operating as designed."
    And I'll be honest, reading through the SR, I'm not clear on what the configuration is.
    Is the port the device is connected to configured with a port-based VLAN or not?
    http://phoneboy.org
    Unless otherwise noted, views expressed are my own

  7. #7

    Re: DHCPD incorrectly handles tagged packages

    Quote Originally Posted by PhoneBoy:
    The SR suggests it's a configuration issue, thus "operating as designed."
    And I'll be honest, reading through the SR, I'm not clear on what the configuration is.
    Is the port the device is connected to configured with a port-based VLAN or not?
    No, it is not a configuration issue. The supporter just did not get the main issue.

    In the configuration that we want to use (which works on the 1100 with an older Linux kernel), there is no VLAN configured on the port.

    An Avaya phone is connected to the port, which first boots up in whichever VLAN it was before and does a DHCP request there. If it does not get an answer within 60s, it reboots and falls back to the default VLAN and tries DHCP there.

    As the port is not in the VLAN and no DHCP is configured for this VLAN, the DHCPD must not answer it; that's the bug shown above.

    If you like, I can provide you captures which show the problem.

    When you have the VLAN of the phone configured, then both DHCPDs send out an offer.

    The supporter just looked at the case, that the base interface was not configured and only the phone's VLAN (which is not known normally) is configured, which worked.

    As it is a known bug in the combination of Linux 3.10 with that DHCPD release, it is clearly a bug.

    I hope this explains the issue.

    From the Avaya docs:
    "Another system value you can administer is VLANTEST. VLANTEST defines the number of seconds the 9600 IP Series Telephone waits for a DHCPOFFER message when using a non-zero VLAN ID. The VLANTEST default is “60” seconds. Using VLANTEST ensures that the telephone returns to the default VLAN if an invalid VLAN ID is administered or if the phone moves to a port where the L2QVLAN value is invalid. The default value is long, allowing for the scenario that a major power interruption is causing the phones to restart. Always allow time for network routers, the DHCP servers, etc. to be returned to service. If the telephone restarts for any reason and the VLANTEST time limit expires, the telephone assumes the administered VLAN ID is invalid. The telephone then initiates registration with the default VLAN ID."
    Last edited by peter42; 2017-02-21 at 17:25.
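    The behaviour peter42 describes (the untagged LAN15 listener answering a DISCOVER that arrived tagged with the phone's old VLAN) and the corrected behaviour in the 4.3.5 capture above, as an added example that is not code from this thread, from Check Point or from ISC: a small Python parser that reads an Ethernet frame, extracts an optional 802.1Q tag, and applies the rule the 4.3.2 release notes describe for Linux. The sample frames are constructed inline (the phone MAC is the one in the capture; the IPv4/UDP headers are minimal and carry no DHCP options), and the pre-4.3.2 behaviour is modelled as `buggy_parent_answers`.

```python
import struct

ETH_P_8021Q = 0x8100   # 802.1Q tag ethertype
ETH_P_IP = 0x0800
BOOTPS = 67            # DHCP server port (bootps in the tcpdump output)

def parse_frame(frame):
    """Split an Ethernet II frame into header fields plus an optional 802.1Q VID."""
    if len(frame) < 14:
        raise ValueError("frame too short for Ethernet header")
    ethertype = struct.unpack("!H", frame[12:14])[0]
    vlan, offset = None, 14
    if ethertype == ETH_P_8021Q:
        tci, ethertype = struct.unpack("!HH", frame[14:18])
        vlan, offset = tci & 0x0FFF, 18          # low 12 bits of TCI are the VID
    return {"src": frame[6:12], "vlan": vlan, "ethertype": ethertype, "payload": frame[offset:]}

def is_dhcp_request(payload):
    """True for an IPv4/UDP datagram addressed to port 67 (a client DISCOVER/REQUEST)."""
    if len(payload) < 20 or payload[9] != 17:       # protocol field must be UDP
        return False
    ihl = (payload[0] & 0x0F) * 4
    dport = struct.unpack("!H", payload[ihl + 2:ihl + 4])[0]
    return dport == BOOTPS

def fixed_listener_answers(frame, listener_vlan=None):
    """Rule ISC dhcpd >= 4.3.2 applies on Linux: a listener on the untagged parent
    (listener_vlan=None) sees only untagged frames; a listener on a VLAN
    sub-interface sees only frames carrying that VID."""
    f = parse_frame(frame)
    if f["ethertype"] != ETH_P_IP or not is_dhcp_request(f["payload"]):
        return False
    return f["vlan"] == listener_vlan

def buggy_parent_answers(frame):
    """Pre-4.3.2 behaviour from the release notes: the parent interface also saw
    tagged frames, so the untagged server answered the phone's old VLAN too."""
    f = parse_frame(frame)
    return f["ethertype"] == ETH_P_IP and is_dhcp_request(f["payload"])

def build_discover(vlan=None):
    """Constructed sample frame: broadcast from the phone MAC in the capture,
    minimal IPv4 header 0.0.0.0 -> 255.255.255.255, UDP 68 -> 67, no DHCP options."""
    eth = b"\xff" * 6 + bytes.fromhex("24d9214e3daf")
    ip = bytes([0x45, 0, 0, 28, 0, 0, 0, 0, 64, 17, 0, 0]) + bytes(4) + b"\xff" * 4
    udp = struct.pack("!HHHH", 68, BOOTPS, 8, 0)
    if vlan is None:
        return eth + struct.pack("!H", ETH_P_IP) + ip + udp
    return eth + struct.pack("!HHH", ETH_P_8021Q, vlan & 0x0FFF, ETH_P_IP) + ip + udp
```

    With `build_discover(100)` the untagged listener returns False under the fixed rule but True under `buggy_parent_answers`, which is exactly the extra DHCPOFFER the phone received before it fell back to the default VLAN.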

  8. #8

    Re: DHCPD incorrectly handles tagged packages

    I just noticed you said you already tried a more recent dhcpd. Did you put that on your firewall? I think that would be the nail in the coffin of this being a dhcpd bug. If not, you can follow my blog post about making a Debian-based chroot, then compiling it statically or cross-compiling dhcpd statically.

    This is an example of installing a Kali chroot.

    http://blog.spikefishsolutions.com/2...point-750.html

    Space is an issue, so you'll need an SD card or USB drive.

    Good luck!

  9. #9

    Re: DHCPD incorrectly handles tagged packages

    Quote Originally Posted by jflemingeds:
    I just noticed you said you already tried a more recent dhcpd. Did you put that on your firewall? I think that would be the nail in the coffin of this being a dhcpd bug. If not, you can follow my blog post about making a Debian-based chroot, then compiling it statically or cross-compiling dhcpd statically.

    This is an example of installing a Kali chroot.

    http://blog.spikefishsolutions.com/2...point-750.html

    Space is an issue, so you'll need an SD card or USB drive.

    Good luck!
    Yes, that's what I did: cross-compiled the new DHCPD, put it on the 14xx and voila, it worked.

    The bug is fixed in 4.3.2:

    ftp://ftp.isc.org/isc/dhcp/4.3.2/dhcp-4.3.2-RELNOTES

    "- Modified linux packet handling such that packets received via VLAN are now
    seen only by the VLAN interface. Prior to this, such packets were seen by
    both the VLAN interface and its parent (physical) interface, causing the
    server to respond to both. Note this remains an issue for non-Linux OSs.
    Thanks to Jiri Popelka at Red Hat for the patch.
    [ISC-Bugs #37415]
    [ISC-Bugs #37133]
    [ISC-Bugs #36668]
    [ISC-Bugs #36652]"

    Here is one of the matching ISC bugs: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=643564

    Once again it is clearly a bug and not working as designed.

  10. #10

    Re: DHCPD incorrectly handles tagged packages

    Quote Originally Posted by peter42:
    Yes, that's what I did: cross-compiled the new DHCPD, put it on the 14xx and voila, it worked.

    The bug is fixed in 4.3.2:

    ftp://ftp.isc.org/isc/dhcp/4.3.2/dhcp-4.3.2-RELNOTES

    "- Modified linux packet handling such that packets received via VLAN are now
    seen only by the VLAN interface. Prior to this, such packets were seen by
    both the VLAN interface and its parent (physical) interface, causing the
    server to respond to both. Note this remains an issue for non-Linux OSs.
    Thanks to Jiri Popelka at Red Hat for the patch.
    [ISC-Bugs #37415]
    [ISC-Bugs #37133]
    [ISC-Bugs #36668]
    [ISC-Bugs #36652]"

    Here is one of the matching ISC bugs: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=643564

    Once again it is clearly a bug and not working as designed.
    I am pretty sure compiling your own binaries puts you into a "not supported" situation with Check Point.
    -------------

    Valeri Loukine
    CCMA, CCSM, CCSI
    http://checkpoint-master-architect.blogspot.com/

  11. #11

    Re: DHCPD incorrectly handles tagged packages

    Quote Originally Posted by varera:
    I am pretty sure compiling your own binaries puts you into a "not supported" situation with Check Point.
    Sure, I just did it to prove the error, not to use the binary in production (it is a POC installation anyhow).
    Last edited by peter42; 2017-02-22 at 05:37.

  12. #12

    Re: DHCPD incorrectly handles tagged packages

    Quote Originally Posted by peter42:
    Sure, I just did it to prove the error, not to use the binary in production (it is a POC installation anyhow).
    Thanks for sharing. Did Check Point refuse to correct the issue, actually?
    -------------

    Valeri Loukine
    CCMA, CCSM, CCSI
    http://checkpoint-master-architect.blogspot.com/

  13. #13

    Re: DHCPD incorrectly handles tagged packages

    Quote Originally Posted by varera:
    Thanks for sharing. Did Check Point refuse to correct the issue, actually?
    Yes, they recommend doing an RFE...

  14. #14

    Re: DHCPD incorrectly handles tagged packages

    Quote Originally Posted by peter42:
    Yes, they recommend doing an RFE...
    If there is a project at stake, escalate through sales channels.
    -------------

    Valeri Loukine
    CCMA, CCSM, CCSI
    http://checkpoint-master-architect.blogspot.com/

  15. #15

    Re: DHCPD incorrectly handles tagged packages

    Quote Originally Posted by varera:
    If there is a project at stake, escalate through sales channels.
    We tried that as well.

  16. #16

    Re: DHCPD incorrectly handles tagged packages

    Quote Originally Posted by peter42:
    We tried that as well.
    Ouch...
    -------------

    Valeri Loukine
    CCMA, CCSM, CCSI
    http://checkpoint-master-architect.blogspot.com/

  17. #17

    Re: DHCPD incorrectly handles tagged packages

    The good news is that the included DHCPD is expected to be upgraded to a more current version in an upcoming firmware release.
    http://phoneboy.org
    Unless otherwise noted, views expressed are my own

  18. #18

    Re: DHCPD incorrectly handles tagged packages

    Quote Originally Posted by PhoneBoy:
    The good news is that the included DHCPD is expected to be upgraded to a more current version in an upcoming firmware release.
    When will this happen and did our case trigger it?

  19. #19

    Re: DHCPD incorrectly handles tagged packages

    The planned upgrade of DHCPD was unrelated to your bug, but driven by upcoming features.
    However, I can say for sure R&D is now aware of your issue.
    Timeframe is the next few months.
    http://phoneboy.org
    Unless otherwise noted, views expressed are my own

  20. #20

    Re: DHCPD incorrectly handles tagged packages

    Quote Originally Posted by PhoneBoy:
    The planned upgrade of DHCPD was unrelated to your bug, but driven by upcoming features.
    However, I can say for sure R&D is now aware of your issue.
    Timeframe is the next few months.
    Thanks, and let's hope it will be fairly quick.
