I am using 6.1, but I've been using a custom Perl script to update from
RADIUS accounting since 5.0 so it hasn't changed.

I'm using the UDP reflector for L3 DHCP messages now.  This wouldn't have
worked when I was using DHCP Relay before.

I'm on 5.0.  Maybe it was the short lease times for the
registration/isolation network?


On Tue, May 19, 2015 at 10:00 AM, Derek Wuelfrath <[email protected]>
wrote:

> Hello Tim,
>
> First of all, thanks for reporting!
>
> Problem:  Palo Alto timeout expects minutes, not seconds (At least on 6.1,
> can't say for sure, so the timeout is set WAY higher than it should be.
> Resolution:  $timeout = ( $timeout / 60); in PaloAlto.pm
>
> Were you using Palo Alto before 6.1? I’d change it but I don’t want it to
> break previous versions. I’ll have a look at their “Changelog”.
>
> Problem:  SSO (And update_iplog in general from pfdhcplistener) use the
> client's REQUESTED lease time for SSO updates.  For an iPhone, I
> see 7776000.  This isn't what the DHCP server said to use, so it's
> inaccurate.
> Solution:  Move the call to firewallsso from the parse_dhcp_request sub to
> parse_dhcp_ack sub.
>
> You are effectively right. We should consider the ACK in that case. The
> problem that I see would be when PacketFence is configured to receive a
> copy of the DHCP traffic in L3 environment… in those cases, ACK is sent
> unicast to the requesting client which means that PacketFence wouldn’t
> receive a copy of it...
>
> Also. I actually disabled update_iplog in parse_dhcp_request, and for
> DHCPACK CIADDR in parse_dhcp_ack because it seems to generate a TON of
> extra iplog entries every time devices rebind.  I've never seen one with a
> lease time defined, so it seems redundant.
>
> Which version of PacketFence are you running? Starting with v5, we
> modified iplog so that there’s no new entry being created and we are
> “updating” existing ones.
>
> Cheers!
> dw.
>
> --
> Derek Wuelfrath
> [email protected] :: +1.514.447.4918 (x110) :: +1.866.353.6153 (x110)
> Inverse inc. (www.inverse.ca) :: Leaders behind SOGo (www.sogo.nu) and
> PacketFence (www.packetfence.org)
>
> On May 15, 2015 at 12:53:45, Tim DeNike ([email protected]) wrote:
>
>  Problem:  Palo Alto timeout expects minutes, not seconds (At least on
> 6.1, can't say for sure, so the timeout is set WAY higher than it should be.
> Resolution:  $timeout = ( $timeout / 60); in PaloAlto.pm
>
> Problem:  SSO (And update_iplog in general from pfdhcplistener) use the
> client's REQUESTED lease time for SSO updates.  For an iPhone, I
> see 7776000.  This isn't what the DHCP server said to use, so it's
> inaccurate.
> Solution:  Move the call to firewallsso from the parse_dhcp_request sub to
> parse_dhcp_ack sub.
>
>
> Also. I actually disabled update_iplog in parse_dhcp_request, and for
> DHCPACK CIADDR in parse_dhcp_ack because it seems to generate a TON of
> extra iplog entries every time devices rebind.  I've never seen one with a
> lease time defined, so it seems redundant.
>
>
>
> PacketFence-users mailing list
> [email protected]
> https://lists.sourceforge.net/lists/listinfo/packetfence-users
>
>
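The two fixes discussed in this thread, as an added Perl sketch that is not PacketFence code: take the lease time only from the DHCPACK (option 51) instead of the client's DHCPREQUEST, and convert seconds to minutes before passing it to the firewall. The sub names, the constructed sample packets and the round-up to whole minutes are assumptions of this example.

```perl
use strict;
use warnings;

# Constructed sample payload (not captured traffic): zeroed 236-byte BOOTP header,
# magic cookie, option 53 (message type), option 51 (lease seconds), end marker.
sub build_dhcp {
    my ($msg_type, $lease) = @_;
    return join '', "\0" x 236, pack('N', 0x63825363),
        pack('C3', 53, 1, $msg_type), pack('CCN', 51, 4, $lease), pack('C', 255);
}

# Walk the options field; returns { code => raw value } or undef if malformed.
sub dhcp_options {
    my ($payload) = @_;
    return unless length($payload) >= 240
        && unpack('N', substr($payload, 236, 4)) == 0x63825363;
    my %opt;
    my $pos = 240;
    while ($pos < length($payload)) {
        my $code = ord(substr($payload, $pos++, 1));
        next if $code == 0;                         # pad option
        last if $code == 255;                       # end option
        return if $pos >= length($payload);         # truncated before the length byte
        my $len = ord(substr($payload, $pos++, 1));
        return if $pos + $len > length($payload);   # value runs past the packet
        $opt{$code} = substr($payload, $pos, $len);
        $pos += $len;
    }
    return \%opt;
}

# SSO timeout in minutes, or undef when the packet must not drive an SSO update.
# Only a DHCPACK (type 5) carries the lease the server actually granted.
sub sso_timeout_minutes {
    my ($payload) = @_;
    my $opt = dhcp_options($payload) or return;
    return unless ord($opt->{53} // '') == 5;
    return unless defined $opt->{51} && length($opt->{51}) == 4;
    my $seconds = unpack('N', $opt->{51});
    return int(($seconds + 59) / 60);   # assumption: round up so short leases never become 0
}

my @samples = (
    ['DHCPREQUEST', build_dhcp(3, 7776000)],   # client asks for 90 days, as in the thread
    ['DHCPACK',     build_dhcp(5, 3600)],      # server grants 1 hour (constructed value)
);
for my $s (@samples) {
    my $m = sso_timeout_minutes($s->[1]);
    printf "%-12s -> %s\n", $s->[0], defined($m) ? "SSO timeout $m min" : 'ignored for SSO';
}
```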