Checking DHCP Services With Nagios

[Ric_]

I'm reconfiguring my Nagios box as I move it over to a VM. I want to add DHCP monitoring but I can't quite get my head around it.

I have 1 DHCP server (a Server 2003 box). I also have a WDS server - WDS makes this act as a DHCP proxy.

What I'm trying to figure out is this.... should I always receive my DHCP offer from the WDS box (as it appears from manually running check_dhcp) or will I sometimes get a lease from the DHCP server? Also, how should I set up the dependencies?

It's far too early to be thinking about this stuff!

[Geoff]

One should only have one DHCP server per Ethernet segment, unless your doing fancy fail over/redundancy stuff.

So therefore you need two DHCP checks, one for the segment where your WDS proxy lives and one for the segment where your 2k3 server is.

As you only have one nagios box, you'll need to use the remote checks (e.g. a remote Linux box running NRPE) to check the non-local Ethernet segment.

[Ric_]

@Geoff: The WDS box is not a DHCP server... it appears as a DHCP proxy and, from what I can see, the client machines believe that their request is fullfilled by this box.

See the following debug data:

Code:

monitoring:/usr/local/nagios/libexec# ./check_dhcp -m 00110abba1f8 -r 192.168.1.100 -v -s 192.168.0.11
Requested server address: 192.168.0.11
DHCP socket: 3
DHCPDISCOVER to 255.255.255.255 port 67
DHCPDISCOVER XID: 837531199 (0x31EBB63F)
DHCDISCOVER ciaddr:  0.0.0.0
DHCDISCOVER yiaddr:  0.0.0.0
DHCDISCOVER siaddr:  0.0.0.0
DHCDISCOVER giaddr:  0.0.0.0
send_dhcp_packet result: 548




recv_result_1: 300
recv_result_2: 300
receive_dhcp_packet() result: 300
receive_dhcp_packet() source: 192.168.0.3
Result=OK
DHCPOFFER from IP address 192.168.0.11 via 192.168.0.3
DHCPOFFER XID: 837531199 (0x31EBB63F)
DHCPOFFER chaddr: 00110ABBA1F8
DHCPOFFER ciaddr: 0.0.0.0
DHCPOFFER yiaddr: 192.168.1.100
DHCPOFFER siaddr: 192.168.0.11
DHCPOFFER giaddr: 0.0.0.0
Option: 53 (0x01)
Option: 1 (0x04)
Option: 58 (0x04)
Option: 59 (0x04)
Lease Time: 0 seconds
Renewal Time: 345600 seconds
Rebinding Time: 604800 seconds
Added offer from server @ 192.168.0.11 of IP address 192.168.1.100


No (more) data received (nfound: 0)
Result=ERROR
Total responses seen on the wire: 1
Valid responses for this machine: 1
DHCP Server Match: Offerer=192.168.0.11 Requested=192.168.0.11
OK: Received 1 DHCPOFFER(s), 1 of 1 requested servers responded, requested address (192.168.1.100) was offered, max lease time = 0 sec.

That probably doesn't make things very much clearer but it kind of shows how I don't have 2 DHCP servers.

[Geoff]

Ok fair enough. The WDS server is your DHCP source. Configure Nagios as appropirate.

Don't forget you can still do event log and service status checks on the other machine though if you want 'more' detail of your DHCP service status. e.g. to work out which box broke.

[Ric_]

@Geoff: I could monitor the event logs, etc. but that doesn't show that clients are getting DHCP leases from the correct place... I need to configure both to cover all bases. I have reservations that I know the leases for so can check I don't have a 'rogue' DHCP server (assuming some clever should hasn't worked out my reservations of course but what are the chances?).

[Geoff]

Indeed you should really do both to 'cover' every possible failure situation. Otherwise you will end up with Nagios lying to you about what's going on. Mis-information is worse than no information at all!

With check_dhcp you can ask it to make sure the DHCP OFFER is coming from the correct IP address. So you can use that to check for rogue DHCP servers.

Code:

root@praxis:/usr/local/nagios/libexec# ./check_dhcp -h
check_dhcp v2018 (nagios-plugins 1.4.13)
Copyright (c) 2001-2004 Ethan Galstad (nagios@nagios.org)
Copyright (c) 2001-2007 Nagios Plugin Development Team
        <nagiosplug-devel@lists.sourceforge.net>

This plugin tests the availability of DHCP servers on a network.


Usage: check_dhcp [-v] [-u] [-s serverip] [-r requestedip] [-t timeout]
                  [-i interface] [-m mac]

Options:
 -h, --help
    Print detailed help screen
 -V, --version
    Print version information
 -v, --verbose
    Show details for command-line debugging (Nagios may truncate output)
 -s, --serverip=IPADDRESS
    IP address of DHCP server that we must hear from
 -r, --requestedip=IPADDRESS
    IP address that should be offered by at least one DHCP server
 -t, --timeout=INTEGER
    Seconds to wait for DHCPOFFER before timeout occurs
 -i, --interface=STRING
    Interface to to use for listening (i.e. eth0)
 -m, --mac=STRING
    MAC address to use in the DHCP request
 -u, --unicast
    Unicast testing: mimic a DHCP relay, requires -s

Send email to nagios-users@lists.sourceforge.net if you have questions
regarding use of this software. To submit patches or suggest improvements,
send email to nagiosplug-devel@lists.sourceforge.net

[Ric_]

With check_dhcp you can ask it to make sure the DHCP OFFER is coming from the correct IP address. So you can use that to check for rogue DHCP servers.

This is what led to my question though. Nobody I have spoken to can seem to give a definitive answer whether the DHCP lease should always appear to come from the DHCP proxy or if it may also come from the DHCP server.

[Geoff]

That depends on your setup. As I tried to explain normally you'd use a DHCP relay on a router, that can see the 'extra' subnet(s) that the DHCP server can't (because broadcasts don't propagate over layer 3).

Your setup isn't normal. It's some weird windowism. Therefore your out on your own. What I would suggest to diagnose the situation is to sniff the network while requesting a DHCP lease and see what replies. Basically if all else fails, go and test it for real.

[petectid]

If your workstations can see your 2003 DHCP server ie. it can receive their requests on the network for an address then the process will complete without going through the DHCP Proxy. Is that what you are asking Ric. In the past I've split the scope between servers and the only way of knowing which DHCP server has issued the address is by looking at which part of the scope it was from and knowing that that came from server A and not server B. Therefore if your DHCP server responds before your proxy the address comes from there albeit from the same scope, makes a proxy a bit redundant don't you think. You could use Wireshark to view whats going on when a lease is requested you will soon find out which machine is quickest to respond, one of my servers was much faster and its address pool would often expire before the second smaller pool was used.