I have a gateway server at a clients office and it has a WAN and a LAN.
Today was very weird as the LAN IP completely dropped off for no reason what so ever. I had to go into interfaces on the web interface and edit it and click on ok for it to get it back again. This was a static IP address not one using DHCP so it was even weirder it happened.
Also weird is the fact there are alot of dhclient requests for eth1 (LAN IP) in /var/log/messages
This happened up to the time I set up an IP address again and has seemed to have calmed down. Don't know if this is relevant but snort also did a report 5 minutes after this.
I checked yesterdays log for eth1 and noticed it was doing the same thing. As this has happened only this one time I want to maybe chalk this up for a random situation however looking at my other clearos servers that are gateway and do dhcp none of them have this much dhclient requests like this one does which does have me a bit paranoid. Has anyone come across this before?
Today was very weird as the LAN IP completely dropped off for no reason what so ever. I had to go into interfaces on the web interface and edit it and click on ok for it to get it back again. This was a static IP address not one using DHCP so it was even weirder it happened.
Also weird is the fact there are alot of dhclient requests for eth1 (LAN IP) in /var/log/messages
Oct 20 00:04:26 maat dhclient[17062]: DHCPREQUEST on eth1 to 255.255.255.255 port 67 (xid=0x585209c1)
Oct 20 00:04:40 maat dhclient[17062]: DHCPREQUEST on eth1 to 255.255.255.255 port 67 (xid=0x585209c1)
Oct 20 00:04:55 maat dhclient[17062]: DHCPREQUEST on eth1 to 255.255.255.255 port 67 (xid=0x585209c1)
Oct 20 00:05:02 maat dhclient[17062]: DHCPREQUEST on eth1 to 255.255.255.255 port 67 (xid=0x585209c1)
Oct 20 00:05:16 maat dhclient[17062]: DHCPREQUEST on eth1 to 255.255.255.255 port 67 (xid=0x585209c1)
Oct 20 00:05:34 maat dhclient[17062]: DHCPREQUEST on eth1 to 255.255.255.255 port 67 (xid=0x585209c1)
Oct 20 00:05:52 maat dhclient[17062]: DHCPREQUEST on eth1 to 255.255.255.255 port 67 (xid=0x585209c1)
Oct 20 00:06:08 maat dhclient[17062]: DHCPREQUEST on eth1 to 255.255.255.255 port 67 (xid=0x585209c1)
Oct 20 00:06:28 maat dhclient[17062]: DHCPREQUEST on eth1 to 255.255.255.255 port 67 (xid=0x585209c1)
Oct 20 00:06:38 maat dhclient[17062]: DHCPREQUEST on eth1 to 255.255.255.255 port 67 (xid=0x585209c1)
Oct 20 00:06:53 maat dhclient[17062]: DHCPREQUEST on eth1 to 255.255.255.255 port 67 (xid=0x585209c1)
Oct 20 00:07:14 maat dhclient[17062]: DHCPREQUEST on eth1 to 255.255.255.255 port 67 (xid=0x585209c1)
Oct 20 00:07:33 maat dhclient[17062]: DHCPREQUEST on eth1 to 255.255.255.255 port 67 (xid=0x585209c1)
Oct 20 00:07:41 maat dhclient[17062]: DHCPREQUEST on eth1 to 255.255.255.255 port 67 (xid=0x585209c1)
This happened up to the time I set up an IP address again and has seemed to have calmed down. Don't know if this is relevant but snort also did a report 5 minutes after this.
I checked yesterdays log for eth1 and noticed it was doing the same thing. As this has happened only this one time I want to maybe chalk this up for a random situation however looking at my other clearos servers that are gateway and do dhcp none of them have this much dhclient requests like this one does which does have me a bit paranoid. Has anyone come across this before?
In IP Settings
Share this post:
Responses (4)
-
Accepted Answer
-
Accepted Answer
-
Accepted Answer
Nick,
Thanks for the reply. Looking at the yum log I haven't gotten updates since Jul 16
Apr 26 00:14:52 Updated: authconfig-6.1.12-23.el6.x86_64
Apr 26 00:14:52 Updated: tzdata-2015c-2.el6.noarch
Apr 26 00:14:52 Updated: freetype-2.3.11-15.el6_6.1.x86_64
Apr 26 00:14:52 Updated: polkit-0.96-11.el6.x86_64
May 08 14:04:28 Erased: app-network-detail-report
May 08 14:04:29 Erased: app-network-detail-report-core
May 08 14:04:29 Erased: pmacct
Jul 16 11:08:02 Erased: zarafa-webapp-files
Jul 16 11:08:33 Erased: zarafa-webapp-sugarcrm
Jul 16 11:09:25 Erased: zarafa-webapp-quickitems
Jul 16 11:09:25 Erased: zarafa-webapp-contactfax
Jul 16 11:09:25 Erased: zarafa-webapp-zperformance
Here is the only info related to syncaction but it's quite old from last year.
/var/log/secure-20140914
Sep 8 10:21:48 maat sudo: clearsync : TTY=unknown ; PWD=/ ; USER=root ; COMMAND=/usr/sbin/syncaction samba configuration_change_event
Sep 11 23:21:25 maat sudo: clearsync : TTY=unknown ; PWD=/ ; USER=root ; COMMAND=/usr/sbin/syncaction mail_filter
/var/log/secure-20140921
/var/log/secure-20140928
/var/log/secure-20141005
Oct 1 01:38:24 maat sudo: clearsync : TTY=unknown ; PWD=/ ; USER=root ; COMMAND=/usr/sbin/syncaction web_server configuration_change_event -
Accepted Answer
The log is like eth1 is a dynamic (DHCP) IP. It would be very odd for an interface to switch from static to dynamic on its own. In your logs was there anything like a "syncaction" reported at the time. I think syncaction goes into /var/log/system but I can't remember. Also can you check your yum.log for that time?
Please login to post a reply
You will need to be logged in to be able to post a reply. Login using the form on the right or register an account if you are new here.
Register Here »