KeaDHCP HA service terminated

Started by sha256, March 12, 2025, 03:26:01 PM

Hello all,

We are running two physical firewalls with OPNsense (version OPNsense 24.4.3-amd64). If we run the service in HA mode (Settings > HA enabled, configured server name as well as peers with machine names), we run into the following issue:

2025-03-12T13:14:30   Error   kea-dhcp4   ERROR [kea-dhcp4.ha-hooks.0x83a362400] HA_TERMINATED HA service terminated due to an unrecoverable condition. Check previous error message(s), address the problem and restart!

2025-03-12T13:14:30   Error   kea-dhcp4   ERROR [kea-dhcp4.ha-hooks.0x83a362400] HA_LEASE_UPDATE_REJECTS_CAUSED_TERMINATION too many rejected lease updates cause the HA service to terminate

In the documentation for KeaDHCP (https://kea.readthedocs.io/en/latest/kea-messages.html) I read that this is due to the current value exceeding the definition in max-rejected-lease-updates. Is there a way to check / change this value in OPNsense?

After HA mode is terminated, even changing a lease reservation will cause the DHCP server to crash with:

INFO [kea-dhcp4.ha-hooks.0x83bce5800] HA_TERMINATED_RESTART_PARTNER waiting for the partner in the TERMINATED state to be restarted

INFO [kea-dhcp4.ha-hooks.0x831bea000] HA_LOCAL_DHCP_DISABLE local DHCP service is disabled while the fw1 is in the WAITING state

Informational kea-dhcp4 INFO [kea-dhcp4.dhcp4.0x8341f0000] DHCP4_SHUTDOWN server shutdown

- Would changing the max-rejected-lease-updates value resolve this issue?
- What could be causing the lease updates to fail? We have around 20 VLANs; one VLAN (19 netmask) is being served from an external DHCP server.
- Should we revert to ISC DHCP and/or turn off HA on the KeaDHCP?
- Will there be a fix in a newer version or is this planned?

Thank you for one (or several) answers :)

sha256
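
An added example, not part of the original post and not OPNsense or Kea code: a small Python triage script that reads the log lines quoted above and reports why the HA service terminated. The function names are made up for this illustration, and the sample input is the post's own log lines.

```python
import re

# Constructed sample: the Kea log lines quoted in the post, in the order shown there.
SAMPLE_LOG = """\
2025-03-12T13:14:30   Error   kea-dhcp4   ERROR [kea-dhcp4.ha-hooks.0x83a362400] HA_TERMINATED HA service terminated due to an unrecoverable condition. Check previous error message(s), address the problem and restart!
2025-03-12T13:14:30   Error   kea-dhcp4   ERROR [kea-dhcp4.ha-hooks.0x83a362400] HA_LEASE_UPDATE_REJECTS_CAUSED_TERMINATION too many rejected lease updates cause the HA service to terminate
INFO [kea-dhcp4.ha-hooks.0x83bce5800] HA_TERMINATED_RESTART_PARTNER waiting for the partner in the TERMINATED state to be restarted
INFO [kea-dhcp4.ha-hooks.0x831bea000] HA_LOCAL_DHCP_DISABLE local DHCP service is disabled while the fw1 is in the WAITING state
Informational kea-dhcp4 INFO [kea-dhcp4.dhcp4.0x8341f0000] DHCP4_SHUTDOWN server shutdown
"""

# Kea's own part of each line: LEVEL [logger.thread-id] MESSAGE_ID free text
KEA_RE = re.compile(
    r"\b(?P<level>FATAL|ERROR|WARN|INFO|DEBUG)\s+"
    r"\[(?P<logger>[\w.-]+)\.0x[0-9a-f]+\]\s+"
    r"(?P<msgid>[A-Z][A-Z0-9_]+)\s*(?P<text>.*)"
)

def parse(log):
    """Return one dict per line that carries a Kea message; other lines are skipped."""
    return [m.groupdict() for m in map(KEA_RE.search, log.splitlines()) if m]

def summarize_ha(log):
    """Summarize the HA outcome recorded in a block of Kea log text."""
    events = parse(log)
    ha = [e for e in events if e["logger"].endswith(".ha-hooks")]
    ids = [e["msgid"] for e in events]
    return {
        "terminated": "HA_TERMINATED" in ids,
        # HA_TERMINATED only says "check previous error message(s)"; the cause is
        # any other ERROR from the HA hook, whichever side of it the viewer shows.
        "causes": [e["msgid"] for e in ha
                   if e["level"] == "ERROR" and e["msgid"] != "HA_TERMINATED"],
        "local_dhcp_disabled": "HA_LOCAL_DHCP_DISABLE" in ids,
        "server_shutdown": "DHCP4_SHUTDOWN" in ids,
    }

if __name__ == "__main__":
    for key, value in summarize_ha(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```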


Hello, please open an issue on GitHub for this so it can be evaluated.

https://github.com/opnsense/core
Hardware:
DEC740