topic Re: Destination mac in General Topics

Destination mac

jdprovine — Fri, 16 Nov 2018 14:32:11 GMT

I was having issues with DHCP being blocked, so I can a packet capture from the PA to see if I could tell was was blocking the DHCP traffic and if it could possbile be the PA. It shows the mac address of the interface on the PA as the source and then its lists a mac address that I cannot identify as the destination. So if anyone has any ideas of how to figure out what that destination mac belongs too I would appreicate it. The PA has to be reading it from somewhere

Re: Destination mac

Raido_Rattameister — Fri, 16 Nov 2018 14:47:10 GMT

DHCP has following steps:

Discover (client sends packet with it's own source mac to destination mac FF:FF:FF:FF:FF:FF).

Offer (DHCP servers reply with their source mac and destination mac is client mac address.

Request

Acnowledge

So looks like Offer packet got dropped.

You have to check switch mac address table to identify switchport client mac is connected to.

Do you know what switches you have so we can help you with command?

I would start with

show mac-address-table

show mac-address-table | include xxxx (replace xxxx with client mac)

Re: Destination mac

jdprovine — Fri, 16 Nov 2018 15:15:31 GMT

@Raido_Rattameister

Yeah it doesn't get past the discover, but we have already search the switches and the core switches no sign of that address in any of the mac address-table so where did the PA get it

Re: Destination mac

nextgenhappines — Fri, 16 Nov 2018 15:19:15 GMT

Just out of curious, which stage of the capture are you reviewing? Also, can you share that mac address?

Re: Destination mac

jdprovine — Fri, 16 Nov 2018 15:27:31 GMT

@nextgenhappines

I am sharing from the drop traffic and the mac address appears as destination (00:70:76:69:66:00) from the PA during the DHCP discover.

Re: Destination mac

OtakarKlier — Fri, 16 Nov 2018 15:58:00 GMT

Hello,

To allow DHCP between zones, you need an inbound policy and outbound. The Client makes hte request, indound. Then the server gets the request and sends a reply, the outbound component. So its sources from each, client and server, thus you need a policy to allow traffic both ways.

Regards,

Re: Destination mac

jdprovine — Fri, 16 Nov 2018 16:01:13 GMT

@OtakarKlier

It has been working for a few years and suddenly stopped working, so we did some packet captures and now trying to hunt down why the 1 vlan quit working correctly

Re: Destination mac

OtakarKlier — Fri, 16 Nov 2018 16:03:39 GMT

Hello,

If the firewall is not blocking any traffic, need to look at everything else.

Check the ip helper on the vlan

verify the dhcp server is seeing the requests, you can enable logging

verify the reply packet is getting set back via the firewall logs

Hope that helps.

Re: Destination mac

nextgenhappines — Fri, 16 Nov 2018 16:11:50 GMT

Is the firewall configured as dhcp relay or as a dhcp server for that vlan? I wonder if try to use debug flow basic may give it bit more insight of what the firewall is doing?

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000Clf1CAC

Re: Destination mac

jdprovine — Fri, 16 Nov 2018 16:18:52 GMT

@nextgenhappines

At the time this packet capture was taken it was being used as a DHCP relay server, to get it to work we are nowing serving DHCP to that vlan using the PA. I will take a look at the link, course we would have to take the work around off, to do the testing so I need to schedule a time. So the mac address I have as a destination where is it getting that? Could it be bogus?

Re: Destination mac

nextgenhappines — Fri, 16 Nov 2018 16:21:08 GMT

I can't verify it.. If I have to take a guess it maybe the internal mac addresses between the data planes and management planes in the firewall.

Re: Destination mac

jdprovine — Fri, 16 Nov 2018 17:01:07 GMT

@nextgenhappines

I did not know there could be a mac address between the dataplane and the management plane, never really thought about it

Re: Destination mac

Raido_Rattameister — Fri, 16 Nov 2018 19:10:46 GMT

If you now serve IPs from PA do you see this mac in firewall?

show dhcp server lease interface all

show dhcp server lease interface all | match xxxx

Re: Destination mac

jdprovine — Fri, 16 Nov 2018 20:44:14 GMT

@nextgenhappines

Is it called the control plane?

Re: Destination mac

Raido_Rattameister — Fri, 16 Nov 2018 21:01:42 GMT

Control Plane and Management Plane is one and the same. Some Palo documentation uses one some other name 😉

Re: Destination mac

jdprovine — Fri, 16 Nov 2018 21:05:04 GMT

@Raido_Rattameister

Thanks I thought that would be the case, so that is my mystery mac address, so should it be listing that management plan and not the mac address of the server that the PA is trying to relay it too, it lists the destination IP for the DHCP server correctly but gives the mac address of the management plane as the destination not the mac of the DHCP server

Re: Destination mac

nextgenhappines — Fri, 16 Nov 2018 21:10:08 GMT

Those internal mac addresses are not listed on the management plane. If you still have the packets with all the other stages (recevie, transmit, firewall and drop). Check on the other capture if that mystery mac address is present.

Re: Destination mac

jdprovine — Fri, 16 Nov 2018 21:16:47 GMT

@nextgenhappines

I think I only have the drop, so does that mean that the management plane is failing to pass the traffic on , it show the IP address of the DHCP server in the capture but then list the managemen plane and the destination mac, that doesn't seem right, LOL

Re: Destination mac

nextgenhappines — Fri, 16 Nov 2018 22:01:26 GMT

It is diificult to determine the cause without additiional information. It could due to many thing, for example, security policy block and others. It will be helpful to have a debug flow basic and show counter global filter packet-filter yes delta yes output to provide more information.

Is this the only dhcp relay configured on the firewall? Do you have a network diagram that can provide additional information about the setup. Also, as others already said, any packet captures or logs on the DHCP server end?

Re: Destination mac

jdprovine — Fri, 16 Nov 2018 22:11:41 GMT

@Raido_Rattameister

support sent me a doc
based on that he says the management plane is something completely different from the control plane. I think it shows the are one and the same

https://media.paloaltonetworks.com/documents/Single_Pass_Parallel_Processing_Architecture.pdf