https://live.paloaltonetworks.com/t5/general-topics/dhcp-relay-with-source-nat-blocked/m-p/309167#M80146 <P>Hi,</P><P>&nbsp;</P><P>a customer has two PA VMs in the Azure cloud with internal loadbalancers configured. Unfortunately the DHCP server is also running there. In order to perform symmetric return a source nat is needed on the firewall. However this breaks the DHCP flow between DHCP relay and windows DHCP server. The DHCP server always replies to the relay agent (switch or on-premise firewall) address instead of the source IP which is the firewall ip. When the DHCP server sends the DHCP Offer message back to the relay agent address the packet is blocked, which is also described in this knowledge article:</P><P>&nbsp;</P><P><A href="https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClZUCA0" target="_blank">https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClZUCA0</A></P><P>&nbsp;</P><P>My question is why it is blocking the DHCP Offer, the protocol is UDP and shouldn't the firewall just see it as a new session?</P><P>&nbsp;</P><P>Thanks</P><P>&nbsp;</P><P>&nbsp;</P> Mon, 03 Feb 2020 15:33:52 GMT JuergenHolzer 2020-02-03T15:33:52Z https://live.paloaltonetworks.com/t5/general-topics/dhcp-relay-with-source-nat-blocked/m-p/309167#M80146 <P>Hi,</P><P>&nbsp;</P><P>a customer has two PA VMs in the Azure cloud with internal loadbalancers configured. Unfortunately the DHCP server is also running there. In order to perform symmetric return a source nat is needed on the firewall. However this breaks the DHCP flow between DHCP relay and windows DHCP server. The DHCP server always replies to the relay agent (switch or on-premise firewall) address instead of the source IP which is the firewall ip. When the DHCP server sends the DHCP Offer message back to the relay agent address the packet is blocked, which is also described in this knowledge article:</P><P>&nbsp;</P><P><A href="https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClZUCA0" target="_blank">https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClZUCA0</A></P><P>&nbsp;</P><P>My question is why it is blocking the DHCP Offer, the protocol is UDP and shouldn't the firewall just see it as a new session?</P><P>&nbsp;</P><P>Thanks</P><P>&nbsp;</P><P>&nbsp;</P> Mon, 03 Feb 2020 15:33:52 GMT https://live.paloaltonetworks.com/t5/general-topics/dhcp-relay-with-source-nat-blocked/m-p/309167#M80146 JuergenHolzer 2020-02-03T15:33:52Z https://live.paloaltonetworks.com/t5/general-topics/dhcp-relay-with-source-nat-blocked/m-p/309219#M80153 <P>It's hard to pinpoint the issue without details, but the article says as below.<BR /><EM>"This incorrect flow was dropped by the firewall, which caused the end hosts to not receive the IP address because the DHCP Offer never reached the DHCP relay device."</EM></P><P>&nbsp;</P><P>1) I recommend you to check the network reachability.<BR />2) Check the firewall rules.<BR />3) You may use the following CLI commands if the packets are dropping, or do a packet capture on the firewall.</P><P>&gt; show counter global filter severity drop<BR />&gt; show counter global filter delta yes severity drop</P><P>&nbsp;</P><P>Hope this helps,</P><P>&nbsp;</P> Mon, 03 Feb 2020 18:32:59 GMT https://live.paloaltonetworks.com/t5/general-topics/dhcp-relay-with-source-nat-blocked/m-p/309219#M80153 AnalysisMan 2020-02-03T18:32:59Z