DHCP Issue

L4 Transporter

DHCP Issue

We have two VLANs that terminate on a PA-3020 firewall. One VLAN (100) uses DHCP relay and works without any issues.

The DHCP relay exists on the firewall for VLAN 100, but this relays to an internal DHCP server on our network.

The other VLAN (200) uses the PA-3020 as a DHCP server, but this is not working. The DHCP server for VLAN 200 is hosted on the firewall itself.

In the packet captures of the DHCP discover and DHCP offer packets for VLAN 200, we see the BOOTP flag set to broadcast.

In the DHCP offer packet for VLAN 100, the BOOTP flag is set to unicast.
 
How can we fix this issue?
L4 Transporter

Re: DHCP Issue

Hello

What version of code are you running on the 3020?

I just did a packet capture of my VM firewall and it does perform a unicast as you confirmed.

So, if your FW is sending the DHCP as a broadcast, something in the underlying code may be causing this.

Hence the reason to ask about the software version.

Thanks

L4 Transporter

Re: DHCP Issue

Hi @SteveCantwell

Using 8.1.9.


L1 Bithead

Re: DHCP Issue

@FarzanaMustafa looking through the RFC, the Broadcast bit is set by the client and only when the client is not able to receive IP unicast messages before its IP stack is fully configured. Per the RFC, if the flag is set to "1" then the server SHOULD send as an IP broadcast; if the flag is set to "0" then the server SHOULD send as an IP unicast, the latter being pretty typical these days with modern IP stacks. In either case the DHCP server SHOULD honor the client request.

Can you clarify what you are seeing and if you are seeing this at the client, the server or the FW?
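To make the RFC 2131 rule in the reply above concrete, here is an added example (not code from any poster, Palo Alto, or the thread) that parses the BOOTP header of a DHCP message, reads the 'flags' field, and returns where a server SHOULD send the DHCPOFFER: to the relay agent if giaddr is set, to ciaddr if the client already has one, to the limited broadcast address if the client set the broadcast bit, otherwise unicast to the offered address. It also runs the consistency check a practitioner would apply to a capture like the one in the original post: the offer must echo the discover's xid, chaddr and flags, so a broadcast offer answering a broadcast-flagged discover is the server honoring the request, not a fault. The sample messages, MAC address and addresses are constructed here and are assumptions, not values from the thread.

```python
import struct
from dataclasses import dataclass
from typing import Optional

# BOOTP fixed header (RFC 951 / RFC 2131): 236 bytes, then the 4-byte DHCP
# magic cookie and TLV options.
BOOTP_HEADER = "!BBBBIHH4s4s4s4s16s64s128s"
MAGIC_COOKIE = b"\x63\x82\x53\x63"
BROADCAST_FLAG = 0x8000          # most significant bit of the 16-bit 'flags' field
OPT_MSG_TYPE = 53
DHCPDISCOVER, DHCPOFFER = 1, 2
ZERO_IP = "0.0.0.0"


@dataclass
class Bootp:
    op: int
    xid: int
    flags: int
    ciaddr: str
    yiaddr: str
    giaddr: str
    chaddr: bytes            # first hlen bytes of the field: the client MAC
    msg_type: Optional[int]  # DHCP option 53, None if absent


def _ip(raw: bytes) -> str:
    return ".".join(str(b) for b in raw)


def _raw(ip: str) -> bytes:
    return bytes(int(p) for p in ip.split("."))


def parse_bootp(data: bytes) -> Bootp:
    """Parse the BOOTP header and pull the DHCP message type out of the options."""
    if len(data) < 240 or data[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP message (short or missing magic cookie)")
    (op, _htype, hlen, _hops, xid, _secs, flags, ciaddr, yiaddr, _siaddr,
     giaddr, chaddr, _sname, _file) = struct.unpack(BOOTP_HEADER, data[:236])
    msg_type = None
    i = 240
    while i < len(data):
        tag = data[i]
        if tag == 0:              # pad option, no length byte
            i += 1
            continue
        if tag == 255:            # end option
            break
        length = data[i + 1]
        if tag == OPT_MSG_TYPE and length == 1:
            msg_type = data[i + 2]
        i += 2 + length
    return Bootp(op, xid, flags, _ip(ciaddr), _ip(yiaddr), _ip(giaddr),
                 chaddr[:hlen], msg_type)


def build_message(op, msg_type, xid, mac, flags=0, ciaddr=ZERO_IP,
                  yiaddr=ZERO_IP, giaddr=ZERO_IP) -> bytes:
    """Build a minimal Ethernet DHCP message (constructed sample, not a real capture)."""
    header = struct.pack(BOOTP_HEADER, op, 1, 6, 0, xid, 0, flags,
                         _raw(ciaddr), _raw(yiaddr), _raw(ZERO_IP), _raw(giaddr),
                         mac.ljust(16, b"\0"), b"\0" * 64, b"\0" * 128)
    return header + MAGIC_COOKIE + bytes([OPT_MSG_TYPE, 1, msg_type, 255])


def offer_destination(discover: Bootp, yiaddr: str) -> tuple:
    """Where a server SHOULD send the DHCPOFFER, following RFC 2131 section 4.1."""
    if discover.giaddr != ZERO_IP:
        return (discover.giaddr, 67)           # relayed: answer the relay agent
    if discover.ciaddr != ZERO_IP:
        return (discover.ciaddr, 68)           # client already has an address
    if discover.flags & BROADCAST_FLAG:
        return ("255.255.255.255", 68)         # client asked for broadcast
    return (yiaddr, 68)                        # unicast to the offered address


def check_offer(discover: Bootp, offer: Bootp) -> list:
    """Findings for a DISCOVER/OFFER pair taken from a capture; empty list means consistent."""
    findings = []
    if offer.xid != discover.xid:
        findings.append("xid mismatch: offer does not answer this discover")
    if offer.chaddr != discover.chaddr:
        findings.append("chaddr mismatch: offer addressed to a different client")
    if offer.flags != discover.flags:
        # RFC 2131 table 3: the offer carries the 'flags' from the client's DISCOVER
        findings.append("offer flags %#06x differ from discover flags %#06x"
                        % (offer.flags, discover.flags))
    if offer.yiaddr == ZERO_IP:
        findings.append("offer carries no yiaddr")
    return findings


if __name__ == "__main__":
    mac = bytes.fromhex("001122334455")          # constructed client MAC
    disc = parse_bootp(build_message(1, DHCPDISCOVER, 0x1234, mac, flags=BROADCAST_FLAG))
    offer = parse_bootp(build_message(2, DHCPOFFER, 0x1234, mac, flags=disc.flags,
                                      yiaddr="10.0.200.50"))
    print("offer should go to", offer_destination(disc, offer.yiaddr))
    print("capture findings:", check_offer(disc, offer) or "none")
```

Run against a real capture, feed `parse_bootp` the UDP payloads of the discover and the offer: if the discover carried the broadcast bit and the offer is broadcast, the server did what the RFC asks and the fault lies between the firewall and the client; a non-empty list from `check_offer` points at the server instead.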

L4 Transporter

Re: DHCP Issue

Thanks @ddelcourt & @SteveCantwell

We had a remote session with the PA TAC team and they found the following.

>In the PA captures, we could see DHCP discover being received and DHCP offer being sent out.
>However, on the client, DHCP discover was not reaching.
>As confirmation of the packet sent from the PA, we did a port mirror on the switch and we could see DHCP discover was reaching there.

Customer will now explore more on the switch side.

L4 Transporter

Re: DHCP Issue

When they say client, do they mean the workstation trying to get the IP address? That machine shouldn't receive a discover since it's the one broadcasting. The discover goes to the server, which responds with an offer.

Is the offer being received by the client?


L4 Transporter

Re: DHCP Issue

Yes, client = workstation in this case.

Anyway, customer has abandoned the DHCP server config on the Palo Alto.

They are now using the firewall to DHCP relay to an internal DHCP server.

