DHCP Relay not returning address from MS AD DHCP Server

L1 Bithead

We set up a DHCP relay to a MS 2008R2 DHCP server. The server receives the relay and passes a client address back to the PA 2050 running 4.1.3, but the address does not get passed through to the client. Logs show only the DHCP request going out but nothing back, and no blocks in the logs. We know the address packet is being returned to the server-side PALO NIC.

We even opened all protocols both ways, but still nothing going back and no blocks or system errors.

Anyone have any ideas?

Thanks

Kind regards

H

L0 Member

Re: DHCP Relay not returning address from MS AD DHCP Server

Hi,

We ran into this problem as well when we were running Active-Active HA.  When one is Suspended, it works fine.  Do you by any chance run your setup that way?

Regards,

Kevin

L1 Bithead

Re: DHCP Relay not returning address from MS AD DHCP Server

Hi,

No, we only run single 2050.

Kind regards

H

Not applicable

Re: DHCP Relay not returning address from MS AD DHCP Server

We have one PA2050 with PANOS v3.1.9 and 2 virtual routers: an inner and an outer router.

The outer router routes traffic to our external sites.

We also have problems with DHCP replies from our MS 2008 R2 DHCP server.

I can see the DHCP requests in the DHCP log on the DHCP server.

I see the DHCP requests from the external routers in the PA monitor and I see the replies back to the routers in the monitor.

The DHCP server updates the lease time for the scopes and all looks fine.

But the clients do not receive the DHCP replies.

I rebooted the PA 2 days ago because of several subnets without DHCP replies coming through.

Yesterday all looked good.

Today I have 2 other subnets with DHCP problems.

I also lost DHCP to several subnets when I committed some small changes 2 days ago.

I can't see any logic in this strange behaviour.

It's always subnets connected to the outer PA virtual router (external sites) that experience these problems.

The outer router has about 110 routes.

We have just changed our external IP plan, and therefore we have a lot of routes to all the external subnets while we have changed network by network.

I'm going to delete at least 70 of the routes and replace them with 7 routes with a bigger mask.

I'm a bit stuck right now....

Regards,

Geir

Norway

L0 Member

Re: DHCP Relay not returning address from MS AD DHCP Server

I'm not sure if this is helpful or not, but one of our other DHCP issues we run into is due to the route to the DHCP server being dropped.

Example:

On the PA, we have zone X which provides services to a particular set of clients. We then have zone Y which connects the main part of our network, including the DHCP server.  Zone X router does a DHCP relay to the DHCP server through the PA.  This works fine normally.  However, sometimes, the switch between the PA and the router controlling our main network reboots. When that happens, our DHCP from zone X begins failing.

Going into session browser on the PA shows that because the route to the DHCP server was lost when the PA dropped its OSPF connection to the main network router, the DHCP requests started being sent to the "Outside" zone and essentially the session just locks.  When I delete that session, it starts going back the proper way and DHCP begins working again.

It may be completely unrelated, but the session browser might be a good place to see anything odd happening.

Regards

Kevin
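
The session-browser check described in the post above, written as an added example that is not part of the original thread or any Palo Alto tooling: it flags DHCP relay sessions whose egress zone no longer matches what the current route table would choose. The record layout, prefixes and addresses are constructed for illustration; only the zone names X, Y and "Outside" follow the post.

```python
import ipaddress

# Constructed route tables as (prefix, egress zone). During the OSPF outage
# the route to the DHCP server's subnet is missing, so only the default matches.
ROUTES_DURING_OUTAGE = [("0.0.0.0/0", "Outside"), ("10.20.0.0/16", "X")]
ROUTES_RESTORED = ROUTES_DURING_OUTAGE + [("10.10.0.0/16", "Y")]

# Constructed session records (hypothetical layout, not real PAN-OS output).
# Session 101 was created during the outage and is still pinned to "Outside".
SESSIONS = [
    {"id": 101, "proto": "udp", "dst": "10.10.5.20", "dport": 67, "to_zone": "Outside"},
    {"id": 102, "proto": "udp", "dst": "10.10.5.20", "dport": 67, "to_zone": "Y"},
    {"id": 103, "proto": "tcp", "dst": "10.10.5.20", "dport": 445, "to_zone": "Outside"},
]


def zone_for(dst, routes):
    """Longest-prefix match: the egress zone the route table would pick for dst."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, zone in routes:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, zone)
    return best[1] if best else None


def stale_dhcp_sessions(sessions, routes):
    """Ids of DHCP (udp/67) sessions whose egress zone disagrees with the current route."""
    stale = []
    for s in sessions:
        if s["proto"] != "udp" or s["dport"] != 67:
            continue  # only relay-to-server traffic is of interest here
        if zone_for(s["dst"], routes) != s["to_zone"]:
            stale.append(s["id"])
    return stale


if __name__ == "__main__":
    # After the route comes back, session 101 is the one to clear.
    print(stale_dhcp_sessions(SESSIONS, ROUTES_RESTORED))
```
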

L1 Bithead

Re: DHCP Relay not returning address from MS AD DHCP Server

Hi,

In our setup we run static routes, so that won't be an issue for us.

We are going to test again when we move to 4.6 soon, to see if that resolves

Regards

H
