This website uses Cookies. By clicking Accept, you agree to the storing of cookies on your device to enhance your community experience. Read our Privacy Policy.
Click Preferences to customize your cookie settings.
Accept
Reject
Preferences

DHCP Relay with Source Nat blocked

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
Please sign in to see details of an important advisory in our Customer Advisories area.

DHCP Relay with Source Nat blocked

JuergenHolzer
L1 Bithead

‎02-03-2020 07:33 AM

Hi,

 

a customer has two PA VMs in the Azure cloud with internal loadbalancers configured. Unfortunately the DHCP server is also running there. In order to perform symmetric return a source nat is needed on the firewall. However this breaks the DHCP flow between DHCP relay and windows DHCP server. The DHCP server always replies to the relay agent (switch or on-premise firewall) address instead of the source IP which is the firewall ip. When the DHCP server sends the DHCP Offer message back to the relay agent address the packet is blocked, which is also described in this knowledge article:

 

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClZUCA0

 

My question is why it is blocking the DHCP Offer, the protocol is UDP and shouldn't the firewall just see it as a new session?

 

Thanks

 

 

0 Likes Likes
1 REPLY 1

AnalysisMan
L3 Networker

‎02-03-2020 10:32 AM

It's hard to pinpoint the issue without details, but the article says as below.
"This incorrect flow was dropped by the firewall, which caused the end hosts to not receive the IP address because the DHCP Offer never reached the DHCP relay device."

 

1) I recommend you to check the network reachability.
2) Check the firewall rules.
3) You may use the following CLI commands if the packets are dropping, or do a packet capture on the firewall.

> show counter global filter severity drop
> show counter global filter delta yes severity drop

 

Hope this helps,

 

--
"The Simplicity is the ultimate sophistication." - Leonardo da Vinci.
0 Likes Likes
  • 2951 Views
  • 1 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!

LEGAL NOTICES
RESOURCES
Khoros awards 2022
Copyright 2007 - 2024 - Palo Alto Networks