Why Does the Palo Alto Networks Firewall Send a DHCP NAK Message to the DHCP Client?

Created On 09/25/18 18:50 PM - Last Modified 06/09/23 02:56 AM


Resolution


Overview

This document explains why a Palo Alto Networks firewall, acting as a DHCP server, sends a DHCP NAK message to a DHCP client.


Details

An interface on the Palo Alto Networks firewall, acting as a DHCP server, is unable to allocate an IP address to the requesting DHCP client and sends a DHCP NAK message to the client instead. In the following Wireshark capture snippet, taken on the DHCP client, 192.168.96.1 is the DHCP server, and it answers every DHCP Discover message from the client with a DHCP NAK carrying the same transaction ID:


No.     Time                          Source                Destination           Protocol Length Info
   1700 2015-01-15 04:31:57.664754000 0.0.0.0               255.255.255.255       DHCP     342    DHCP Discover - Transaction ID 0x86a86df9
   1701 2015-01-15 04:31:57.665832000 192.168.96.1          255.255.255.255       DHCP     342    DHCP NAK      - Transaction ID 0x86a86df9


Frame 1701: 342 bytes on wire (2736 bits), 342 bytes captured (2736 bits) on interface 0
Ethernet II, Src: PaloAlto_f8:a8:13 (00:1b:17:f8:a8:13), Dst: Broadcast (ff:ff:ff:ff:ff:ff)
Internet Protocol Version 4, Src: 192.168.96.1 (192.168.96.1), Dst: 255.255.255.255 (255.255.255.255)
User Datagram Protocol, Src Port: bootps (67), Dst Port: bootpc (68)
Bootstrap Protocol
    Message type: Boot Reply (2)
    Hardware type: Ethernet (0x01)
    Hardware address length: 6
    Hops: 0
    Transaction ID: 0x86a86df9
    Seconds elapsed: 42
    Bootp flags: 0x0000 (Unicast)
    Client IP address: 0.0.0.0 (0.0.0.0)
    Your (client) IP address: 0.0.0.0 (0.0.0.0)
    Next server IP address: 0.0.0.0 (0.0.0.0)
    Relay agent IP address: 0.0.0.0 (0.0.0.0)
    Client MAC address: Apple_12:50:06 (80:49:71:12:50:06)
    Client hardware address padding: 00000000000000000000
    Server host name not given
    Boot file name not given
    Magic cookie: DHCP
    Option: (53) DHCP Message Type
        Length: 1
        DHCP: NAK (6)
    Option: (54) DHCP Server Identifier
        Length: 4
        DHCP Server Identifier: 192.168.96.1 (192.168.96.1)
    Option: (255) End
        Option End: 255
    Padding
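To check a capture for this pattern programmatically, the following Python example (added here; it is not code from the article or from PAN-OS) decodes the BOOTP header and DHCP options 53 and 54 shown in the dissection above and flags any server that answered every Discover with a NAK for the same transaction ID. The sample messages are constructed from the field values in the dissection, not taken from a real capture.

```python
import struct
from collections import Counter

DHCP_MAGIC = b"\x63\x82\x53\x63"          # "Magic cookie: DHCP"
MSG_TYPES = {1: "DISCOVER", 2: "OFFER", 3: "REQUEST", 5: "ACK", 6: "NAK"}

def parse_dhcp(payload: bytes) -> dict:
    """Decode the fixed BOOTP header plus DHCP option 53 (type) and 54 (server id)."""
    if len(payload) < 240 or payload[236:240] != DHCP_MAGIC:
        raise ValueError("not a DHCP message")
    op, htype, hlen, hops, xid, secs, flags = struct.unpack("!BBBBIHH", payload[:12])
    chaddr = payload[28:28 + hlen]          # client hardware address (MAC)
    msg = {"op": op, "xid": xid, "secs": secs,
           "mac": ":".join(f"{b:02x}" for b in chaddr)}
    i = 240                                 # options start right after the cookie
    while i < len(payload):
        code = payload[i]
        if code == 255:                     # Option (255) End
            break
        if code == 0:                       # pad byte has no length field
            i += 1
            continue
        length = payload[i + 1]
        value = payload[i + 2:i + 2 + length]
        if code == 53:
            msg["type"] = MSG_TYPES.get(value[0], str(value[0]))
        elif code == 54:
            msg["server_id"] = ".".join(map(str, value))
        i += 2 + length
    return msg

def build_dhcp(op: int, xid: int, secs: int, mac: str, options) -> bytes:
    """Assemble a minimal BOOTP/DHCP payload; used only to construct the sample below."""
    header = struct.pack("!BBBBIHH", op, 1, 6, 0, xid, secs, 0)   # htype=1, hlen=6, hops=0
    header += b"\x00" * 16                                        # ciaddr/yiaddr/siaddr/giaddr = 0.0.0.0
    header += bytes.fromhex(mac.replace(":", "")) + b"\x00" * 10  # chaddr padded to 16 bytes
    header += b"\x00" * 192                                       # sname and file "not given"
    body = b"".join(bytes([code, len(val)]) + val for code, val in options)
    return header + DHCP_MAGIC + body + b"\xff"

def nak_storm(messages) -> set:
    """Return server ids that replied with NAK to every DISCOVER (matched by xid)."""
    discovers = {m["xid"] for m in messages if m.get("type") == "DISCOVER"}
    naks = Counter(m.get("server_id", "?") for m in messages
                   if m.get("type") == "NAK" and m["xid"] in discovers)
    return {srv for srv, n in naks.items() if n > 0 and n == len(discovers)}

# Constructed sample: the Discover/NAK pair from the article's dissection (xid 0x86a86df9).
XID, MAC, SERVER = 0x86a86df9, "80:49:71:12:50:06", "192.168.96.1"
SAMPLE = [build_dhcp(1, XID, 42, MAC, [(53, b"\x01")]),
          build_dhcp(2, XID, 42, MAC, [(53, b"\x06"), (54, bytes(map(int, SERVER.split("."))))])]
```

Running `nak_storm([parse_dhcp(p) for p in SAMPLE])` on the constructed pair reports 192.168.96.1, the server identifier seen in option 54 above.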


This event occurs when the DHCP server has run out of addresses in its IP pool; a corresponding system log entry is generated, as shown below:

[Screenshot: system log entry reporting the exhausted DHCP IP pool]


To resolve this, either clear DHCP leases on the affected interface with the following CLI command (its available options are listed below it), or increase the size of the IP pool range:

> clear dhcp lease interface ethernet1/4
> expired-only   clear expired leases
> ip             clear lease for IP address
> mac            clear lease for mac address (format xx:xx:xx:xx:xx:xx)
  <Enter>        Finish input


owner: gchandrasekaran
