Enhanced Security Measures in Place: To ensure a safer experience, we’ve implemented additional, temporary security measures for all users.
11-16-2018 06:32 AM
I was having issues with DHCP being blocked, so I can a packet capture from the PA to see if I could tell was was blocking the DHCP traffic and if it could possbile be the PA. It shows the mac address of the interface on the PA as the source and then its lists a mac address that I cannot identify as the destination. So if anyone has any ideas of how to figure out what that destination mac belongs too I would appreicate it. The PA has to be reading it from somewhere
11-16-2018 06:47 AM
DHCP has following steps:
Discover (client sends packet with it's own source mac to destination mac FF:FF:FF:FF:FF:FF).
Offer (DHCP servers reply with their source mac and destination mac is client mac address.
Request
Acnowledge
So looks like Offer packet got dropped.
You have to check switch mac address table to identify switchport client mac is connected to.
Do you know what switches you have so we can help you with command?
I would start with
show mac-address-table
or
show mac-address-table | include xxxx (replace xxxx with client mac)
11-16-2018 07:15 AM
Yeah it doesn't get past the discover, but we have already search the switches and the core switches no sign of that address in any of the mac address-table so where did the PA get it
11-16-2018 07:19 AM
Just out of curious, which stage of the capture are you reviewing? Also, can you share that mac address?
11-16-2018 07:27 AM
I am sharing from the drop traffic and the mac address appears as destination (00:70:76:69:66:00) from the PA during the DHCP discover.
11-16-2018 07:58 AM
Hello,
To allow DHCP between zones, you need an inbound policy and outbound. The Client makes hte request, indound. Then the server gets the request and sends a reply, the outbound component. So its sources from each, client and server, thus you need a policy to allow traffic both ways.
Regards,
11-16-2018 08:01 AM
It has been working for a few years and suddenly stopped working, so we did some packet captures and now trying to hunt down why the 1 vlan quit working correctly
11-16-2018 08:03 AM
Hello,
If the firewall is not blocking any traffic, need to look at everything else.
Check the ip helper on the vlan
verify the dhcp server is seeing the requests, you can enable logging
verify the reply packet is getting set back via the firewall logs
Hope that helps.
11-16-2018 08:11 AM
Is the firewall configured as dhcp relay or as a dhcp server for that vlan? I wonder if try to use debug flow basic may give it bit more insight of what the firewall is doing?
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000Clf1CAC
11-16-2018 08:18 AM
At the time this packet capture was taken it was being used as a DHCP relay server, to get it to work we are nowing serving DHCP to that vlan using the PA. I will take a look at the link, course we would have to take the work around off, to do the testing so I need to schedule a time. So the mac address I have as a destination where is it getting that? Could it be bogus?
11-16-2018 08:21 AM
I can't verify it.. If I have to take a guess it maybe the internal mac addresses between the data planes and management planes in the firewall.
11-16-2018 09:01 AM
I did not know there could be a mac address between the dataplane and the management plane, never really thought about it
11-16-2018 11:10 AM
If you now serve IPs from PA do you see this mac in firewall?
show dhcp server lease interface all
show dhcp server lease interface all | match xxxx
11-16-2018 01:01 PM
Control Plane and Management Plane is one and the same. Some Palo documentation uses one some other name 😉
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!
