I was having issues with DHCP being blocked, so I ran a packet capture from the PA to see if I could tell what was blocking the DHCP traffic and if it could possibly be the PA. It shows the MAC address of the interface on the PA as the source and then it lists a MAC address that I cannot identify as the destination. So if anyone has any ideas of how to figure out what that destination MAC belongs to, I would appreciate it. The PA has to be reading it from somewhere.
DHCP has the following steps:
Discover (client sends a packet with its own source MAC to destination MAC FF:FF:FF:FF:FF:FF).
Offer (DHCP servers reply with their source MAC, and the destination MAC is the client MAC address).
So it looks like the Offer packet got dropped.
You have to check the switch MAC address table to identify the switchport the client MAC is connected to.
Do you know what switches you have so we can help you with the command?
I would start with
show mac-address-table | include xxxx (replace xxxx with client mac)
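An added example, not code from the thread: a small decoder that pulls the client hardware address (chaddr), giaddr and broadcast flag out of a captured DHCP frame and states where a server reply should be addressed at layer 2 under RFC 2131, so the unidentified destination MAC in a capture can be compared against the payload. The MACs, addresses and frames below are constructed sample data, not from a real capture.

```python
import struct

MSG_TYPES = {1: "DISCOVER", 2: "OFFER", 3: "REQUEST", 5: "ACK", 6: "NAK"}

def mac(b): return ":".join(f"{x:02x}" for x in b)
def ip(b): return ".".join(str(x) for x in b)

def parse_dhcp_frame(frame):
    """Decode Ethernet/IPv4/UDP/BOOTP and compare the L2 destination with the DHCP payload."""
    eth_dst, eth_src, ethertype = struct.unpack("!6s6sH", frame[:14])
    if ethertype != 0x0800 or frame[23] != 17: raise ValueError("not IPv4/UDP")
    udp = 14 + (frame[14] & 0x0F) * 4            # IHL gives the IPv4 header length
    if 67 not in struct.unpack("!HH", frame[udp:udp + 4]): raise ValueError("not DHCP")
    b = udp + 8                                  # start of the BOOTP header
    op, _, hlen, _, _, _, flags = struct.unpack("!BBBBIHH", frame[b:b + 12])
    _, yiaddr, _, giaddr = struct.unpack("!4s4s4s4s", frame[b + 12:b + 28])
    chaddr = frame[b + 28:b + 28 + hlen]
    opts, i, mtype = frame[b + 240:], 0, None    # 236-byte header + 4-byte magic cookie
    while i < len(opts) and opts[i] != 255:      # walk TLV options looking for option 53
        if opts[i] == 0: i += 1; continue        # pad option has no length byte
        if opts[i] == 53: mtype = MSG_TYPES.get(opts[i + 2], "UNKNOWN")
        i += 2 + opts[i + 1]
    info = dict(eth_dst=mac(eth_dst), eth_src=mac(eth_src), op=op, msg_type=mtype,
                broadcast_flag=bool(flags & 0x8000), yiaddr=ip(yiaddr),
                giaddr=ip(giaddr), chaddr=mac(chaddr))
    # Where a server reply is addressed at layer 2 (RFC 2131 section 4.1):
    if info["giaddr"] != "0.0.0.0":              # relayed: server unicasts to the relay
        info["expected_dst"] = "relay agent at giaddr (its MAC, not the client's)"
    elif info["broadcast_flag"]:
        info["expected_dst"] = "ff:ff:ff:ff:ff:ff"
    else:
        info["expected_dst"] = info["chaddr"]
    info["dst_is_client"] = info["eth_dst"] == info["chaddr"]
    return info

def build_frame(eth_dst, eth_src, op, mtype, chaddr, giaddr=b"\0" * 4, flags=0):
    """Construct a minimal DHCP frame for testing (sample data, not a real capture)."""
    bootp = struct.pack("!BBBBIHH4s4s4s4s16s64s128s", op, 1, 6, 0, 0x1234, 0, flags,
                        b"\0" * 4, bytes([10, 1, 1, 50]), b"\0" * 4, giaddr,
                        chaddr.ljust(16, b"\0"), b"", b"")
    dhcp = bootp + b"\x63\x82\x53\x63" + bytes([53, 1, mtype, 255])
    udp = struct.pack("!HHHH", 67, 68, 8 + len(dhcp), 0) + dhcp
    ipv4 = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0,
                       bytes([10, 1, 1, 1]), b"\xff" * 4) + udp
    return eth_dst + eth_src + b"\x08\x00" + ipv4

# Constructed sample: an Offer forwarded toward the client, so dst MAC should equal chaddr.
CLIENT, RELAY = bytes.fromhex("001122334455"), bytes.fromhex("aabbccddeeff")
OFFER = build_frame(CLIENT, RELAY, 2, 2, CLIENT)
if __name__ == "__main__": print(parse_dhcp_frame(OFFER))
```

If the destination MAC in the capture matches neither chaddr, the broadcast address, nor the relay's own interface, the next place to look is the ARP/neighbour entry the firewall holds for the next hop or for yiaddr.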
Yeah, it doesn't get past the Discover, but we have already searched the switches and the core switches. No sign of that address in any of the MAC address tables, so where did the PA get it?
To allow DHCP between zones, you need an inbound policy and an outbound one. The client makes the request, inbound. Then the server gets the request and sends a reply, the outbound component. So it's sourced from each, client and server, thus you need a policy to allow traffic both ways.
If the firewall is not blocking any traffic, you need to look at everything else.
Check the IP helper on the VLAN.
Verify the DHCP server is seeing the requests; you can enable logging.
Verify the reply packet is getting sent back via the firewall logs.
Hope that helps.
Is the firewall configured as a DHCP relay or as a DHCP server for that VLAN? I wonder if trying debug flow basic may give a bit more insight into what the firewall is doing?
At the time this packet capture was taken it was being used as a DHCP relay server; to get it to work we are now serving DHCP to that VLAN using the PA. I will take a look at the link; of course we would have to take the workaround off to do the testing, so I need to schedule a time. So the MAC address I have as a destination, where is it getting that? Could it be bogus?