DHCP client on wan interface - ip cleared

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

DHCP client on wan interface - ip cleared

L1 Bithead

The wan interface on a PA-200 (PANOS 4.1.6) is set up as DHCP client, receiving ip-address from the ISP. When the lease period is out, the ip address is cleared with this message in System Log:

DHCP client cleared IP address on interface:ethernet1/1 due to: Lease expiry

The problem is that an admin has to manually request a new ip address, this is pretty annoying, especially when the ISP is using a lease time of 2 hours.

Anyone who knows a way to ensure that the ip address is not cleard, or at least automatically renewed?

Regards, Einar.

1 accepted solution

Accepted Solutions

Hello, we have addressed two issues in PAN-OS 4.1.10 which I believe may be affecting you.  Here are the relevant details from the addressed issues section of the 4.1.10 release notes:

• 46477 – The DHCP client on the firewall was sending an invalid option (option 54) in its renewal requests, causing the DHCP server to ignore the requests. This issue has been resolved.

• 40137 – The firewall was not able to renew its DCHP settings with certain ISP network connections. In this case, a Verizon FiOS connection was in place and during a DHCP refresh that occurred every hour, the request timed out. Issue was due to an interoperability problem between the firewall’s DHCP client and the DHCP services on the ISP network, which has been resolved in this release.

I recommend upgrading to PAN-OS 4.1.10.

View solution in original post

13 REPLIES 13

L5 Sessionator

Are you enabling HA function?

I see similar issue when I enabled HA.

Single device works fine with automatic update of DHCP client function.

Regards,

Do you happen to be on a network segment that 'sees' multiple dhcp-servers ?

There is a bug in the 4.1.x version where the PA will send it's DHCP renewal to the last DHCP server it sees on the 'broadcast segment', which may not be the correct dhcp server.

For example, I experience this problem on the segment behind my cable modem, and when there is a DHCP renewal seen from my Digital TV recorder just before the PA needs to renew, the PA sends the DHCP renewal to this (private) IP address, which doesn't work for renewing it's own IP address.

You could try to sniff all DHCP traffic on your interface, and check if the PA sends the renewal to the correct DHCP server. That's how I found the issue.

My ticket has been open for more than 2 months now, but from what I've heard this is already fixed for upcoming version 5.0 and will probably get backported to some 4.1.x version

Thank's for your response, emr, but there is no HA enabled here. Single device with one external connection to ISP modem.

Thank you for this info KPeetermans. The issue with multiple DHCP servers might be the case here, with an ISP using a possible large broadcast network. This connection works OK with a Juniper though, but I will check the DHCP traffic as suggested.

KPeetermans wrote:

Do you happen to be on a network segment that 'sees' multiple dhcp-servers ?

There is a bug in the 4.1.x version where the PA will send it's DHCP renewal to the last DHCP server it sees on the 'broadcast segment', which may not be the correct dhcp server.

For example, I experience this problem on the segment behind my cable modem, and when there is a DHCP renewal seen from my Digital TV recorder just before the PA needs to renew, the PA sends the DHCP renewal to this (private) IP address, which doesn't work for renewing it's own IP address.

You could try to sniff all DHCP traffic on your interface, and check if the PA sends the renewal to the correct DHCP server. That's how I found the issue.

My ticket has been open for more than 2 months now, but from what I've heard this is already fixed for upcoming version 5.0 and will probably get backported to some 4.1.x version

You are very welcome, good luck 😆

FWIW, it's a clear bug and the PA's behaviour is clearly non-rfc compliant. Very annoying as well.

Other devices (Cisco, PC's etc) have no issues at all either over here.

In fact, I am now using a cisco router to renew my DHCP lease, and have given the PA a static IP address = same as dhcp address. As long as the Cisco and the PA have the same IP address, both have the same MAC address (!), and all traffic but DHCP is filtered on the Cisco, it works. Cannot think of a dirtier/stranger way to work around the problem but it works quite well, I too had a lease time of 2 hours and frequent disconnects (I learned the same-MAC-address trick in the days that Checkpoint didn't support DHCP :-)).

Speaking of DHCP leases and bugs this seems to have been a neverending story for manufacturers of broadbandrouters such as D-Link and Netgear among others.

Looks like there are plenty of ISPs out there who does this differently in one way or another.

L0 Member

It seems I'm experiencing the exact same problem (on version 4.1.6), my other routers (Cisco & Draytek) don't have this issue and are getting a lease from the ISP within seconds.

Very annoying, hopefully their will be a patch soon.

Just a heads up that 4.1.7 has just been released, with the fix for the problem discussed here.

Sorry to inform you all, but the 4.1.7 release didn' help. I still got the 'DHCP client cleared IP address on interface:ethernet1/1 due to: Lease expiry'  on my PA-200...

Sorry to hear that, my problem is resolved so you may be hitting another bug.

Maybe try to sniff DHCP (udp 67 and udp 68) traffic for some time and try to correlate this with you PA system log entries. If possible don't use the PA to sniff but for example wireshark, as it *may* be that this kind of traffic (directed to/from PA as well as broadcast) doesn't all show up in the PA captures.

Just guessing here, could service route configuration affect how the dhcp update is being sent?

Guess not, no service route configured here and it's working correctly. No DHCP service route exists in the config.

The Palo Alto is sending the request via the "Data Plane" interface that has dhcp client configured.

Hello, we have addressed two issues in PAN-OS 4.1.10 which I believe may be affecting you.  Here are the relevant details from the addressed issues section of the 4.1.10 release notes:

• 46477 – The DHCP client on the firewall was sending an invalid option (option 54) in its renewal requests, causing the DHCP server to ignore the requests. This issue has been resolved.

• 40137 – The firewall was not able to renew its DCHP settings with certain ISP network connections. In this case, a Verizon FiOS connection was in place and during a DHCP refresh that occurred every hour, the request timed out. Issue was due to an interoperability problem between the firewall’s DHCP client and the DHCP services on the ISP network, which has been resolved in this release.

I recommend upgrading to PAN-OS 4.1.10.

  • 1 accepted solution
  • 12828 Views
  • 13 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!