This website uses Cookies. By clicking Accept, you agree to the storing of cookies on your device to enhance your community and translation experience. Read our Privacy Policy.
Click Preferences to customize your cookie settings.
Accept
Reject
Preferences

Enhanced Security Measures in Place:   To ensure a safer experience, we’ve implemented additional, temporary security measures for all users.

DHCP Issue

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

DHCP Issue

FarzanaMustafa
L4 Transporter

‎11-13-2019 09:55 PM

We have 2 VLANS that terminate on a PA-3020 firewall.  One VLAN (100) uses DHCP relay and works without any issues. 
 
The DHCP relay exists on the firewall for VLAN 100, but this relays to an internal DHCP server on our network.
 
The other VLAN (200) uses the PA-3020 as a DHCP server, but this is not working. The DHCP server for VLAN 200 is hosted on the firewall itself.
 
In the packet captures of the DHCP discover & DHCP offer packet for vlan 200, we see the BOOTP FLAG which is set to broadcast.
 
In the DHCP offer packet for VLAN 100, the BOOTP flag is set to unicast in this one.
 
How can we fix this issue?
0 Likes Likes
6 REPLIES 6

S.Cantwell
Cyber Elite
Cyber Elite

‎11-14-2019 01:10 AM

Hello

 

What version of code are you running on the 3020?

 

I just did a packet capture of my VM firewall and it does perform a unicast as you confirmed.

So, if your FW is sending the dhcp as a broadcast, something in the underlying code may be causing this.

Hence the reason to ask about the software version.

 

thanks

 

 

Help the community: Like helpful comments and mark solutions
0 Likes Likes

FarzanaMustafa
L4 Transporter
In response to S.Cantwell

‎11-14-2019 01:12 AM

Hi @S.Cantwell 

 

Using 8.1.9.

 

 

0 Likes Likes

ddelcourt
L2 Linker
In response to FarzanaMustafa

‎11-14-2019 07:01 AM - edited ‎11-14-2019 07:36 AM

@FarzanaMustafa looking thru the RFC the Broadcast bit is set by the client and only when the client is not able to receive IP unicast messages before its IP stack is fully configured. Per the RFC if the flag is set to "1" then then the server SHOULD send as an IP broadcast, if the flag is set to "0" then the server SHOULD send as an IP unicast, the latter being pretty typical these days with modern IP stacks. In either case the DHCP server SHOULD honor the client request.

 

Can you clarify what you are seeing and if you are seeing this at the client or server or FW?

0 Likes Likes

FarzanaMustafa
L4 Transporter
In response to ddelcourt

‎11-17-2019 09:50 PM

Thanks @ddelcourt  & @S.Cantwell 

 

We had a remote session with PA TAC team and they found below.

 

>In the PA captures, we could see DHCP discover being received and DHCP offer being sent out.
>However on the client, DHCP discover was not reaching.
>As confirmation the packet sent from PA, we did a port mirror on the switch and we could see DHCP discover was reaching there.

Customer will now explore more on switch side.

0 Likes Likes

rmfalconer
L5 Sessionator
In response to FarzanaMustafa

‎11-18-2019 08:34 AM

When they say client, do they mean the workstation trying to get the IP address? That machine shouldn't receive a discover since it's the one broadcasting. The discover goes to the server, which responds with an offer. 

Is the offer being received by the client?

 

0 Likes Likes

FarzanaMustafa
L4 Transporter
In response to rmfalconer

‎11-19-2019 05:04 PM

Yes client=workstation in this case.

 

Anyway, customer has abandoned the DHCP server config on the Palo Alto. 

They are now using the firewall to DHCP relay to an internal DHCP server.

 

0 Likes Likes
  • 6683 Views
  • 6 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!

LEGAL NOTICES
RESOURCES
Khoros awards 2022
Copyright 2007 - 2024 - Palo Alto Networks