
DHCP Issue


L4 Transporter
We have 2 VLANs that terminate on a PA-3020 firewall. One VLAN (100) uses DHCP relay and works without any issues.
 
The DHCP relay exists on the firewall for VLAN 100, but this relays to an internal DHCP server on our network.
 
The other VLAN (200) uses the PA-3020 as a DHCP server, but this is not working. The DHCP server for VLAN 200 is hosted on the firewall itself.
 
In the packet captures of the DHCP discover & DHCP offer packet for VLAN 200, we see the BOOTP FLAG which is set to broadcast.
 
In the DHCP offer packet for VLAN 100, the BOOTP flag is set to unicast in this one.
 
How can we fix this issue?

Cyber Elite

Hello

 

What version of code are you running on the 3020?

 

I just did a packet capture of my VM firewall and it does perform a unicast as you confirmed.

So, if your FW is sending the dhcp as a broadcast, something in the underlying code may be causing this.

Hence the reason to ask about the software version.

 

thanks

 

 


Hi @S.Cantwell 

 

Using 8.1.9.

 

 

@FarzanaMustafa looking through the RFC, the Broadcast bit is set by the client and only when the client is not able to receive IP unicast messages before its IP stack is fully configured. Per the RFC, if the flag is set to "1" then the server SHOULD send as an IP broadcast; if the flag is set to "0" then the server SHOULD send as an IP unicast, the latter being pretty typical these days with modern IP stacks. In either case the DHCP server SHOULD honor the client request.

 

Can you clarify what you are seeing and if you are seeing this at the client or server or FW?

Thanks @ddelcourt  & @S.Cantwell 

 

We had a remote session with PA TAC team and they found below.

 

>In the PA captures, we could see DHCP discover being received and DHCP offer being sent out.
>However on the client, DHCP discover was not reaching.
>As confirmation that the packet was sent from PA, we did a port mirror on the switch and we could see DHCP discover was reaching there.

Customer will now explore more on switch side.

When they say client, do they mean the workstation trying to get the IP address? That machine shouldn't receive a discover since it's the one broadcasting. The discover goes to the server, which responds with an offer. 

Is the offer being received by the client?

 

Yes client=workstation in this case.

 

Anyway, customer has abandoned the DHCP server config on the Palo Alto. 

They are now using the firewall to DHCP relay to an internal DHCP server.

 
