DHCP Relay and virtual routers

L3 Networker

Hi,

I have a PA500 configured with 2 virtual routers.

In both virtual routers I have some zones, interfaces and networks.

For example:

VR1

- Zone1: Network Ethernet1/1.1 - Interface Type Layer3 - Tag 1 - IP 10.168.100.1 / 16

- Zone2: Network Ethernet1/1.2 - Interface Type Layer3 - Tag 2 - IP 192.168.50.1 / 24

VR2

- Zone3: Network Ethernet1/2.1 - Interface Type Layer3 - Tag 3 - IP 192.168.1.1 / 24

- Zone4: Network Ethernet1/2.2 - Interface Type Layer3 - Tag 4 - IP 192.168.2.1 / 24

In both virtual routers I configured static routes for internal routing.

In VR1 I configured:

route for 192.168.1.0 / 24 via next VR - VR2

route for 192.168.2.0 / 24 via next VR - VR2

In VR2 I configured:

route for 10.168.0.0 / 16 via next VR - VR1

route for 192.168.50.0 / 24 via next VR - VR1

I have a DHCP server on Zone4:

DHCP Server IP: 192.168.2.100 mask 255.255.255.0

Gateway: 192.168.2.1

If I configure my PA500 as DHCP relay for Ethernet1/2.1 (DHCP server 192.168.2.100), everything works fine.

But when I configure DHCP relay for Ethernet1/1.1 (DHCP server 192.168.2.100), I see the packets go correctly to the DHCP server but they cannot come back.

In the monitor I see allowed packets from 10.168.100.1 to 192.168.2.100 - application DHCP.

Can DHCP relay work in a virtual routers scenario?

How?

Thanks

Regards

L3 Networker

I forgot to write the PAN-OS version...

5.0.3

L5 Sessionator

Can you look at the counters to see if we are dropping the DHCP offer packet from 192.168.2.100 to 10.168.100.1?

So set up a filter which has the source IP 192.168.2.100 and the destination IP 10.168.100.1.

Second filter: source IP 10.168.100.1 to destination IP 0.0.0.0.

Enable it (turn on the filter) and run the following command a couple of times:

> show counter global filter packet-filter yes delta yes

Hi,

Here is the result:

Global counters:

Elapsed time since last sampling: 166.235 seconds

name                                   value     rate severity  category  aspect    description

--------------------------------------------------------------------------------

pkt_sent                                   6        0 info      packet    pktproc   Packets transmitted

pkt_outstanding                            6        0 info      packet    pktproc   Outstanding packet to be transmitted

session_allocated                          1        0 info      session   resource  Sessions allocated

session_installed                          1        0 info      session   resource  Sessions installed

flow_qos_pkt_enque                         3        0 info      flow      qos       Packet enqueued to QoS module

flow_host_pkt_xmt                          3        0 info      flow      mgmt      Packets transmitted to control plane

flow_host_service_allow                    3        0 info      flow      mgmt      Device management session allowed

appid_proc                                 1        0 info      appid     pktproc   The number of packets processed by Application identification

dfa_sw                                     1        0 info      dfa       pktproc   The total number of dfa match using software

aho_sw                                     3        0 info      aho       pktproc   The total usage of software for AHO

ctd_pkt_slowpath                           6        0 info      ctd       pktproc   Packets processed by slowpath

--------------------------------------------------------------------------------

Total counters shown: 11

--------------------------------------------------------------------------------

I captured DHCP packets and I see:

- DHCP Discover session from 10.168.100.1 to 192.168.2.100

- DHCP Offer Transaction from 192.168.2.100 to 10.168.100.1

          Client IP address: 0.0.0.0 (0.0.0.0)

          Your (client) IP address: 10.168.100.50 (10.168.100.50)

          Next server IP address: 192.168.2.100 (192.168.2.100)

          Relay agent IP address: 10.168.100.1 (10.168.100.1)

I think the problem is routing from VR2 to VR1.

Ping tests:

Ping from a VR1 host (10.168.100.2) to the VR2 host 192.168.2.100 works.

Ping from a VR1 host (10.168.100.2) to the VR2 INTERFACE 192.168.2.1 works.

Ping from a VR2 host (192.168.2.100) to the VR1 host 10.168.100.2 works.

Ping from a VR2 host (192.168.2.100) to the VR1 INTERFACE 10.168.100.1 does not work (but I see in the monitor that it matches an allow rule).

Can you enable pre-parse match under packet captures and look at the counters again?

admin@Firewall1> show counter global filter packet-filter yes delta yes

Global counters:

Elapsed time since last sampling: 139.941 seconds

name                                   value     rate severity  category  aspect    description

--------------------------------------------------------------------------------

pkt_recv                              191853     1370 info      packet    pktproc   Packets received

pkt_sent                                  27        0 info      packet    pktproc   Packets transmitted

pkt_outstanding                           27        0 info      packet    pktproc   Outstanding packet to be transmitted

pkt_alloc                                 15        0 info      packet    resource  Packets allocated

session_allocated                          2        0 info      session   resource  Sessions allocated

session_installed                          2        0 info      session   resource  Sessions installed

flow_rcv_dot1q_tag_err                    28        0 drop      flow      parse     Packets dropped: 802.1q tag not configured

flow_no_interface                         28        0 drop      flow      parse     Packets dropped: invalid interface

flow_qos_pkt_enque                         5        0 info      flow      qos       Packet enqueued to QoS module

flow_host_pkt_rcv                       1496       10 info      flow      mgmt      Packets received from control plane

flow_host_pkt_xmt                         22        0 info      flow      mgmt      Packets transmitted to control plane

flow_host_service_allow                    7        0 info      flow      mgmt      Device management session allowed

appid_proc                                 2        0 info      appid     pktproc   The number of packets processed by Application identification

dfa_sw                                     2        0 info      dfa       pktproc   The total number of dfa match using software

aho_sw                                     5        0 info      aho       pktproc   The total usage of software for AHO

ctd_pkt_slowpath                           8        0 info      ctd       pktproc   Packets processed by slowpath

--------------------------------------------------------------------------------

Total counters shown: 16

--------------------------------------------------------------------------------

admin@Firewall1> show counter global filter packet-filter yes delta yes

Global counters:

Elapsed time since last sampling: 8.178 seconds

name                                   value     rate severity  category  aspect    description

--------------------------------------------------------------------------------

pkt_recv                               10218     1249 info      packet    pktproc   Packets received

pkt_sent                                   2        0 info      packet    pktproc   Packets transmitted

pkt_outstanding                            2        0 info      packet    pktproc   Outstanding packet to be transmitted

flow_rcv_dot1q_tag_err                     1        0 drop      flow      parse     Packets dropped: 802.1q tag not configured

flow_no_interface                          1        0 drop      flow      parse     Packets dropped: invalid interface

flow_host_pkt_rcv                         82       10 info      flow      mgmt      Packets received from control plane

flow_host_pkt_xmt                          2        0 info      flow      mgmt      Packets transmitted to control plane

flow_host_service_allow                    2        0 info      flow      mgmt      Device management session allowed

--------------------------------------------------------------------------------

Total counters shown: 8

--------------------------------------------------------------------------------

Other tests:

I configured a DHCP server responding on interface 10.168.0.0/16 (VR1).

Then I configured DHCP relay from interface 192.168.2.0/24 (VR2) to the DHCP server on VR1.

It works!

Is there some bug that does not correctly route packets from new virtual routers to the default virtual router's interface IP addresses?

The problem concerns only the firewall's interface IP addresses and not the entire subnet.
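As an added example that is not part of this thread, the following Python snippet parses the `show counter global` listing pasted above and pulls out the rows whose severity column is `drop`, which are the first rows to read when tracing where a filtered packet disappears. The sample text is an abbreviated copy of the second listing in the thread; the column layout it assumes is the one visible in that output.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample: an abbreviated copy of the second counter listing posted in this thread.
SAMPLE_OUTPUT = """\
Global counters:
Elapsed time since last sampling: 139.941 seconds

name                                   value     rate severity  category  aspect    description
--------------------------------------------------------------------------------
pkt_recv                              191853     1370 info      packet    pktproc   Packets received
pkt_sent                                  27        0 info      packet    pktproc   Packets transmitted
flow_rcv_dot1q_tag_err                    28        0 drop      flow      parse     Packets dropped: 802.1q tag not configured
flow_no_interface                         28        0 drop      flow      parse     Packets dropped: invalid interface
flow_host_pkt_xmt                         22        0 info      flow      mgmt      Packets transmitted to control plane
--------------------------------------------------------------------------------
Total counters shown: 16
"""

# One counter row: name, value, rate, severity, category, aspect, then a free-text description.
ROW_RE = re.compile(
    r"^(?P<name>\S+)\s+(?P<value>\d+)\s+(?P<rate>\d+)\s+(?P<severity>\S+)\s+"
    r"(?P<category>\S+)\s+(?P<aspect>\S+)\s+(?P<description>.+?)\s*$"
)
ELAPSED_RE = re.compile(r"Elapsed time since last sampling:\s+([\d.]+)\s+seconds")

def parse_counters(text: str) -> List[Dict[str, str]]:
    """Return every counter row as a dict; banner, header and rule lines do not match ROW_RE."""
    return [m.groupdict() for line in text.splitlines() if (m := ROW_RE.match(line))]

def elapsed_seconds(text: str) -> Optional[float]:
    """Sampling interval reported at the top of the listing, or None if it is absent."""
    m = ELAPSED_RE.search(text)
    return float(m.group(1)) if m else None

def drop_counters(text: str) -> List[Tuple[str, int, str]]:
    """(name, value, description) for each counter whose severity column is 'drop'."""
    return [(r["name"], int(r["value"]), r["description"])
            for r in parse_counters(text) if r["severity"] == "drop"]

def drop_summary(text: str) -> List[str]:
    """One line per drop counter, with the average drop rate over the sampling interval."""
    secs = elapsed_seconds(text)
    out = []
    for name, value, desc in drop_counters(text):
        rate = f"{value / secs:.3f}/s" if secs else "n/a"
        out.append(f"{name}: {value} ({rate}) - {desc}")
    return out
```

Run `drop_summary` over each successive `delta yes` listing while the relay test is repeated; a drop counter that keeps climbing in step with the DHCP offers is the one to take to support.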

Probably. Please open a case with support so that we can investigate to see if it's a bug.

L3 Networker

Hey guys, I have the same problem.

Do you know how to fix it?

Regards!
