a customer has two PA VMs in the Azure cloud with internal loadbalancers configured. Unfortunately the DHCP server is also running there. In order to perform symmetric return a source nat is needed on the firewall. However this breaks the DHCP flow between DHCP relay and windows DHCP server. The DHCP server always replies to the relay agent (switch or on-premise firewall) address instead of the source IP which is the firewall ip. When the DHCP server sends the DHCP Offer message back to the relay agent address the packet is blocked, which is also described in this knowledge article:
My question is why it is blocking the DHCP Offer, the protocol is UDP and shouldn't the firewall just see it as a new session?
It's hard to pinpoint the issue without details, but the article says as below.
"This incorrect flow was dropped by the firewall, which caused the end hosts to not receive the IP address because the DHCP Offer never reached the DHCP relay device."
1) I recommend you to check the network reachability.
2) Check the firewall rules.
3) You may use the following CLI commands if the packets are dropping, or do a packet capture on the firewall.
> show counter global filter severity drop
> show counter global filter delta yes severity drop
Hope this helps,
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the Live Community as a whole!
The Live Community thanks you for your participation!