@RFalconer wrote:
Are the interfaces on the PA in vlan 10 and 20 in different zones? If so, you will need to have a policy to permit the traffic. The relay configuration should be on the interface where your clients are, vlan 10 subinterface, forwarding to the server on vlan 20. Is the DHCP server on the same subnet as the vlan 20 interface of the PA? If you give a static address to a host on vlan 10, can it access the DHCP server, just with a ping?

Thanks for your reply RFalconer,

The interfaces are in different zones and I also created the Rule to allow DHCP traffic in between. The PA is not in a VLAN of a DHCP Server, so we route the DHCP Relayed packets. The clients cannot ping or initiate traffic to other subnets as per security-requirement, so I cannot test that. But connectivity from the FW to the DHCP server is fine.

We have now tested many different things and have found out that I forgot to set DHCP snooping trust on the Switch..... Unfortunately, this dumb mistake was not the source of the problem. The DHCP Relay works now - but only with 1 DHCP Relay Server... As soon as I add a 2nd Server the DHCP Relay stops working ...

I have also found a known issue in 7.0.5 which would explain the PA sending the relayed Packets out the same interface it received the discovery on.

92934 Fixed an issue where a firewall configured for DHCP relay (with multiple DHCP relays or in certain firewall virtual system configurations) rebroadcast a DHCP packet on the same interface that received the packet, which caused a broadcast storm. With this fix, the firewall drops duplicate broadcasts instead of retransmitting them.

This probably means that it's a general bug in 7.0.5 and we'll have to find another solution until we get approval for the PAN-OS upgrade.

But thank you all for your help!!! :-)