DHCP Mystery

This topic contains 8 replies, has 5 voices, and was last updated by chrisau 4 years, 9 months ago.

    ido hamdi
    Member
    #164911

    Hello!
    We have a problem…
    In a specific VLAN scope our DHCP is not leasing any addresses.
    (With a static IP address all works fine.)
    In other VLANs the DHCP works fine…
    All the configurations are correct, and firewall roles are valid and correct…
    We do not have a clue what went wrong here.

    I would appreciate any help!
    Thanks!

    uk_network
    Member
    #307953

    Re: DHCP Mystery

    Do you have a DHCP relay agent set up, or an IP Helper which forwards requests from clients on the VLAN to the DHCP server?

    Ossian
    Moderator
    #190315

    Re: DHCP Mystery

    Is the DHCP server in the same subnet as the VLAN?
    If not, do you have a DHCP relay agent in place?
    Has it ever worked?

    chrisau
    Member
    #390757

    Re: DHCP Mystery

    As far as I know, and it's not much, we need to use the relay agent in case of 2 different networks. There is a PrtScn of the DHCP if it will help…

    chrisau
    Member
    #390758

    Re: DHCP Mystery

    And one more thing: some clients in the scope are getting addresses, and some are not…

    Ossian
    Moderator
    #190316

    Re: DHCP Mystery

    Can you clarify your first and most recent posts?

    In the problem VLAN, are any clients getting IPs or not? In your first post you say not, then you say “some clients” are getting addresses.

    Are there problems in any other VLANs?

    Do you have enough free leases?

    chrisau
    Member
    #390759

    Re: DHCP Mystery

    I'm sorry for the disinformation.
    The thing is that some clients do work, but we are not sure if it's the 8 days lease. In other words, if we release the address I can't be sure it will be possible to renew.
    It is important that the clients will continue to work, so I can't try release/renew.
    The problem is on a specific VLAN. We did a test and we changed the interface of a switch port from one VLAN to another and BOOM, we got a DHCP address.

    We did migrate from FG firewall to CP, with CP experts that told us “all configured properly”.

    The FW is our DHCP relay agent.
    Maybe something to check there?

    PS
    Sorry for my spelling issues.

    Ossian
    Moderator
    #190318

    Re: DHCP Mystery

    Can you please review the various questions you have been asked and make sure they are all answered?

    Can you also post an IPConfig from a problem computer and from one that is OK?

    universal
    Member
    #388774

    Re: DHCP Mystery

    ido hamdi;290043 wrote:
    All the configurations are correct, and firewall roles are valid and correct…

    Well, if all the devices involved were configured correctly, your setup should work. Since it doesn’t, something is obviously misconfigured or broken.

    When you say “some clients in the scope get addresses”, do you mean to say that some clients in the problem VLAN are in fact getting IP addresses in the correct scope for that VLAN, while others don’t? If so, what do the working client systems have in common? Same hardware, same OS, same physical location, same uplink switch, or something else entirely?

    If I understand you correctly, you have confirmed that the layer 2/3 setup is working by configuring clients with static IP addresses. If that is the case, no further troubleshooting of network cabling, VLAN memberships, trunk definitions or IP routing is necessary.

    If on the other hand clients with static IP addresses are having issues as well, you should run a simple ping/arp test against the gateway IP. If that fails, the problem lies with the VLAN setup (wrong VLAN number, trunk not allowing the VLAN in question, missing VLAN definition on a switch somewhere between the client and the gateway) or there’s a physical problem (bad cable, defective switch port).

    Assuming the layer 2 connections are working and IP routing is properly configured, check that the firewall rule allows incoming UDP packets (broadcasts from 0.0.0.0 to 255.255.255.255) from UDP port 68 to UDP port 67 on the (VLAN) interface in question.

    A common mistake is to create a rule that allows traffic from the IP network in that VLAN instead of the interface or the IP address “0.0.0.0”. Allowing the IP network won’t work, since a DHCP client that’s just come online by definition doesn’t have an IP address, and therefore belongs to no network or subnet. Also, make sure nothing’s preventing the firewall from sending broadcast replies (to 255.255.255.255) to these requests.

    Next, verify that the DHCP Relay Agent is configured to forward the requests to the IP address of the DHCP server, and that the firewall allows both outbound traffic from the Relay Agent, and the inbound unicast replies that will come from the DHCP server.

    On some Relay Agents you can specify what the source IP address of the relayed packets should be. Make sure the address matches the firewall rule(s), and that packets from the DHCP server to that address will be routed properly.

    If you have a packet sniffing tool (like Wireshark) on either the server or a client PC, you should be able to verify connectivity pretty easily. On the server, you should see unicast packets from and to the IP address of the firewall (the Relay Agent), while the client should be transmitting DHCP Discover messages and receiving DHCP Offers from the Relay Agent/gateway.

    It may be possible to inspect network traffic on the switches or the firewall as well, but I’d have to know the make/model of these devices to be more specific.
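
    The capture check described in the post above, as an added example that is not part of the original thread: it parses DHCP payloads captured on the client VLAN and at the server, and names the hop where the DISCOVER/OFFER exchange stops. The function names, the transaction ID and the relay address 10.20.30.1 are constructed for illustration.

```python
import socket
import struct

MAGIC = b"\x63\x82\x53\x63"            # DHCP magic cookie after the 236-byte BOOTP header
TYPES = {1: "DISCOVER", 2: "OFFER", 3: "REQUEST", 5: "ACK", 6: "NAK"}

def parse_dhcp(payload):
    """Extract xid, giaddr (relay address) and option 53 from a UDP 67/68 payload."""
    if len(payload) < 240 or payload[236:240] != MAGIC:
        raise ValueError("not a DHCP message")
    xid = struct.unpack("!I", payload[4:8])[0]
    giaddr = socket.inet_ntoa(payload[24:28])    # 0.0.0.0 until a relay fills it in
    msg_type, i = None, 240
    while i + 1 < len(payload) and payload[i] != 255:   # 255 = end option
        if payload[i] == 0:                      # pad option has no length byte
            i += 1
            continue
        code, length = payload[i], payload[i + 1]
        if code == 53 and length == 1 and i + 2 < len(payload):
            msg_type = TYPES.get(payload[i + 2], "OTHER")
        i += 2 + length
    return {"xid": xid, "giaddr": giaddr, "type": msg_type}

def build(msg_type, xid, giaddr="0.0.0.0"):
    """Constructed sample message (not a real capture)."""
    op = 2 if msg_type in (2, 5, 6) else 1       # BOOTREPLY for server messages
    head = struct.pack("!BBBBI", op, 1, 6, 0, xid) + bytes(16)
    head += socket.inet_aton(giaddr) + bytes(208)       # chaddr/sname/file left zeroed
    return head + MAGIC + bytes([53, 1, msg_type, 255])

def diagnose(client_vlan, server):
    """Name the hop where the exchange stops, from payloads captured at both ends."""
    c, s = ([parse_dhcp(p) for p in side] for side in (client_vlan, server))
    xids = {m["xid"] for m in c if m["type"] == "DISCOVER"}
    def seen(msgs, t):
        return [m for m in msgs if m["xid"] in xids and m["type"] == t]
    if not xids:
        return "client sent no DISCOVER"
    if not seen(s, "DISCOVER"):
        return "DISCOVER never reached the server: check the inbound rule and relay target"
    if not seen(s, "OFFER"):                     # no scope matching giaddr, or no free leases
        relays = {m["giaddr"] for m in seen(s, "DISCOVER")}
        return "server made no OFFER for giaddr " + ", ".join(sorted(relays))
    if not seen(c, "OFFER"):
        return "OFFER lost on the way back: check replies to the relay and its broadcast"
    return "DISCOVER/OFFER complete"

if __name__ == "__main__":           # constructed sample: relay 10.20.30.1, no OFFER captured
    print(diagnose([build(1, 0x1234ABCD)], [build(1, 0x1234ABCD, "10.20.30.1")]))
```

    Feed it the UDP payloads exported from the two captures; the giaddr it reports is the address the server's replies must be routed back to.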
