topic Re: ASA - DHCP relay not working in Network Security

ASA - DHCP relay not working

dario.didio — Fri, 21 Feb 2020 15:30:53 GMT

Hi all,

I'm having an issue with DHCP relay on my ASA.

My clients are in a DMZ and my DHCP server is behind the inside interface.

DHCPrelay is configured correctly, but clients are not getting an IP address.

After troubleshooting, I'm under the impression that the problem is that packets sourced from the ASA (which DHCPrelay does) are getting dropped.

When doing a packet trace with source IP the IP address of the ASA's DMZ interface to the DHCP server, the packet is dropped, eventhough I have an explicit rule allowing this.

All examples I run in to with regards to DHCPrelay on ASA, are always with clients on the inside and DHCP server on the DMZ/outside; being the packet going from a higher security level to a lower one. In my case, it is the opposite.

Anyone that can help?

Thanks,

Dario

Re: ASA sourced packets dropped

Mark Elsen — Wed, 14 Mar 2018 16:17:24 GMT

- Check wether any of the items discussed in this thread can be helpfull to you.

https://supportforums.cisco.com/t5/firewalling/dhcp-relay-on-asa-5505-to-windows-dhcp-server-not-working/td-p/2764667

Re: ASA sourced packets dropped

dario.didio — Wed, 14 Mar 2018 16:21:27 GMT

Hi,
thanks for the answer, much appreciated!
unfortunately, it doesn't solve my problem and I cannot move the DHCP functionality to my ASA, it needs to be relayed.
Thanks,
Dario

Re: ASA sourced packets dropped

Mark Elsen — Wed, 14 Mar 2018 16:23:44 GMT

- I understand, but the article just discusses that 'only' (!).

Re: ASA - DHCP relay not working

dario.didio — Thu, 15 Mar 2018 12:13:52 GMT

After some more digging, I found in the ASP drops that the ASA is dropping DHCP related messages, coming from our internal server.

   4: 13:08:04.482991       x.x.x.x.67 > 255.255.255.255.68: udp 318 Drop-reason: (unable-to-create-flow) Flow denied due to resource limitation
   5: 13:08:04.531039       x.x.x.x.67 > 255.255.255.255.68: udp 318 Drop-reason: (unable-to-create-flow) Flow denied due to resource limitation
   6: 13:08:04.731407       x.x.x.x.67 > 255.255.255.255.68: udp 314 Drop-reason: (unable-to-create-flow) Flow denied due to resource limitation
   7: 13:08:05.176550       x.x.x.x.67 > 255.255.255.255.68: udp 318 Drop-reason: (unable-to-create-flow) Flow denied due to resource limitation
   8: 13:08:05.809528       x.x.x.x.67 > 255.255.255.255.68: udp 318 Drop-reason: (unable-to-create-flow) Flow denied due to resource limitation
   9: 13:08:06.231524       x.x.x.x.67 > 255.255.255.255.68: udp 314 Drop-reason: (unable-to-create-flow) Flow denied due to resource limitation
10: 13:08:06.481450       x.x.x.x.67 > 255.255.255.255.68: udp 314 Drop-reason: (unable-to-create-flow) Flow denied due to resource limitation
11: 13:08:06.887878       x.x.x.x.67 > 255.255.255.255.68: udp 318 Drop-reason: (unable-to-create-flow) Flow denied due to resource limitation
12: 13:08:07.590927       x.x.x.x.67 > 255.255.255.255.68: udp 318 Drop-reason: (unable-to-create-flow) Flow denied due to resource limitation
13: 13:08:07.718361       x.x.x.x.67 > 255.255.255.255.68: udp 318 Drop-reason: (unable-to-create-flow) Flow denied due to resource limitation
14: 13:08:08.017790       x.x.x.x.67 > 255.255.255.255.68: udp 318 Drop-reason: (unable-to-create-flow) Flow denied due to resource limitation
15: 13:08:08.531192       x.x.x.x.67 > 255.255.255.255.68: udp 318 Drop-reason: (unable-to-create-flow) Flow denied due to resource limitation

Reason is 'flow denied due to resource limitation'.

According to this page: https://www.cisco.com/c/en/us/td/docs/security/asa/asa-command-reference/show_asp_drop/show_asp_drop.html

Name: unable-to-create-flow

Flow denied due to resource limitation:

This counter is incremented and the packet is dropped when flow creation fails due to a system resource limitation. The resource limit may be either:

1) system memory

2) packet block extension memory

3) system connection limit

Causes 1 and 2 will occur simultaneously with flow drop reason "No memory to complete flow".

Recommendation:

- Observe if free system memory is low.

- Observe if flow drop reason "No memory to complete flow" occurs.

- Observe if connection count reaches the system connection limit with the command "show resource usage".

Syslogs:

None

None of the above are applicable to us. Could this be a bug? We're running version 9.1(7)23 on an 5510 platform with 1GB memory.

Re: ASA - DHCP relay not working

Florin Barhala — Thu, 15 Mar 2018 13:31:01 GMT

Quick questions:
1. Can you share the output of "show run dhcprelay"
2. What command did you use to see these drops?

Thanks!

Re: ASA - DHCP relay not working

dario.didio — Thu, 15 Mar 2018 14:44:03 GMT

Hi,

1. Output of show run dhcprelay:
dhcprelay server x.x.x.x inside
dhcprelay server x.x.x.x inside
dhcprelay enable DMZ-1
dhcprelay enable DMZ-2
dhcprelay enable DMZ-3
dhcprelay enable DMZ-4
dhcprelay enable DMZ-5
dhcprelay timeout 90

2. I created a capture using 'capture cap type asp-drop all'

Re: ASA - DHCP relay not working

Florin Barhala — Fri, 16 Mar 2018 10:47:51 GMT

Thanks for the reply!

I see you have a pretty up to date OS running on the firewall.

What I would do

1. Open a TAC case if possible

2. No matter no1 option, I would review

show conn, show cpu, show memory. Even better if you have all these three resources graphed out on a daily base usage. Next I would retest DHCP relay service on the least busy period of the day.

3. Last but not least since this is not working for you currently, I would clean up one of the two DHCP servers from config. Maybe this will make things easier for your busy firewall.