topic Firepower Threat Defense dropping relayed dhcp from adjacent switch in Network Security https://community.cisco.com/t5/network-security/firepower-threat-defense-dropping-relayed-dhcp-from-adjacent/m-p/4019702#M937157 <P>Hello<BR />We just installed an ASA 5516-X to productions as an east/west routed firewall. It is Firepower Threat Defense 6.4.0.4-34 managed by onboard Firepower Defense Manager.<BR />The DHCP server is 192.168.5.21<BR />The inside of the ASA is 192.168.5.1<BR />The outside of the ASA is 192.168.20.2<BR />The nexthop switch from the ASA is 192.168.20.1<BR />The switch has a l3 interface for VLAN 8 which is 192.168.16.1 and is configured with "ip helper-address 192.168.5.21"<BR />It looks like DHCP requests from VLAN 8 are not making it through the ASA.<BR />"packet-tracer input outside udp 192.168.16.1 4321 192.168.5.21 67" shows the traffic allowed.<BR />"capture cap1 interface outside type raw-data match udp host 192.168.16.1 host 192.168.5.21 eq 67" shows lot of packets.<BR />"caputure cap2 interface outside type asp-drop all match udp host 192.168.16.1 host 192.168.5.21 eq 67" shows 0 packets.<BR />"caputure cap3 interface inside type raw-data match udp host 192.168.16.1 host 192.168.5.21 eq 67" shows 0 packets.</P><P>&nbsp;</P><P>We rolled back the install and have a TAC case open.&nbsp; We are waiting to schedule a maintenance windows when an engineer can help troubleshoot this, but I wanted to see if anyone else has run into this.&nbsp;</P><P>We also tried setting up a DHCP relay on the ASA using a FlexConfig template, and then point the helper on the switch to the ASA so it is a double relay.&nbsp; We didn't get a chance to actually test if that was successful or not though, and its not ideal.&nbsp; The unicast traffic should be able to pass the ASA.</P><P>&nbsp;</P><P>Thanks,<BR />Leon</P> Fri, 21 Feb 2020 17:52:30 GMT Leon Jaimes 2020-02-21T17:52:30Z Firepower Threat Defense dropping relayed dhcp from adjacent switch https://community.cisco.com/t5/network-security/firepower-threat-defense-dropping-relayed-dhcp-from-adjacent/m-p/4019702#M937157 <P>Hello<BR />We just installed an ASA 5516-X to productions as an east/west routed firewall. It is Firepower Threat Defense 6.4.0.4-34 managed by onboard Firepower Defense Manager.<BR />The DHCP server is 192.168.5.21<BR />The inside of the ASA is 192.168.5.1<BR />The outside of the ASA is 192.168.20.2<BR />The nexthop switch from the ASA is 192.168.20.1<BR />The switch has a l3 interface for VLAN 8 which is 192.168.16.1 and is configured with "ip helper-address 192.168.5.21"<BR />It looks like DHCP requests from VLAN 8 are not making it through the ASA.<BR />"packet-tracer input outside udp 192.168.16.1 4321 192.168.5.21 67" shows the traffic allowed.<BR />"capture cap1 interface outside type raw-data match udp host 192.168.16.1 host 192.168.5.21 eq 67" shows lot of packets.<BR />"caputure cap2 interface outside type asp-drop all match udp host 192.168.16.1 host 192.168.5.21 eq 67" shows 0 packets.<BR />"caputure cap3 interface inside type raw-data match udp host 192.168.16.1 host 192.168.5.21 eq 67" shows 0 packets.</P><P>&nbsp;</P><P>We rolled back the install and have a TAC case open.&nbsp; We are waiting to schedule a maintenance windows when an engineer can help troubleshoot this, but I wanted to see if anyone else has run into this.&nbsp;</P><P>We also tried setting up a DHCP relay on the ASA using a FlexConfig template, and then point the helper on the switch to the ASA so it is a double relay.&nbsp; We didn't get a chance to actually test if that was successful or not though, and its not ideal.&nbsp; The unicast traffic should be able to pass the ASA.</P><P>&nbsp;</P><P>Thanks,<BR />Leon</P> Fri, 21 Feb 2020 17:52:30 GMT https://community.cisco.com/t5/network-security/firepower-threat-defense-dropping-relayed-dhcp-from-adjacent/m-p/4019702#M937157 Leon Jaimes 2020-02-21T17:52:30Z Re: Firepower Threat Defense dropping relayed dhcp from adjacent switch https://community.cisco.com/t5/network-security/firepower-threat-defense-dropping-relayed-dhcp-from-adjacent/m-p/4020013#M937159 <P>There was a bug in 6.3.0.x that was fixed a while back and version 6.4.0.4 was a recent recommended (Gold Starred) release and I have not seen others having this issue. With that said, working with TAC is the best next steps for this issue. Please keep us posted on the progress/resolution.</P> <P><EM>Thank you for rating helpful posts!</EM></P> Wed, 29 Jan 2020 04:50:55 GMT https://community.cisco.com/t5/network-security/firepower-threat-defense-dropping-relayed-dhcp-from-adjacent/m-p/4020013#M937159 nspasov 2020-01-29T04:50:55Z