Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1496
Views
0
Helpful
1
Replies

Firepower Threat Defense dropping relayed dhcp from adjacent switch

Leon Jaimes
Level 1
Level 1

‎01-28-2020 09:55 AM - edited ‎02-21-2020 09:52 AM

Hello
We just installed an ASA 5516-X to productions as an east/west routed firewall. It is Firepower Threat Defense 6.4.0.4-34 managed by onboard Firepower Defense Manager.
The DHCP server is 192.168.5.21
The inside of the ASA is 192.168.5.1
The outside of the ASA is 192.168.20.2
The nexthop switch from the ASA is 192.168.20.1
The switch has a l3 interface for VLAN 8 which is 192.168.16.1 and is configured with "ip helper-address 192.168.5.21"
It looks like DHCP requests from VLAN 8 are not making it through the ASA.
"packet-tracer input outside udp 192.168.16.1 4321 192.168.5.21 67" shows the traffic allowed.
"capture cap1 interface outside type raw-data match udp host 192.168.16.1 host 192.168.5.21 eq 67" shows lot of packets.
"caputure cap2 interface outside type asp-drop all match udp host 192.168.16.1 host 192.168.5.21 eq 67" shows 0 packets.
"caputure cap3 interface inside type raw-data match udp host 192.168.16.1 host 192.168.5.21 eq 67" shows 0 packets.

 

We rolled back the install and have a TAC case open.  We are waiting to schedule a maintenance windows when an engineer can help troubleshoot this, but I wanted to see if anyone else has run into this. 

We also tried setting up a DHCP relay on the ASA using a FlexConfig template, and then point the helper on the switch to the ASA so it is a double relay.  We didn't get a chance to actually test if that was successful or not though, and its not ideal.  The unicast traffic should be able to pass the ASA.

 

Thanks,
Leon

1 person had this problem
Labels:
0 Helpful
1 Reply 1

nspasov
Cisco Employee
Cisco Employee

‎01-28-2020 08:50 PM

There was a bug in 6.3.0.x that was fixed a while back and version 6.4.0.4 was a recent recommended (Gold Starred) release and I have not seen others having this issue. With that said, working with TAC is the best next steps for this issue. Please keep us posted on the progress/resolution.

Thank you for rating helpful posts!

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card