04-18-2019 05:52 AM - edited 04-18-2019 05:54 AM
I have configured port Gi1/2-Gi1/8 as follows with the nameif incrementing such as inside2, inside3 etc. A small DHCP pool has been created as well.
interface GigabitEthernet1/2
bridge-group 1
nameif inside1
security-level 100
When I connect my laptop to any of these ports it gets an IP but immediately drops it and then gets another. A debug of dhcpd shows me that after the ack is sent to my laptop it then rejects the IP. The ASA then tries the next IP in the pool. Wireshark shows my laptop joining a multicast group and leaving. It also shows a DHCP decline from my laptop. A colleague has tried his laptop and experiences the same issue.
Any ideas what is causing this?
04-18-2019 09:04 AM
So the Duplicate ip address detection is on the client machine, does not matter what your DHCP server is. ASA does proxy arp by default, but only when there is a corresponding NAT statement. Proxy arp is usually not a required feature on your inside interface, so you can disable this for testing.
04-18-2019 06:43 AM
It could be the MS duplicate IP address detection kicking in. Does your ASA have any NAT rules that make it proxy for that assigned IP address? If this is the case, the client might be testing ARP for its newly received IP address. If the ASA proxy-ARPs, the client releases it, assuming that it is already used in the network.
04-18-2019 06:27 AM
In order to help you, it would be better if you share your ASA configuration.
04-18-2019 08:16 AM
DHCP is being hosted on a 3850, this is not Microsoft DHCP. It appears the resolution may have been the 'sysopt noproxyarp' command on every single interface. Previously I had only enabled it on the outside interface. I found this link and it seems this is my issue.
https://gtacknowledge.extremenetworks.com/articles/Solution/DHCP-Clients-sending-DHCPDECLINE-packets
04-19-2019 06:50 AM - edited 04-19-2019 06:51 AM
Once I disabled proxy-arp on the BVI and all of the bridged interfaces the problem is gone.
The problem was not duplicate IPs. The problem was that it kept sending a decline and then DHCP would try another IP.
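The interaction the thread describes, as an added example that is not from the thread, Cisco or the linked article: a simplified model in which the ASA answers ARP for an address only when proxy ARP is still enabled on the interface and a NAT rule covers that address (as the accepted reply states), the client ARP-probes its newly assigned address, and any reply turns into a DHCPDECLINE and the next pool address. Interface names, the NAT network and the pool addresses are constructed values.

```python
# Added example (not from the thread or Cisco): simplified model of the
# DHCPDECLINE loop caused by ASA proxy ARP on bridged inside interfaces.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

@dataclass
class Interface:
    nameif: str
    proxy_arp: bool = True   # ASA default; "sysopt noproxyarp <nameif>" clears it

@dataclass
class NatRule:
    nameif: str              # interface the NAT rule is attached to (constructed)
    network: str             # addresses the rule covers, in CIDR (constructed)

class Asa:
    def __init__(self, interfaces, nat_rules):
        self.interfaces = {i.nameif: i for i in interfaces}
        self.nat_rules = nat_rules

    def answers_arp_probe(self, nameif, target_ip):
        """Would the ASA answer an ARP request for target_ip heard on nameif?
        Only if proxy ARP is still enabled there and a NAT rule covers the IP."""
        if not self.interfaces[nameif].proxy_arp:
            return False
        return any(r.nameif == nameif and ip_address(target_ip) in ip_network(r.network)
                   for r in self.nat_rules)

    def sysopt_noproxyarp(self, nameif):
        self.interfaces[nameif].proxy_arp = False

def run_dhcp_client(asa, nameif, pool):
    """Server offers pool addresses in order; the client ARP-probes each one
    (duplicate address detection). Any reply means DHCPDECLINE and the next
    offer. Returns (accepted_ip or None, list of declined addresses)."""
    declined = []
    for ip in pool:
        if asa.answers_arp_probe(nameif, ip):
            declined.append(ip)
            continue
        return ip, declined
    return None, declined

def build_lab():
    """Constructed lab: inside1..inside7 with a NAT rule covering the inside
    subnet on each, and a three-address pool (all values made up)."""
    intfs = [Interface(f"inside{n}") for n in range(1, 8)]
    nat = [NatRule(f"inside{n}", "192.168.10.0/24") for n in range(1, 8)]
    return Asa(intfs, nat), ["192.168.10.11", "192.168.10.12", "192.168.10.13"]
```

Running the client against the lab before and after `sysopt_noproxyarp` on the port's interface shows every pool address declined first and the first address accepted afterwards.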