ASA 5516-X dhcprelay not working

azrex_22
Level 1

Hi,

I have an issue with my ASA firewall: DHCP relay is not working. I tried to configure it for just a basic, simple network setup, but it fails; my client cannot get an IP from the server.

DHCP server --> ASA Firewall --> Switch --> Client

# Server IP: 202.100.1.3

# DHCP IP: 192.168.100.1/24

This is an example of my ASA configuration.

!
interface GigabitEthernet1/4
 nameif inside
 security-level 0
 ip address 192.168.100.254 255.255.255.0

!
interface GigabitEthernet1/5
 nameif SERVER_DMZ
 security-level 100
 ip address 202.100.1.1 255.255.255.0

dhcprelay server 202.100.1.3 SERVER_DMZ
dhcprelay enable inside
dhcprelay setroute inside
dhcprelay timeout 90

7 Replies

cofee
Level 5

Hi Azrex,

Did you test connectivity between your inside and DMZ networks? Also, what makes you think the firewall is the problem? Are you certain that DHCP packets are making it to the firewall, by debugging DHCP packets on the firewall?

I am not sure how your switch is configured, but if you are using an SVI for the client subnet on the switch, is it configured with DHCP relay?

The config on the firewall that you sent seems to be fine.

Hi cofee,

I am not an expert in this network environment; however, I'm glad to learn from you and all the professionals here.

I already tested my connectivity between inside and DMZ. However, could you please explain the connectivity test between inside and DMZ in more detail, because maybe I forgot some step during the troubleshooting.

My switch is only configured with switchport mode access. Is there any configuration I need to add or change?

Thanks.

Hello Azrex,

By testing connectivity between inside and DMZ I meant checking whether you are able to reach the DMZ environment from your inside network, for example with ping/telnet/ssh, so we know that connectivity is not an issue.

Please check or answer following things:

a) Is the switchport your end host is connected to in the right VLAN?

b) Do you have an SVI configured for that VLAN on your core switch, and is it configured for DHCP relay?

For example:

interface Vlan2
 ip helper-address 202.100.1.3

But I am not sure what your network looks like. Let us know if you are using your firewall's inside interface as the default gateway for the client, or if there is a multilayer core switch on the inside network that the client is using as its default gateway. Can you draw your network and share it? Also, is it just one client that's not getting an address from the DHCP server, or are all the end hosts connected to the inside network having the same issue?

The other thing you can do is look at the firewall's logs and use debug commands on the ASA:

debug dhcprelay

So after you initiate the debug command on the ASA, reboot the PC you are working on; when it comes back up it will broadcast a DHCPDISCOVER packet. Your job will be to look at the firewall and see if it's getting those packets and what it is doing with them. Logs and debugging on the ASA will give you a lot of information. If you don't see anything on the ASA, then the problem might be something internal, like between the switch and the end host.

Let me know if you have any questions.

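What the relay actually does with those DISCOVER packets, and what the server must do with them in turn, is the thing the debug output lets you check. The following is an added, constructed example (not code from this thread or from Cisco) that walks a DISCOVER through a relay agent and a toy server in pure Python, following RFC 1542 and RFC 2131: the relay bumps the hop count, stamps its receiving interface address into giaddr, and forwards the request to the server; the server selects a scope by giaddr (so it needs a scope for 192.168.100.0/24 even though it sits on 202.100.1.0/24), and stays silent when it has none; the relay then hands the OFFER back to the client's segment. The addresses are the thread's; the scope table, the lease value and the `setroute` rewrite of the router option (mirroring what the ASA documents for `dhcprelay setroute`) are simplified assumptions of this example.

```python
"""DHCP relay agent behaviour (RFC 1542 / RFC 2131) in pure Python.

Constructed example, not code from the thread or from Cisco. Addresses are the
thread's (relay inside interface 192.168.100.254, server 202.100.1.3); the toy
server's scope selection and the 'setroute' router rewrite are simplified.
"""
import ipaddress
import struct

BOOTREQUEST, BOOTREPLY = 1, 2
HDR = "!BBBBIHH4s4s4s4s16s64s128s"        # fixed 236-byte BOOTP header
MAGIC = b"\x63\x82\x53\x63"
MAX_HOPS = 16                              # RFC 1542 s4.1.1: discard if hops exceeds 16
OPT_ROUTER, OPT_MSG_TYPE, OPT_SERVER_ID, OPT_END = 3, 53, 54, 255
DISCOVER, OFFER = 1, 2
ANY = "0.0.0.0"

def pack_ip(a): return ipaddress.IPv4Address(a).packed
def unpack_ip(b): return str(ipaddress.IPv4Address(b))

def encode_options(opts):
    out = bytearray(MAGIC)
    for code, val in opts:
        out += bytes([code, len(val)]) + val
    return bytes(out + bytes([OPT_END]))

def decode_options(raw):
    opts, i = [], 0
    while i < len(raw) and raw[i] != OPT_END:
        if raw[i] == 0: i += 1; continue   # pad option
        code, ln = raw[i], raw[i + 1]
        opts.append((code, raw[i + 2:i + 2 + ln])); i += 2 + ln
    return opts

def build(op, xid, chaddr, hops=0, flags=0x8000, yiaddr=ANY, giaddr=ANY, opts=()):
    hdr = struct.pack(HDR, op, 1, 6, hops, xid, 0, flags, pack_ip(ANY), pack_ip(yiaddr),
                      pack_ip(ANY), pack_ip(giaddr), chaddr.ljust(16, b"\0"), b"\0" * 64, b"\0" * 128)
    return hdr + encode_options(opts)

def parse(frame):
    f = struct.unpack_from(HDR, frame)
    if frame[236:240] != MAGIC: raise ValueError("not a DHCP frame")
    return {"op": f[0], "hops": f[3], "xid": f[4], "flags": f[6], "yiaddr": unpack_ip(f[8]),
            "giaddr": unpack_ip(f[10]), "chaddr": f[11][:6], "opts": decode_options(frame[240:])}

def relay_request(frame, relay_if_ip, server_ip):
    """Relay inside -> server. Returns (destination, frame) or None when dropped.
    Only BOOTREQUESTs are relayed; hops is incremented and giaddr is set to the
    receiving interface address unless an earlier relay already filled it in."""
    p = parse(frame)
    if p["op"] != BOOTREQUEST or p["hops"] > MAX_HOPS:
        return None
    buf = bytearray(frame)
    buf[3] = p["hops"] + 1                 # hops field, offset 3
    if p["giaddr"] == ANY:
        buf[24:28] = pack_ip(relay_if_ip)  # giaddr field, offset 24
    return server_ip, bytes(buf)

def server_offer(frame, scopes, server_ip):
    """Toy server: picks the scope that contains giaddr (the relay's interface).
    This is why the server needs a scope for the client's subnet even though it
    sits on another network; with no matching scope it answers nothing."""
    p = parse(frame)
    gi = ipaddress.IPv4Address(p["giaddr"])
    scope = next((s for s in scopes if gi in ipaddress.IPv4Network(s["net"])), None)
    if scope is None:
        return None
    opts = [(OPT_MSG_TYPE, bytes([OFFER])), (OPT_SERVER_ID, pack_ip(server_ip)),
            (OPT_ROUTER, pack_ip(scope["router"]))]
    return build(BOOTREPLY, p["xid"], p["chaddr"], hops=p["hops"], flags=p["flags"],
                 yiaddr=scope["lease"], giaddr=p["giaddr"], opts=opts)

def relay_reply(frame, relay_if_ip, setroute=False):
    """Relay server -> client. A reply is ours only if giaddr names our interface.
    setroute (assumed to mirror the ASA option) rewrites the router option to
    the relay interface address. Broadcast flag set -> broadcast, else unicast."""
    p = parse(frame)
    if p["op"] != BOOTREPLY or p["giaddr"] != relay_if_ip:
        return None
    opts = p["opts"]
    if setroute:
        opts = [(c, pack_ip(relay_if_ip) if c == OPT_ROUTER else v) for c, v in opts]
    dest = "255.255.255.255" if p["flags"] & 0x8000 else p["yiaddr"]
    return dest, frame[:236] + encode_options(opts)

def router_option(frame):
    """The router (option 3) a client would receive from this frame, or None."""
    return next((unpack_ip(v) for c, v in parse(frame)["opts"] if c == OPT_ROUTER), None)

# The thread's topology as constructed test data (lease and router are assumptions).
RELAY_INSIDE, SERVER = "192.168.100.254", "202.100.1.3"
SCOPES = [{"net": "192.168.100.0/24", "lease": "192.168.100.10", "router": "192.168.100.1"}]
CLIENT_MAC = bytes.fromhex("0242ac110002")

def exchange(setroute=False, scopes=SCOPES):
    """Run DISCOVER -> relay -> server -> relay -> OFFER end to end; None if it stalls."""
    discover = build(BOOTREQUEST, 0x1234, CLIENT_MAC, opts=[(OPT_MSG_TYPE, bytes([DISCOVER]))])
    relayed = relay_request(discover, RELAY_INSIDE, SERVER)
    if relayed is None: return None
    offer = server_offer(relayed[1], scopes, SERVER)
    if offer is None: return None          # the silent-server failure mode
    back = relay_reply(offer, RELAY_INSIDE, setroute)
    if back is None: return None
    return {"dest": back[0], "yiaddr": parse(back[1])["yiaddr"], "router": router_option(back[1])}

if __name__ == "__main__":
    print(exchange())                      # router from the scope
    print(exchange(setroute=True))         # router rewritten to the relay interface
    print(exchange(scopes=[]))             # no scope for giaddr: nothing comes back
```

The third call is the case to keep in mind when `debug dhcprelay` shows the DISCOVER leaving towards the server but no OFFER returning: a relayed request carries giaddr, and a server with no scope covering that address simply does not answer, which looks identical on the client side to a relay that never forwarded anything.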
Hi cofee & johnlloyd,

This is an example of my simple network connection. I have:

1. DHCP Server --> firewall --> switch --> client = Failed.

I also tried configuring my router as a DHCP server, and it works fine.

2. Router (DHCP enabled) --> firewall --> switch --> client = Successful.

The configuration works when my router is the DHCP server. The problem appears when I change to using my DHCP server only.

Firewall configuration:

- dhcprelay server 202.100.1.3 SERVER_DMZ

- dhcprelay enable inside

- dhcprelay setroute inside

- dhcprelay timeout 90

Switch configuration:

- switchport mode access / default configuration

- no VLAN

- no trunk

Do this with the setup that's failing:

Directly connect the client to the DHCP server and see if it successfully pulls an IP. If not, then you know there is something wrong with the configuration on your DHCP server.

In the setup that works, the only thing you changed was the DHCP server itself; you didn't mention making any other changes. You can rule out the client/switch/firewall.

Hi Cofee,

I also tested with the client directly connected to the DHCP server, and it's okay.

DHCP server --> switch --> client = OK.

I don't know what to do anymore; it's like my brain freezes on this part.

johnlloyd_13
Level 9

Hi,

Your inside has a lower security level (0) while SERVER_DMZ has a higher one (100), which means you'll need to explicitly create an ACL to allow the DHCP relay ports from inside (untrusted) to SERVER_DMZ (trusted).
