ASA - DHCP relay not working

dario.didio
Enthusiast

Hi all,

 

I'm having an issue with DHCP relay on my ASA.

My clients are in a DMZ and my DHCP server is behind the inside interface.

DHCPrelay is configured correctly, but clients are not getting an IP address.

 

After troubleshooting, I'm under the impression that the problem is that packets sourced from the ASA (which DHCPrelay does) are getting dropped.

When doing a packet trace with the IP address of the ASA's DMZ interface as the source and the DHCP server as the destination, the packet is dropped, even though I have an explicit rule allowing this.

 

All examples I run into with regards to DHCP relay on ASA always have the clients on the inside and the DHCP server on the DMZ/outside, i.e. the packet goes from a higher security level to a lower one. In my case, it is the opposite.

 

Anyone that can help?


Thanks,

Dario

7 Replies

marce1000
VIP Mentor

 

 - Check whether any of the items discussed in this thread can be helpful to you.

  https://supportforums.cisco.com/t5/firewalling/dhcp-relay-on-asa-5505-to-windows-dhcp-server-not-working/td-p/2764667

M.

Hi,
thanks for the answer, much appreciated!
unfortunately, it doesn't solve my problem and I cannot move the DHCP functionality to my ASA, it needs to be relayed.
Thanks,
Dario

 

 - I understand, but the article just discusses that 'only' (!).

M.

dario.didio
Enthusiast

After some more digging, I found in the ASP drops that the ASA is dropping DHCP related messages, coming from our internal server.

 

   4: 13:08:04.482991       x.x.x.x.67 > 255.255.255.255.68:  udp 318 Drop-reason: (unable-to-create-flow) Flow denied due to resource limitation
   5: 13:08:04.531039       x.x.x.x.67 > 255.255.255.255.68:  udp 318 Drop-reason: (unable-to-create-flow) Flow denied due to resource limitation
   6: 13:08:04.731407       x.x.x.x.67 > 255.255.255.255.68:  udp 314 Drop-reason: (unable-to-create-flow) Flow denied due to resource limitation
   7: 13:08:05.176550       x.x.x.x.67 > 255.255.255.255.68:  udp 318 Drop-reason: (unable-to-create-flow) Flow denied due to resource limitation
   8: 13:08:05.809528       x.x.x.x.67 > 255.255.255.255.68:  udp 318 Drop-reason: (unable-to-create-flow) Flow denied due to resource limitation
   9: 13:08:06.231524       x.x.x.x.67 > 255.255.255.255.68:  udp 314 Drop-reason: (unable-to-create-flow) Flow denied due to resource limitation
  10: 13:08:06.481450       x.x.x.x.67 > 255.255.255.255.68:  udp 314 Drop-reason: (unable-to-create-flow) Flow denied due to resource limitation
  11: 13:08:06.887878       x.x.x.x.67 > 255.255.255.255.68:  udp 318 Drop-reason: (unable-to-create-flow) Flow denied due to resource limitation
  12: 13:08:07.590927       x.x.x.x.67 > 255.255.255.255.68:  udp 318 Drop-reason: (unable-to-create-flow) Flow denied due to resource limitation
  13: 13:08:07.718361       x.x.x.x.67 > 255.255.255.255.68:  udp 318 Drop-reason: (unable-to-create-flow) Flow denied due to resource limitation
  14: 13:08:08.017790       x.x.x.x.67 > 255.255.255.255.68:  udp 318 Drop-reason: (unable-to-create-flow) Flow denied due to resource limitation
  15: 13:08:08.531192       x.x.x.x.67 > 255.255.255.255.68:  udp 318 Drop-reason: (unable-to-create-flow) Flow denied due to resource limitation

 

Reason is 'flow denied due to resource limitation'.

According to this page: https://www.cisco.com/c/en/us/td/docs/security/asa/asa-command-reference/show_asp_drop/show_asp_drop.html

Name: unable-to-create-flow
Flow denied due to resource limitation:
This counter is incremented and the packet is dropped when flow creation fails due to a system resource limitation. The resource limit may be either:
1) system memory
2) packet block extension memory
3) system connection limit
Causes 1 and 2 will occur simultaneously with flow drop reason "No memory to complete flow".
 
Recommendation:
- Observe if free system memory is low.
- Observe if flow drop reason "No memory to complete flow" occurs.
- Observe if connection count reaches the system connection limit with the command "show resource usage".
 
Syslogs:
None
 
None of the above are applicable to us. Could this be a bug? We're running version 9.1(7)23 on a 5510 platform with 1GB memory.
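The asp-drop capture above is the kind of output worth aggregating before deciding whether a drop counter points at a resource problem or a policy problem. As an added example (not code from this thread or from Cisco), here is a small Python parser for lines in the 'show capture' format of a capture created with 'capture cap type asp-drop all'; it counts drops by drop reason and by flow, and pulls out DHCP server replies (UDP 67 to broadcast 68) that never got a flow. The sample lines and addresses are constructed.

```python
import re
from collections import Counter

# Constructed sample output in the format of 'show capture <name>' for an
# asp-drop capture. Addresses and timestamps are made up for illustration.
SAMPLE_CAPTURE = """\
   4: 13:08:04.482991       192.0.2.10.67 > 255.255.255.255.68:  udp 318 Drop-reason: (unable-to-create-flow) Flow denied due to resource limitation
   5: 13:08:04.531039       192.0.2.10.67 > 255.255.255.255.68:  udp 318 Drop-reason: (unable-to-create-flow) Flow denied due to resource limitation
   6: 13:08:05.100000       198.51.100.5.51234 > 192.0.2.20.443:  tcp 60 Drop-reason: (acl-drop) Flow is denied by configured rule
"""

# One capture line: index, timestamp, src.sport > dst.dport: proto length
# Drop-reason: (short-name) long description.
LINE_RE = re.compile(
    r"^\s*(?P<idx>\d+):\s+(?P<time>\S+)\s+"
    r"(?P<src>[\d.]+)\.(?P<sport>\d+)\s+>\s+(?P<dst>[\d.]+)\.(?P<dport>\d+):\s+"
    r"(?P<proto>\w+)\s+(?P<length>\d+)\s+"
    r"Drop-reason:\s+\((?P<reason>[^)]+)\)\s*(?P<text>.*)$"
)


def parse_asp_drops(text):
    """Return one dict per parsable capture line; unparsable lines are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        rec = m.groupdict()
        for key in ("idx", "sport", "dport", "length"):
            rec[key] = int(rec[key])
        records.append(rec)
    return records


def summarize(records):
    """Count drops by short drop-reason name and by 5-tuple flow."""
    by_reason = Counter(r["reason"] for r in records)
    by_flow = Counter(
        (r["src"], r["sport"], r["dst"], r["dport"], r["proto"]) for r in records
    )
    return by_reason, by_flow


def dhcp_server_replies_dropped(records):
    """Dropped DHCP OFFER/ACK-style packets: server port 67 to broadcast port 68."""
    return [
        r for r in records
        if r["proto"] == "udp" and r["sport"] == 67 and r["dport"] == 68
        and r["dst"] == "255.255.255.255"
    ]
```

Feed it the real capture text and compare the per-flow counts against 'show conn' and 'show resource usage' taken at the same time; a flow-creation failure that only ever hits the relay's broadcast replies, while memory and connection counts are fine, is the pattern described in the post.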

Quick questions:
1. Can you share the output of "show run dhcprelay"
2. What command did you use to see these drops?

Thanks!

Hi,

1. Output of show run dhcprelay:
dhcprelay server x.x.x.x inside
dhcprelay server x.x.x.x inside
dhcprelay enable DMZ-1
dhcprelay enable DMZ-2
dhcprelay enable DMZ-3
dhcprelay enable DMZ-4
dhcprelay enable DMZ-5
dhcprelay timeout 90

2. I created a capture using 'capture cap type asp-drop all'

Thanks for the reply!

 

I see you have a pretty up to date OS running on the firewall.

What I would do

1. Open a TAC case if possible

2. Regardless of option 1, I would review 

 show conn, show cpu, show memory. Even better if you have all three of these resources graphed out on a daily basis. Next I would retest the DHCP relay service during the least busy period of the day.

 

3. Last but not least since this is not working for you currently, I would clean up one of the two DHCP servers from config. Maybe this will make things easier for your busy firewall.
