ASA - DHCP relay not working

dario.didio
Enthusiast

Hi all,

I'm having an issue with DHCP relay on my ASA.

My clients are in a DMZ and my DHCP server is behind the inside interface.

DHCP relay is configured correctly, but clients are not getting an IP address.

After troubleshooting, I'm under the impression that the problem is that packets sourced from the ASA (which DHCP relay does) are getting dropped.

When doing a packet trace with the IP address of the ASA's DMZ interface as the source IP and the DHCP server as the destination, the packet is dropped, even though I have an explicit rule allowing this.

All examples I run into with regard to DHCP relay on ASA are always with clients on the inside and the DHCP server on the DMZ/outside, with the packet going from a higher security level to a lower one. In my case, it is the opposite.

Anyone that can help?


Thanks,

Dario

7 Replies

marce1000
VIP Mentor

 - Check whether any of the items discussed in this thread can be helpful to you.

  https://supportforums.cisco.com/t5/firewalling/dhcp-relay-on-asa-5505-to-windows-dhcp-server-not-working/td-p/2764667

M.

Hi,
Thanks for the answer, much appreciated!
Unfortunately, it doesn't solve my problem and I cannot move the DHCP functionality to my ASA; it needs to be relayed.
Thanks,
Dario

 - I understand, but the article just discusses that 'only' (!).

M.

dario.didio
Enthusiast

After some more digging, I found in the ASP drops that the ASA is dropping DHCP related messages, coming from our internal server.

   4: 13:08:04.482991       x.x.x.x.67 > 255.255.255.255.68:  udp 318 Drop-reason: (unable-to-create-flow) Flow denied due to resource limitation
   5: 13:08:04.531039       x.x.x.x.67 > 255.255.255.255.68:  udp 318 Drop-reason: (unable-to-create-flow) Flow denied due to resource limitation
   6: 13:08:04.731407       x.x.x.x.67 > 255.255.255.255.68:  udp 314 Drop-reason: (unable-to-create-flow) Flow denied due to resource limitation
   7: 13:08:05.176550       x.x.x.x.67 > 255.255.255.255.68:  udp 318 Drop-reason: (unable-to-create-flow) Flow denied due to resource limitation
   8: 13:08:05.809528       x.x.x.x.67 > 255.255.255.255.68:  udp 318 Drop-reason: (unable-to-create-flow) Flow denied due to resource limitation
   9: 13:08:06.231524       x.x.x.x.67 > 255.255.255.255.68:  udp 314 Drop-reason: (unable-to-create-flow) Flow denied due to resource limitation
  10: 13:08:06.481450       x.x.x.x.67 > 255.255.255.255.68:  udp 314 Drop-reason: (unable-to-create-flow) Flow denied due to resource limitation
  11: 13:08:06.887878       x.x.x.x.67 > 255.255.255.255.68:  udp 318 Drop-reason: (unable-to-create-flow) Flow denied due to resource limitation
  12: 13:08:07.590927       x.x.x.x.67 > 255.255.255.255.68:  udp 318 Drop-reason: (unable-to-create-flow) Flow denied due to resource limitation
  13: 13:08:07.718361       x.x.x.x.67 > 255.255.255.255.68:  udp 318 Drop-reason: (unable-to-create-flow) Flow denied due to resource limitation
  14: 13:08:08.017790       x.x.x.x.67 > 255.255.255.255.68:  udp 318 Drop-reason: (unable-to-create-flow) Flow denied due to resource limitation
  15: 13:08:08.531192       x.x.x.x.67 > 255.255.255.255.68:  udp 318 Drop-reason: (unable-to-create-flow) Flow denied due to resource limitation

Reason is 'flow denied due to resource limitation'.

According to this page: https://www.cisco.com/c/en/us/td/docs/security/asa/asa-command-reference/show_asp_drop/show_asp_drop.html

Name: unable-to-create-flow
Flow denied due to resource limitation:
This counter is incremented and the packet is dropped when flow creation fails due to a system resource limitation. The resource limit may be either:
1) system memory
2) packet block extension memory
3) system connection limit
Causes 1 and 2 will occur simultaneously with flow drop reason "No memory to complete flow".

Recommendation:
- Observe if free system memory is low.
- Observe if flow drop reason "No memory to complete flow" occurs.
- Observe if connection count reaches the system connection limit with the command "show resource usage".

Syslogs:
None

None of the above are applicable to us. Could this be a bug? We're running version 9.1(7)23 on a 5510 platform with 1GB memory.
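As an added example (not part of the thread), a small Python parser for asp-drop capture lines in the format quoted above: it splits each line into its fields, tallies drops per reason code, and singles out the DHCP ones (UDP 67/68), which is what you would want when an asp-drop capture is long and mixed. The sample lines are constructed and use documentation addresses in place of the redacted ones.

```python
import re
from collections import Counter

# One line of "show capture <name>" output for an asp-drop capture, in the shape
# quoted in the thread:
#   4: 13:08:04.482991  x.x.x.x.67 > 255.255.255.255.68:  udp 318 Drop-reason: (code) text
LINE_RE = re.compile(
    r"^\s*(?P<idx>\d+):\s+(?P<ts>\d{2}:\d{2}:\d{2}\.\d+)\s+"
    r"(?P<src>\S+?)\.(?P<sport>\d+)\s+>\s+(?P<dst>\S+?)\.(?P<dport>\d+):\s+"
    r"(?P<proto>\w+)\s+(?P<length>\d+)\s+Drop-reason:\s+\((?P<reason>[^)]+)\)\s*(?P<desc>.*)$"
)
DHCP_PORTS = {67, 68}

def parse_line(line):
    """Return the fields of one asp-drop line as a dict, or None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    for key in ("idx", "sport", "dport", "length"):
        rec[key] = int(rec[key])
    return rec

def parse_capture(text):
    """Parse every matching line of a capture dump; lines that do not match are skipped."""
    return [r for r in (parse_line(l) for l in text.splitlines()) if r]

def is_dhcp(rec):
    """DHCP traffic: UDP with the server (67) or client (68) port on either side."""
    return rec["proto"] == "udp" and bool(DHCP_PORTS & {rec["sport"], rec["dport"]})

def summarize(records):
    """Tally drops per reason code, and separately the DHCP drops per reason code."""
    by_reason = Counter(r["reason"] for r in records)
    dhcp_by_reason = Counter(r["reason"] for r in records if is_dhcp(r))
    return {"total": len(records), "by_reason": by_reason, "dhcp_by_reason": dhcp_by_reason}

# Constructed sample in the thread's format: two broadcast DHCP replies from the server
# (documentation addresses stand in for the redacted x.x.x.x) plus one unrelated DNS
# drop that the DHCP filter must exclude.
SAMPLE = """\
   4: 13:08:04.482991       192.0.2.10.67 > 255.255.255.255.68:  udp 318 Drop-reason: (unable-to-create-flow) Flow denied due to resource limitation
   5: 13:08:04.531039       192.0.2.10.67 > 255.255.255.255.68:  udp 318 Drop-reason: (unable-to-create-flow) Flow denied due to resource limitation
   6: 13:08:04.731407       198.51.100.7.53123 > 192.0.2.20.53:  udp 45 Drop-reason: (acl-drop) Flow is denied by configured rule
"""

if __name__ == "__main__":
    s = summarize(parse_capture(SAMPLE))
    for reason, n in s["by_reason"].most_common():
        print(f"{n:4d}  {reason}  (of which DHCP: {s['dhcp_by_reason'][reason]})")
```

Paste the output of your own asp-drop capture into SAMPLE (or read it from a file) to see at a glance whether the drops are confined to the relayed DHCP replies or affect other flows as well.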

Quick questions:
1. Can you share the output of "show run dhcprelay"
2. What command did you use to see these drops?

Thanks!