03-14-2018 09:09 AM - edited 02-21-2020 07:30 AM
Hi all,
I'm having an issue with DHCP relay on my ASA.
My clients are in a DMZ and my DHCP server is behind the inside interface.
DHCP relay is configured correctly, but clients are not getting an IP address.
After troubleshooting, I'm under the impression that the problem is that packets sourced from the ASA (which DHCP relay does) are getting dropped.
When doing a packet trace from the ASA's DMZ interface IP address to the DHCP server, the packet is dropped, even though I have an explicit rule allowing this.
All examples I run into with regard to DHCP relay on the ASA have the clients on the inside and the DHCP server on the DMZ/outside, i.e. the packet goes from a higher security level to a lower one. In my case, it is the opposite.
Anyone that can help?
Thanks,
Dario
03-14-2018 09:17 AM
- Check whether any of the items discussed in this thread can be helpful to you.
M.
03-14-2018 09:21 AM
03-14-2018 09:23 AM
- I understand, but the article just discusses that 'only' (!).
M.
03-15-2018 05:13 AM
After some more digging, I found in the ASP drops that the ASA is dropping DHCP-related messages coming from our internal server.
4: 13:08:04.482991 x.x.x.x.67 > 255.255.255.255.68: udp 318 Drop-reason: (unable-to-create-flow) Flow denied due to resource limitation
5: 13:08:04.531039 x.x.x.x.67 > 255.255.255.255.68: udp 318 Drop-reason: (unable-to-create-flow) Flow denied due to resource limitation
6: 13:08:04.731407 x.x.x.x.67 > 255.255.255.255.68: udp 314 Drop-reason: (unable-to-create-flow) Flow denied due to resource limitation
7: 13:08:05.176550 x.x.x.x.67 > 255.255.255.255.68: udp 318 Drop-reason: (unable-to-create-flow) Flow denied due to resource limitation
8: 13:08:05.809528 x.x.x.x.67 > 255.255.255.255.68: udp 318 Drop-reason: (unable-to-create-flow) Flow denied due to resource limitation
9: 13:08:06.231524 x.x.x.x.67 > 255.255.255.255.68: udp 314 Drop-reason: (unable-to-create-flow) Flow denied due to resource limitation
10: 13:08:06.481450 x.x.x.x.67 > 255.255.255.255.68: udp 314 Drop-reason: (unable-to-create-flow) Flow denied due to resource limitation
11: 13:08:06.887878 x.x.x.x.67 > 255.255.255.255.68: udp 318 Drop-reason: (unable-to-create-flow) Flow denied due to resource limitation
12: 13:08:07.590927 x.x.x.x.67 > 255.255.255.255.68: udp 318 Drop-reason: (unable-to-create-flow) Flow denied due to resource limitation
13: 13:08:07.718361 x.x.x.x.67 > 255.255.255.255.68: udp 318 Drop-reason: (unable-to-create-flow) Flow denied due to resource limitation
14: 13:08:08.017790 x.x.x.x.67 > 255.255.255.255.68: udp 318 Drop-reason: (unable-to-create-flow) Flow denied due to resource limitation
15: 13:08:08.531192 x.x.x.x.67 > 255.255.255.255.68: udp 318 Drop-reason: (unable-to-create-flow) Flow denied due to resource limitation
Reason is 'flow denied due to resource limitation'.
According to this page: https://www.cisco.com/c/en/us/td/docs/security/asa/asa-command-reference/show_asp_drop/show_asp_drop.html
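The post above reads the drop reason straight from a dozen pasted capture lines. On a busy firewall an asp-drop capture holds thousands of lines with many different reasons mixed together, so it helps to parse the `show capture` output and aggregate it: count lines per drop reason, pick out the DHCP (UDP 67/68) traffic, and list the top source/destination pairs for the reason under investigation. The script below is an added example, not code from the original thread or from Cisco; the sample capture lines are constructed to match the line format shown in the post, and the 10.x/192.168.x addresses are placeholders.

```python
import re
import sys
from collections import Counter
from dataclasses import dataclass

# Constructed sample, modeled on the `show capture <name>` output of an
# asp-drop capture (type asp-drop all). Addresses are placeholders, not real hosts.
SAMPLE_CAPTURE = """\
4: 13:08:04.482991 10.1.1.10.67 > 255.255.255.255.68: udp 318 Drop-reason: (unable-to-create-flow) Flow denied due to resource limitation
5: 13:08:04.531039 10.1.1.10.67 > 255.255.255.255.68: udp 318 Drop-reason: (unable-to-create-flow) Flow denied due to resource limitation
6: 13:08:04.731407 10.1.1.10.67 > 255.255.255.255.68: udp 314 Drop-reason: (unable-to-create-flow) Flow denied due to resource limitation
7: 13:08:05.176550 192.168.50.23.51412 > 10.1.1.20.443: tcp 60 Drop-reason: (acl-drop) Flow is denied by configured rule
8: 13:08:05.809528 10.1.1.10.67 > 255.255.255.255.68: udp 318 Drop-reason: (unable-to-create-flow) Flow denied due to resource limitation
"""

# One capture line: "<seq>: <hh:mm:ss.usec> <src>.<sport> > <dst>.<dport>: <proto> <len> Drop-reason: (<code>) <text>"
LINE_RE = re.compile(
    r"^\s*(?P<seq>\d+):\s+(?P<ts>\d{2}:\d{2}:\d{2}\.\d+)\s+"
    r"(?P<src>\S+)\s+>\s+(?P<dst>\S+):\s+"
    r"(?P<proto>\w+)\s+(?P<length>\d+)\s+"
    r"Drop-reason:\s+\((?P<code>[^)]+)\)\s*(?P<text>.*)$"
)

DHCP_PORTS = {67, 68}


@dataclass(frozen=True)
class DropRecord:
    seq: int
    ts: str
    src_host: str
    src_port: int
    dst_host: str
    dst_port: int
    proto: str
    length: int
    code: str      # short reason in parentheses, e.g. unable-to-create-flow
    text: str      # long description that follows it


def _split_endpoint(endpoint: str) -> tuple[str, int]:
    """Split 'a.b.c.d.port' at the last dot; the ASA prints the port as a fifth octet."""
    host, port = endpoint.rsplit(".", 1)
    return host, int(port)


def parse_capture(text: str) -> list[DropRecord]:
    """Parse asp-drop capture output; lines that do not match (banners, hex dumps) are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        src_host, src_port = _split_endpoint(m["src"])
        dst_host, dst_port = _split_endpoint(m["dst"])
        records.append(DropRecord(
            seq=int(m["seq"]), ts=m["ts"],
            src_host=src_host, src_port=src_port,
            dst_host=dst_host, dst_port=dst_port,
            proto=m["proto"].lower(), length=int(m["length"]),
            code=m["code"], text=m["text"].strip(),
        ))
    return records


def count_by_reason(records: list[DropRecord]) -> Counter:
    """How many drops per short reason code; the first thing to look at on a busy box."""
    return Counter(r.code for r in records)


def dhcp_drops(records: list[DropRecord]) -> list[DropRecord]:
    """Only UDP packets touching the DHCP server/client ports, i.e. relay traffic."""
    return [r for r in records
            if r.proto == "udp" and (r.src_port in DHCP_PORTS or r.dst_port in DHCP_PORTS)]


def top_pairs(records: list[DropRecord], code: str, n: int = 5) -> list[tuple[tuple[str, str, int], int]]:
    """Most frequent (src_host, dst_host, dst_port) for one drop reason."""
    pairs = Counter((r.src_host, r.dst_host, r.dst_port) for r in records if r.code == code)
    return pairs.most_common(n)


def main() -> None:
    # Pipe a saved `show capture <name>` into the script, or run it bare to see the sample.
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_CAPTURE
    records = parse_capture(text)
    print(f"{len(records)} drop records parsed")
    for code, count in count_by_reason(records).most_common():
        print(f"  {count:6d}  {code}")
    dhcp = dhcp_drops(records)
    print(f"{len(dhcp)} of them are DHCP (udp 67/68)")
    for (src, dst, dport), count in top_pairs(records, "unable-to-create-flow"):
        print(f"  {count:6d}  {src} -> {dst}:{dport}  unable-to-create-flow")


if __name__ == "__main__":
    main()
```

Run it as `ssh asa 'show capture dhcpdrop' | python3 asp_summary.py` (the capture name is an assumption). Sorting by reason first matters because `unable-to-create-flow` is also what you see when a connection limit or a flood is exhausting the connection table, so a spike in that counter for non-DHCP traffic is a capacity or DoS signal rather than a relay misconfiguration.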
03-15-2018 06:31 AM
03-15-2018 07:44 AM
03-16-2018 03:47 AM
Thanks for the reply!
I see you have a pretty up-to-date OS running on the firewall.
What I would do
1. Open a TAC case if possible
2. Regardless of option 1, I would review
show conn, show cpu, show memory. Even better if you have all three of these resources graphed on a daily basis. Next I would retest the DHCP relay service during the least busy period of the day.
3. Last but not least, since this is not working for you currently, I would remove one of the two DHCP servers from the config. Maybe this will make things easier for your busy firewall.