Cisco FTD DHCP Problem

behrouz6408021
Level 1

Hello

I have a collapsed core network and my core switch is a 6500. The core handles inter-VLAN routing and is the gateway for my clients. The next hop after the core switch is an ASA 5525-X, and everything is OK.

When I replace the ASA with an FPR4110, everything is OK except DHCP traffic.

My DHCP server is Windows Server. When clients request an IP address from the DHCP server, some clients can obtain an IP address and many cannot.

 

6 Replies

balaji.bandi
Hall of Fame

In addition to what @balaji.bandi has mentioned, are all the clients on the same subnet or are they on different subnets? Is traffic for UDP/53 opened in the FTD firewall for DHCP traffic that needs to traverse the firewall?

--
Please remember to select a correct answer and rate helpful posts

Our clients are in different subnets, and the core switch (6500) is the gateway of our clients,

and all of the configuration related to "ip helper" under the core switch interfaces is done.

This scenario is OK with the ASA, and all DHCP traffic is allowed in the ASA.

When the ASA is replaced with the FTD 4110 (DHCP traffic allowed on the FTD), clients cannot obtain an IP address from the DHCP server. Our DHCP server is Microsoft Windows Server.

One of the things I suspect is DHCP snooping and the DHCP option on our access switch and core switch, but I cannot test it.

DHCP traffic is UDP/67 and UDP/68.

 

But what is different between Cisco ASA and FTD in DHCP snooping options and packets?

When the ASA is the next hop of the core switch, everything about DHCP and obtaining IP addresses is OK.

When it is replaced with the FTD 4110, I cannot see DHCP requests from the source interface VLAN on the core switch.

 

Yes, sorry, I got mixed up with another case when I mentioned UDP/53.

I have seen this issue a few times. In the situations I was involved with, the connection table showed that connections for DHCP were set up towards the outside interface (i.e. the default route for internet was being established before dynamic routing). A clear connection on the FTD CLI solved the issue.

I had TAC on the case and they made a change... which escapes me right now. I will try to find the solution they came up with.

 

--
Please remember to select a correct answer and rate helpful posts
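The symptom described in the reply above (DHCP connections pinned to the outside interface until the connections are cleared) can be checked from the firewall's `show conn` table. The following is an added example, not code from this thread or from Cisco: a small Python parser that reads `show conn` lines (line layout assumed from the ASA/FTD diagnostic CLI), flags UDP/67-68 flows whose server-side endpoint sits on an interface other than the one that should reach the DHCP server, and emits the `clear conn address` command that would flush them so they are rebuilt against the current routing table. The sample output, the server address 10.50.0.10, and the interface names are constructed for the example.

```python
import re
from dataclasses import dataclass

# DHCP server and client ports (UDP/67 and UDP/68, as stated in the thread).
DHCP_PORTS = {67, 68}

# One 'show conn' line in the assumed ASA/FTD diagnostic-CLI layout, e.g.
#   UDP outside 10.50.0.10:67 inside 192.168.10.1:67, idle 0:00:03, bytes 328, flags -
CONN_RE = re.compile(
    r"^(?P<proto>TCP|UDP)\s+"
    r"(?P<if_a>\S+)\s+(?P<ip_a>\d{1,3}(?:\.\d{1,3}){3}):(?P<port_a>\d+)\s+"
    r"(?P<if_b>\S+)\s+(?P<ip_b>\d{1,3}(?:\.\d{1,3}){3}):(?P<port_b>\d+)"
)


@dataclass(frozen=True)
class Conn:
    proto: str
    if_a: str
    ip_a: str
    port_a: int
    if_b: str
    ip_b: str
    port_b: int

    def endpoints(self):
        """Both (interface, ip, port) sides of the connection."""
        return ((self.if_a, self.ip_a, self.port_a), (self.if_b, self.ip_b, self.port_b))


def parse_show_conn(text: str) -> list[Conn]:
    """Parse 'show conn' output into Conn records; lines that do not match are skipped."""
    conns = []
    for line in text.splitlines():
        m = CONN_RE.match(line.strip())
        if not m:
            continue
        conns.append(Conn(
            proto=m["proto"],
            if_a=m["if_a"], ip_a=m["ip_a"], port_a=int(m["port_a"]),
            if_b=m["if_b"], ip_b=m["ip_b"], port_b=int(m["port_b"]),
        ))
    return conns


def is_dhcp(conn: Conn) -> bool:
    """A UDP flow with 67 or 68 on either side is treated as DHCP / relayed DHCP."""
    return conn.proto == "UDP" and bool({conn.port_a, conn.port_b} & DHCP_PORTS)


def misrouted_dhcp(conns, server_ip: str, server_if: str) -> list[Conn]:
    """Return DHCP connections whose server endpoint was pinned to an interface other
    than the one that should reach the DHCP server (the stale-route symptom)."""
    bad = []
    for c in conns:
        if not is_dhcp(c):
            continue
        for iface, ip, _port in c.endpoints():
            if ip == server_ip and iface != server_if:
                bad.append(c)
                break
    return bad


def clear_conn_commands(bad, server_ip: str) -> list[str]:
    """Diagnostic-CLI command that flushes flows to the server so they are rebuilt.
    'clear conn address <ip>' is the assumed syntax; on FTD it is entered from
    'system support diagnostic-cli'. Nothing is suggested if no flow is flagged."""
    return [f"clear conn address {server_ip}"] if bad else []


# Constructed sample output: two relayed DHCP flows and one unrelated HTTPS flow.
SAMPLE_SHOW_CONN = """\
UDP outside 10.50.0.10:67 inside 192.168.10.1:67, idle 0:00:03, bytes 328, flags -
UDP dmz 10.50.0.10:67 inside 192.168.20.1:67, idle 0:00:01, bytes 656, flags -
TCP outside 203.0.113.5:443 inside 192.168.10.25:51234, idle 0:00:10, bytes 4120, flags UIO
"""

if __name__ == "__main__":
    conns = parse_show_conn(SAMPLE_SHOW_CONN)
    bad = misrouted_dhcp(conns, server_ip="10.50.0.10", server_if="dmz")
    for c in bad:
        print(f"stale DHCP flow via {c.if_a}: {c.ip_a}:{c.port_a} <-> {c.if_b} {c.ip_b}:{c.port_b}")
    for cmd in clear_conn_commands(bad, "10.50.0.10"):
        print("suggested:", cmd)
```

In practice you would paste the real `show conn` output into `parse_show_conn` and pass the interface that the DHCP server is actually reachable through; a non-empty result from `misrouted_dhcp` is the condition the reply describes, and re-running the check after clearing the connections confirms the flows were rebuilt on the right interface.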

Were you able to find the solution that TAC did?

 

Thanks

 
