Firepower Threat Defense dropping relayed dhcp from adjacent switch
Hello,

We just installed an ASA 5516-X to production as an east/west routed firewall. It is Firepower Threat Defense 126.96.36.199-34 managed by onboard Firepower Device Manager.

The DHCP server is 192.168.5.21. The inside of the ASA is 192.168.5.1. The outside of the ASA is 192.168.20.2. The next-hop switch from the ASA is 192.168.20.1. The switch has an L3 interface for VLAN 8 which is 192.168.16.1 and is configured with "ip helper-address 192.168.5.21".

It looks like DHCP requests from VLAN 8 are not making it through the ASA.

"packet-tracer input outside udp 192.168.16.1 4321 192.168.5.21 67" shows the traffic allowed.
"capture cap1 interface outside type raw-data match udp host 192.168.16.1 host 192.168.5.21 eq 67" shows lots of packets.
"capture cap2 interface outside type asp-drop all match udp host 192.168.16.1 host 192.168.5.21 eq 67" shows 0 packets.
"capture cap3 interface inside type raw-data match udp host 192.168.16.1 host 192.168.5.21 eq 67" shows 0 packets.
We rolled back the install and have a TAC case open. We are waiting to schedule a maintenance window when an engineer can help troubleshoot this, but I wanted to see if anyone else has run into this.
We also tried setting up a DHCP relay on the ASA using a FlexConfig template, and then pointing the helper on the switch to the ASA so it is a double relay. We didn't get a chance to actually test whether that was successful or not though, and it's not ideal. The unicast traffic should be able to pass the ASA.
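To make clear what the firewall in the post above is expected to forward, here is an added example (not code from the original thread or from Cisco) that builds a relayed DHCPDISCOVER the way a helper-address relay hands it to the server (giaddr set to the VLAN interface, hops incremented) and parses it back; the addresses are the ones from the post, the client MAC and transaction ID are constructed, and the flow helper assumes the relay agent sources from UDP port 67, so captures on both ASA interfaces should be matched on that unicast 5-tuple rather than on the broadcast the client originally sent.

```python
import struct
from ipaddress import IPv4Address

BOOTREQUEST = 1
MAGIC_COOKIE = b"\x63\x82\x53\x63"   # RFC 2131 option-field marker


def build_relayed_discover(client_mac: bytes, giaddr: str, hops: int = 1,
                           xid: int = 0x1234ABCD) -> bytes:
    """Constructed DHCPDISCOVER as forwarded by a relay agent (giaddr set, hops bumped)."""
    # op, htype, hlen, hops, xid, secs, flags, ciaddr, yiaddr, siaddr, giaddr, chaddr, sname, file
    header = struct.pack("!BBBBIHH4s4s4s4s16s64s128s",
                         BOOTREQUEST, 1, 6, hops, xid, 0, 0x8000,
                         b"\0" * 4, b"\0" * 4, b"\0" * 4, IPv4Address(giaddr).packed,
                         client_mac.ljust(16, b"\0"), b"\0" * 64, b"\0" * 128)
    options = MAGIC_COOKIE + bytes([53, 1, 1]) + bytes([255])  # msg type DISCOVER, end
    return header + options


def parse_dhcp(payload: bytes) -> dict:
    """Decode the fields a relay-aware firewall or server cares about."""
    if len(payload) < 240 or payload[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP message")
    op, _htype, _hlen, hops, xid, _secs, _flags = struct.unpack("!BBBBIHH", payload[:12])
    giaddr = str(IPv4Address(payload[24:28]))
    msg_type, i = None, 240
    while i < len(payload):            # walk TLV options until END (255)
        tag = payload[i]
        if tag == 255:
            break
        if tag == 0:                   # PAD
            i += 1
            continue
        length = payload[i + 1]
        if tag == 53:
            msg_type = payload[i + 2]
        i += 2 + length
    # giaddr != 0.0.0.0 is what marks the packet as relayed rather than client-originated
    return {"op": op, "hops": hops, "xid": xid, "giaddr": giaddr,
            "msg_type": msg_type, "relayed": giaddr != "0.0.0.0"}


def expected_flow(giaddr: str, server: str) -> dict:
    """Unicast flow the firewall should see on ingress and egress (assumes relay sport 67)."""
    return {"proto": "udp", "src": f"{giaddr}:67", "dst": f"{server}:67"}
```

If the parsed packet on the outside capture shows `relayed` true and `hops` of 1 but nothing with the same `xid` appears on the inside capture, the frame was lost inside the firewall rather than mangled by the relay.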
There was a bug in 6.3.0.x that was fixed a while back, and version 188.8.131.52 was a recent recommended (Gold Starred) release, and I have not seen others having this issue. With that said, working with TAC is the best next step for this issue. Please keep us posted on the progress/resolution.