
FPR 1140 DHCP Relay and DHCP Server does not work

rueckertd
Level 1

Hello,

I've configured DHCP Relay on the FPR1140 via FMC, as it is described in all the documentation, but it doesn't work. The DHCP Relay statistics are empty. Then I removed the DHCP Relay configuration and configured the FPR as a DHCP Server. Unfortunately, that doesn't work either. The clients don't receive an IP address. The dhcpd statistics are also empty. The capture at the interface where the DHCP clients are located shows the following output:

1: 12:44:58.456900 802.1Q vlan#1119 P0 0.0.0.0.68 > 255.255.255.255.67: udp 302
2: 12:44:58.485936 802.1Q vlan#1119 P0 arp who-has 169.254.88.51 tell 0.0.0.0
3: 12:44:59.485448 802.1Q vlan#1119 P0 arp who-has 169.254.88.51 tell 0.0.0.0
4: 12:45:00.486425 802.1Q vlan#1119 P0 arp who-has 169.254.88.51 tell 169.254.88.51
5: 12:45:01.564362 802.1Q vlan#1119 P0 0.0.0.0.68 > 255.255.255.255.67: udp 302
6: 12:45:02.486852 802.1Q vlan#1119 P0 arp who-has 169.254.88.51 tell 169.254.88.51
7: 12:45:06.566209 802.1Q vlan#1119 P0 0.0.0.0.68 > 255.255.255.255.67: udp 302
8: 12:45:15.573853 802.1Q vlan#1119 P0 0.0.0.0.68 > 255.255.255.255.67: udp 302
9: 12:45:32.411111 802.1Q vlan#1119 P0 0.0.0.0.68 > 255.255.255.255.67: udp 302

I can't find anywhere what the code udp 302 means.

The FPR SW Version is 6.6.7

Does anyone have an idea why an easy thing like DHCP Relay does not work?

Thanks for any ideas to fix this problem.

Daniel
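
An added example, not part of the original post or of any Cisco tooling: a small Python parser run over the capture lines quoted above. It assumes the trailing `udp 302` field is the UDP payload length in bytes, as in tcpdump-style output, and it counts client broadcasts (port 68 to 67) against replies (port 67 to 68) and link-local ARP probes.

```python
import ipaddress
import re

# Capture lines copied from the post above (FTD "show capture" text output).
CAPTURE = """\
1: 12:44:58.456900 802.1Q vlan#1119 P0 0.0.0.0.68 > 255.255.255.255.67: udp 302
2: 12:44:58.485936 802.1Q vlan#1119 P0 arp who-has 169.254.88.51 tell 0.0.0.0
3: 12:44:59.485448 802.1Q vlan#1119 P0 arp who-has 169.254.88.51 tell 0.0.0.0
4: 12:45:00.486425 802.1Q vlan#1119 P0 arp who-has 169.254.88.51 tell 169.254.88.51
5: 12:45:01.564362 802.1Q vlan#1119 P0 0.0.0.0.68 > 255.255.255.255.67: udp 302
6: 12:45:02.486852 802.1Q vlan#1119 P0 arp who-has 169.254.88.51 tell 169.254.88.51
7: 12:45:06.566209 802.1Q vlan#1119 P0 0.0.0.0.68 > 255.255.255.255.67: udp 302
8: 12:45:15.573853 802.1Q vlan#1119 P0 0.0.0.0.68 > 255.255.255.255.67: udp 302
9: 12:45:32.411111 802.1Q vlan#1119 P0 0.0.0.0.68 > 255.255.255.255.67: udp 302
"""

UDP_RE = re.compile(r"(\S+)\.(\d+) > (\S+)\.(\d+): udp (\d+)")
ARP_RE = re.compile(r"arp who-has (\S+) tell")
TIME_RE = re.compile(r"(\d{2}):(\d{2}):(\d{2}\.\d+)")

def summarize(text):
    """Tally DHCP requests, DHCP replies and link-local ARP probes in a capture."""
    s = {"requests": 0, "replies": 0, "sizes": set(), "apipa_arp": 0, "gaps": []}
    prev = None
    for line in text.splitlines():
        udp, arp, ts = UDP_RE.search(line), ARP_RE.search(line), TIME_RE.search(line)
        if udp and ts:
            _, sport, _, dport, size = udp.groups()
            if (sport, dport) == ("68", "67"):      # client -> server/relay
                h, m, sec = ts.groups()
                now = int(h) * 3600 + int(m) * 60 + float(sec)
                if prev is not None:
                    s["gaps"].append(round(now - prev, 1))  # client retry interval
                prev = now
                s["requests"] += 1
                s["sizes"].add(int(size))           # assumed: UDP payload bytes
            elif (sport, dport) == ("67", "68"):    # server/relay -> client
                s["replies"] += 1
        elif arp and ipaddress.ip_address(arp.group(1)).is_link_local:
            s["apipa_arp"] += 1                     # probe for a 169.254/16 address
    s["unanswered"] = s["requests"] > 0 and s["replies"] == 0
    return s

if __name__ == "__main__":
    print(summarize(CAPTURE))
```

On this capture the summary shows five client broadcasts of 302 bytes with growing retry intervals, no packet from port 67 back to port 68, and ARP probes for a 169.254.0.0/16 address.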

5 Replies

balaji.bandi
Hall of Fame

As long as the correct interface is selected and configured, it works as expected.

https://www.cisco.com/c/en/us/support/docs/security/firepower-ngfw/200475-Configure-DHCP-Server-Relay-on-FTD-Using.html

Where is your client? Connected to a switch or directly connected to the FW?

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

I've used this manual, but it doesn't work. The client is connected to a switch and this switch is connected to the firewall. When I ping the HA IP interface address from FW1 to FW2, the HA address answers and I can see the MAC addresses of both FWs and the client in the vlan at the switch.

In the CLI output I can see, that the right interface is configured for DHCP-Server / DHCP Relay (depending on what I had configured).

The question is, what does the "udp 302" in the capture mean.

"When I ping the HA IP interface address from FW1 to FW2" - is this the inside interface IP?

Are you pinging from the switch?

If the PC is connected to the switch and the switch belongs to the same VLAN as the inside interface, the PC should get an IP if the DHCP server is configured.

I suggest posting the show run from the switch and explaining where the FW inside interface is connected and where the PC that is not getting an IP address is connected.

"The question is, what does the "udp 302" in the capture mean." - not sure in this context where you are getting this?

BB


The switch doesn't have an IP address in the vlan. I have pinged from the first FPR CLI to the second FPR. The packet goes over the switch. The FPR interface is an inside interface with several sub interfaces. Only one sub interface, here the vlan 1119, needs a DHCP Relay. The FPR is the default gateway for this vlan.

Firewall interface:
interface TenGigabitEthernet1/0/3
description Firewall2-Port1/4
switchport trunk allowed vlan 1111-1119
switchport mode trunk
channel-protocol lacp
channel-group 31 mode active

Client interface:
interface TenGigabitEthernet2/0/42
description Test-NB
switchport access vlan 1119
spanning-tree portfast


I sent you a message, check it.
