Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1196
Views
0
Helpful
8
Replies

FWSM and DHCP Relay

Ian Beck
Level 1
Level 1

‎05-19-2011 04:57 AM - last edited on ‎03-25-2019 05:46 PM by Community Manager

HI,

Have an issue with FWSM (4.1.3) and DHCP Relay.

Where the DHCP request is being forwarded and the reply receieved but it is not getting to the Server (which is in continue request state) to obtain the IP Address.

XXXXXXXXX/TC3inside# DHCPRA: relay binding found for client 78e7.d15a.f0b0.
DHCPD: setting giaddr to 172.23.29.254.
dhcpd_forward_request: request from 78e7.d15a.f0b0 forwarded to XXXXXXX.
DHCPRA: Received a BOOTREPLY from interface 131073
DHCPRA: relay binding found for client 78e7.d15a.f0b0.
DHCPRA: forwarding reply to client 78e7.d15a.f0b0.
DHCPRA: relay binding found for client 78e7.d15a.f0b0.
DHCPD: setting giaddr to 172.23.29.254.
dhcpd_forward_request: request from 78e7.d15a.f0b0 forwarded to XXXXXXXX.
DHCPRA: Received a BOOTREPLY from interface 131073
DHCPRA: relay binding found for client 78e7.d15a.f0b0.
DHCPRA: forwarding reply to client 78e7.d15a.f0b0.
DHCPRA: relay binding found for client 78e7.d15a.f0b0.
DHCPD: setting giaddr to 172.23.29.254.
dhcpd_forward_request: request from 78e7.d15a.f0b0 forwarded to XXXXXXXX.
DHCPRA: Received a BOOTREPLY from interface 131073
DHCPRA: relay binding found for client 78e7.d15a.f0b0.
DHCPRA: forwarding reply to client 78e7.d15a.f0b0.

Any ideas ?

Labels:
0 Helpful
8 Replies 8

brquinn
Level 1
Level 1

‎05-19-2011 05:54 AM

Ian,

Theres no smoking gun in the debugs. Was this  working previously? If yes, did anything change? If not, does DHCP Relay  work with any other routers? Are the DHCP Relay packets passing through more than one Context on your FWSM? Are they passing through any other firewalls?

I would want to examine captures on the inside and  outside interfaces of the FWSM so we can verify that the Firewall is  actually receiving the packets and not forwarding them. This would also  give us some insight into how the firewall might handle the packets.

Since this may not be an easy problem to solve, you may want to consider opening a TAC case.

Thanks,

Brendan

0 Helpful

Ian Beck
Level 1
Level 1
In response to brquinn

‎05-19-2011 06:28 AM

Hi,

This is the first time we are using DHCP Relay.

I know the packets are passing to the DHCP Server and being returned, as yes they are passing through another Firewall which I had to get the packets through.

Both Interfaces are on the same Context as we have built a seperate lan just for Server Builds, which need DHCP to build correctly (automated).

All I can see at the moment is the FWSM is not forwarding to the Server.

Thanks

Ian

0 Helpful

brquinn
Level 1
Level 1
In response to Ian Beck

‎05-19-2011 06:37 AM

Ian,

The replies will be destined to the giaddr, which is address closest to the client. The relay packets form the FWSM will be sourced from the interface closest to DHCP server. Since these addresses are most likely different, did you account for this in your firewall rules on the external firewall?

Thanks,

Brendan

0 Helpful

Ian Beck
Level 1
Level 1
In response to brquinn

‎05-19-2011 06:58 AM

Hi Breden,

The Inner Firewall was configured to allow the packets for the external Supernet and pass through it happily. I have checked the DHCP Server and seen the packets arrive and be returned, with a lease. We had to enable a return rule for the DHCP-reply to get it to pass to the FWSM, that is done.

Now I need to get it back to the Server, where I have the issue with the FWSM !

Thanks

0 Helpful

Ian Beck
Level 1
Level 1
In response to Ian Beck

‎05-19-2011 07:00 AM

As you can see

UKTC3-N01-FFW01/TC3inside# debug dhcprelay even
debug dhcprelay event enabled at level 1
UKTC3-N01-FFW01/TC3inside# DHCPD: setting giaddr to 172.23.29.254.
DHCPRA: Inserting session in NP's for src 131073/UKTC3-RDP01/67, dst 131077/172.23.29.254/67, timeout: 3, funcID: 36
dhcpd_forward_request: request from 78e7.d15a.f0b0 forwarded to UKTC3-RDP01.
DHCPRA: forwarding reply to client 78e7.d15a.f0b0.
DHCPD: setting giaddr to 172.23.29.254.
DHCPRA: Inserting session in NP's for src 131073/UKTC3-RDP01/67, dst 131077/172.23.29.254/67, timeout: 3, funcID: 36
dhcpd_forward_request: request from 78e7.d15a.f0b0 forwarded to UKTC3-RDP01.
DHCPRA: forwarding reply to client 78e7.d15a.f0b0.
DHCPD: setting giaddr to 172.23.29.254.
DHCPRA: Inserting session in NP's for src 131073/UKTC3-RDP01/67, dst 131077/172.23.29.254/67, timeout: 3, funcID: 36
dhcpd_forward_request: request from 78e7.d15a.f0b0 forwarded to UKTC3-RDP01.
DHCPRA: forwarding reply to client 78e7.d15a.f0b0.
DHCPD: setting giaddr to 172.23.29.254.
DHCPRA: Inserting session in NP's for src 131073/UKTC3-RDP01/67, dst 131077/172.23.29.254/67, timeout: 3, funcID: 36
dhcpd_forward_request: request from 78e7.d15a.f0b0 forwarded to UKTC3-RDP01.
DHCPRA: forwarding reply to client 78e7.d15a.f0b0.

0 Helpful

brquinn
Level 1
Level 1
In response to Ian Beck

‎05-19-2011 07:00 AM

Understood. The debugs didn't tell us anything, so the next step is packet captures as I indicated in my first reply.

Thanks,

Brendan

0 Helpful

Ian Beck
Level 1
Level 1
In response to brquinn

‎05-19-2011 07:07 AM

Ok. I will have a play

Thanks

0 Helpful

Ian Beck
Level 1
Level 1
In response to Ian Beck

‎05-19-2011 07:51 AM

Hi,

Once I was able to see the Offer packet the other side, we found it was the DHCP Server and its Apps where causing a 0.0.0.0 client address.

So problem is now resolved !

Thanks

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card