Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1593
Views
0
Helpful
3
Replies

question on DHCP relay behavior on ASA with multiple relays

matthewatt
Level 1
Level 1

‎09-11-2018 06:47 AM - edited ‎02-21-2020 08:13 AM

It is my understanding that you can configure up to 4 DHCP servers on an ASA. So if an ASA was configured this way, (with 4 relays configured on the same interface) does the firewall go through the list of the 4 relays in the config in order? If the first one listed replies, do the other 3 even become used? Is there any way to influence the ASA to use more than one, assuming all 4 DHCP servers are reachable at any given time? Or is it the case as long as the first one listed is replying, the other's in the config are really there for "backup purposes". Please advise

thanks

0 Helpful
3 Replies 3

Ajay Saini
Level 7
Level 7

‎09-12-2018 01:55 AM

Hello,

 

Referring to the document below, it seems that ASA sends the request from client to all the configured DHCP servers as unicast request and I would assume that it is left for the servers and clients to decide who replies or which reply the client uses to obtain the ip address. Also, 10 DHCP servers can be configured:

 

https://www.cisco.com/c/en/us/support/docs/security/adaptive-security-appliance-asa-software/116265-configure-product-00.html

 

Snippet from the same link:

 

DHCP Relay with Multiple DHCP Servers

You can define up to ten DHCP servers. When a client sends a DHCP Discover packet, it is forwarded to all of the DHCP servers.

Here is an example:

dhcprelay server 198.51.100.2 outside
dhcprelay server 198.51.100.3 outside
dhcprelay server 198.51.100.4 outside
dhcprelay enable inside
dhcprelay setroute inside

Debugs with Multiple DHCP Servers

Here are some example debugs when multiple DHCP servers are used:

DHCP: Received a BOOTREQUEST from interface 2 (size = 300)
DHCPRA: relay binding found for client 000c.291c.34b5.
DHCPRA: setting giaddr to 192.0.2.1.
dhcpd_forward_request: request from 000c.291c.34b5 forwarded to 198.51.100.2.
dhcpd_forward_request: request from 000c.291c.34b5 forwarded to 198.51.100.3.
dhcpd_forward_request: request from 000c.291c.34b5 forwarded to 198.51.100.4.

Captures with Multiple DHCP Servers

Here is an example packet capture when multiple DHCP servers are used:

ASA# show cap out

3 packets captured

 1: 18:48:41.211628       192.0.2.1.67 > 198.51.100.2.67:  udp 300 
 2: 18:48:41.211689       192.0.2.1.67 > 198.51.100.3.67:  udp 300 
 3: 18:48:41.211704       192.0.2.1.67 > 198.51.100.4.67:  udp 300 

 

HTH
AJ

 

0 Helpful

Mohammed al Baqari
Level 11
Level 11

‎09-12-2018 04:22 AM

ASA will forward the relay to all servers, the 1st response received will
be forwarded to the client to be used (if it contains an IP). Basically 1st
come 1st serve
0 Helpful

mkazam001
Level 3
Level 3

‎11-03-2018 05:53 PM

I recently configured a lab for multiple dhcp relays, it was from a switch as opposed to an asa, as the previous guy said, i can confirm multiple discover packets will be sent but the first dhcp server to respond will be used.

A potential workaround is if you can randomly delay the responses from the server - im not a windows guy though!

Hope that helps.

Azam

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card