DHCP Client: Only getting an IP after activating and then deactivating DHCP authentication

mathieupoussin

Hello.

I have a very weird issue with the DHCP client (seen on 1941 and 2021 on IOS 15).

Every time I restart my router, to get new IPs from my ISP through DHCP, I need to do the following on the WAN interface:

ip dhcp client authentication mode token
<Wait for a DHCP request to be fired and fail>
no ip dhcp client authentication mode
<Wait for a DHCP request to be fired and work>

Here are some debug logs after a boot:

~ ssh 192.168.88.1
Password:
esscg-2921-1 line 388

esscg-2921-1#sh ip int gi0/0.832
GigabitEthernet0/0.832 is up, line protocol is up
  Internet address will be negotiated using DHCP
  Broadcast address is 255.255.255.255
  MTU is 1500 bytes
  Helper address is not set
  Directed broadcast forwarding is disabled
  Outgoing access list is ipv4-internet-out
  Inbound  access list is ipv4-internet-in
  Proxy ARP is enabled
  Local Proxy ARP is disabled
  Security level is default
  Split horizon is enabled
  ICMP redirects are always sent
  ICMP unreachables are always sent
  ICMP mask replies are never sent
  IP fast switching is enabled
  IP fast switching on the same interface is enabled
  IP Flow switching is disabled
  IP CEF switching is enabled
  IP CEF switching turbo vector
  IP multicast fast switching is enabled
  IP multicast distributed fast switching is disabled
  IP route-cache flags are Fast, CEF
  Router Discovery is disabled
  IP output packet accounting is disabled
  IP access violation accounting is disabled
  TCP/IP header compression is disabled
  RTP/IP header compression is disabled
  Policy routing is disabled
  Network address translation is enabled, interface in domain outside
  BGP Policy Mapping is disabled
  Input features: Common Flow Table, Stateful Inspection, Virtual Fragment Reassembly, Access List, Virtual Fragment Reassembly After IPSec Decryption, NAT Outside, MCI Check
  Output features: Post-routing NAT Outside, Common Flow Table, Stateful Inspection, Firewall (NAT), Access List, Firewall (inspect), NAT ALG proxy
  IPv4 WCCP Redirect outbound is disabled
  IPv4 WCCP Redirect inbound is disabled
  IPv4 WCCP Redirect exclude is disabled
  Outgoing inspection rule is default
  Inbound inspection rule is default
esscg-2921-1#sh run int gi0/0.832
Building configuration...

Current configuration : 577 bytes
!
interface GigabitEthernet0/0.832
 description ORANGE - DATA
 encapsulation dot1Q 832
 ip ddns update hostname xxx.ddns.net
 ip ddns update noip
 ip address dhcp
 ip access-group ipv4-internet-in in
 ip access-group ipv4-internet-out out
 ip nat outside
 ip inspect default in
 ip inspect default out
 ip virtual-reassembly in
 ipv6 address dhcp
 ipv6 address autoconfig
 ipv6 enable
 ipv6 nd autoconfig prefix
 ipv6 nd autoconfig default-route
 ipv6 dhcp client pd orange-pd
 ipv6 inspect default in
 ipv6 inspect default out
 ipv6 traffic-filter ipv6-internet-in in
end

esscg-2921-1#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
esscg-2921-1(config)#int gi0/0.832
esscg-2921-1(config-subif)#ip dhcp client authentication mode token
esscg-2921-1#debug dhcp detail
DHCP client activity debugging is on (detailed)
000067: 00:03:54: DHCP: SDiscover attempt # 2 for entry:
000068: 00:03:54: Temp IP addr: 0.0.0.0 for peer on Interface: GigabitEthernet0/0.832
000069: 00:03:54: Temp sub net mask: 0.0.0.0
000070: 00:03:54: DHCP Lease server: 0.0.0.0, state: 3 Selecting
000071: 00:03:54: DHCP transaction id: 1DE
000072: 00:03:54: Lease: 0 secs, Renewal: 0 secs, Rebind: 0 secs
000073: 00:03:54: Next timer fires after: 00:00:04
000074: 00:03:54: Retry count: 2 Client-ID: cisco-1c6a.7a2c.7670-Gi0/0.832
000075: 00:03:54: Client-ID hex dump: 636973636F2D316336612E376132632E
000076: 00:03:54: 373637302D4769302F302E383332
000077: 00:03:54: Hostname: xxx.ddns.net
000078: 00:03:54: DHCP: SDiscover placed class-id option: 636973636F706E70
000079: 00:03:54: DHCP: SDiscover: sending 318 byte length DHCP packet
000080: 00:03:54: DHCP: SDiscover 318 bytes
000081: 00:03:54: B'cast on GigabitEthernet0/0.832 interface from 0.0.0.0
000082: 00:03:54: DHCP: Received a BOOTREP pkt
000083: 00:03:54: DHCP: Scan: Message type: DHCP Offer
000084: 00:03:54: DHCP: Scan: Server ID Option: 81.52.127.254 = 51347FFE
000085: 00:03:54: DHCP: Scan: Lease Time: 86400
000086: 00:03:54: DHCP: Scan: Subnet Address Option: 255.255.252.0
000087: 00:03:54: DHCP: Scan: Router Option: 123.123.191.254
000088: 00:03:54: DHCP: Scan: DNS Name Server Option: 62.36.225.150, 62.37.228.20
000089: 00:03:54: DHCP: Scan: Rebind time: 75600
000090: 00:03:54: DHCP: Scan: Renewal time: 43200
000091: 00:03:54: DHCP: Scan: Token Authen Message Option:
000092: 00:03:54: DHCP: Scan: Domain Name: orange.es
000093: 00:03:54: DHCP: rcvd pkt source: 123.123.191.254, destination: 255.255.255.255
000094: 00:03:54: UDP sport: 43, dport: 44, length: 338
000095: 00:03:54: DHCP op: 2, htype: 1, hlen: 6, hops: 0
000096: 00:03:54: DHCP server identifier: 81.52.127.254
000097: 00:03:54: xid: 1DE, secs: 3, flags: 8000
000098: 00:03:54: client: 0.0.0.0, your: 123.123.188.32
000099: 00:03:54: srvr: 81.52.127.254, gw: 90.74.0.254
000100: 00:03:54: options block length: 90

000101: 00:03:54: DHCP Offer Message Offered Address: 123.123.188.32
000102: 00:03:54: DHCP: Lease Seconds: 86400 Renewal secs: 43200 Rebind secs: 75600
000103: 00:03:54: DHCP: Server ID Option: 81.52.127.254
000104: 00:03:54: DHCP: No authen config but message has authen info - protocol 0 algorithm 0
%Unknown DHCP problem.. No allocation possible

esscg-2921-1(config)#int gi0/0.832
esscg-2921-1(config-subif)#no ip dhcp client authentication mode

000147: 00:04:11: DHCP: Waiting for 10 seconds on interface GigabitEthernet0/0.832
000148: 00:04:21: DHCP: Try 3 to acquire address for GigabitEthernet0/0.832
000149: 00:04:21: DHCP: No configured hostname - not including Hostname option
000150: 00:04:21: DHCP: allocate request
000151: 00:04:21: DHCP: zapping entry in DHC_PURGING state for Gi0/0.832
000152: 00:04:21: DHCP: deleting entry 2975E0D8 0.0.0.0 from list
000153: 00:04:21: Temp IP addr: 0.0.0.0 for peer on Interface: GigabitEthernet0/0.832
000154: 00:04:21: Temp sub net mask: 0.0.0.0
000155: 00:04:21: DHCP Lease server: 0.0.0.0, state: 11 Purging
000156: 00:04:21: DHCP transaction id: 1DE
000157: 00:04:21: Lease: 0 secs, Renewal: 0 secs, Rebind: 0 secs
000158: 00:04:21: Next timer fires after: 00:00:21
000159: 00:04:21: Retry count: 0 Client-ID: cisco-1c6a.7a2c.7670-Gi0/0.832
000160: 00:04:21: Client-ID hex dump: 636973636F2D316336612E376132632E
000161: 00:04:21: 373637302D4769302F302E383332
000162: 00:04:21: Hostname: xxx.ddns.net
000163: 00:04:21: DHCP: new entry. add to queue, interface GigabitEthernet0/0.832
000164: 00:04:21: DHCP: SDiscover attempt # 1 for entry:
000165: 00:04:21: Temp IP addr: 0.0.0.0 for peer on Interface: GigabitEthernet0/0.832
000166: 00:04:21: Temp sub net mask: 0.0.0.0
000167: 00:04:21: DHCP Lease server: 0.0.0.0, state: 3 Selecting
000168: 00:04:21: DHCP transaction id: 1DF
000169: 00:04:21: Lease: 0 secs, Renewal: 0 secs, Rebind: 0 secs
000170: 00:04:21: Next timer fires after: 00:00:04
000171: 00:04:21: Retry count: 1 Client-ID: cisco-1c6a.7a2c.7670-Gi0/0.832
000172: 00:04:21: Client-ID hex dump: 636973636F2D316336612E376132632E
000173: 00:04:21: 373637302D4769302F302E383332
000174: 00:04:21: Hostname: xxx.ddns.net
000175: 00:04:21: DHCP: SDiscover placed class-id option: 636973636F706E70
000176: 00:04:21: DHCP: SDiscover: sending 318 byte length DHCP packet
000177: 00:04:21: DHCP: SDiscover 318 bytes
000178: 00:04:21: B'cast on GigabitEthernet0/0.832 interface from 0.0.0.0
000179: 00:04:21: DHCP: Received a BOOTREP pkt
000180: 00:04:21: DHCP: Scan: Message type: DHCP Offer
000181: 00:04:21: DHCP: Scan: Server ID Option: 81.52.127.254 = 51347FFE
000182: 00:04:21: DHCP: Scan: Lease Time: 86400
000183: 00:04:21: DHCP: Scan: Subnet Address Option: 255.255.252.0
000184: 00:04:21: DHCP: Scan: Router Option: 123.123.191.254
000185: 00:04:21: DHCP: Scan: DNS Name Server Option: 62.36.225.150, 62.37.228.20
000186: 00:04:21: DHCP: Scan: Rebind time: 75600
000187: 00:04:21: DHCP: Scan: Renewal time: 43200
000188: 00:04:21: DHCP: Scan: Token Authen Message Option:
000189: 00:04:21: DHCP: Scan: Domain Name: orange.es
000190: 00:04:21: DHCP: rcvd pkt source: 123.123.191.254, destination: 255.255.255.255
000191: 00:04:21: UDP sport: 43, dport: 44, length: 338
000192: 00:04:21: DHCP op: 2, htype: 1, hlen: 6, hops: 0
000193: 00:04:21: DHCP server identifier: 81.52.127.254
000194: 00:04:21: xid: 1DF, secs: 0, flags: 8000
000195: 00:04:21: client: 0.0.0.0, your: 123.123.188.32
000196: 00:04:21: srvr: 81.52.127.254, gw: 90.74.0.254
000197: 00:04:21: options block length: 90

000198: 00:04:21: DHCP Offer Message Offered Address: 123.123.188.32
000199: 00:04:21: DHCP: Lease Seconds: 86400 Renewal secs: 43200 Rebind secs: 75600
000200: 00:04:21: DHCP: Server ID Option: 81.52.127.254
000201: 00:04:21: DHCP: offer received from 81.52.127.254
000202: 00:04:21: DHCP: SRequest attempt # 1 for entry:
000203: 00:04:21: Temp IP addr: 123.123.188.32 for peer on Interface: GigabitEthernet0/0.832
000204: 00:04:21: Temp sub net mask: 255.255.252.0
000205: 00:04:21: DHCP Lease server: 81.52.127.254, state: 4 Requesting
000206: 00:04:21: DHCP transaction id: 1DF
000207: 00:04:21: Lease: 86400 secs, Renewal: 0 secs, Rebind: 0 secs
000208: 00:04:21: Next timer fires after: 00:00:03
000209: 00:04:21: Retry count: 1 Client-ID: cisco-1c6a.7a2c.7670-Gi0/0.832
000210: 00:04:21: Client-ID hex dump: 636973636F2D316336612E376132632E
000211: 00:04:21: 373637302D4769302F302E383332
000212: 00:04:21: Hostname: xxx.ddns.net
000213: 00:04:21: DHCP: SRequest- Server ID option: 81.52.127.254
000214: 00:04:21: DHCP: SRequest- Requested IP addr option: 123.123.188.32
000215: 00:04:21: DHCP: SRequest placed class-id option: 636973636F706E70
000216: 00:04:21: DHCP: SRequest: 330 bytes
000217: 00:04:21: DHCP: SRequest: 330 bytes
000218: 00:04:21: B'cast on GigabitEthernet0/0.832 interface from 0.0.0.0
000219: 00:04:22: DHCP: Received a BOOTREP pkt
000220: 00:04:22: DHCP: Scan: Message type: DHCP Ack
000221: 00:04:22: DHCP: Scan: Server ID Option: 81.52.127.254 = 51347FFE
000222: 00:04:22: DHCP: Scan: Lease Time: 86400
000223: 00:04:22: DHCP: Scan: Subnet Address Option: 255.255.252.0
000224: 00:04:22: DHCP: Scan: Router Option: 123.123.191.254
000225: 00:04:22: DHCP: Scan: DNS Name Server Option: 62.36.225.150, 62.37.228.20
000226: 00:04:22: DHCP: Scan: Rebind time: 75600
000227: 00:04:22: DHCP: Scan: Renewal time: 43200
000228: 00:04:22: DHCP: Scan: Token Authen Message Option:
000229: 00:04:22: DHCP: Scan: Domain Name: orange.es
000230: 00:04:22: DHCP: rcvd pkt source: 123.123.191.254, destination: 255.255.255.255
000231: 00:04:22: UDP sport: 43, dport: 44, length: 338
000232: 00:04:22: DHCP op: 2, htype: 1, hlen: 6, hops: 0
000233: 00:04:22: DHCP server identifier: 81.52.127.254
000234: 00:04:22: xid: 1DF, secs: 0, flags: 8000
000235: 00:04:22: client: 0.0.0.0, your: 123.123.188.32
000236: 00:04:22: srvr: 81.52.127.254, gw: 90.74.0.254
000237: 00:04:22: options block length: 90

000238: 00:04:22: DHCP Ack Message
000239: 00:04:22: DHCP: Lease Seconds: 86400 Renewal secs: 43200 Rebind secs: 75600
esscg-2921-1(config-subif)#
000240: 00:04:22: DHCP: Server ID Option: 81.52.127.254
esscg-2921-1(config-subif)#do sh
000241: 00:04:26: DHCP: Releasing ipl options:
000242: 00:04:26: DHCP: Applying DHCP options:
000243: 00:04:26: Setting default_gateway to 123.123.191.254
000244: 00:04:26: Adding default route 123.123.191.254
000245: 00:04:27: Adding route to DHCP server 81.52.127.254 via GigabitEthernet0/0.832 123.123.191.254
000246: 00:04:27: Adding DNS server address 62.36.225.150
000247: 00:04:27: Adding DNS server address 62.37.228.20
000248: 00:04:27: DHCP: Sending notification of ASSIGNMENT:
000249: 00:04:27: Address 123.123.188.32 mask 255.255.252.0
000250: 00:04:27: DHCP Client Pooling: ***Allocated IP address: 123.123.188.32
000251: 00:04:27: Allocated IP address = 123.123.188.32 255.255.252.0

And this keeps happening at every restart.

I didn't have problems getting the DHCP client working on other devices (like EdgeRouter).

Seen for example on: Cisco IOS Software, C2900 Software (C2900-UNIVERSALK9-M), Version 15.5(3)M6a, RELEASE SOFTWARE (fc2)

Any idea what this can be? Looks like a bug?

Thanks
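The debug line "No authen config but message has authen info - protocol 0 algorithm 0" refers to the DHCP authentication option (option 90, RFC 3118), in which protocol 0 is the configuration-token form. The following is an added example, not part of the original post: it decodes that option from a raw options block. The block and token are constructed sample data; only the server ID 51347FFE is taken from the debug output above.

```python
"""Decode the DHCP authentication option (option 90, RFC 3118)."""

AUTH_OPTION = 90
# Protocol field values defined by RFC 3118
PROTOCOLS = {0: "configuration token", 1: "delayed authentication"}


def iter_options(block: bytes):
    """Yield (code, value) for each TLV in a DHCP options block."""
    i = 0
    while i < len(block):
        code = block[i]
        if code == 255:          # End option
            return
        if code == 0:            # Pad option has no length byte
            i += 1
            continue
        if i + 1 >= len(block):
            raise ValueError("truncated option header")
        length = block[i + 1]
        value = block[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError(f"option {code} truncated")
        yield code, value
        i += 2 + length


def parse_auth_option(value: bytes) -> dict:
    """Split option 90 into protocol, algorithm, RDM, replay field, auth info."""
    if len(value) < 11:          # 3 one-byte fields + 8-byte replay detection
        raise ValueError("authentication option shorter than 11 bytes")
    return {
        "protocol": value[0],
        "protocol_name": PROTOCOLS.get(value[0], "unknown"),
        "algorithm": value[1],
        "rdm": value[2],
        "replay_detection": int.from_bytes(value[3:11], "big"),
        "auth_info": value[11:],  # the token itself when protocol is 0
    }


def find_auth(block: bytes):
    """Return the decoded option 90 of an options block, or None if absent."""
    for code, value in iter_options(block):
        if code == AUTH_OPTION:
            return parse_auth_option(value)
    return None


TOKEN = b"constructed-token"     # constructed sample, not a real ISP token
SAMPLE_OFFER_OPTIONS = (
    bytes([53, 1, 2])                                  # message type: Offer
    + bytes([54, 4]) + bytes.fromhex("51347FFE")       # server ID 81.52.127.254
    + bytes([51, 4]) + (86400).to_bytes(4, "big")      # lease time
    + bytes([AUTH_OPTION, 11 + len(TOKEN)]) + bytes(3) + bytes(8) + TOKEN
    + bytes([255])
)
```

Calling `find_auth(SAMPLE_OFFER_OPTIONS)` returns protocol 0 and algorithm 0, the same pair the IOS debug line reports for the ISP's offer.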

9 Replies

Hello,

just to be clear: your router has no client authentication configured initially, and in order to get an IP address, you have to configure and then disable it?

What if you configure 'ip dhcp client authentication mode token' or 'ip dhcp client authentication mode md5' and enable 'ip dhcp-client forcerenew' globally?

I checked for bugs but couldn't find any...

Yes, initially there is no configuration related to authentication. I need to enable the token authentication, wait for a DHCP request to fail, then disable it (so I get the same configuration as initially), and then it works.

I already have the forcerenew enabled.

I'll try the global authentication configuration and let you know.

Hello,

the forcerenew is only needed in combination with client authentication. In your case, since you have no authentication configured, you don't need the forcerenew. Does the problem also occur without forcerenew?

I have the same problem and found the exact same behaviour.

Did you ever solve the DHCP problem with Orange in Spain?

Hello,

what device is this happening on? Post the running configuration...

@mathieupoussin had the problem on a 1941 router IOS15. I have the problem @mathieupoussin described on a 1841 IOS 15.1(4)M12a.

interface FastEthernet0/1
 no ip address
 duplex auto
 speed auto
 no cdp enable
!
interface FastEthernet0/1.832
 encapsulation dot1Q 832
 ip address dhcp
 !!! configure the next two, wait for DHCP to fail, then
 !!! remove the two lines again
 !ip dhcp client authentication mode token
 !ip dhcp client authentication key-chain blablabla
end

Hello,

post the full running configuration (sh run). Do you have the below configured?

interface FastEthernet0/1.832
 encapsulation dot1Q 832
 ip address dhcp
 ip dhcp client authentication mode token
 ip dhcp client authentication key-chain keychain-name
!
key chain keychain-name
!
ip dhcp-client forcerenew

No, I do not have that configured. I do not know which key I would have to configure. Provider Orange did not give any user/pass or key to me. 

The interesting part is that the Cisco router accepts the DHCP-provided IP as soon as it failed once with authentication enabled by disabling authentication again.

This might be a hack and it works by accident.

I have a similar problem. When I remove "ip nat outside" from the interface config, it receives a DHCP address properly.
