DHCP Offer, but no ACK from client on VLan

jeff.ewing
Level 1

Hi.  We are experiencing what I believe to be a routing issue, but cannot identify it.  1 Cisco switch stack (SGE2010) in L3 mode, 2 Vlans. 

Vlan 1 = 192.168.0.253/24, untagged on all ports except 14/15

Vlan 2 = 192.168.22.1/24, untagged on port 14 and 15

SGE2010 default route 0.0.0.0/0 next hop 192.168.0.1 (Checkpoint UTM)

DHCP Relay enabled

DHCP server set to 192.168.0.16

DHCP interface set to Vlan2

Checkpoint UTM = 192.168.0.1/24

Static route = From ANY to 192.168.22.0, next hop 192.168.0.253 (Stack)

DHCP Relay setup on Checkpoint to Stack address

DHCP server, IP=192.168.0.16/24 DG=192.168.0.1 is plugged into port 8 of the stack, Vlan1

Machine 1 = static IP 192.168.22.9/24 DG=192.168.22.1 on port 14 of Stack, Vlan2

Machine 2 = DHCP client on port 15 of Stack, Vlan2

Machine 3 = DHCP client on port 16 of Stack, Vlan1

Machine 1 which is using a static address on Vlan2 works great.  It can ping everywhere I want it to, including any host on Vlan 1 and the DHCP server itself.

Machine 2, DHCP client on Vlan2, never gets an address, stating that it cannot reach the DHCP server

Machine 3, DHCP client on Vlan1 works fine

From Wireshark, the DHCP Discovery is sent from the DG of Vlan2, DHCP Offer is sent from DHCP server on Vlan1 with an appropriate IP from the scope for Vlan2, however, the very next entry is an ICMP Port Unreachable from Vlan2 on the Stack to the DHCP server.

11900      192.168.22.1     192.168.0.16      DHCP 354      DHCP Discover

11901      192.168.0.16     192.168.22.1      DHCP 345      DHCP Offer   

11902      192.168.22.1     192.168.0.16      ICMP 70         Destination unreachable (Port unreachable)

Expanding the ICMP entry, it appears that the destination is the PC client, since it shows a Dell MAC address, and the source is the Checkpoint UTM (Sofaware).

I can ping and tracert from the Checkpoint to my static IP on Vlan 2.  The same goes for the DHCP server to/from Vlan2, so I am confused as to why the routing is failing.  I have tried adding Port Fast to the stack ports, but nothing changes.  Sorry for the lengthy description, but I wanted to include enough detail for you.  Your insights are appreciated and much needed.

thanks.

Jeff.

1 Accepted Solution

pompeychimes
Level 4

I'm confused as to why the DHCP Server (192.168.0.16) is using the Check Point UTM (192.168.0.1) as its DFG when you have a layer 3 interface configured on the switch for VLAN 1 (192.168.0.253)

James

3 Replies 3

Sorry, I just got back to this environment.  I must have looked at that 100 times, but it wasn't until I read your post that I realized it.  Thanks for waking me up.  Sometimes, you just stare at it too long.

The DHCP server was in place a long while and I didn't think to change its default gateway to the VLan1 port when we created the vlans.  Thanks again for your help!

Jeff
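
The point raised in the accepted answer, as an added example that is not part of the original thread: a small model of the three routing tables described in the question, tracing the relayed Discover and the server's Offer hop by hop for both default-gateway settings. The device names, the longest-prefix-match lookup and the function names are assumptions of this model; the addresses and routes are the ones given in the thread.

```python
import ipaddress

# Addresses owned by each device, as stated in the thread (device names are labels).
OWNERS = {
    "192.168.0.16": "dhcp-server",
    "192.168.0.253": "stack", "192.168.22.1": "stack",
    "192.168.0.1": "utm",
}

def build_tables(server_gw):
    """Routing tables from the thread; next hop None means directly connected."""
    return {
        "dhcp-server": [("192.168.0.0/24", None), ("0.0.0.0/0", server_gw)],
        "stack": [("192.168.0.0/24", None), ("192.168.22.0/24", None),
                  ("0.0.0.0/0", "192.168.0.1")],
        "utm": [("192.168.0.0/24", None), ("192.168.22.0/24", "192.168.0.253")],
    }

def next_hop(table, dst):
    """Longest-prefix match; returns the next-hop IP, or dst itself if on-link."""
    dst = ipaddress.ip_address(dst)
    matches = [(ipaddress.ip_network(p), nh) for p, nh in table
               if dst in ipaddress.ip_network(p)]
    if not matches:
        raise LookupError(f"no route to {dst}")
    _, nh = max(matches, key=lambda m: m[0].prefixlen)
    return nh or str(dst)

def trace(tables, start, dst, max_hops=8):
    """Return the list of devices a packet visits from start to dst."""
    path = [start]
    while OWNERS[dst] != path[-1]:
        if len(path) > max_hops:
            raise RuntimeError("routing loop")
        path.append(OWNERS[next_hop(tables[path[-1]], dst)])
    return path

def is_symmetric(tables):
    """Compare the relayed Discover path with the path of the server's Offer."""
    discover = trace(tables, "stack", "192.168.0.16")
    offer = trace(tables, "dhcp-server", "192.168.22.1")
    return offer == discover[::-1], discover, offer

if __name__ == "__main__":
    for gw in ("192.168.0.1", "192.168.0.253"):
        ok, discover, offer = is_symmetric(build_tables(gw))
        print(f"server DG {gw}: discover={discover} offer={offer} symmetric={ok}")
```

With the server's gateway set to 192.168.0.1, the Offer leaves the server toward the UTM before reaching the relay address 192.168.22.1, while the Discover arrived directly from the stack; with 192.168.0.253 both directions use the same single hop.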

smehrnia
Level 7

Hi there,

I don't think you have routing problems here; everything seems to work at the Layer 3 level. There should be something wrong with the broadcast handling in your network. Check if you accidentally set something to block BOOTP broadcasts, and check the UTM.

You could temporarily bypass the UTM and see if DHCP works then.

Hope it Helps,

Soroush.
