01-07-2011 03:45 AM - edited 03-06-2019 02:52 PM
Hello.
I've this problem.
A remote network with a few PCs, connected to our central network through a Cisco router, configured with ip helper-address:
interface FastEthernet0/0
 ip address 192.168.120.1 255.255.255.0
 ip helper-address 192.168.0.3
192.168.0.3 is our dhcp server.
When I configure a PC in dhcp mode, I can't see any packets arriving at our dhcp server, and on the ASA firewall between the router and the dhcp server I can see this error:
Jan 07 2011 12:27:39: %ASA-2-106016: Deny IP spoof from (0.0.0.0) to 192.168.0.3 on interface outside
It's strange behaviour: ip helper-address must use unicast packets from the interface ip (192.168.120.1 in this case) to the dhcp server; in this case, packets come from the 0.0.0.0 address, so the ASA blocks them.
PCs don't obtain an ip address...
How can I troubleshoot this problem?
Thanks
Daniele
01-07-2011 04:13 AM
Hi,
Can you show the config of your ASA and a diagram of your topology? If dhcp messages from clients come in on the outside interface then you must have an ACL permitting this traffic.
Regards.
Alain.
01-07-2011 04:57 AM
PC----Router-----ASA-----DHCP Server
Relevant ASA config:
access-list da_filiali_ult extended permit udp host 192.168.120.2 host 192.168.0.3 eq bootps
where 192.168.120.2 is the router ip address and 192.168.0.3 is the dhcp server.
But the problem is that traffic arrives with a source address of 0.0.0.0 instead of 192.168.120.2.
Thanks
01-07-2011 05:15 AM
ip helper-address xxx
forwards the received broadcasts to xxx,
for example bootp/dhcp requests, but does not change the src-ip address.
This function is not a full-featured dhcp-relay or proxy, just forwarding of packets.
0.0.0.0 as source for a new device dhcp request is according to the standards,
so everything looks fine.
Perhaps you want to configure a dhcp server local on the router?
Juergen.
01-07-2011 05:59 AM
Hello Juergen.
I've made other configurations of this type at other sites, and they all work fine; in the dhcp server logs I can see requests coming in with the ip address of the site router; this also helps the dhcp server to choose which dhcp range to use.
For example, if I have two sites with ip addresses 1.1.1.0/24 and 2.2.2.0/24, in this way the dhcp server can assign the correct ip addresses to the respective networks; if requests from both arrive with a source of 0.0.0.0, how can the dhcp server distinguish between the two different networks?
Thanks
Daniele
01-07-2011 06:25 AM
Hello.
I've solved the problem myself.
On the router I've configured "service dhcp".
This command transforms the dhcp request packet source address from 0.0.0.0 to the router ip, allowing the dhcp server to identify the network range.
Daniele
01-07-2011 06:29 AM
Daniele, could you please post the whole command line that you entered on the interface for the source request address?
Thanks, Pat.
01-07-2011 06:47 AM
.. so the dhcp relay was not running.
01-07-2011 06:45 AM
No,
the src is not changed, but the ip address of the router with the helper-address receiving the dhcp-request will be put
into the gi-addr dhcp field to be able to distinguish different remote lans.
Just seen as "via..." on a linux dhcp server.
From http://www.cisco.com/en/US/docs/ios/12_4t/ip_addr/configuration/guide/htdhcpre.html :
..., the DHCP client broadcasts a request for an IP address and additional configuration parameters on its local LAN.
Router B, acting as a DHCP relay agent, picks up the broadcast and generates a new DHCP message to send out on another interface.
As part of this DHCP message,
the relay agent inserts the IP address of the interface containing the ip helper-address command into the gateway IP address (giaddr) field of the DHCP packet.
This IP address enables the DHCP server to determine which subnet should receive the offer and identify the appropriate IP address range to offer.
The DHCP relay agent sends the local broadcast, via IP unicast,
to the DHCP server address 172.16.1.2 specified by the ip helper-address interface configuration command.
Probably the (default) behaviour of the dhcp-relay has been changed, and needs to be configured now?
Juergen.
03-28-2013 10:20 AM
(*kick*)
I was pretty sure I remembered that the relayed DHCP request gets the router interface's address as a source, in addition to the GIADDR field in the UDP datagram.
From: http://www.cisco.com/en/US/docs/ios/12_4t/ip_addr/configuration/guide/htdhcpre.html :
In Figure 1, the DHCP client broadcasts a request for an IP address and additional configuration parameters on its local LAN. Router B, acting as a DHCP relay agent, picks up the broadcast and generates a new DHCP message to send out on another interface. As part of this DHCP message, the relay agent inserts the IP address of the interface containing the ip helper-address command into the gateway IP address (giaddr) field of the DHCP packet. This IP address enables the DHCP server to determine which subnet should receive the offer and identify the appropriate IP address range to offer. The DHCP relay agent sends the local broadcast, via IP unicast, to the DHCP server address 172.16.1.2 specified by the ip helper-address interface configuration command.
Note the last sentence: "The DHCP relay agent sends the local broadcast, via IP unicast...." The DHCP relay agent generates a new UNICAST packet, with a source address of the router interface, to send to the DHCP server. The 0.0.0.0 source address is not propagated past the relaying router.
Just to be perfectly sure, I hung a sniffer on a feed to one of our DHCP servers, and sniffed a few request packets. Sure enough, they all had the IP addresses of relaying router interfaces as source addresses.
03-28-2013 11:35 AM
Hi,
it's working this way because the default is service dhcp, and that's what populates the gia address with the ip address of the interface which received the DHCP Discover. All ip helper-address does is turn a udp broadcast into a udp unicast with the source address as the IP of the interface where it is configured, BUT it doesn't change the gia address.
Regards
Alain
Don't forget to rate helpful posts.
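
Added example, not part of any post in this thread: the discussion turns on two separate fields, the IP header source address (which the ASA logged as 0.0.0.0 in message 106016) and the giaddr field inside the DHCP payload (which the quoted Cisco guide says the server uses to choose a range). The Python below parses both from a raw IPv4 packet so they can be checked independently in a capture; the two sample packets, the scope list and all function names are constructed for illustration.

```python
import ipaddress
import socket
import struct

MAGIC = b"\x63\x82\x53\x63"  # DHCP magic cookie that follows the 236-byte BOOTP header
SCOPES = ["192.168.120.0/24", "192.168.121.0/24"]  # constructed server scopes (assumption)

def build_request(src_ip, giaddr, dst_ip="192.168.0.3"):
    """Constructed IPv4/UDP/BOOTP request for the demo (checksums left at 0)."""
    relayed = giaddr != "0.0.0.0"
    bootp = struct.pack("!BBBBIHH4s4s4s4s16s64s128s",
                        1, 1, 6, int(relayed),         # op=BOOTREQUEST, htype, hlen, hops
                        0x1234ABCD, 0, 0x8000,         # xid, secs, flags (broadcast bit)
                        bytes(4), bytes(4), bytes(4),  # ciaddr, yiaddr, siaddr
                        socket.inet_aton(giaddr),
                        bytes.fromhex("001122334455"), b"", b"")  # chaddr, sname, file
    bootp += MAGIC + b"\x35\x01\x01\xff"               # option 53 = DHCPDISCOVER, end
    udp = struct.pack("!HHHH", 67 if relayed else 68, 67, 8 + len(bootp), 0) + bootp
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0,
                     socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    return ip + udp

def inspect(packet):
    """Return IP source, giaddr, hops and the scope a server would pick from giaddr."""
    ihl = (packet[0] & 0x0F) * 4
    if len(packet) < ihl + 8 + 240 or packet[9] != 17:
        raise ValueError("too short or not UDP")
    dport = struct.unpack("!H", packet[ihl + 2:ihl + 4])[0]
    bootp = packet[ihl + 8:]
    if dport != 67 or bootp[0] != 1 or bootp[236:240] != MAGIC:
        raise ValueError("not a DHCP request to the server port")
    src = ipaddress.ip_address(packet[12:16])    # IP header source address
    giaddr = ipaddress.ip_address(bootp[24:28])  # relay agent address in the payload
    scope = next((s for s in SCOPES if giaddr in ipaddress.ip_network(s)), None)
    return {"src": str(src), "giaddr": str(giaddr), "hops": bootp[3],
            "relayed": not giaddr.is_unspecified, "scope": scope,
            "src_unspecified": src.is_unspecified}

if __name__ == "__main__":
    # Constructed samples: a raw client broadcast, then a relayed unicast that uses
    # the router addresses mentioned in the thread.
    for s, g in [("0.0.0.0", "0.0.0.0"), ("192.168.120.2", "192.168.120.1")]:
        print(inspect(build_request(s, g)))
```

Feeding it the IP payload of frames captured on each side of the relaying router shows which of the two fields actually changed.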