Problem with DHCP Relay over VPN tunnel for Firepower 1010 running 7.1

ABaker94985
Spotlight

We have several internal VLANs that need to get an IP address from a DHCP server that resides across a site-to-site tunnel. Here is the configuration for DHCP relay:


dhcprelay server 172.17.32.10 outside
dhcprelay enable wireless
dhcprelay enable printers
dhcprelay enable data
dhcprelay enable voice
dhcprelay setroute wireless
dhcprelay setroute printers
dhcprelay setroute data
dhcprelay setroute voice
dhcprelay timeout 60


I've included the debug for DHCP relay, but the line that doesn't seem correct is the following. The IP range for this location is 192.168.70.0/24, and the DHCP server is 172.17.32.10. It appears to me that the source and destination addresses are reversed. The hosts are not getting an IP address, and I don't see any of this traffic in the VPN tunnel.


Inserting divert entry for ingress 'outside' to egress 'data': dest addr 192.168.70.1, src addr 172.17.32.10, port 67


Debug:

Inserting divert entry for ingress 'data' to egress 'data': dest addr 255.255.255.255, src addr 0.0.0.0, port 67
DHCPRA: Inserting nat divert for 0.0.0.0 on 'data'
Inserting divert entry for ingress 'outside' to egress 'data': dest addr 192.168.70.1, src addr 172.17.32.10, port 67
DHCPRA: Inserting nat divert for 172.17.32.10 on 'outside'
DHCPRA: Inserting Relay rule on ifc 'data' src:192.168.70.0/255.255.255.192/17/68 dst:172.17.32.10/255.255.255.255/17/67
DHCPRA: Inserting Relay rules on ifc 'outside' src:172.17.32.10/255.255.255.255/17/67 dst:0.0.0.0/0.0.0.0/0/0-0
DHCPD: freeing relay binding 0x0000149da0a1bd40 (192.168.70.1).
DHCPRA: Setting DHCP relay binding expiration (192.168.70.1).
DHCPRA: returned relay binding 192.168.70.1/14a2.a05c.02d1 to address pool.
DHCPRA Monitor: Attempt to auto reset DHCP relay on data
DHCPRA Monitor: Force auto reset DHCP relay on data
Removing divert entry for ingress 'data' to egress 'data': addr 255.255.255.255 port 67
Removing divert addr 255.255.255.255, port 67
Removing divert entry for ingress 'outside' to egress 'data': addr 192.168.70.1 port 67
Removing divert addr 192.168.70.1, port 67
Removing server 172.17.32.10 rules from client ifc 'data'
Removing server 172.17.32.10 and ifc data rules from server ifc 'outside'


Does anyone have a thought what the problem might be?

4 Replies

Hi,

Is your VPN tunnel up and running?
Do you have NAT exempt for the LAN-to-DHCP-server subnet configured?
Can you share debug dhcprelay packet?
Do you have routing for the DHCP server configured over the outside interface?

**** please remember to rate useful posts

I typed a reply, but I must have never submitted it. Tunnel is up and running, and I can ping the DHCP server from the outside interface of the firewall. 


DHCP is configured to be sourced from the outside interface, and the DHCP server is across the VPN tunnel. The DHCP requests were showing up in a capture on the internal interfaces, but they weren't making it into the tunnel. Pinging the DHCP server would bring up the tunnel, but by themselves, the DHCP requests wouldn't. 


The firewall had a route to the DHCP server via the outside interface. 


Regarding these lines:

DHCPRA: Inserting Relay rule on ifc 'data' src:192.168.70.0/255.255.255.192/17/68 dst:172.17.32.10/255.255.255.255/17/67
DHCPRA: Inserting Relay rules on ifc 'outside' src:172.17.32.10/255.255.255.255/17/67 dst:0.0.0.0/0.0.0.0/0/0-0

A packet tracer using the top line would bring up the VPN tunnel. This is tried and tested.

I'm not sure if the second line is for return traffic, but the VPN configuration does not contain 0.0.0.0/0.0.0.0 nor can it.


Then I get to the pesky line:

Inserting divert entry for ingress 'outside' to egress 'data': dest addr 192.168.70.1, src addr 172.17.32.10, port 67

Ingress interface is outside? Egress interface is data? This is backwards. 
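The two relay rules and the two divert entries quoted above can be checked mechanically against the tunnel's interesting-traffic ACL. The script below is an added example written for this thread; it is not code from the original posts or from Cisco. It parses the DHCPRA debug lines exactly as quoted, tests each relay flow against a hypothetical crypto ACL (the `192.168.70.0/24 <-> 172.17.32.0/24` pair is an assumption, not the poster's configuration), and labels each divert entry by which leg of the DHCP exchange it represents. Under RFC 2131 a DHCP server unicasts its reply to the relay agent's giaddr on port 67, so a server-to-relay flow arriving on the server-facing interface is the expected return leg rather than a reversed request; the second relay rule, with a 0.0.0.0/0 destination, is the one no site-to-site crypto ACL can cover.

```python
import ipaddress
import re
from dataclasses import dataclass

# Constructed sample input: the DHCPRA lines quoted in the thread, re-typed here.
RELAY_RULE_LINES = [
    "DHCPRA: Inserting Relay rule on ifc 'data' src:192.168.70.0/255.255.255.192/17/68 dst:172.17.32.10/255.255.255.255/17/67",
    "DHCPRA: Inserting Relay rules on ifc 'outside' src:172.17.32.10/255.255.255.255/17/67 dst:0.0.0.0/0.0.0.0/0/0-0",
]
DIVERT_LINES = [
    "Inserting divert entry for ingress 'data' to egress 'data': dest addr 255.255.255.255, src addr 0.0.0.0, port 67",
    "Inserting divert entry for ingress 'outside' to egress 'data': dest addr 192.168.70.1, src addr 172.17.32.10, port 67",
]

# Hypothetical interesting-traffic ACL for the site-to-site tunnel, as
# (local network, remote network) pairs. This is an assumption for the
# example, not the poster's real configuration.
CRYPTO_ACL = [("192.168.70.0/24", "172.17.32.0/24")]

DHCP_SERVER = "172.17.32.10"   # from the thread
SERVER_FACING_IFC = "outside"  # 'dhcprelay server 172.17.32.10 outside'

RULE_RE = re.compile(
    r"Relay rules? on ifc '(?P<ifc>[^']+)' "
    r"src:(?P<sip>[\d.]+)/(?P<smask>[\d.]+)/\d+/[\d-]+ "
    r"dst:(?P<dip>[\d.]+)/(?P<dmask>[\d.]+)/\d+/[\d-]+"
)
DIVERT_RE = re.compile(
    r"ingress '(?P<ingress>[^']+)' to egress '(?P<egress>[^']+)': "
    r"dest addr (?P<dst>[\d.]+), src addr (?P<src>[\d.]+), port (?P<port>\d+)"
)


@dataclass
class RelayRule:
    ifc: str
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network


def parse_relay_rules(lines):
    """Turn 'DHCPRA: Inserting Relay rule ...' lines into RelayRule objects."""
    rules = []
    for line in lines:
        m = RULE_RE.search(line)
        if not m:
            continue
        # ipaddress accepts 'addr/dotted-mask', so 0.0.0.0/0.0.0.0 becomes 0.0.0.0/0
        rules.append(RelayRule(
            m["ifc"],
            ipaddress.ip_network(f"{m['sip']}/{m['smask']}", strict=False),
            ipaddress.ip_network(f"{m['dip']}/{m['dmask']}", strict=False),
        ))
    return rules


def covered_by_crypto_acl(rule, acl=CRYPTO_ACL):
    """True if the relay flow (in either direction) fits inside one ACL entry.

    A crypto ACL only encrypts traffic it matches, so a relay rule whose
    source or destination is wider than every entry (e.g. 0.0.0.0/0) is
    never sent into the tunnel.
    """
    for local, remote in acl:
        local_net = ipaddress.ip_network(local)
        remote_net = ipaddress.ip_network(remote)
        outbound = rule.src.subnet_of(local_net) and rule.dst.subnet_of(remote_net)
        inbound = rule.src.subnet_of(remote_net) and rule.dst.subnet_of(local_net)
        if outbound or inbound:
            return True
    return False


def classify_divert(line, server=DHCP_SERVER, server_ifc=SERVER_FACING_IFC):
    """Label a divert entry by which leg of the DHCP exchange it represents."""
    m = DIVERT_RE.search(line)
    if not m:
        return "unrecognised"
    if m["src"] == "0.0.0.0" and m["dst"] == "255.255.255.255":
        return "client broadcast to relay"
    if m["ingress"] == server_ifc and m["src"] == server:
        # RFC 2131: the server unicasts its reply to the relay's giaddr on
        # port 67, so server->relay on the server-facing interface is the
        # expected return leg, not a reversed request.
        return "server reply to relay giaddr"
    return "other"


def audit(rule_lines=RELAY_RULE_LINES, divert_lines=DIVERT_LINES):
    """Return (description, verdict) pairs for every sample line."""
    report = []
    for rule in parse_relay_rules(rule_lines):
        verdict = "covered by crypto ACL" if covered_by_crypto_acl(rule) else "NOT covered by crypto ACL"
        report.append((f"{rule.ifc}: {rule.src} -> {rule.dst}", verdict))
    for line in divert_lines:
        report.append((line, classify_divert(line)))
    return report


if __name__ == "__main__":
    for desc, verdict in audit():
        print(f"{verdict:30} {desc}")
```

Run against the quoted lines, the first relay rule (192.168.70.0/26 to 172.17.32.10/32) is covered by the hypothetical ACL, which matches the poster's packet-tracer result, while the second rule's 0.0.0.0/0 destination is not covered by any entry. Swap `CRYPTO_ACL` for the real interesting-traffic ACL to test a live configuration.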
