07-12-2023 04:19 PM
We are trying to move our DHCP server from Windows servers to our PA-820 firewalls. There is no issue for any devices getting DHCP addresses except the Cisco AIR-CAP3702I. It requires DHCP option 43, which I have configured with an IP, ASCII, and hex. No matter what option I select, the AP gets a DHCP address and within a few seconds releases it and requests a new one. I was unable to find any documentation on other people having this issue.
The AP has no trouble getting an IP from the DHCP server and connecting back to the controller when I use the DHCP relay on the firewall to send the requests to the Windows server.
The other devices connecting to the firewall for DHCP that don't require option 43 but do require other options are not having any issues.
I have a ticket opened with Palo support, but since the device is getting an IP and is the same device that is releasing the IP to get a new one, they aren't being much help.
I don't currently have access to a console connection on the AP, but should tomorrow. If anyone has any ideas on what could be causing this, I'd appreciate it.
07-12-2023 05:43 PM
Hi
Option 43 is problematic, as every vendor deploys it differently. But it caught my attention when you said "IP, ASCII, and hex". Usually it is one or the other.
07-14-2023 09:40 AM
In the Windows DHCP server, we use f1040a010101 and it works just fine. Because that configuration wasn't working in the firewall, I tried using different variations in an attempt to get it to work. I see the same behavior no matter how I configured it. So whether I used the option for IP, ASCII, or hex and their appropriate values in the firewall's DHCP options (at different times, not all configured at once), the AP will still get an IP and then release it 5-8 seconds later and request a new one. The lease is set for 8 days.
07-29-2023 08:48 AM
Get a packet capture of the DHCP packets to/from the PA firewall and compare to the packet capture of DHCP from the Windows server - share here if you want us to look. The PA might be sending additional parameters which the 3700 doesn't support.
Very important to get the complete console log from the AP to see what that shows. If it's staying on the same IP can't you SSH into the AP to check the log?
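As an added example (not written by any poster in this thread), here is a Python sketch for the capture comparison suggested above: it decodes the option 43 bytes copied from each server's DHCP offer using the Cisco lightweight AP layout that `f1040a010101` follows (type 0xf1, a length byte, then 4 bytes per controller IP). The sample payloads are constructed, and the two non-TLV variants are assumptions about how a mis-encoded value could look on the wire, not observed firewall behaviour.

```python
import ipaddress

CISCO_WLC_SUBOPTION = 0xF1  # sub-option type Cisco lightweight APs read controller IPs from

def decode_option43(payload: bytes):
    """Parse option 43 as a Cisco WLC TLV: type 0xf1, length 4*n, then n IPv4 addresses.
    Returns (ips, None) on success or ([], reason) when the payload is malformed."""
    if len(payload) < 2:
        return [], "too short for a type/length header"
    sub_type, length = payload[0], payload[1]
    value = payload[2:]
    if sub_type != CISCO_WLC_SUBOPTION:
        return [], f"sub-option type 0x{sub_type:02x}, expected 0xf1"
    if length != len(value):
        return [], f"length byte says {length}, {len(value)} value bytes present"
    if length == 0 or length % 4:
        return [], f"length {length} is not a non-zero multiple of 4"
    ips = [str(ipaddress.IPv4Address(value[i:i + 4])) for i in range(0, length, 4)]
    return ips, None

def compare(captures: dict):
    """Decode each server's option 43 bytes and return {name: (ips, reason)}."""
    return {name: decode_option43(raw) for name, raw in captures.items()}

# Constructed samples (not from a real capture): the value the thread says works on
# the Windows server, plus two hypothetical ways the same setting could be mis-encoded.
SAMPLES = {
    "tlv_hex": bytes.fromhex("f1040a010101"),
    "ascii_of_hex_string": b"f1040a010101",          # hex digits sent as text
    "bare_ip_no_header": bytes.fromhex("0a010101"),  # IP sent without type/length
}

if __name__ == "__main__":
    for name, (ips, reason) in compare(SAMPLES).items():
        print(f"{name:22} -> {ips if ips else 'INVALID: ' + reason}")
```

Paste the option 43 bytes from each capture (Windows server and firewall) into `SAMPLES` as hex; any difference in the decoded result points at the encoding rather than the lease itself.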