ssanga
Staff & Editor
February 17, 2025

Technical Tip: DHCP fails on the Hyperscale FortiGates after upgrading to v7.6.0

Description
This article describes an issue where clients fail to receive a DHCP IP address from Hyperscale FortiGates after upgrading the firmware to v7.6.0.

Scope
FortiGate v7.6.0.

Solution

After upgrading to v7.6.0, clients fail to receive a DHCP IP address. This issue occurs only on Hyperscale FortiGates when a blackhole route is configured.

config router static
    edit 1
        set dst 172.18.0.0 255.255.255.240
        set blackhole enable
        set vrf 0
    next
end

The regular packet sniffer does not show any DHCP packets when filtering for DHCP. However, the DHCP Discover packets from the clients are visible in the NPU sniffer:


FGT # diagnose sniffer packet npudbg
interfaces=[npudbg]
filters=[none]
pcap_lookupnet: npudbg: no IPv4 address assigned
15.047526 0.0.0.0.68 -> 255.255.255.255.67: udp 302
15.047526 0.0.0.0.68 -> 255.255.255.255.67: udp 302
18.466648 0.0.0.0.68 -> 255.255.255.255.67: udp 302
18.466648 0.0.0.0.68 -> 255.255.255.255.67: udp 302
23.373949 0.0.0.0.68 -> 255.255.255.255.67: udp 302
23.373949 0.0.0.0.68 -> 255.255.255.255.67: udp 302
27.974108 0.0.0.0.68 -> 255.255.255.255.67: udp 302
27.974108 0.0.0.0.68 -> 255.255.255.255.67: udp 302

This issue has been resolved in v7.6.3 (available in the support portal).

Workaround:
Disable the blackhole route and reboot the firewall.
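
To check a saved configuration backup for the trigger condition before upgrading, the static route table can be scanned for entries with `set blackhole enable`. The following is an added example, not Fortinet code: the function name and the sample backup are constructed for illustration, and it assumes the plain-text backup layout shown above (`config` / `edit` / `next` / `end`), matching on the innermost section so that `config router static` nested under `config vdom` is also covered.

```python
# Added example: flag blackhole static routes in a FortiGate config backup.
# SAMPLE_CONFIG is constructed; route 1 mirrors the article's configuration.
SAMPLE_CONFIG = """\
config system global
    set hostname "FGT"
end
config router static
    edit 1
        set dst 172.18.0.0 255.255.255.240
        set blackhole enable
        set vrf 0
    next
    edit 2
        set gateway 10.0.0.1
        set device "port1"
    next
end
"""


def find_blackhole_routes(config_text):
    """Return id/dst/vrf of each static route with 'set blackhole enable'."""
    stack, entry, hits = [], None, []
    for raw in config_text.splitlines():
        line = raw.strip()
        if line.startswith("config "):
            stack.append(line[len("config "):].strip())  # enter a section
        elif line == "end":
            if stack:
                stack.pop()                               # leave the section
        elif stack and stack[-1] == "router static":
            if line.startswith("edit "):
                entry = {"id": line[len("edit "):].strip(), "set": {}}
            elif line == "next" and entry is not None:
                if entry["set"].get("blackhole") == "enable":
                    s = entry["set"]
                    hits.append({"id": entry["id"], "dst": s.get("dst"), "vrf": s.get("vrf")})
                entry = None
            elif line.startswith("set ") and entry is not None:
                parts = line.split(None, 2)               # set <key> <value>
                if len(parts) == 3:
                    entry["set"][parts[1]] = parts[2]
    return hits


if __name__ == "__main__":
    for route in find_blackhole_routes(SAMPLE_CONFIG):
        print("blackhole route: id={id} dst={dst} vrf={vrf}".format(**route))
```

Any route it reports is a candidate for the workaround above on a Hyperscale FortiGate running v7.6.0.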

General debug information required by FortiGate TAC for investigation:

  1. Debugs:

diagnose npu sniffer filter intf <>
diagnose npu sniffer filter protocol 17
diagnose npu sniffer filter dir 2
diagnose npu sniffer start
diagnose sniffer packet npudbg ' ' 6 0 a

Reproduce the issue.

diagnose npu sniffer stop

  2. TAC Report:

execute tac report

  3. Configuration file of the FortiGate.

Related documents:
Technical Tip: How to packet sniffer on Firewall NP7 hyperscale

Supported FortiGate models