Markus_M
Staff & Editor
August 24, 2009

Technical Tip: Diagnosing DHCP on a FortiGate
Description

 

This article describes how to troubleshoot a device that is not receiving an IP address or options, as expected.
 
Scope


FortiGate is the DHCP client and is connected to a router that provides an address over DHCP, or FortiGate is the DHCP server.
For this example, the server and client were switched, so it is possible to see the same MAC addresses 00:66:65:72:36:03 and 00:66:65:72:27:02 in both the dhcpc (DHCP Client) and dhcps (DHCP Server) output.


Solution

 

  1. If FortiGate is the DHCP client:

diagnose debug reset
diagnose debug application dhcpc -1
diagnose debug console timestamp enable
diagnose debug enable

 

To stop the debug:

 

diagnose debug reset
diagnose debug disable

 

Example and truncated output:

 

timer 0xc023f10(send_discover -> send_discover) will expire in 8 secs
timer 0xc023f10(send_discover -> send_discover) will expire in 7 secs
timer 0xc023f10(send_discover -> send_discover) will expire in 6 secs
timer 0xc023f10(send_discover -> send_discover) will expire in 5 secs
timer 0xc023f10(send_discover -> send_discover) will expire in 4 secs
timer 0xc023f10(send_discover -> send_discover) will expire in 3 secs
timer 0xc023f10(send_discover -> send_discover) will expire in 2 secs
timer 0xc023f10(send_discover -> send_discover) will expire in 1 secs
timer 0xc023f10 expired, take action
Sending discover!
Send a packet out.
add hw header
set dst hw addr as: FF:FF:FF:FF:FF:FF
src hw addr: 00:66:65:72:27:02
add ip udp header
dhcpcd_send_packet,267:result:590, ifinde:4
unregister timer:0xc023f10
register timer func=0x74f1a0 arg=0xc047350 name=send_discover -> send_discover
Allocate a new timer
Registered timer 0xc023700 will expiry in 22 secs
timer 0xc023700(send_discover -> send_discover) will expire in 22 secs
timer 0xc023700(send_discover -> send_discover) will expire in 21 secs
fd 14 can be read now
###############3Receive packet:
len=353
del hw header
ether_type:0800
hw addr from: 00:66:65:72:36:03
del ip udp header
final dhcp message len:311
DHCP Message received.
parse dhcp options
parse dhcp option buffer (71 bytes)
option[53], len:1
option[54], len:4
option[51], len:4
option[1], len:4
option[2], len:4
option[3], len:4
option[6], len:4
option[58], len:4
option[59], len:4
option[224], len:17
DHO_BROADCAST_ADDRESS option is missed
DHCPOFFER received on port2

  2. If FortiGate is the DHCP server:

As a first step, list the leases currently held by the DHCP server on this FortiGate and check them for anything unexpected, using the following CLI command:

execute dhcp lease-list

Then enable the DHCP server debug:

diagnose debug reset
diagnose debug application dhcps -1
diagnose debug console timestamp enable
diagnose debug enable

 

To stop the debug:

 

diagnose debug reset
diagnose debug disable

Example and truncated output:

[warn]Backing up leasefile
[warn]finished dumping all leases
[debug]locate_network prhtype(1) pihtype(1)
[debug]find_lease(): leaving function WITHOUT a lease
[note]DHCPDISCOVER from 00:66:65:72:36:03 via port2(ethernet)
[debug]Start dumping IP address range:
[debug]IP Range from 10.0.0.2 to 10.0.7.58
[debug]IP Range from 10.0.7.60 to 10.0.15.254
[debug]found a new lease of ip 10.0.0.1
[debug]added ip 10.0.0.1 mac 00:66:65:72:36:03 in vd root
[debug]packet length 548
[debug]op = 1  htype = 1  hlen = 6  hops = 0
[debug]xid = eb93af5  secs = 0  flags = 80
[debug]ciaddr = 0.0.0.0
[debug]yiaddr = 0.0.0.0
[debug]siaddr = 0.0.0.0
[debug]giaddr = 0.0.0.0
[debug]chaddr = 00:66:65:72:36:03
[debug]filename = 
[debug]server_name = 
[debug]  host-name = "fermion-kvm54"
[debug]  dhcp-message-type = 1
[debug]  dhcp-parameter-request-list = 1,2,3,6,12,15,28,40,42,26,240,241
[debug]  dhcp-max-message-size = 1458
[debug]  dhcp-class-identifier = "FortiGate-VM64-KVM"
[debug]  dhcp-client-identifier = 1:0:66:65:72:36:3
[debug]
[pkt]000: 01 01 06 00 f5 3a b9 0e  00 00 80 00 00 00 00 00
[pkt]010: 00 00 00 00 00 00 00 00  00 00 00 00 00 66 65 72
[pkt]020: 36 03 00 00 00 00 00 00  00 00 00 00 00 00 00 00
[……]
[pkt]200: 00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00
[pkt]210: 00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00
[pkt]220: 00 00 00 00
[debug]Sending ICMP echo-request to 10.0.0.1
[note]DHCPOFFER on 10.0.0.1 to 00:66:65:72:36:03 via port2(ethernet)
[pkt]000: 02 01 06 00 f5 3a b9 0e  00 00 80 00 00 00 00 00
[pkt]010: 0a 00 00 01 00 00 00 00  00 00 00 00 00 66 65 72
[pkt]020: 36 03 00 00 00 00 00 00  00 00 00 00 00 00 00 00
[……]
[pkt]120: 40 3b 04 00 08 13 30 e0  11 46 47 56 4d 30 31 30
[pkt]130: 30 30 30 30 35 32 37 34  33 00 ff
[debug]sending on port2(ethernet)
[debug]sending using lpf_dhcpd_send_packet
[debug]locate_network prhtype(1) pihtype(1)
[debug]find_lease(): packet contains preferred client IP, cip.s_addr is 10.0.0.1
[debug]find_lease(): leaving function with lease set
[debug]find_lease(): the lease's IP is 10.0.0.1
[note]DHCPREQUEST for 10.0.0.1 from 00:66:65:72:36:03 via port2(ethernet)
[debug]deled ip 10.0.0.1 mac 00:66:65:72:36:03 in vd root
[debug]added ip 10.0.0.1 mac 00:66:65:72:36:03 in vd root
[debug]packet length 548
[debug]op = 1  htype = 1  hlen = 6  hops = 0
[debug]xid = eb93af5  secs = 0  flags = 80
[debug]ciaddr = 0.0.0.0
[debug]yiaddr = 0.0.0.0
[debug]siaddr = 0.0.0.0
[debug]giaddr = 0.0.0.0
[debug]chaddr = 00:66:65:72:36:03
[debug]filename = 
[debug]server_name = 
[debug]  host-name = "fermion-kvm54"
[debug]  dhcp-requested-address = 10.0.0.1
[debug]  dhcp-message-type = 3
[debug]  dhcp-server-identifier = 10.0.7.59
[debug]  dhcp-parameter-request-list = 1,2,3,6,12,15,28,40,42,26,240,241
[debug]  dhcp-max-message-size = 1458
[debug]  dhcp-class-identifier = "FortiGate-VM64-KVM"
[debug]  dhcp-client-identifier = 1:0:66:65:72:36:3
[debug]
[pkt]000: 01 01 06 00 f5 3a b9 0e  00 00 80 00 00 00 00 00
[pkt]010: 00 00 00 00 00 00 00 00  00 00 00 00 00 66 65 72
[pkt]020: 36 03 00 00 00 00 00 00  00 00 00 00 00 00 00 00
[……]
[pkt]1f0: 00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00
[pkt]200: 00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00
[pkt]210: 00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00
[pkt]220: 00 00 00 00
[note]DHCPACK on 10.0.0.1 to 00:66:65:72:36:03 via port2(ethernet)
[pkt]000: 02 01 06 00 f5 3a b9 0e  00 00 80 00 00 00 00 00
[pkt]010: 0a 00 00 01 00 00 00 00  00 00 00 00 00 66 65 72
[pkt]020: 36 03 00 00 00 00 00 00  00 00 00 00 00 00 00 00
[pkt]030: 00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00
[……]

In the output, note the DHCP packets and the typical DHCP flow of packets: DHCPDISCOVER -> DHCPOFFER -> DHCPREQUEST and finally DHCPACK.
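As an added example that is not part of the article, the following Python decodes the "[pkt]" hex lines printed by the dhcps debug into the fixed BOOTP header fields and checks the sequence: the transaction ID and client MAC must stay constant and every server reply must carry a yiaddr. Note that the dhcps log prints the xid in host byte order (eb93af5) while the dump shows the wire bytes f5 3a b9 0e; the decoder returns both forms so the two outputs can be matched.

```python
# Added example (not part of the article): decode the "[pkt]" hex dump that
# "diagnose debug application dhcps -1" prints and check the flow invariants.
import re

PKT_LINE = re.compile(r"^\[pkt\]([0-9a-f]{3}):\s+([0-9a-f ]+)$")

def pkt_bytes(dump: str) -> bytes:
    """Concatenate the hex payload of every [pkt] line, in order."""
    return b"".join(bytes.fromhex(m.group(2)) for m in
                    (PKT_LINE.match(l.strip()) for l in dump.splitlines()) if m)

def parse_bootp_header(raw: bytes) -> dict:
    """Decode the fixed RFC 2131 header (op .. chaddr, first 44 bytes)."""
    if len(raw) < 44:
        raise ValueError("need at least 44 bytes of BOOTP header")
    ip = lambda b: ".".join(str(x) for x in b)
    hlen = raw[2]
    return {
        "op": raw[0], "htype": raw[1], "hlen": hlen, "hops": raw[3],
        "xid_wire": raw[4:8].hex(),                      # bytes as dumped
        "xid_log": int.from_bytes(raw[4:8], "little"),   # value as the log prints it
        "secs": int.from_bytes(raw[8:10], "big"),
        "flags": int.from_bytes(raw[10:12], "big"),      # 0x8000 = broadcast
        "ciaddr": ip(raw[12:16]), "yiaddr": ip(raw[16:20]),
        "siaddr": ip(raw[20:24]), "giaddr": ip(raw[24:28]),
        "chaddr": ":".join(f"{b:02x}" for b in raw[28:28 + hlen]),
    }

def check_flow(pkts: list) -> list:
    """Problems in an ordered DISCOVER/OFFER/REQUEST/ACK sequence (empty = healthy)."""
    problems = []
    if len({p["xid_wire"] for p in pkts}) != 1:
        problems.append("transaction ID changed within the flow")
    if len({p["chaddr"] for p in pkts}) != 1:
        problems.append("client MAC changed within the flow")
    for i, p in enumerate(pkts):
        want = 1 if i % 2 == 0 else 2        # request, reply, request, reply
        if p["op"] != want:
            problems.append(f"packet {i}: op={p['op']}, expected {want}")
        elif want == 2 and p["yiaddr"] == "0.0.0.0":
            problems.append(f"packet {i}: server reply carries no yiaddr")
    return problems

# Sample input: the first three [pkt] lines of the DISCOVER and OFFER above.
DISCOVER = """[pkt]000: 01 01 06 00 f5 3a b9 0e  00 00 80 00 00 00 00 00
[pkt]010: 00 00 00 00 00 00 00 00  00 00 00 00 00 66 65 72
[pkt]020: 36 03 00 00 00 00 00 00  00 00 00 00 00 00 00 00"""
OFFER = """[pkt]000: 02 01 06 00 f5 3a b9 0e  00 00 80 00 00 00 00 00
[pkt]010: 0a 00 00 01 00 00 00 00  00 00 00 00 00 66 65 72
[pkt]020: 36 03 00 00 00 00 00 00  00 00 00 00 00 00 00 00"""
```

Feed the [pkt] lines of all four packets to check_flow in the order the debug printed them; an empty list means the fixed header stayed consistent throughout the exchange.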

 

Additionally, execute the following sniffer command in a separate console window:


diagnose sniffer packet <interface> 'port 67 or port 68' 6 0 l <----- Enter the interface that is handling the DHCP IP lease.


The following is an example of capturing sniffer output filtered on the MAC address of the end machine, using the MAC address a8:1d:16:6e:9b:3b for the demonstration:


diagnose sniffer packet any "(ether[6:4]=0xa81d166e) and (ether[10:2]=0x9b3b)" 6 0 l

 

The expression above uses the 'and' operator to ensure both parts of the MAC address match simultaneously:

  • (ether[6:4]=0xa81d166e): Matches the first 4 bytes of the Source MAC.
  • (ether[10:2]=0x9b3b): Matches the final 2 bytes of the Source MAC.
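The following Python, an added example rather than part of the article, builds that filter from a MAC address in any common notation and, as a generalization, also produces the destination-MAC form (Ethernet destination at offset 0, source at offset 6) and a both-directions form, so the reply to the client can be captured as well:

```python
# Added example (not part of the article): build the ether[] byte-offset filter
# for "diagnose sniffer packet" from a MAC address, for source or destination.
import re

def sniffer_mac_filter(mac: str, field: str = "src") -> str:
    """Filter matching one MAC; the Ethernet destination is at offset 0, source at 6."""
    hexmac = re.sub(r"[^0-9a-fA-F]", "", mac).lower()   # accept aa:bb, aa-bb, aabb.ccdd
    if len(hexmac) != 12:
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    base = {"src": 6, "dst": 0}[field]
    # ether[off:size] allows a size of 1, 2 or 4, so split the 6 bytes into 4 + 2.
    return (f"(ether[{base}:4]=0x{hexmac[:8]}) and "
            f"(ether[{base + 4}:2]=0x{hexmac[8:]})")

def sniffer_mac_filter_either(mac: str) -> str:
    """Match the MAC as source or destination, i.e. both directions of the lease."""
    return (f"({sniffer_mac_filter(mac, 'src')}) or "
            f"({sniffer_mac_filter(mac, 'dst')})")
```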

 

Additionally, the FortiGate packet capture utility will be useful.
Since DHCP is widely used, other DHCP-capable devices behave similarly.

The capture should also show the DHCP packets in the same order. In the following Wireshark packet capture example, note the following important fields:

  • Client MAC Address: 00:66:65:72:36:03 <--- The client hardware address.
  • Transaction ID: 0x82628920 <--- A static ID, unique to one DHCP flow.
  • (Client) IP address: 10.0.0.1 <--- The result of the client's attempt to acquire an IP address.

 

During DHCP debugging, verify that the interface receiving DHCP requests has the correct role assigned. An incorrect interface role or misconfigured DHCP settings can prevent DHCPDISCOVER packets from being processed by the FortiGate DHCP server. Use the commands 'show system interface' and 'get system dhcp server' to confirm the configuration.

 

There are also DHCP options containing information about the gateway/next hop, DNS, NTP, and others. If a client receives a DHCP lease but does not receive an expected DHCP option that is configured as an FQDN on the FortiGate acting as DHCP server, verify that the firewall has DNS connectivity to resolve the FQDN to an IPv4 address. This is most commonly noticed for NTP, which generates dhcps logs similar to the following.

diagnose debug application dhcps -1
diagnose debug enable

[warn]ntp1.fortiguard.com: rcode=2
[warn]ntp2.fortiguard.com: rcode=2
[warn]ntp1.fortiguard.com unresolvable
[note]dns query name=ntp1.fortiguard.com, id=896, cb=0x55824f38a270
[warn]ntp2.fortiguard.com unresolvable
[note]dns query name=ntp2.fortiguard.com, id=897, cb=0x55824f38a270

 

To stop the debug processes, run the following:

diagnose debug disable
diagnose debug reset


The client MAC address and transaction ID must not change within one DHCP session.
If they do change, another DHCP server is possibly interfering and answering the requests. It is also possible that one of the devices is not responding properly.


Bootstrap Protocol (Discover)
Message type: Boot Request (1)
Hardware type: Ethernet (0x01)
Hardware address length: 6
Hops: 0
Transaction ID: 0x82628920
Seconds elapsed: 0
Bootp flags: 0x8000, Broadcast flag (Broadcast)
Client IP address: 0.0.0.0
Your (client) IP address: 0.0.0.0
Next server IP address: 0.0.0.0
Relay agent IP address: 0.0.0.0
Client MAC address: 00:66:65:72:36:03 (00:66:65:72:36:03)
Client hardware address padding: 00000000000000000000
Server host name not given
Boot file name not given
Magic cookie: DHCP
Option: (53) DHCP Message Type (Discover)
Option: (57) Maximum DHCP Message Size
Option: (61) Client identifier
Option: (55) Parameter Request List
Option: (12) Host Name
Option: (60) Vendor class identifier
Option: (255) End
   
Bootstrap Protocol (Offer)
Message type: Boot Reply (2)
Hardware type: Ethernet (0x01)
Hardware address length: 6
Hops: 0
Transaction ID: 0x82628920
Seconds elapsed: 0
Bootp flags: 0x8000, Broadcast flag (Broadcast)
Client IP address: 0.0.0.0
Your (client) IP address: 10.0.0.1
Next server IP address: 0.0.0.0
Relay agent IP address: 0.0.0.0
Client MAC address: 00:66:65:72:36:03 (00:66:65:72:36:03)
Client hardware address padding: 00000000000000000000
Server host name not given
Boot file name not given
Magic cookie: DHCP
Option: (53) DHCP Message Type (Offer)
Option: (54) DHCP Server Identifier
Option: (51) IP Address Lease Time
Option: (1) Subnet Mask
Option: (2) Time Offset
Option: (3) Router
Option: (6) Domain Name Server
Option: (58) Renewal Time Value
Option: (59) Rebinding Time Value
Option: (224) Private
Option: (255) End

Bootstrap Protocol (Request)
Message type: Boot Request (1)
Hardware type: Ethernet (0x01)
Hardware address length: 6
Hops: 0
Transaction ID: 0x82628920
Seconds elapsed: 0
Bootp flags: 0x8000, Broadcast flag (Broadcast)
Client IP address: 0.0.0.0
Your (client) IP address: 0.0.0.0
Next server IP address: 0.0.0.0
Relay agent IP address: 0.0.0.0
Client MAC address: 00:66:65:72:36:03 (00:66:65:72:36:03)
Client hardware address padding: 00000000000000000000
Server host name not given
Boot file name not given
Magic cookie: DHCP
Option: (53) DHCP Message Type (Request)
Option: (57) Maximum DHCP Message Size
Option: (61) Client identifier
Option: (50) Requested IP Address
Option: (54) DHCP Server Identifier
Option: (55) Parameter Request List
Option: (12) Host Name
Option: (60) Vendor class identifier
Option: (255) End

Bootstrap Protocol (ACK)
Message type: Boot Reply (2)
Hardware type: Ethernet (0x01)
Hardware address length: 6
Hops: 0
Transaction ID: 0x82628920
Seconds elapsed: 0
Bootp flags: 0x8000, Broadcast flag (Broadcast)
Client IP address: 0.0.0.0
Your (client) IP address: 10.0.0.1
Next server IP address: 0.0.0.0
Relay agent IP address: 0.0.0.0
Client MAC address: 00:66:65:72:36:03 (00:66:65:72:36:03)
Client hardware address padding: 00000000000000000000
Server host name not given
Boot file name not given
Magic cookie: DHCP
Option: (53) DHCP Message Type (ACK)
Option: (54) DHCP Server Identifier
Option: (51) IP Address Lease Time
Option: (1) Subnet Mask
Option: (2) Time Offset
Option: (3) Router
Option: (6) Domain Name Server
Option: (58) Renewal Time Value
Option: (59) Rebinding Time Value
Option: (224) Private
Option: (255) End

 

  3. If FortiGate is configured as a DHCP relay:

diagnose debug reset
diagnose debug application dhcprelay -1
diagnose debug console timestamp enable
diagnose debug enable

 

To stop the debug, run the following commands:

diagnose debug disable
diagnose debug reset

 

If necessary, use the built-in sniffer to capture packets, verify the packet flow, and examine the capture in Wireshark. This can be done from either the CLI or the GUI. The easiest way is to filter on port 67 or 68. From the GUI, navigate to Network -> Diagnostics -> Packet Capture:

 

[Image: dhcpdebugs.PNG]

 

Or, in the CLI, enter the following:

 

diagnose sniffer packet <interface_name/any> "port 67 or port 68" 6 0 l

 

For detailed information about DHCP options, see RFC 2132, DHCP Options and BOOTP Vendor Extensions. Cross-checking the options may be helpful if clients receive an IP address as expected but the gateway information is still incorrect.
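One way to do that cross-check, as an added example that is not part of the article: read the client's parameter request list from the dhcps debug and the "option[N], len:L" lines from the dhcpc debug, and name every requested option the offer did not contain. The two excerpts below are taken from the debug outputs above (which the article captured from opposite sides of a swapped setup) and are combined here only to illustrate the check; the client's own "DHO_BROADCAST_ADDRESS option is missed" line corresponds to option 28 in the result.

```python
# Added example (not part of the article): compare the options a client asked for
# (dhcps "dhcp-parameter-request-list" line) with the options it actually got
# (dhcpc "option[N], len:L" lines) and name what is missing.
import re

# Option names from RFC 2132; codes 224-254 are reserved for private use.
OPTION_NAMES = {1: "Subnet Mask", 2: "Time Offset", 3: "Router", 6: "Domain Name Server",
                12: "Host Name", 15: "Domain Name", 26: "Interface MTU",
                28: "Broadcast Address", 40: "NIS Domain", 42: "NTP Servers",
                51: "IP Address Lease Time", 53: "DHCP Message Type",
                54: "DHCP Server Identifier", 58: "Renewal Time Value",
                59: "Rebinding Time Value"}

def requested_options(dhcps_log: str) -> set:
    """Option codes from the 'dhcp-parameter-request-list = ...' line in dhcps output."""
    m = re.search(r"dhcp-parameter-request-list\s*=\s*([\d,]+)", dhcps_log)
    return {int(x) for x in m.group(1).split(",")} if m else set()

def received_options(dhcpc_log: str) -> dict:
    """Map option code -> length from the 'option[N], len:L' lines in dhcpc output."""
    return {int(c): int(n) for c, n in re.findall(r"option\[(\d+)\], len:(\d+)", dhcpc_log)}

def option_name(code: int) -> str:
    if code in OPTION_NAMES:
        return OPTION_NAMES[code]
    return "Private use" if 224 <= code <= 254 else f"option {code}"

def missing_options(dhcps_log: str, dhcpc_log: str) -> dict:
    """Requested-but-not-received codes with their names (empty dict = nothing missing)."""
    missing = requested_options(dhcps_log) - set(received_options(dhcpc_log))
    return {code: option_name(code) for code in sorted(missing)}

# Sample lines taken from the two debug outputs above (constructed excerpts).
DHCPS_LOG = """[debug]  dhcp-message-type = 1
[debug]  dhcp-parameter-request-list = 1,2,3,6,12,15,28,40,42,26,240,241"""
DHCPC_LOG = """parse dhcp option buffer (71 bytes)
option[53], len:1
option[54], len:4
option[51], len:4
option[1], len:4
option[2], len:4
option[3], len:4
option[6], len:4
option[58], len:4
option[59], len:4
option[224], len:17
DHO_BROADCAST_ADDRESS option is missed"""
```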

Additionally, this can become more complicated if some kind of Network Access Control, like FortiNAC, is implemented.
