Skip to main content
Kraven2323
Staff
Kraven2323
Staff
June 30, 2022

Troubleshooting Tip: FortiGate is not providing DHCP with error DHCP DECLINE

  • June 30, 2022
  • 0 replies
  • 23507 views
Description This article helps to troubleshoot the FortiGate DHCP when it is receiving an error DHCP DECLINE on debug.
Scope

FortiGate is the DHCP server, and the client is not getting a DHCP IP.

 

When running the debug 'diagnose debug application dhcpc -1', the error DHCP DECLINE is visible.

 

Sample 1:

 

2022-06-08 18:28:52 [note]DHCPDECLINE on 172.22.1.2 from 98:fa:9b:89:da:d6 via port4(ethernet)
2022-06-08 18:28:52 [warn]Abandoning IP address 172.22.1.2: declined.
2022-06-08 18:28:52 [debug]deled ip 172.22.1.2 mac 98:fa:9b:89:da:d6 in vd root
2022-06-08 18:29:02 [debug]locate_network prhtype(1) pihtype(1)
2022-06-08 18:29:02 [debug]find_lease(): leaving function WITHOUT a lease

 

Sample 2:

 

Receive packet:
len=60
del hw header
ether_type:0806
hw addr from: XX:XX:XX:4E:DC:XX
arp packet received, len:46
A ARP packet is received.
The requested 192.168.100.78 address is in use by XX:XX:XX:4E:DC:6E
make decline
make dhcp message, code=4
Insert option(255), len(0)
Insert option(53), len(1)
Insert requested address
Insert option(50), len(4)
Insert client ID
Insert option(61), len(7)
Insert server ID
Insert option(54), len(4)
Insert message The requested 192.168.100.78 address is in use by XX:XX:XX:4E:DC:6E

 

Use the following debug commands to capture the relevant parameters: 

 

FortiGate is the DHCP Server:

 

diagnose debug reset
diagnose debug application dhcps -1

diagnose debug console timestamp enable
diagnose debug enable

 

To stop the debug:

 

diagnose debug reset
diagnose debug disable
Solution
  1. Check the IPpool configured on the FortiGate:

 

config firewall ippool
    edit "testCWPIP"
        set startip 172.22.1.2
        set endip 172.22.1.125
    next

 

By default, the IPpool is configured to have the 'arp reply' enabled, which will cause the FortiGate itself to respond to the DHCP probe.

 

Kraven2323_0-1656570168544.png

 

To be sure, it is possible to use the sniffer command to check the ARP:

 

diagnose sniff pac <port> "arp" 4

 

Remove the IPpool or change the DHCP IP to another range.

 

  1. The IP sent by the DHCP server is already used by another device. So FortiGate sends a decline message.

 

dhcp.PNG
Once the client/FortiGate receives an IP from the DHCP server, it sends an ARP probe to check if the same IP is being used by any other device in the network. If it receives an ARP response from the same IP address allocated by the DHCP server, the client will send a DHCP decline message and will restart the process.

 

The MAC IP address of the PC is blocked from getting an IP address from the DHCP server:

 

After this rule is configured, the device associated with the specified MAC address will no longer be eligible to receive a DHCP lease from the FortiGate DHCP server. This approach helps ensure that only authorized devices are granted automatic IP address assignments, thereby enhancing overall network security.

 

dhcpserver.png
      Terms & ConditionsAccessibility statement