johnathan (Staff)
November 21, 2024

Troubleshooting Tip: The FortiGate as a DHCP client is not able to get an IP Address, DHCP Decline is seen in a PCAP

Description

This article describes how to resolve a scenario where the FortiGate is failing to get a DHCP lease, and a DHCP Decline is seen in a PCAP.

Scope

FortiOS.

Solution

In certain circumstances, the FortiGate may fail to get an IP from a DHCP server even when the DHCP handshake completes successfully.

(Screenshot: dhcp decline.PNG)

The following line appears in Wireshark when expanding the DHCP fields of the DHCP Decline packet.

(Screenshot: DHCP.png)

When executing the debug command 'diagnose debug application dhcpc -1', the message 'Sending decline!' appears in the output.

2026-02-23 10:53:55 arp packet received, len:46
2026-02-23 10:53:55 A ARP packet is received.
2026-02-23 10:53:55 The requested 100.X.X.X address is in use by XX:XX:XX:XX:XX:F8
2026-02-23 10:53:55 make decline
2026-02-23 10:53:55 too small, extend to 548
2026-02-23 10:53:55 Sending decline!


The DHCP ACK was exchanged between the FortiGate and the DHCP server, indicating that the handshake completed. Immediately afterwards, the FortiGate sends a DHCP Decline, and no IP address is present on the FortiGate.

Whenever the FortiGate acquires a DHCP lease, it sends an ARP request for the leased IP out of the interface on which the DHCP client is configured, to check whether any other device already holds that IP. If an ARP reply is received, the FortiGate declines the lease. This causes a problem if an IP Pool containing that leased IP is configured and the topology is such that the WAN VLAN is present twice on the FortiGate.

For example, if using a FortiSwitch to distribute the single WAN connection between an HA pair of FortiGates, that VLAN might exist on both the FortiLink interface and the configured WAN interface. The ARP will go out of the WAN interface, but also arrive on the FortiLink interface. Because the IP the ARP is requesting matches an IP Pool, the FortiGate will reply to itself. 
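The diagnostic steps above amount to: find the "address is in use by" line in the dhcpc debug output, and check whether the MAC it reports belongs to one of the FortiGate's own interfaces (in which case an IP Pool with ARP Reply enabled is answering the probe) or to a foreign device (a genuine address conflict). The following Python script, added here as an illustration and not part of the original article or of FortiOS, performs that correlation over a constructed sample of the debug output. The IP address, MAC addresses and the port-to-MAC mapping are placeholders; in practice the mapping would be filled from the unit's own interface MAC listing.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample modelled on 'diagnose debug application dhcpc -1' output.
# The IP and MAC values are placeholders, not real captured data.
SAMPLE_DEBUG = """\
2026-02-23 10:53:55 arp packet received, len:46
2026-02-23 10:53:55 A ARP packet is received.
2026-02-23 10:53:55 The requested 100.64.0.4 address is in use by 02:00:00:00:00:f8
2026-02-23 10:53:55 make decline
2026-02-23 10:53:55 too small, extend to 548
2026-02-23 10:53:55 Sending decline!
"""

# Constructed interface -> MAC map (hypothetical values). On a real unit this
# would be populated from the interface hardware address listing.
LOCAL_IFACE_MACS: Dict[str, str] = {
    "port9": "02:00:00:00:00:f8",
    "port10": "02:00:00:00:00:f9",
}

# Matches the conflict line emitted by the dhcpc debug before the decline.
CONFLICT_RE = re.compile(
    r"The requested (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) address is in use by "
    r"(?P<mac>(?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2})"
)


@dataclass
class DeclineEvent:
    ip: str                      # leased address the FortiGate probed for
    mac: str                     # MAC that answered the ARP probe (lower-case)
    declined: bool               # True once 'Sending decline!' followed
    local_iface: Optional[str]   # our own interface if the MAC is ours, else None


def parse_dhcpc_debug(text: str, local_macs: Dict[str, str]) -> List[DeclineEvent]:
    """Extract decline events and attribute the answering MAC to a local port."""
    events: List[DeclineEvent] = []
    pending: Optional[DeclineEvent] = None
    for line in text.splitlines():
        m = CONFLICT_RE.search(line)
        if m:
            mac = m.group("mac").lower()
            iface = next((name for name, addr in local_macs.items()
                          if addr.lower() == mac), None)
            pending = DeclineEvent(ip=m.group("ip"), mac=mac,
                                   declined=False, local_iface=iface)
            events.append(pending)
        elif "Sending decline!" in line and pending is not None:
            pending.declined = True
            pending = None
    return events


def diagnose(events: List[DeclineEvent]) -> List[str]:
    """Turn each event into a plain-language verdict for the operator."""
    verdicts = []
    for ev in events:
        if ev.local_iface:
            verdicts.append(
                f"{ev.ip}: ARP reply came from this FortiGate's own {ev.local_iface}; "
                "check for an IP Pool covering this address with ARP Reply enabled "
                "and for the WAN VLAN being present on more than one interface")
        else:
            verdicts.append(
                f"{ev.ip}: ARP reply from external MAC {ev.mac}; "
                "genuine address conflict on the segment")
    return verdicts


if __name__ == "__main__":
    for verdict in diagnose(parse_dhcpc_debug(SAMPLE_DEBUG, LOCAL_IFACE_MACS)):
        print(verdict)
```

Running the script against the sample attributes the replying MAC to port9, which is the situation the article goes on to show in the sniffer output; with a port map that does not contain the MAC, the same line is reported as a genuine conflict with another host.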

'port10' is configured as the DHCP client interface on this FortiGate. The FortiGate acquires a lease for 100.64.0.4, and an ARP request for that address is sent out.

(Screenshot: deny1.PNG)

There is an ARP reply. The MAC address seen in that sniffer correlates with port9, which is on the same VLAN as port10.

(Screenshot: port9.PNG)

The following is the IP Pool configured on this FortiGate. Once 'ARP Reply' is disabled on this IP Pool, the issue no longer occurs.

(Screenshot: ipool.PNG)

With ARP Reply disabled, port9 no longer answers the ARP request. The only MAC seen in the sniffer is that of port10.

(Screenshot: no reply.PNG)

The FortiGate was able to get the lease successfully.

(Screenshot: good.PNG)