Skip to main content
discoscott
discoscott
New Member
September 21, 2015
Question

Secondary FG DHCP server - delay to DHCP DISCOVER requests from DHCP clients

  • September 21, 2015
  • 3 replies
  • 9360 views

I currently have 2 x fortigates configured in a VRRP group. There are 2 x VLANs on both Fortigates and both Fortigates are VRRP master for one VLAN and backup for the subsequent VLAN. e.g. FW1 is master for VLAN 100 and FW2 is master for VLAN 200. FW1 is backup for VLAN 200 and FW2 is backup for VLAN 100.

 

I have configured split DHCP scopes on both fortigates so that if one goes down or connectivity is interupted, the other will serve DHCP addresses to clients.

 

Is there any way to set a delay in DHCP response on the FG to the secondary (VRRP backup) DHCP server so it will only offer an address if the primary VRRP firewall doesnt beat the backup unit? If not - how would I go about having this added as a feature request?

 

I went for VRRP over HA for capacity and granular policy control on the backup VLAN in a fail-over scenario. Session sync is not at all important in the current environment.

 

The alernate solution is to move DHCP server to Windows servers.

 

 

    3 replies

    Toshi_Esumi
    SuperUser
    Toshi_Esumi
    SuperUser
    September 21, 2015

    It probably wouldn't work well if both FGs or any other DHCP server devices share the same range of IPs. Both don't know what the other leased to the clients. 

    discoscott
    discoscottAuthor
    New Member
    September 21, 2015

    The scopes are split so that each FW doesnt need to know about what the other FW has served.

     

    e.g.

     

    FW1 - 192.168.0.1-192.168.0.176

    FW2 - 192.168.0.177-192.168.0.253

     

    Toshi_Esumi
    SuperUser
    Toshi_Esumi
    SuperUser
    September 21, 2015

    If so it wouldn't matter which offer the client picks, wouldn't it?

    discoscott
    discoscottAuthor
    New Member
    September 22, 2015

    Whilst it shouldnt matter which one responds, like a MS Windows DHCP server I would prefer to set which one answers first so as not to exhaust the scope of the backup(secondary) DHCP server.

     

    e.g. FW1 responds immediately for VLAN 100 and FW1 responds after 1500ms for VLAN 200

    then vice versa for FW2 - responds immediately for VLAN 200 and responds after 1500ms for VLAN 100

     

    e.g. In MS Windows you would set a delay under the Advanced tab

    http://blogs.technet.com/b/teamdhcp/archive/2009/01/22/how-to-prevent-address-exhaustion-from-secondary-server-in-split-scope-deployment.aspx

     

    ryan_www
    ryan_www
    Explorer III
    February 19, 2025

    I'd like to see this option too and when a delay is enabled the ability to also forward DHCP to another device so FG could just be a secondary DHCP server.  Or when forwarding is enabled the ability to setup a backup DHCP scope if the DHCP server IP is down.

     

    Also, similar but not directly related it would be nice to be able to sync the FG DHCP database to FMG so you don't loose it when a cold restart happens.

    Terms & ConditionsAccessibility statement