FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard Labs to deliver top-rated protection and high performance, including for encrypted traffic.
sagha, Staff
Article Id 379286
Description This article describes why DHCP fails when DHCP relay is configured on a FortiGate and the DHCP client is dynamically moved to a different VLAN during the DHCP exchange.
Scope FortiGate.
Solution

A DHCP request received on VLAN15 is relayed to the DHCP server configured on that interface (dhcp-relay-ip):

 

config system interface
     edit "VLAN15"
          set vdom "root"
          set dhcp-relay-service enable
          set ip 10.6.4.25 255.255.255.0
          set allowaccess ping
          set snmp-index 40
          set dhcp-relay-ip "10.66.8.100"
          set interface "port1"
          set vlanid 15
     next
end

 

The DHCP request initially fails on VLAN15, because VLAN15 is not the VLAN on which the client should be assigned an address. The sniffer output below was taken with 'diagnose sniffer packet any "port 67 or port 68" 4', whose verbosity level 4 prints the ingress/egress interface name in front of each packet:

 

2025-01-22 14:32:56.660633 VLAN15 in 0.0.0.0.68 -> 255.255.255.255.67: udp 548
2025-01-22 14:32:56.661597 x2 out 10.6.4.25.67 -> 10.66.8.100.67: udp 321

 

In the meantime, the dynamic VLAN assignment takes place on the third-party device, moving the DHCP client into a different VLAN. DHCP requests are then seen on the VLAN25 interface, which is also configured with DHCP relay and is the interface on which the client should receive its IP address:

 

config system interface
    edit "VLAN25"
        set vdom "root"
        set dhcp-relay-service enable
        set ip 10.6.5.25 255.255.255.0
        set allowaccess ping fabric
        set snmp-index 37
        set dhcp-relay-ip "10.40.41.200"
        set interface "port1"
        set vlanid 25
    next
end

 

DHCP still fails at this point. The DHCP Discover received on VLAN25 is relayed to 10.40.41.200, but when the DHCP Offer comes back from that server, FortiGate sends it out via VLAN15 instead of VLAN25, so the client on VLAN25 never sees it:

2025-01-22 10:05:59.519883 VLAN25 in 0.0.0.0.68 -> 255.255.255.255.67: udp 300
2025-01-22 10:05:59.520114 x1 out 10.66.5.25.67 -> 10.40.41.200.67: udp 293


2025-01-22 10:06:00.524934 x1 in 10.40.41.200.67 -> 10.66.5.254.67: udp 300
2025-01-22 10:06:00.525125 VLAN15 out 10.66.4.25.67 -> 255.255.255.255.68: udp 290
<----- Packet being sent out via VLAN15.

Reviewing the packet capture in Wireshark shows the condition that triggers the issue: the DHCP Discover packets sent after the VLAN change reuse the same transaction ID (xid) as the Discover that was first seen on VLAN15. FortiGate associates that transaction ID with the interface on which it first saw it, so the Offer for that xid is returned on VLAN15 even though the latest Discover arrived on VLAN25. In Wireshark, filter on 'dhcp.id == <xid>' (or 'bootp.id' in older versions) to confirm whether the Discovers before and after the VLAN change share the transaction ID.
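The following is an added example (not FortiOS code, whose relay implementation is not public) that reproduces the two checks a practitioner would do here. The first function scans FortiGate sniffer output in the format shown above and flags any DHCP reply broadcast to a client on an interface other than the one the client's last broadcast request arrived on. The second is a deliberately minimal model of relay transaction tracking keyed on the xid: the assumed pre-fix behaviour remembers only the first ingress interface per xid, and the assumed corrected behaviour refreshes it on every Discover. The xid value and the tracking model are assumptions for illustration; the sample capture lines are copied from the article's own excerpt.

```python
import re

# Parses one line of 'diagnose sniffer packet ... 4' output:
# <date> <time> <iface> <in|out> <src>.<sport> -> <dst>.<dport>: udp <len>
SNIFFER_RE = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<iface>\S+) (?P<dir>in|out) "
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) -> "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): udp (?P<len>\d+)$"
)

# Sample capture (copied from the article's excerpt above).
SAMPLE_CAPTURE = """\
2025-01-22 10:05:59.519883 VLAN25 in 0.0.0.0.68 -> 255.255.255.255.67: udp 300
2025-01-22 10:05:59.520114 x1 out 10.66.5.25.67 -> 10.40.41.200.67: udp 293
2025-01-22 10:06:00.524934 x1 in 10.40.41.200.67 -> 10.66.5.254.67: udp 300
2025-01-22 10:06:00.525125 VLAN15 out 10.66.4.25.67 -> 255.255.255.255.68: udp 290
""".splitlines()


def find_misrouted_offers(lines):
    """Return (line, expected_iface, actual_iface) for each DHCP reply that
    is broadcast to a client on a different interface than the one the
    client's most recent broadcast request (0.0.0.0:68 -> 255.255.255.255:67)
    came in on. Only the sniffer's interface/direction/ports are needed."""
    last_client_iface = None
    findings = []
    for line in lines:
        m = SNIFFER_RE.match(line.strip())
        if not m:
            continue
        d = m.groupdict()
        client_bcast_in = (d["dir"] == "in" and d["src"] == "0.0.0.0"
                           and d["dst"] == "255.255.255.255" and d["dport"] == "67")
        server_reply_out = (d["dir"] == "out" and d["dst"] == "255.255.255.255"
                            and d["dport"] == "68")
        if client_bcast_in:
            last_client_iface = d["iface"]
        elif server_reply_out and last_client_iface and d["iface"] != last_client_iface:
            findings.append((line.strip(), last_client_iface, d["iface"]))
    return findings


class RelayState:
    """Minimal model (an assumption, not the FortiOS implementation) of a
    relay that remembers, per xid, which interface to send the Offer to."""

    def __init__(self, relay_ip_by_iface, refresh_on_discover):
        self.relay_ip_by_iface = relay_ip_by_iface  # iface -> dhcp-relay-ip
        self.refresh_on_discover = refresh_on_discover
        self.ingress_by_xid = {}

    def client_to_server(self, xid, ingress):
        """Relay a client Discover; return the server it is forwarded to."""
        # Pre-fix model: keep the first ingress seen for this xid.
        # Corrected model: always record the latest ingress for this xid.
        if self.refresh_on_discover or xid not in self.ingress_by_xid:
            self.ingress_by_xid[xid] = ingress
        return self.relay_ip_by_iface[ingress]

    def server_to_client(self, xid):
        """Return the egress interface chosen for the server's Offer."""
        return self.ingress_by_xid.get(xid)


def simulate(refresh_on_discover):
    """Replay the article's sequence: same xid before and after the move."""
    relay = RelayState({"VLAN15": "10.66.8.100", "VLAN25": "10.40.41.200"},
                       refresh_on_discover)
    xid = 0x3903F326  # assumed value; the client reuses it across the VLAN change
    relay.client_to_server(xid, "VLAN15")  # Discover before dynamic VLAN assignment
    relay.client_to_server(xid, "VLAN25")  # Discover after the client lands on VLAN25
    return relay.server_to_client(xid)     # interface the Offer is sent out on


if __name__ == "__main__":
    for line, expected, actual in find_misrouted_offers(SAMPLE_CAPTURE):
        print(f"reply left via {actual}, last request came in on {expected}: {line}")
    print("pre-fix model sends Offer via", simulate(refresh_on_discover=False))
    print("corrected model sends Offer via", simulate(refresh_on_discover=True))
```

Running this against the article's capture reports the Offer leaving via VLAN15 while the last client broadcast arrived on VLAN25, and the two relay models show VLAN15 versus VLAN25 for the same xid. Note that the sniffer-based check cannot see the xid itself; pair it with the Wireshark 'dhcp.id' filter to confirm the transaction ID is being reused.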

 

The code has been changed to address this, and the behavior is no longer seen from the following releases onward: v7.2.11, v7.4.6, v7.6.1.

 
