kumarh
Staff
Article Id 339802
Description This article describes that if the FortiGate is acting as a DHCP relay and the switch is the downstream device, it is possible to encounter the error 'can't get server id from client message'. The symptom is that the PC is not getting an IP address.
Scope FortiGate.
Solution

Topology:

PC---------Switch1(vlan451)----------Switch2-----------Port 11 - FortiGate Relay - Port 10 ---------DHCP Server.


If DHCP relay is enabled on the FortiGate, run the debugs below and renew the PC IP address:

 

diagnose debug application dhcprelay -1
diagnose debug console timestamp enable
diagnose debug enable

If the issue is occurring, the error 'Warning! can't get server id from client message' appears in the debugs. Make sure that DHCP relay is disabled on the switch.


The error message 'can't get server id from client message' suggests that the FortiGate is having trouble interpreting or processing the DHCP requests from the client. This could be due to interference or duplication of relay attempts.

 

Note: This error does not necessarily mean that the issue is with the DHCP relay on the switch. Make sure that the DISCOVER packets are forwarded to the DHCP server and are visible in the pcap on the relay server.

 

To isolate one trace and analyze the report, the 'xid' can be used (e.g., xid:b3ed0683) in the following way:

 

2025-02-20 12:05:57 (xid:b3ed0683) received request message from 0.0.0.0:68 to 255.255.255.255 at VLAN-34
2025-02-20 12:05:57 (xid:b3ed0683) got a DHCPDISCOVER <-- Received Discover message from client
2025-02-20 12:05:57 (xid:b3ed0683) Warning! can't get server id from client message 
Insert option(82), len(9)
2025-02-20 12:05:57 found route to 192.168.0.1 via 192.168.0.254 iif=29 oif=27/VLAN-32, mode=auto, ifname=
2025-02-20 12:05:57 (xid:b3ed0683) forwarding dhcp request from 192.168.16.254:67 to 192.168.0.1:67
found route to 192.168.4.16 via 10.255.255.2 iif=29 oif=9/internal2, mode=auto, ifname=
2025-02-20 12:05:57 (xid:b3ed0683) forwarding dhcp request from 192.168.16.254:67 to 192.168.4.16:67
2025-02-20 12:05:57 (xid:b3ed0683) received request message from 192.168.4.16:67 to 192.168.16.254 at internal2
2025-02-20 12:05:57 (xid:b3ed0683) got a DHCPOFFER <-- Offer sent from server and passing through FortiGate
2025-02-20 12:05:57 (xid:b3ed0683) from server 192.168.4.16
2025-02-20 12:05:57 (xid:b3ed0683) Send unicast to client, devidx 29 ip 192.168.16.159 mac 3c:6a:a7:8b:2f:13  <-- Offer sent with IP to the specific MAC address
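
The xid-based isolation described above, as an added example that is not part of the original article or of any Fortinet tooling: a Python script that groups saved dhcprelay debug output by xid and reports how far each exchange got. The b3ed0683 lines are taken from the trace above (annotations removed); the a1b2c3d4 lines are constructed, and the function names are this example's own.

```python
import re

# Sample dhcprelay debug output. The b3ed0683 lines come from the trace above;
# the a1b2c3d4 lines are constructed to show a DISCOVER that gets no OFFER.
SAMPLE = """\
2025-02-20 12:05:57 (xid:b3ed0683) received request message from 0.0.0.0:68 to 255.255.255.255 at VLAN-34
2025-02-20 12:05:57 (xid:b3ed0683) got a DHCPDISCOVER
2025-02-20 12:05:57 (xid:b3ed0683) Warning! can't get server id from client message
Insert option(82), len(9)
2025-02-20 12:05:57 (xid:b3ed0683) forwarding dhcp request from 192.168.16.254:67 to 192.168.0.1:67
2025-02-20 12:05:58 (xid:a1b2c3d4) got a DHCPDISCOVER
2025-02-20 12:05:58 (xid:a1b2c3d4) forwarding dhcp request from 192.168.16.254:67 to 192.168.0.1:67
2025-02-20 12:05:57 (xid:b3ed0683) forwarding dhcp request from 192.168.16.254:67 to 192.168.4.16:67
2025-02-20 12:05:57 (xid:b3ed0683) got a DHCPOFFER
2025-02-20 12:05:57 (xid:b3ed0683) from server 192.168.4.16
"""

XID = re.compile(r"\(xid:([0-9a-fA-F]+)\)\s*(.*)")
MSG = re.compile(r"got a (DHCP[A-Z]+)")
FWD = re.compile(r"forwarding dhcp request from \S+ to (\S+?):\d+")
SRV = re.compile(r"from server (\S+)")

def summarize(text):
    """Group debug lines by xid and record how far each exchange got."""
    traces = {}
    for line in text.splitlines():
        m = XID.search(line)
        if not m:  # lines without an xid (route lookups, option 82) are skipped
            continue
        xid, rest = m.groups()
        t = traces.setdefault(xid, {"messages": [], "forwarded_to": [],
                                    "replied": [], "warning": False})
        if (g := MSG.search(rest)):
            t["messages"].append(g.group(1))      # DHCPDISCOVER, DHCPOFFER, ...
        elif (g := FWD.search(rest)):
            t["forwarded_to"].append(g.group(1))  # server the relay sent to
        elif (g := SRV.match(rest)):
            t["replied"].append(g.group(1))       # server that answered
        elif "can't get server id" in rest:
            t["warning"] = True
    return traces

def silent_servers(trace):
    """Servers the relay forwarded to that never answered within this xid."""
    return [s for s in trace["forwarded_to"] if s not in trace["replied"]]

if __name__ == "__main__":
    for xid, t in summarize(SAMPLE).items():
        print(xid, t["messages"], "warning" if t["warning"] else "-", silent_servers(t))
```

An xid whose message list stops at DHCPDISCOVER and whose forwarded servers all appear in `silent_servers` is the one to follow up with a packet capture.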

 

Further troubleshooting should be performed, such as:

 

  1. Taking a packet capture on the firewall and DHCP server to see where the DORA process terminates.
  2. Making sure there is no duplicate scope on the DHCP server.
  3. Using a different or secondary DHCP server to verify whether the issue is with a particular DHCP server.

 

To take the packet capture in the FortiGate GUI, follow the KB article 'Troubleshooting Tip: Packet Capture on FortiOS GUI'. Filter on ports 67 and 68.


To take a packet capture of the traffic via the CLI, run the following command:

 

diagnose sniffer packet <interface> "port 67 or port 68" 6 0 l

 

Related article:

Troubleshooting Tip: DHCP relay issue