salemneaz
Staff
Article Id 393580
Description This article describes the DHCP daemon causing high memory utilization due to frequent DHCPDiscover requests coming from the client.
Scope FortiOS
Solution

FortiGate memory utilization goes high due to clients' frequent 'DHCPDiscover' messages.

 

Once the FortiGate receives a client's 'DHCPDiscover' message, it makes a 'DHCPOffer'. When the 'DHCPDiscover' message is received too frequently from multiple hosts, it may cause memory to spike for a while, depending on the model's available memory.

 

Running the command 'diag debug crashlog read' will show 'Kernel exits extreme low memory mode' and 'Kernel enters extreme low memory mode'.

 

2025-05-20 04:23:59 msg="Kernel exits extreme low memory mode"
2025-05-20 04:24:00 msg="Kernel enters extreme low memory mode"

 

DHCP Debug:

 

diag debug application dhcps -1

diag debug console timestamp en

diag debug enable

 

[note]DHCPDISCOVER from 00:45:6e:xx:xx:xx via port3 (found)
[debug]client suggested lease time as 7776000
max lease time 604800
default lease time 604800

[debug]deled ip 192.168.10.10 mac 00:45:6e:xx:xx:xx in vd root
[debug]deled ip 192.168.10.10 mac 00:45:6e:xx:xx:xx in vd root


During the debug, DHCPDISCOVER requests from MAC address 00:45:6e:xx:xx:xx were received 655 times over a period of approximately 5 minutes. This can be counted with any software that allows word counting, such as Notepad++.
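As an alternative to manual word counting, the following added example (not part of the original article or Fortinet tooling) tallies DHCPDISCOVER lines per MAC address and interface from a saved debug capture and flags clients above a rate limit. The leading timestamp format and the 30-per-minute limit are assumptions; the sample lines are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime

# Matches the dhcps debug line shown in the article; the leading timestamp is
# an assumed format for output captured with console timestamps enabled.
LINE_RE = re.compile(
    r"^(?:(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\s+)?"
    r"\[note\]DHCPDISCOVER from (?P<mac>\S+) via (?P<intf>\S+)"
)

def discover_stats(lines):
    """Return {(mac, intf): {"count", "seconds", "per_min"}} for DHCPDISCOVER lines."""
    seen = defaultdict(lambda: {"count": 0, "first": None, "last": None})
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        entry = seen[(m["mac"].lower(), m["intf"])]
        entry["count"] += 1
        if m["ts"]:
            ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
            entry["first"] = entry["first"] or ts
            entry["last"] = ts
    stats = {}
    for key, e in seen.items():
        seconds = (e["last"] - e["first"]).total_seconds() if e["first"] else None
        # Rate is only meaningful when timestamps span a non-zero window.
        per_min = round(e["count"] * 60 / seconds, 1) if seconds else None
        stats[key] = {"count": e["count"], "seconds": seconds, "per_min": per_min}
    return stats

def noisy_clients(stats, per_min_limit=30):
    """Clients whose DISCOVER rate exceeds the limit (limit is an assumed value)."""
    return sorted(k for k, s in stats.items() if s["per_min"] and s["per_min"] > per_min_limit)

# Constructed sample: one client sending a DISCOVER every second, one normal client.
SAMPLE = [
    f"2025-05-20 04:20:{s:02d} [note]DHCPDISCOVER from 00:45:6e:xx:xx:xx via port3 (found)"
    for s in range(60)
] + [
    "2025-05-20 04:20:10 [debug]client suggested lease time as 7776000",
    "2025-05-20 04:20:15 [note]DHCPDISCOVER from 00:11:22:33:44:55 via port3 (found)",
]

if __name__ == "__main__":
    result = discover_stats(SAMPLE)
    print(result, "over limit:", noisy_clients(result))
```

Lines captured without timestamps are still counted, but no rate is computed for them.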


Run the packet sniffer on ports 67 and 68 using the command below:

 

diag sniffer packet port3 'port 67 or port 68' 4 0 l

 

1 0.000000 192.168.10.10 192.168.10.1 DHCP 342 DHCP Release - Transaction ID 0x829f183e
2 0.180354 0.0.0.0 255.255.255.255 DHCP 344 DHCP Discover - Transaction ID 0x77b3ffeb
3 1.216595 192.168.10.1 255.255.255.255 DHCP 351 DHCP Offer - Transaction ID 0x77b3ffeb
4 1.219283 0.0.0.0 255.255.255.255 DHCP 370 DHCP Request - Transaction ID 0x77b3ffeb
5 1.336097 192.168.10.1 255.255.255.255 DHCP 371 DHCP ACK - Transaction ID 0x77b3ffeb
6 2.929969 192.168.10.10 192.168.10.1 DHCP 342 DHCP Release - Transaction ID 0x4ef0ea03
7 3.014106 0.0.0.0 255.255.255.255 DHCP 344 DHCP Discover - Transaction ID 0x253b5a4

 

Here, note that the client is continuously requesting a DHCP IP. Once the FortiGate makes an offer, the client releases the IP and makes another DHCP Discover request.

 

This continuous request pushes the DHCP process to consume more memory than usual.

 


When the DHCP daemon is terminated with the 'fnsysctl killall dhcpd' command, the memory consumption goes down, but will go up again after an extended period of the client sending continuous requests.

 

In order to resolve this issue permanently, the client needs to be isolated.

 

Related article:

Technical Tip: Diagnosing DHCP on a FortiGate