FortiGate
sjoshi
Staff
Article Id 239332
Description

 

This article describes what the System Events log 'DHCP client is blocked by the DHCP server' means.

 

Scope

 

FortiGate.

 

Solution

 

It is possible to explicitly block certain MAC addresses from obtaining a dynamic IP address when the FortiGate interface is acting as the DHCP server.

 

For example: 

Go to Network -> Interface -> Edit the Interface -> DHCP server -> Advanced -> IP Address Assignment Rules.

 

[Screenshot: IP Address Assignment Rules in the DHCP server Advanced settings]

 

When a MAC address is blocked under the DHCP Advanced settings and the client with that MAC address (00:63:68:61:1f:01 in this example) tries to obtain an IP address via DHCP from the same FortiGate interface, the log 'DHCP client is blocked by the DHCP server' is generated and the client does not receive a dynamic IP address.

 

The log generated under System Events is shown below:

 

[Screenshot: the 'DHCP client is blocked by the DHCP server' entry in System Events]

 

In the debug output, the following messages are generated for the blocked MAC address:

 

xygen-kvm42 # [debug]locate_network prhtype(1) pihtype(1)

[note]DHCPNAK on 192.168.1.111 to 00:63:68:61:1f:01 via port4(ethernet)

[debug]packet length 322

[debug]op = 1  htype = 1  hlen = 6  hops = 0

[debug]xid = e8a78316  secs = 0  flags = 0

[debug]ciaddr = 0.0.0.0

[debug]yiaddr = 0.0.0.0

[debug]siaddr = 0.0.0.0

[debug]giaddr = 0.0.0.0

[debug]chaddr = 00:63:68:61:1f:01

 

[debug]sending using lpf_dhcpd_send_packet

[debug]locate_network prhtype(1) pihtype(1)

[warn]MAC address is blocked

[debug]locate_network prhtype(1) pihtype(1)

[warn]server identifier does not match

[warn]ipsec tun number: 0/0
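When reviewing a saved copy of this debug output, it helps to tie each 'MAC address is blocked' warning back to the client that was refused. The Python script below is an added example, not part of the original article and not Fortinet code. The function name `summarize_blocked` is hypothetical, the sample input is constructed from the lines quoted above, and attributing each warning to the most recent DHCPNAK line is an assumption based on the ordering in that excerpt.

```python
import re
from collections import defaultdict

# Constructed sample: a subset of the debug lines quoted in this article.
SAMPLE = """\
xygen-kvm42 # [debug]locate_network prhtype(1) pihtype(1)
[note]DHCPNAK on 192.168.1.111 to 00:63:68:61:1f:01 via port4(ethernet)
[debug]packet length 322
[debug]chaddr = 00:63:68:61:1f:01
[debug]sending using lpf_dhcpd_send_packet
[debug]locate_network prhtype(1) pihtype(1)
[warn]MAC address is blocked
[debug]locate_network prhtype(1) pihtype(1)
[warn]server identifier does not match
"""

# Matches: [note]DHCPNAK on <ip> to <mac> via <interface>
NAK_RE = re.compile(
    r"^\[note\]DHCPNAK on (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) "
    r"to (?P<mac>[0-9a-f]{2}(?::[0-9a-f]{2}){5}) via (?P<iface>\S+)", re.I)
BLOCKED = "[warn]MAC address is blocked"


def summarize_blocked(debug_text):
    """Return {mac: {"naks": [(ip, iface), ...], "blocked_warnings": n}}."""
    result = defaultdict(lambda: {"naks": [], "blocked_warnings": 0})
    last_mac = None  # MAC from the most recent DHCPNAK line
    for raw in debug_text.splitlines():
        # Drop a leading CLI prompt such as "hostname # " if present.
        line = re.sub(r"^\S+ # ", "", raw.strip())
        m = NAK_RE.match(line)
        if m:
            last_mac = m.group("mac").lower()
            result[last_mac]["naks"].append((m.group("ip"), m.group("iface")))
        elif line == BLOCKED and last_mac is not None:
            # Assumption: the warning belongs to the last NAK'd client.
            result[last_mac]["blocked_warnings"] += 1
    return dict(result)


if __name__ == "__main__":
    for mac, info in summarize_blocked(SAMPLE).items():
        print(mac, info)
```

A MAC address that appears here repeatedly, or on an interface where it is not expected, is worth checking against the IP Address Assignment Rules to confirm the block is intentional.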
