Description
This article describes an issue where iOS and Android devices fail to obtain IP addresses via DHCP when a FortiGate acts as the DHCP server and reaches the end devices through a Layer 2 switch, while Windows clients on the same segment work normally.

Scope
FortiGate with a third-party switch.

Solution
A packet capture taken on the FortiGate may show the DHCP Offer packets as corrupted. Apple and Android devices may also fail to obtain a DHCP address even when no issue is visible at the packet level on the FortiGate. Depending on the downstream switch vendor, malformed DHCP packets may then be observed in Wireshark on the client side of the switch.

Checking the packet-level information shows that the FortiGate responds to DHCP Discover messages correctly, but Apple and Android devices may never reply with a DHCP Request, while Windows machines complete the DHCP DORA exchange (Discover, Offer, Request, Acknowledge) successfully.

This issue is linked to DHCP snooping being enabled on the intermediate switch. An improperly configured snooping feature modifies the DHCP packets passing through it, and mobile OS clients are the ones that reject the modified packets.

In this example scenario, the third-party switch modified the DHCP Offer messages on the client side.

Recommendation: Validate the DHCP snooping configuration on the downstream switch to determine whether it is truncating the DHCP packets or inserting DHCP Option 82 (relay agent information), either of which causes the DHCP Offers to appear malformed to the client.
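As an added example (not part of the original article and not a Fortinet tool), the following Python script parses raw DHCP payloads and flags the two kinds of mangling described above: an option area that is cut short, and an Option 82 that a snooping switch inserted and did not strip. The three packets it checks are constructed inline; the MAC address, transaction ID and IP addresses are made-up values. To apply it to a real case, feed it the UDP payload bytes of the same Offer captured once on the FortiGate and once on the client side of the switch, and compare the two reports.

```python
"""Check server->client DHCP payloads for truncation and for a leftover Option 82.
Constructed example; the packets below are built in code, not taken from a capture."""
import struct

MAGIC_COOKIE = b"\x63\x82\x53\x63"
FIXED_HEADER_LEN = 236          # op .. file fields (RFC 2131 section 2)
OPT_PAD, OPT_END = 0, 255
OPT_SUBNET, OPT_ROUTER, OPT_LEASE = 1, 3, 51
OPT_MSG_TYPE, OPT_SERVER_ID, OPT_RELAY_AGENT = 53, 54, 82
BOOTREPLY = 2
MSG_TYPES = {1: "DISCOVER", 2: "OFFER", 3: "REQUEST", 5: "ACK", 6: "NAK"}


def build_dhcp(op, xid, yiaddr, chaddr, options):
    """Assemble a BOOTP/DHCP payload (UDP data only) from (code, value) options."""
    header = struct.pack("!BBBBIHH4s4s4s4s16s64s128s",
                         op, 1, 6, 0, xid, 0, 0,
                         b"\0" * 4, yiaddr, b"\0" * 4, b"\0" * 4,
                         chaddr.ljust(16, b"\0"), b"\0" * 64, b"\0" * 128)
    body = b"".join(bytes([code, len(value)]) + value for code, value in options)
    return header + MAGIC_COOKIE + body + bytes([OPT_END])


def insert_option82(pkt, circuit_id=b"port12", remote_id=bytes.fromhex("aabbccddeeff")):
    """Mimic a snooping switch that appends Option 82 (circuit-id + remote-id
    sub-options) in front of the END option. Sample values are constructed."""
    sub = bytes([1, len(circuit_id)]) + circuit_id + bytes([2, len(remote_id)]) + remote_id
    return pkt[:-1] + bytes([OPT_RELAY_AGENT, len(sub)]) + sub + bytes([OPT_END])


def parse_options(data):
    """Walk the TLV option area. Returns (options, terminated); terminated is False
    when no END option is reached or a length byte points past the buffer, which is
    what a truncated packet looks like."""
    options, i = [], 0
    while i < len(data):
        code = data[i]
        if code == OPT_PAD:
            i += 1
            continue
        if code == OPT_END:
            return options, True
        if i + 1 >= len(data):
            return options, False
        length = data[i + 1]
        value = data[i + 2:i + 2 + length]
        if len(value) < length:
            return options, False
        options.append((code, value))
        i += 2 + length
    return options, False


def analyze_offer(pkt):
    """Report on one server->client DHCP payload as the client would see it."""
    report = {"msg_type": "MISSING", "option82": False, "truncated": False, "issues": []}
    if len(pkt) < FIXED_HEADER_LEN + 4 or pkt[FIXED_HEADER_LEN:FIXED_HEADER_LEN + 4] != MAGIC_COOKIE:
        report["truncated"] = True
        report["issues"].append("fixed header or magic cookie missing: packet cut short or corrupted")
        return report
    if pkt[0] != BOOTREPLY:
        report["issues"].append(f"op={pkt[0]}, expected BOOTREPLY (2) in a server reply")
    if pkt[16:20] == b"\0" * 4:                       # yiaddr field
        report["issues"].append("yiaddr is 0.0.0.0: no address is actually being offered")
    options, terminated = parse_options(pkt[FIXED_HEADER_LEN + 4:])
    codes = dict(options)
    mt = codes.get(OPT_MSG_TYPE)
    if mt:
        report["msg_type"] = MSG_TYPES.get(mt[0], f"UNKNOWN({mt[0]})")
    if not terminated:
        report["truncated"] = True
        report["issues"].append("option area not terminated by END (255): packet truncated in transit")
    if report["msg_type"] == "MISSING":
        report["issues"].append("Option 53 (message type) absent")
    elif report["msg_type"] not in ("OFFER", "ACK"):
        report["issues"].append(f"unexpected message type {report['msg_type']} in a server reply")
    if OPT_RELAY_AGENT in codes:
        report["option82"] = True
        report["issues"].append(f"Option 82 present ({len(codes[OPT_RELAY_AGENT])} bytes): "
                                "the relay/snooping device is expected to strip it before the client sees the reply")
    for code, name in ((OPT_SERVER_ID, "server identifier"), (OPT_SUBNET, "subnet mask"), (OPT_LEASE, "lease time")):
        if code not in codes:
            report["issues"].append(f"Option {code} ({name}) missing")
    return report


def constructed_samples():
    """Three constructed payloads: the Offer as sent, and two mangled variants."""
    xid, mac = 0x3903F326, bytes.fromhex("a45e60112233")            # made-up values
    good = build_dhcp(BOOTREPLY, xid, bytes([192, 168, 1, 50]), mac, [
        (OPT_MSG_TYPE, b"\x02"), (OPT_SERVER_ID, bytes([192, 168, 1, 1])),
        (OPT_LEASE, struct.pack("!I", 86400)), (OPT_SUBNET, bytes([255, 255, 255, 0])),
        (OPT_ROUTER, bytes([192, 168, 1, 1]))])
    return {"as sent by the DHCP server": good,
            "with Option 82 inserted by the switch": insert_option82(good),
            "truncated inside the option area": good[:-9]}   # cut mid-option, as a mangling switch might


if __name__ == "__main__":
    for label, pkt in constructed_samples().items():
        r = analyze_offer(pkt)
        print(f"{label}: type={r['msg_type']} option82={r['option82']} truncated={r['truncated']}")
        for issue in r["issues"]:
            print("   -", issue)
```

A clean Offer produces an empty issue list; the Option 82 variant is flagged once, and the truncated variant is flagged for the missing END option plus whichever options were lost. If the FortiGate-side capture is clean and only the client-side capture shows findings, the switch between them is the device rewriting the packets.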
Copyright 2025 Fortinet, Inc. All Rights Reserved.