Technical Tip: Understanding DHCP Server and DHCP Relay functionality on FortiGate

This article will examine the DHCP DORA process, concentrating on the request phase to a FortiGate or if the FortiGate acts as a relay and the NAK (Negative Acknowledgment) response.

Generally, the DHCP DORA process has four stages: Discover, Offer, Request, and Acknowledge. Next to the process, there is the debug that can be seen on the FortiGate when running the DHCP or DHCP Relay debugs:

DHCP server Debugs (if FortiGate is the DHCP server):

diag debug reset
diag debug application dhcps -1
diagnose debug enable

DHCP Relay:

diag debug reset

diagnose debug application dhcprelay -1

diagnose debug enable

Sample debugs while FortiGate is configured as DHCP server:

[note]DHCPDISCOVER from 00:45:xx:xx:xx:xx via port2(ethernet)  <----- DHCP Discover.

[debug]packet length 302

[debug]op = 1  htype = 1  hlen = 6  hops = 0

[debug]xid = 667f0f59  secs = 0  flags = 0

[debug]ciaddr = 0.0.0.0

[debug]yiaddr = 0.0.0.0

[debug]siaddr = 0.0.0.0

[debug]giaddr = 0.0.0.0

[debug]chaddr = 00:45:6e:64:64:01

[debug]filename =

[debug]server_name =

[debug]  host-name = "DESKTOP-OLGFQ84"

[debug]  dhcp-requested-address = 192.168.1.2

[debug]  dhcp-message-type = 1

[debug]  dhcp-parameter-request-list = 1,3,6,15,31,33,43,44,46,47,119,121,249,252

[debug]  dhcp-class-identifier = "MSFT 5.0"

[debug]  dhcp-client-identifier = 1:0:45:6e:64:64:1

[debug]Sending ICMP echo-request to 192.168.1.2

[note]DHCPOFFER on 192.168.1.2 to 00:45:xx:xx:xx:xx via port2(ethernet)    <----- DHCP Offer.

[debug]sending on port2(ethernet)

[debug]sending using lpf_dhcpd_send_packet

[debug]locate_network prhtype(1) pihtype(1)

[debug]find_lease(): packet contains preferred client IP, cip.s_addr is 192.168.1.2

[debug]find_lease(): leaving function with lease set

[debug]find_lease(): the lease's IP is 192.168.1.2

[note]DHCPREQUEST for 192.168.1.2 from 00:45:xx:xx:xx:xx via port2(ethernet)    <----- DHCP Request.

[debug]added ip 192.168.1.2 mac 00:45:6e:64:64:01 in vd root

[debug]packet length 328

[debug]op = 1  htype = 1  hlen = 6  hops = 0

[debug]xid = 667f0f59  secs = 0  flags = 0

[debug]ciaddr = 0.0.0.0

[debug]yiaddr = 0.0.0.0

[debug]siaddr = 0.0.0.0

[debug]giaddr = 0.0.0.0

[debug]chaddr = 00:45:6e:64:64:01

[debug]filename =

[debug]server_name =

[debug]  host-name = "DESKTOP-OLGFQ84"

[debug]  dhcp-requested-address = 192.168.1.2

[debug]  dhcp-message-type = 3

[debug]  dhcp-server-identifier = 192.168.1.1

[debug]  dhcp-parameter-request-list = 1,3,6,15,31,33,43,44,46,47,119,121,249,252

[debug]  dhcp-class-identifier = "MSFT 5.0"

[debug]  dhcp-client-identifier = 1:0:45:6e:64:64:1

[debug]  option-81 = 0:0:0:44:45:53:4b:54:4f:50:2d:4f:4c:47:46:51:38:34

[note]DHCPACK on 192.168.1.2 to 00:45:xx:xx:xx:xx via port2(ethernet)    <----- DHCP Acknowledge.

[debug]sending on port2(ethernet)

[debug]sending using lpf_dhcpd_send_packet

Discover (DHCPDISCOVER from 00:45:xx:xx:xx:xx via port2(ethernet):(

• A client device broadcasts a DHCP Discover message when it joins a network to find any DHCP servers that are accessible.
• When a Discover message is received, the FortiGate, which is also a DHCP server, is ready to respond with an IP address and configuration information.

Offer (DHCPOFFER on 192.168.1.2 to 00:45:xx:xx:xx:xx via port2(ethernet)):

• The FortiGate DHCP server/External DHCP server (FortiGate acting as Relay) answers the Discover message with a DHCP Offer message.
• A client-useable IP address and other setup options are included in the Offer message.
• From the FortiGate device to the client, the Offer message is transmitted as an unicast.

Request (DHCPREQUEST for 192.168.1.2 from 00:45:xx:xx:x:xx via port2(ethernet):(

• The client chooses one from a number of Offer messages and communicates with the DHCP server by sending a DHCP Request message.
• The Request message contains the configuration settings and the IP address that the client has selected.
• From the client to the FortiGate, the Request message is forwarded as an unicast.

Acknowledge (DHCPACK on 192.168.1.2 to 00:45:xx:xx:xx:xx via port2(ethernet):(

• The DHCP server checks the requested IP address and configuration settings after receiving the Request message.
• The DHCP Server sends a DHCP Acknowledge (ACK) message to the client if the requested IP address is accessible and the configuration settings are correct.
• The ACK message validates the IP address's assignment and offers more configuration information.
• The client receives the ACK message as an unicast from the FortiGate device.

Sample debugs while FortiGate is configured as DHCP Relay:

Topology:

DHCP client - 10.1.30.1 (internal3) -  [FGT DHCP Relay] - (internal6) 10.1.60.1 - routed network -10.2.100.3 DHCP Server

Packet capture snippets :

 DHCP Relay debugs:

(xid:e590fa76) received request message from 0.0.0.0:68 to 255.255.255.255 at internal3
(xid:e590fa76) got a DHCPDISCOVER
(xid:e590fa76) Warning! can't get server id from client message
Insert option(82), len(11)
found route to 10.2.100.3 via 10.1.30.1 iif=10 oif=13/internal6, mode=auto, ifname=
(xid:e590fa76) forwarding dhcp request from 10.1.30.1:67 to 10.2.100.3:67
(xid:e590fa76) received request message from 10.2.100.3:67 to 10.1.30.1 at internal6
(xid:e590fa76) got a DHCPOFFER
(xid:e590fa76) from server 10.2.100.3
(xid:e590fa76) sending dhcp reply from 10.1.30.1:67 to 255.255.255.255:68
(xid:e590fa76) received request message from 0.0.0.0:68 to 255.255.255.255 at internal3
(xid:e590fa76) got a DHCPREQUEST
Insert option(82), len(11)
found route to 10.2.100.3 via 10.1.30.1 iif=10 oif=13/internal6, mode=auto, ifname=
(xid:e590fa76) forwarding dhcp request from 10.1.30.1:67 to 10.2.100.3:67
(xid:e590fa76) received request message from 10.2.100.3:67 to 10.1.30.1 at internal6
(xid:e590fa76) got a DHCPACK
(xid:e590fa76) from server 10.2.100.3
(xid:e590fa76) sending dhcp reply from 10.1.30.1:67 to 255.255.255.255:68

Pointers to note:

(xid:e590fa76) -- DHCP transaction ID as seen on DHCP relay debug.

Insert option(82), len(11) -- Option 82 is the relay agent information option and is inserted by the DHCP relay agent when forwarding client-originated DHCP packets to a DHCP server.

forwarding dhcp request from 10.1.30.1:67 to 10.2.100.3:67 - DHCP relay agent and DHCP server communicates over unicast with the source IP being the interface that receives the DHCP request.

Sample DHCP relay packet captures in pcap format are attached.

NACK/NAK (Negative Acknowledgment) :

There can be a situation where after the client has sent the Request to get one of the IP addresses that was offered, the DHCP server sends out NACK/NAK resulting in not getting the desired IP address.

NACK/NAK (Negative Acknowledgment) Response:

• The DHCP server may occasionally reply with a NACK message rather than an ACK (Acknowledgment) response.
• When a DHCP server receives a DHCP Request message but cannot identify any lease records that match, the DHCP server sends a DHCP NAK message to inform the DHCP client that no IP address is available.
• The DHCP server sends the NACK message to the client as an unicast.
• When the DHCP Server is a FortiGate, the negative acknowledgment as 'DHCPNAK' in the 'diagnose debug application dhcps -1' command will be found.

Troubleshooting DHCP DORA Process with NACK:

A captured NAK response on Wireshark looks like the below:

If there are problems with the DHCP DORA process and the DHCP client receives a NAK response, take a look at the following troubleshooting steps:

• Check the configuration of the DHCP server:
  Make sure that the DHCP server is set up correctly with the appropriate IP address range and available configuration settings.
  Examine the system for any conflicts or misconfigurations that can prohibit the DHCP server from providing IP addresses.
• Verify the IP address pool:
  Make that there are addresses available to allocate clients in the IP address pool that is defined on the DHCP server.
  Make sure the pool size is adequate to support the number of networked devices.
• Examine the DHCP server logs:

On the FortiGate check general configuration problems, warning messages about the DHCP Request, and NAK answers.

• Look for any particular error messages or codes that may shed light on the problem. If FortiGate is acting as a relay, check for the logs of the external DHCP server itself (to see why it responds with NAK).

• Make sure the network is connected:
  To contact the DHCP server, confirm that the client device issuing the DHCP Request message has enough network connectivity.
  Verify the network for any problems, such as VLAN configuration errors or firewall settings that can prevent DHCP transmission. 

Other DHCP messages could be:

DHCP Decline (DECLINE):

If the user detects that the offered IP address is already in use on the network, it may send a DHCP Decline message to inform the server that the address is not available.

DHCP Release (RELEASE):

When a DHCP client no longer needs its assigned IP address (e.g., when disconnecting from the network), it sends a DHCP Release message to the server. This allows the server to reclaim the IP address and update its lease pool.

DHCP Inform (INFORM):

A DHCP client may send a DHCP Inform message to a DHCP server to obtain additional configuration information, even if it already has an IP address. This is often used for supplementary options.

Related articles:

Troubleshooting Tip: Check DHCP Messages with VLAN Tag using Wireshark Packet Capture

Technical Tip: Diagnosing DHCP on a FortiGate

Troubleshooting Tip: DHCP relay issue