This article will examine the DHCP DORA process, concentrating on the request phase to a FortiGate, or if the FortiGate acts as a relay and the NAK (Negative Acknowledgment) response.

Generally, the DHCP DORA process has four stages: Discover, Offer, Request, and Acknowledge. There is the debug that can be seen on the FortiGate when running the DHCP or DHCP Relay debugs:

DHCP server Debugs (if FortiGate is the DHCP server):

diagnose debug reset
diagnose debug application dhcps -1
diagnose debug enable

To stop the debug, run the following commands: 

diagnose debug disable

diagnose debug reset

DHCP Relay:

diagnose debug reset

diagnose debug application dhcprelay -1

diagnose debug enable

To stop the debug, run the following commands: 

diagnose debug disable

diagnose debug reset

1. Sample debugs while FortiGate is configured as DHCP server:

[note]DHCPDISCOVER from 00:45:xx:xx:xx:xx via port2(ethernet)  <----- DHCP Discover.

[debug]packet length 302

[debug]op = 1  htype = 1  hlen = 6  hops = 0

[debug]xid = 667f0f59  secs = 0  flags = 0

[debug]ciaddr = 0.0.0.0

[debug]yiaddr = 0.0.0.0

[debug]siaddr = 0.0.0.0

[debug]giaddr = 0.0.0.0

[debug]chaddr = 00:45:6e:64:64:01

[debug]filename =

[debug]server_name =

[debug]  host-name = "DESKTOP-OLGFQ84"

[debug]  dhcp-requested-address = 192.168.1.2

[debug]  dhcp-message-type = 1

[debug]  dhcp-parameter-request-list = 1,3,6,15,31,33,43,44,46,47,119,121,249,252

[debug]  dhcp-class-identifier = "MSFT 5.0"

[debug]  dhcp-client-identifier = 1:0:45:6e:64:64:1

[debug]Sending ICMP echo-request to 192.168.1.2

[note]DHCPOFFER on 192.168.1.2 to 00:45:xx:xx:xx:xx via port2(ethernet)    <----- DHCP Offer.

[debug]sending on port2(ethernet)

[debug]sending using lpf_dhcpd_send_packet

[debug]locate_network prhtype(1) pihtype(1)

[debug]find_lease(): packet contains preferred client IP, cip.s_addr is 192.168.1.2

[debug]find_lease(): leaving function with lease set

[debug]find_lease(): the lease's IP is 192.168.1.2

[note]DHCPREQUEST for 192.168.1.2 from 00:45:xx:xx:xx:xx via port2(ethernet)    <----- DHCP Request.

[debug]added ip 192.168.1.2 mac 00:45:6e:64:64:01 in vd root

[debug]packet length 328

[debug]op = 1  htype = 1  hlen = 6  hops = 0

[debug]xid = 667f0f59  secs = 0  flags = 0

[debug]ciaddr = 0.0.0.0

[debug]yiaddr = 0.0.0.0

[debug]siaddr = 0.0.0.0

[debug]giaddr = 0.0.0.0

[debug]chaddr = 00:45:6e:64:64:01

[debug]filename =

[debug]server_name =

[debug]  host-name = "DESKTOP-OLGFQ84"

[debug]  dhcp-requested-address = 192.168.1.2

[debug]  dhcp-message-type = 3

[debug]  dhcp-server-identifier = 192.168.1.1

[debug]  dhcp-parameter-request-list = 1,3,6,15,31,33,43,44,46,47,119,121,249,252

[debug]  dhcp-class-identifier = "MSFT 5.0"

[debug]  dhcp-client-identifier = 1:0:45:6e:64:64:1

[debug]  option-81 = 0:0:0:44:45:53:4b:54:4f:50:2d:4f:4c:47:46:51:38:34

[note]DHCPACK on 192.168.1.2 to 00:45:xx:xx:xx:xx via port2(ethernet)    <----- DHCP Acknowledge.

[debug]sending on port2(ethernet)

[debug]sending using lpf_dhcpd_send_packet

Discover (DHCPDISCOVER from 00:45:xx:xx:xx:xx via port2(ethernet):(

• A client device broadcasts a DHCP Discover message when it joins a network to find any DHCP servers that are accessible.
• When a Discover message is received, the FortiGate, which is also a DHCP server, is ready to respond with an IP address and configuration information.

Offer (DHCPOFFER on 192.168.1.2 to 00:45:xx:xx:xx:xx via port2(ethernet)):

• The FortiGate DHCP server/External DHCP server (FortiGate acting as Relay) answers the Discover message with a DHCP Offer message.
• A client-useable IP address and other setup options are included in the Offer message.
• From the FortiGate device to the client, the Offer message is transmitted as an unicast.

Request (DHCPREQUEST for 192.168.1.2 from 00:45:xx:xx:x:xx via port2(ethernet):(

• The client chooses one from a number of Offer messages and communicates with the DHCP server by sending a DHCP Request message.
• The Request message contains the configuration settings and the IP address that the client has selected.
• From the client to the FortiGate, the Request message is forwarded as an unicast.

Acknowledge (DHCPACK on 192.168.1.2 to 00:45:xx:xx:xx:xx via port2(ethernet):(

• The DHCP server checks the requested IP address and configuration settings after receiving the Request message.
• The DHCP Server sends a DHCP Acknowledge (ACK) message to the client if the requested IP address is accessible and the configuration settings are correct.
• The ACK message validates the IP address's assignment and offers more configuration information.
• The client receives the ACK message as an unicast from the FortiGate device.

To check the DHCP lease list from the GUI, go to Dashboard -> Network -> Hover over the DHCP widget, and select to expand.

Use the following CLI command to view the assigned IP addresses by FortiGate as a DHCP Server :

execute dhcp lease-list

2. Sample debugs while FortiGate is configured as DHCP Relay: To get the packet capture of DHCP relay traffic in FortiGate GUI, the following KB article, Troubleshooting Tip: Packet Capture on FortiOS GUI can be followed. Filter ports 67 and 68.

To get packet capture of the traffic via CLI command:

diagnose sniffer packet <interface> "port 67 or port 68" 6 0 l

Topology:

DHCP client - 10.1.30.1 (internal3) -  [FGT DHCP Relay] - (internal6) 10.1.60.1 - routed network -10.2.100.3 DHCP Server.

Packet capture snippets :

 DHCP Relay debugs:

(xid:e590fa76) received request message from 0.0.0.0:68 to 255.255.255.255 at internal3
(xid:e590fa76) got a DHCPDISCOVER
(xid:e590fa76) Warning! can't get server id from client message
Insert option(82), len(11)
found route to 10.2.100.3 via 10.1.30.1 iif=10 oif=13/internal6, mode=auto, ifname=
(xid:e590fa76) forwarding dhcp request from 10.1.30.1:67 to 10.2.100.3:67
(xid:e590fa76) received request message from 10.2.100.3:67 to 10.1.30.1 at internal6
(xid:e590fa76) got a DHCPOFFER
(xid:e590fa76) from server 10.2.100.3
(xid:e590fa76) sending dhcp reply from 10.1.30.1:67 to 255.255.255.255:68
(xid:e590fa76) received request message from 0.0.0.0:68 to 255.255.255.255 at internal3
(xid:e590fa76) got a DHCPREQUEST
Insert option(82), len(11)
found route to 10.2.100.3 via 10.1.30.1 iif=10 oif=13/internal6, mode=auto, ifname=
(xid:e590fa76) forwarding dhcp request from 10.1.30.1:67 to 10.2.100.3:67
(xid:e590fa76) received request message from 10.2.100.3:67 to 10.1.30.1 at internal6
(xid:e590fa76) got a DHCPACK
(xid:e590fa76) from server 10.2.100.3
(xid:e590fa76) sending dhcp reply from 10.1.30.1:67 to 255.255.255.255:68

Pointers to note:

(xid:e590fa76) -- DHCP transaction ID as seen on DHCP relay debug.

Insert option(82), len(11) -- Option 82 is the relay agent information option and is inserted by the DHCP relay agent when forwarding client-originated DHCP packets to a DHCP server.

forwarding dhcp request from 10.1.30.1:67 to 10.2.100.3:67 - DHCP relay agent and DHCP server communicates over unicast with the source IP being the interface that receives the DHCP request.

Sample DHCP relay packet captures in pcap format are attached.

NACK/NAK (Negative Acknowledgment) :

There can be a situation where, after the client has sent the Request to get one of the IP addresses that was offered, the DHCP server sends out NACK/NAK, resulting in not getting the desired IP address.

NACK/NAK (Negative Acknowledgment) Response:

• The DHCP server may occasionally reply with a NACK message rather than an ACK (Acknowledgment) response.
• When a DHCP server receives a DHCP Request message but cannot identify any lease records that match, the DHCP server sends a DHCP NAK message to inform the DHCP client that no IP address is available.
• The DHCP server sends the NACK message to the client as an unicast.
• When the DHCP Server is a FortiGate, the negative acknowledgment as 'DHCPNAK' in the 'diagnose debug application dhcps -1' command will be found.

Troubleshooting DHCP DORA Process with NACK:

A captured NAK response on Wireshark looks like the below:

If there are problems with the DHCP DORA process and the DHCP client receives a NAK response, take a look at the following troubleshooting steps:

• Check the configuration of the DHCP server:
  Make sure that the DHCP server is set up correctly with the appropriate IP address range and available configuration settings.
  Examine the system for any conflicts or misconfigurations that can prohibit the DHCP server from providing IP addresses.
• Verify the IP address pool:
  Make sure that there are addresses available to allocate clients in the IP address pool that is defined on the DHCP server.
  Make sure the pool size is adequate to support the number of networked devices.
• Examine the DHCP server logs:

On the FortiGate, check general configuration problems, warning messages about the DHCP Request, and NAK answers.

• Look for any particular error messages or codes that may shed light on the problem. If FortiGate is acting as a relay, check for the logs of the external DHCP server itself (to see why it responds with NAK).

• Make sure the network is connected:
  To contact the DHCP server, confirm that the client device issuing the DHCP Request message has enough network connectivity.
  Verify the network for any problems, such as VLAN configuration errors or firewall settings that can prevent DHCP transmission. 

Other DHCP messages could be:

DHCP Decline (DECLINE):

If the user detects that the offered IP address is already in use on the network, it may send a DHCP Decline message to inform the server that the address is not available.

DHCP Release (RELEASE):

When a DHCP client no longer needs its assigned IP address (e.g., when disconnecting from the network), it sends a DHCP Release message to the server. This allows the server to reclaim the IP address and update its lease pool.

DHCP Inform (INFORM):

A DHCP client may send a DHCP Inform message to a DHCP server to obtain additional configuration information, even if it already has an IP address. This is often used for supplementary options.

Related articles:

Troubleshooting Tip: Check DHCP Messages with VLAN Tag using Wireshark Packet Capture

Technical Tip: Diagnosing DHCP on a FortiGate

Troubleshooting Tip: DHCP relay issue