Help
FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
ChrisTan
Staff
Staff

Created on ‎06-30-2022 11:58 PM Edited on ‎02-03-2025 10:27 PM By Community Manager

Article Id 215535

Troubleshooting Tip: DHCP relay issue

Description This article describes how to troubleshoot the DHCP relay if the DHCP client cannot be assigned an IP address.
Scope FortiGate.
Solution

Topology:

 

Host(DHCP client)----(port2 10.57.1.147)FGT(port1 10.56.241.147)---------(10.56.241.172)DHCP Server.

 

  1. Verify if the route to the DHCP Server is intact, and is reachable by ping (this depends if the DHCP Server allows ping or not).

 

get router info routing-table details <DHCP Server IP>

execute ping <DHCP Server IP>

 

  1. Make sure packet capture on port2 can receive DHCP requests from the client.

 

Take packet capture on the Ingress interface of the client on FortiGate via the packet capture function, filtering ports 67, and 68.

 

2022-06-23_10h38_39.png


CLI command :

 

diagnose sniffer packet <interface> "port 67 or port 68" 6 0 l

 

If a specific client MAC Address is required to be checked, run the following Sniffer and provide it to TAC to convert it to PCAP:

 

diagnose sniffer packet <interface> "ether host aa:bb:cc:dd:ee:ff" 6 0 l

 

Note:

A specific interface is required to filter the sniffer using MAC Address. Interface 'any' cannot be used.

 

  1. Run the same packet capture on the outgoing interface to verify if the DHCP request was sent through the DHCP server:

 

2022-06-23_10h51_08.png

 

To verify the client's DHCP Discover request is sent out, filter the outgoing interface packet capture using the filter: dhcp.hw.mac_addr == AA:BB:CC:DD:EE:FF, whereby AA:BB:CC:DD:EE:FF is the client's MAC address.

 

If it is seen, it means FortiGate has sent out the client's DHCP Discover, and further checks would need to be done on the DHCP Server.

 

Note:

It would be FortiGate's internal IP address 10.57.1.147 (the interface that faces the DHCP client) and NOT the external IP address 10.56.241.147 that sends DHCP Discover to the DHCP relay server.

It would cause no reply if the DHCP server did not have the route to the 10.57.1.0/24 subnet.

 

  1. Checking route back to 10.57.1.0/24 subnet on DHCP server.

 

In this example, a static route is added to the DHCP server:

 

route add 10.57.1.0/24 MASK 255.255.255.0 10.56.241.147.

 

After that, FortiGate will receive a DHCP offer and ACK.

 

2022-07-01_15h32_47.png

 

FortiGate then forwards ACK with the new IP address 10.57.1.2 to the Host.

 

ack.png

 

Since the DHCP client will not be under the same subnet as the DHCP server, it is important to configure another IP address pool (10.57.1.0/24) for the port2 LAN subnet in the DHCP server.

 

Also, run dhcprelay debugs as mentioned below:

 

diagnose debug application dhcprelay -1
diagnose debug console timestamp enable
diagnose debug enable

 

Collect the reproduction logs, then disable debug:

 

diagnose debug reset
diagnose debug disable
27776
0 Kudos
Suggest New Article
Article Feedback
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2025 Fortinet, Inc. All Rights Reserved.