heljag
Staff
Article Id 325473
Description

This article describes possible reasons why FortiGate is not assigning a DHCP lease to a machine for a specific subnet configured in a scope.

Scope

FortiGate.
Solution

Diagram: diagram_DHCP.png (image not reproduced in this text)

DHCP Server config:

config system dhcp server
    edit 16
        set lease-time 86400
        set domain "redseamall.com"
        set default-gateway 192.168.100.10
        set netmask 255.255.255.0
        set interface "port1"
        config ip-range
            edit 1
                set start-ip 192.168.100.21
                set end-ip 192.168.100.245
            next
        end
        config options
            edit 1
                set code 150
                set type ip
                set ip "192.168.100.7"
            next
        end
        set dns-server1 172.18.150.1
        set dns-server2 8.8.4.4
        set dns-server3 8.8.8.8
    next
    edit 2
        set dns-service default
        set default-gateway 172.18.150.1
        set netmask 255.255.255.0
        set interface "port1"
    next
    edit 1
        set domain "redseamall.com"
        set default-gateway 172.18.120.1
        set netmask 255.255.255.0
        set interface "port1"
        config ip-range
            edit 1
                set start-ip 172.18.120.50
                set end-ip 172.18.120.200
            next
        end
        set dns-server1 172.18.150.1
        set dns-server2 8.8.4.4
        set dns-server3 8.8.8.8
    next
end

When a client on VLAN 1 requests an IP from the 172.18.120.0/24 scope (the 'edit 1' entry), FortiGate assigns a lease to the machine:

DHCP_Server # diagnose debug application dhcps -1
Debug messages will be on for 30 minutes.


...
[note]DHCPDISCOVER from 00:75:6e:69:05:02 via 172.18.120.1(ethernet)
[debug]deled ip 172.18.120.50 mac 00:75:6e:69:05:02 in vd root
[debug]added ip 172.18.120.50 mac 00:75:6e:69:05:02 in vd root
[debug]packet length 305
[debug]op = 1 htype = 1 hlen = 6 hops = 1
[debug]xid = f8d2c223 secs = 0 flags = 0
[debug]ciaddr = 0.0.0.0
[debug]yiaddr = 0.0.0.0
[debug]siaddr = 0.0.0.0
[debug]giaddr = 172.18.120.1
[debug]chaddr = 00:75:6e:69:05:02
[debug]filename =
[debug]server_name =
[debug] host-name = "universe-esx05"
[debug] dhcp-message-type = 1
[debug] dhcp-parameter-request-list = 1,3,6,15,31,33,43,44,46,47,121,249,252
[debug] dhcp-class-identifier = "MSFT 5.0"
[debug] dhcp-client-identifier = 1:0:75:6e:69:5:2
[debug] option-82 = 1:7:76:6c:61:6e:31:32:35
[debug]
...
[note]DHCPOFFER on 172.18.120.50 to 00:75:6e:69:05:02 via 172.18.120.1(ethernet)
...
[debug]sending on port1(ethernet)
[debug]locate_network prhtype(1) pihtype(1)
[debug]find_lease(): packet contains preferred client IP, cip.s_addr is 172.18.120.50
[debug]find_lease(): leaving function with lease set
[debug]find_lease(): the lease's IP is 172.18.120.50
[note]DHCPREQUEST for 172.18.120.50 from 00:75:6e:69:05:02 via 172.18.120.1(ethernet)
[debug]DHCP client doesn't want DHCP server to perform A RR (FQDN-to-address) DNS updates.
[debug]deled ip 172.18.120.50 mac 00:75:6e:69:05:02 in vd root
[debug]added ip 172.18.120.50 mac 00:75:6e:69:05:02 in vd root
[debug]packet length 348
[debug]op = 1 htype = 1 hlen = 6 hops = 1
[debug]xid = f8d2c223 secs = 0 flags = 0
[debug]ciaddr = 0.0.0.0
[debug]yiaddr = 0.0.0.0
[debug]siaddr = 0.0.0.0
[debug]giaddr = 172.18.120.1
[debug]chaddr = 00:75:6e:69:05:02
[debug]filename =
[debug]server_name =
[debug] host-name = "universe-esx05"
[debug] dhcp-requested-address = 172.18.120.50
[debug] dhcp-message-type = 3
[debug] dhcp-server-identifier = 172.18.150.1
[debug] dhcp-parameter-request-list = 1,3,6,15,31,33,43,44,46,47,121,249,252
[debug] dhcp-class-identifier = "MSFT 5.0"
[debug] dhcp-client-identifier = 1:0:75:6e:69:5:2
[debug] option-81 = 0:0:0:75:6e:69:76:65:72:73:65:2d:65:73:78:30:35:2e:63:6f:6e:74:6f:73:6f:2e:63:6f:6d
[debug] option-82 = 1:7:76:6c:61:6e:31:32:35
[debug]
...
[note]DHCPACK on 172.18.120.50 to 00:75:6e:69:05:02 via 172.18.120.1(ethernet)
...

However, when a client on VLAN 16 requests an IP from the 192.168.100.0/24 scope (the 'edit 16' entry), the debug shows the errors 'find_lease(): leaving function WITHOUT a lease' and 'There is no requesting IP in subnet!', and the DHCPREQUEST is answered with a DHCPNAK:

DHCP_Server # diagnose debug application dhcps -1
Debug messages will be on for 30 minutes.

DHCP_Server # diagnose debug enable

[debug]locate_network prhtype(1) pihtype(1)
[debug]find_lease(): packet contains preferred client IP, cip.s_addr is 192.168.100.21
[debug]search through all subnets to find an ip lease (192.168.100.21)
[debug]There is no requesting IP in subnet!
[note]DHCPREQUEST for 192.168.100.21 from 00:75:6e:69:05:02 via 192.168.100.10(ethernet)
[note]DHCPNAK on 192.168.100.21 to 00:75:6e:69:05:02 via 192.168.100.10(ethernet)
[debug]packet length 342
[debug]op = 1 htype = 1 hlen = 6 hops = 1
[debug]xid = e016ec2c secs = 0 flags = 0
[debug]ciaddr = 0.0.0.0
[debug]yiaddr = 0.0.0.0
[debug]siaddr = 0.0.0.0
[debug]giaddr = 192.168.100.10
[debug]chaddr = 00:75:6e:69:05:02
[debug]filename =
[debug]server_name =
[debug] host-name = "universe-esx05"
[debug] dhcp-requested-address = 192.168.100.21
[debug] dhcp-message-type = 3
[debug] dhcp-class-identifier = "MSFT 5.0"
[debug] dhcp-client-identifier = 1:0:75:6e:69:5:2
[debug] option-81 = 0:0:0:75:6e:69:76:65:72:73:65:2d:65:73:78:30:35:2e:63:6f:6e:74:6f:73:6f:2e:63:6f:6d
[debug] option-82 = 1:7:76:6c:61:6e:31:32:35
[debug]
...
[debug]packet length 277
[debug]op = 2 htype = 1 hlen = 6 hops = 1
[debug]xid = e016ec2c secs = 0 flags = 80
[debug]ciaddr = 0.0.0.0
[debug]yiaddr = 0.0.0.0
[debug]siaddr = 172.18.150.1
[debug]giaddr = 192.168.100.10
[debug]chaddr = 00:75:6e:69:05:02
[debug]filename =
[debug]server_name =
[debug]
...
[debug]locate_network prhtype(1) pihtype(1)
[debug]find_lease(): leaving function WITHOUT a lease
[note]DHCPDISCOVER from 00:75:6e:69:05:02 via 192.168.100.10(ethernet)
[debug]There is no requesting IP in subnet!
[debug]locate_network prhtype(1) pihtype(1)
[debug]find_lease(): leaving function WITHOUT a lease
[note]DHCPDISCOVER from 00:75:6e:69:05:02 via 192.168.100.10(ethernet)
[debug]There is no requesting IP in subnet!
[debug]locate_network prhtype(1) pihtype(1)
[debug]find_lease(): leaving function WITHOUT a lease
[note]DHCPDISCOVER from 00:75:6e:69:05:02 via 192.168.100.10(ethernet)
[debug]There is no requesting IP in subnet!

This happens because an entry (ID 2) was created on port1 without an IP range. FortiGate searches the scopes in ID order, starting from ID 1, and assigns a lease from the first scope that matches; when it reaches an entry that has no range, it stops the search and returns that error. Every entry with a higher ID than the range-less one (for example ID 3, 4, 5, ... or 16) will therefore fail to allocate an IP.

Notes:

FortiOS up to 7.2.8, 7.4.4 and 7.6.0: the solution in this case is to remove the entry with ID 2, configure an IP range on that entry, or change its ID to the highest value.

FortiOS 7.4.5, 7.6.1 and later: an entry without an IP range is always evaluated at the tail of the list, regardless of the ID number configured.
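As an added illustration (not Fortinet's code or the FortiOS implementation), the following Python models the scope walk described in the explanation above and in the notes, using the three scopes transcribed from the article's configuration: the legacy walk in ID order, the later behaviour that moves range-less entries to the tail, and a small lint that reports which entries a range-less lower ID shadows. The lease lookup is simplified to returning the first address of the matching range; the real server also consults its lease table.

```python
import ipaddress

# Scopes transcribed from the article's 'config system dhcp server' block, all on port1:
# (entry id, default-gateway, netmask, list of (start-ip, end-ip) ranges).
SCOPES = [
    (16, "192.168.100.10", "255.255.255.0", [("192.168.100.21", "192.168.100.245")]),
    (2, "172.18.150.1", "255.255.255.0", []),  # entry 2: no ip-range configured
    (1, "172.18.120.1", "255.255.255.0", [("172.18.120.50", "172.18.120.200")]),
]


def scope_order(scopes, rangeless_last):
    """Order the scopes the way the server walks them.
    rangeless_last=False: plain ID order (FortiOS up to 7.2.8, 7.4.4 and 7.6.0).
    rangeless_last=True: entries without a range go to the tail (7.4.5, 7.6.1 and later)."""
    ordered = sorted(scopes, key=lambda s: s[0])
    if rangeless_last:
        ordered = [s for s in ordered if s[3]] + [s for s in ordered if not s[3]]
    return ordered


def find_lease(scopes, giaddr, rangeless_last=False):
    """Walk the scopes for a relayed request (giaddr = relay/gateway address).
    Returns (entry id, first address of its range) or (None, error text).
    Simplification: no lease table, so the first range address is always 'free'."""
    relay = ipaddress.ip_address(giaddr)
    for sid, gateway, netmask, ranges in scope_order(scopes, rangeless_last):
        if not ranges:
            # As the article describes: the walk stops at an entry with no range.
            return None, "There is no requesting IP in subnet!"
        subnet = ipaddress.ip_network(f"{gateway}/{netmask}", strict=False)
        if relay in subnet:
            return sid, ranges[0][0]
    return None, "no scope matches the relay address"


def shadowed_scope_ids(scopes):
    """Lint helper: IDs that a lower-ID, range-less entry hides under the legacy walk."""
    ordered = scope_order(scopes, rangeless_last=False)
    for pos, scope in enumerate(ordered):
        if not scope[3]:
            return [s[0] for s in ordered[pos + 1:]]
    return []


if __name__ == "__main__":
    for relay in ("172.18.120.1", "192.168.100.10"):
        print(relay, "legacy:", find_lease(SCOPES, relay), "fixed:", find_lease(SCOPES, relay, True))
    print("entries shadowed by a range-less lower ID:", shadowed_scope_ids(SCOPES))
```

Running it reproduces the article's outcome: the VLAN 1 relay (172.18.120.1) gets 172.18.120.50 from entry 1, while the VLAN 16 relay (192.168.100.10) stops at entry 2 under the legacy walk and only reaches entry 16 once range-less entries are evaluated last.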