FortiGate
Kraven2323
Staff
Article Id 216328
Description
This article helps to troubleshoot a FortiGate DHCP server whose debug output shows the error DHCP DECLINE.
Scope

FortiGate is the DHCP server and the client is not getting any DHCP IP.

When running the debug command 'diag debug application dhcpc -1', the error DHCP DECLINE is visible.

Sample 1:

2022-06-08 18:28:52 [note]DHCPDECLINE on 172.22.1.2 from 98:fa:9b:89:da:d6 via port4(ethernet)
2022-06-08 18:28:52 [warn]Abandoning IP address 172.22.1.2: declined.
2022-06-08 18:28:52 [debug]deled ip 172.22.1.2 mac 98:fa:9b:89:da:d6 in vd root
2022-06-08 18:29:02 [debug]locate_network prhtype(1) pihtype(1)
2022-06-08 18:29:02 [debug]find_lease(): leaving function WITHOUT a lease

Sample 2:

Receive packet:
len=60
del hw header
ether_type:0806
hw addr from: XX:XX:XX:4E:DC:XX
arp packet received, len:46
A ARP packet is received.
The requested 192.168.100.78 address is in use by XX:XX:XX:4E:DC:6E
make decline
make dhcp message, code=4
Insert option(255), len(0)
Insert option(53), len(1)
Insert requested address
Insert option(50), len(4)
Insert client ID
Insert option(61), len(7)
Insert server ID
Insert option(54), len(4)
Insert message The requested 192.168.100.78 address is in use by XX:XX:XX:4E:DC:6E

Solution

1. Check the IP pool configured on the FortiGate:

config firewall ippool
    edit "testCWPIP"
        set startip 172.22.1.2
        set endip 172.22.1.125
    next
end

By default, an IP pool has 'arp-reply' enabled, so the FortiGate itself answers the ARP probe for an address offered by DHCP whenever that address falls inside the pool. The address then appears to be in use and the lease is declined.

To confirm this, use the sniffer command to check which MAC answers the ARP request for the offered address:

 

diag sniff pac <port> "arp" 4

Remove the IP pool or change the DHCP range so it no longer overlaps the pool.

2. The IP address offered by the DHCP server is already in use by another device, so the FortiGate sends a decline message.
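As an added example (not from this article or from Fortinet), the following Python script applies the two checks above offline: it parses an IP pool block and DHCPDECLINE debug lines in the format of Sample 1 (both constructed samples) and flags declines whose address falls inside a pool that still has arp-reply enabled, which separates cause 1 from cause 2. The pool 'noarp-pool' and the second decline line are assumptions added for illustration.

```python
import ipaddress
import re
# Constructed sample: the article's pool (arp-reply left at its default) plus a pool with arp-reply disabled.
IPPOOL_CONFIG = """\
config firewall ippool
    edit "testCWPIP"
        set startip 172.22.1.2
        set endip 172.22.1.125
    next
    edit "noarp-pool"
        set startip 10.9.9.1
        set endip 10.9.9.50
        set arp-reply disable
    next
end
"""

# Constructed sample debug lines in the format of Sample 1 above (second decline is outside the first pool).
DHCP_DEBUG = """\
2022-06-08 18:28:52 [note]DHCPDECLINE on 172.22.1.2 from 98:fa:9b:89:da:d6 via port4(ethernet)
2022-06-08 18:28:52 [warn]Abandoning IP address 172.22.1.2: declined.
2022-06-08 18:30:10 [note]DHCPDECLINE on 10.9.9.7 from 00:11:22:33:44:55 via port5(ethernet)
"""

DECLINE_RE = re.compile(r"DHCPDECLINE on (\S+) from (\S+) via")

def parse_ippools(text):
    """Map pool name -> (startip, endip, arp_reply). No 'set arp-reply' line means enabled (FortiOS default)."""
    pools, name, cur = {}, None, {}
    for line in (l.strip() for l in text.splitlines()):
        if line.startswith("edit "):
            name, cur = line[5:].strip('"'), {}
        elif line.startswith("set ") and name:
            key, val = line[4:].split(" ", 1)
            cur[key] = val.strip('"')
        elif line == "next" and name:
            pools[name] = (ipaddress.ip_address(cur["startip"]), ipaddress.ip_address(cur["endip"]),
                           cur.get("arp-reply", "enable") == "enable")
            name = None
    return pools

def declines_in_pools(debug_text, pools):
    """Return (declined_ip, client_mac, pool) for each DHCPDECLINE whose address sits inside a pool
    that still answers ARP (cause 1). Declines outside such pools point to a real duplicate (cause 2)."""
    hits = []
    for m in filter(None, (DECLINE_RE.search(l) for l in debug_text.splitlines())):
        ip = ipaddress.ip_address(m.group(1))
        hits += [(str(ip), m.group(2), p) for p, (lo, hi, arp) in pools.items() if arp and lo <= ip <= hi]
    return hits
```

Feed it the real 'show firewall ippool' output and the saved debug log; only the declines it returns are explained by the IP pool, the rest need the ARP sniffer check against other devices on the segment.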