FortiGate
Kraven2323 (Staff)
Article Id 216328
Description: This article explains how to troubleshoot a FortiGate acting as DHCP server when the DHCP server debug shows DHCPDECLINE messages and clients never obtain a lease.
Scope

FortiGate is the DHCP server and the client is not getting any DHCP IP.

 

When running the DHCP server debug ('# diag debug application dhcps -1' followed by '# diag debug enable'; 'dhcpc' is the separate DHCP client daemon), the error DHCPDECLINE is visible. The sequence below shows the client declining the offered address, the server abandoning it, and the next request being answered without a lease because the address was removed from the free list.

 

Sample:

 

2022-06-08 18:28:52 [note]DHCPDECLINE on 172.22.1.2 from 98:fa:9b:89:da:d6 via port4(ethernet)
2022-06-08 18:28:52 [warn]Abandoning IP address 172.22.1.2: declined.
2022-06-08 18:28:52 [debug]deled ip 172.22.1.2 mac 98:fa:9b:89:da:d6 in vd root
2022-06-08 18:29:02 [debug]locate_network prhtype(1) pihtype(1)
2022-06-08 18:29:02 [debug]find_lease(): leaving function WITHOUT a lease

Solution

Check whether an IP pool configured on the FortiGate overlaps the DHCP scope. In this case the pool covers exactly the addresses being declined:

 

# config firewall ippool
    edit "testCWPIP"
        set startip 172.22.1.2
        set endip 172.22.1.125
    next
end

 

By default, an IP pool has 'arp-reply' enabled, which makes the FortiGate answer ARP requests for every address in the pool (this is what lets SNAT'ed return traffic reach the firewall). A DHCP client probes the offered address with ARP before using it; because the FortiGate itself answers the probe for 172.22.1.2, the client concludes the address is already in use and sends DHCPDECLINE. The server then marks the address abandoned ('Abandoning IP address 172.22.1.2: declined.') and, as every address in the scope sits inside the pool, the same happens for each subsequent offer, so the client never gets a lease.

 

[Screenshot from the original article: IP pool configuration with ARP Reply enabled]

 

To confirm, sniff ARP on the interface facing the client and look for ARP replies for the offered address (172.22.1.2 here) that carry the FortiGate's own interface MAC rather than the MAC of another host. Verbosity level 4 prints the interface name with each packet:

 

# diag sniff pac <port> "arp" 4

 

Solution:

Remove the IP pool, or change the DHCP scope to a range that does not overlap any IP pool on the same subnet. Disabling ARP reply on the pool ('set arp-reply disable' under 'config firewall ippool') also stops the declines, but note that upstream devices can then no longer resolve the pool addresses, so SNAT sessions using that pool only work if those addresses are routed to the FortiGate by other means.
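As an added example (not part of the original article or Fortinet's own tooling), the following script automates the check above: it parses 'show firewall ippool' and 'show system dhcp server' output, reports IP pools with ARP reply enabled that overlap a DHCP scope, and attributes each DHCPDECLINE in the 'dhcps' debug to the pool that contains the declined address. The configuration excerpts and debug lines embedded below are constructed samples modelled on the ones in the article; the second pool "snat-no-arp" and the DHCP scope end address 172.22.1.200 are assumptions added to show a non-overlapping case. Because 'show' omits default values, a pool with no 'set arp-reply' line is treated as having ARP reply enabled.

```python
import ipaddress
import re

# Constructed sample of "show firewall ippool" output. "show" omits defaults,
# so a pool without "set arp-reply" has arp-reply enabled.
IPPOOL_CONFIG = """\
config firewall ippool
    edit "testCWPIP"
        set startip 172.22.1.2
        set endip 172.22.1.125
    next
    edit "snat-no-arp"
        set startip 10.9.9.10
        set endip 10.9.9.20
        set arp-reply disable
    next
end
"""

# Constructed sample of "show system dhcp server" output (scope end assumed).
DHCP_CONFIG = """\
config system dhcp server
    edit 1
        set interface "port4"
        set netmask 255.255.255.0
        set default-gateway 172.22.1.1
        config ip-range
            edit 1
                set start-ip 172.22.1.2
                set end-ip 172.22.1.200
            next
        end
    next
end
"""

# Constructed sample of "diagnose debug application dhcps -1" output.
DHCPS_DEBUG = """\
2022-06-08 18:28:52 [note]DHCPDECLINE on 172.22.1.2 from 98:fa:9b:89:da:d6 via port4(ethernet)
2022-06-08 18:28:52 [warn]Abandoning IP address 172.22.1.2: declined.
2022-06-08 18:28:52 [debug]deled ip 172.22.1.2 mac 98:fa:9b:89:da:d6 in vd root
2022-06-08 18:29:02 [note]DHCPDECLINE on 172.22.1.3 from 98:fa:9b:89:da:d6 via port4(ethernet)
"""

EDIT_RE = re.compile(r'^\s*edit\s+"?([^"\s]+)"?\s*$')
SET_RE = re.compile(r'^\s*set\s+(\S+)\s+"?([^"\s]+)"?\s*$')
DECLINE_RE = re.compile(r"DHCPDECLINE on (\d+\.\d+\.\d+\.\d+) from ([0-9a-f:]{17})")


def parse_ippools(text):
    """Parse 'show firewall ippool' output into dicts with name/start/end/arp_reply."""
    pools, cur = [], None
    for line in text.splitlines():
        m = EDIT_RE.match(line)
        if m:
            cur = {"name": m.group(1), "arp_reply": True}  # FortiOS default
            continue
        m = SET_RE.match(line)
        if m and cur is not None:
            key, val = m.groups()
            if key == "startip":
                cur["start"] = ipaddress.IPv4Address(val)
            elif key == "endip":
                cur["end"] = ipaddress.IPv4Address(val)
            elif key == "arp-reply":
                cur["arp_reply"] = val == "enable"
        elif line.strip() == "next" and cur is not None:
            pools.append(cur)
            cur = None
    return pools


def parse_dhcp_ranges(text):
    """Return (start, end) tuples from the ip-range table of 'show system dhcp server'."""
    ranges, in_range, start, end = [], False, None, None
    for line in text.splitlines():
        s = line.strip()
        if s == "config ip-range":
            in_range = True
        elif s == "end" and in_range:
            in_range = False
        elif in_range:
            m = SET_RE.match(line)
            if m and m.group(1) == "start-ip":
                start = ipaddress.IPv4Address(m.group(2))
            elif m and m.group(1) == "end-ip":
                end = ipaddress.IPv4Address(m.group(2))
            elif s == "next" and start is not None and end is not None:
                ranges.append((start, end))
                start = end = None
    return ranges


def parse_declines(log):
    """Extract (declined address, client MAC) pairs from dhcps debug output."""
    return [(ipaddress.IPv4Address(ip), mac) for ip, mac in DECLINE_RE.findall(log)]


def overlapping_pools(dhcp_ranges, pools):
    """Pools with arp-reply enabled whose range intersects a DHCP scope.
    The FortiGate answers ARP for every address in the intersection, so
    clients will decline each of them."""
    hits = []
    for p in pools:
        if not p["arp_reply"]:
            continue
        for s, e in dhcp_ranges:
            lo, hi = max(p["start"], s), min(p["end"], e)
            if lo <= hi:
                hits.append((p["name"], str(lo), str(hi)))
    return hits


def attribute_declines(declines, pools):
    """Map each declined address to the arp-replying pool that contains it."""
    out = {}
    for ip, _mac in declines:
        for p in pools:
            if p["arp_reply"] and p["start"] <= ip <= p["end"]:
                out[str(ip)] = p["name"]
    return out


if __name__ == "__main__":
    pools = parse_ippools(IPPOOL_CONFIG)
    ranges = parse_dhcp_ranges(DHCP_CONFIG)
    for name, lo, hi in overlapping_pools(ranges, pools):
        print(f"IP pool {name} (arp-reply enabled) overlaps DHCP scope: {lo}-{hi}")
    for ip, name in attribute_declines(parse_declines(DHCPS_DEBUG), pools).items():
        print(f"DHCPDECLINE for {ip}: address is inside IP pool {name}")
```

Run it as-is to see the constructed case, or paste real 'show' and debug output into the three constants. A pool that is reported here is the one to remove, move, or reconfigure with 'set arp-reply disable' as described above; the "snat-no-arp" pool is never reported because ARP reply is off, even though its addresses would be declined just the same if they were in the scope and ARP reply were on.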

Contributors