FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
This article describes how to troubleshoot a FortiGate acting as DHCP server when the debug output shows DHCPDECLINE.
FortiGate is the DHCP server, and the client never obtains a DHCP lease.
When running the DHCP server debug '# diag debug application dhcps -1', the DHCPDECLINE message is visible:
2022-06-08 18:28:52 [note]DHCPDECLINE on 172.22.1.2 from 98:fa:9b:89:da:d6 via port4(ethernet)
2022-06-08 18:28:52 [warn]Abandoning IP address 172.22.1.2: declined.
2022-06-08 18:28:52 [debug]deled ip 172.22.1.2 mac 98:fa:9b:89:da:d6 in vd root
2022-06-08 18:29:02 [debug]locate_network prhtype(1) pihtype(1)
2022-06-08 18:29:02 [debug]find_lease(): leaving function WITHOUT a lease
Check the IP pool configured on the FortiGate:
# config firewall ippool
    edit "testCWPIP"
        set startip 172.22.1.2
        set endip 172.22.1.125
    next
end
By default an IP pool has ARP reply ('arp-reply') enabled, so the FortiGate itself answers ARP requests for every address in the pool. When the client ARP-probes the offered address before accepting it, it receives a reply from the FortiGate, concludes the address is already in use and sends DHCPDECLINE, after which the server abandons the address.
To confirm this, use the sniffer to watch the ARP exchange on the client-facing interface:
# diag sniff pac <port> "arp" 4
Remove the IP pool, or change the DHCP server range so that it does not overlap the pool addresses.
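The following is an added example, not part of the Fortinet article: it parses constructed 'diag debug application dhcps -1' output and an IP pool configuration of the shape shown above, and reports each DHCPDECLINE whose address falls inside a pool that still has arp-reply enabled. The log and config text, and the helper names, are assumptions for the example.

```python
import ipaddress
import re

# Constructed sample input modelled on the article's debug output
DEBUG_LOG = """\
2022-06-08 18:28:52 [note]DHCPDECLINE on 172.22.1.2 from 98:fa:9b:89:da:d6 via port4(ethernet)
2022-06-08 18:28:52 [warn]Abandoning IP address 172.22.1.2: declined.
2022-06-08 18:29:02 [debug]find_lease(): leaving function WITHOUT a lease
"""

# Constructed sample config; arp-reply is not set, so the FortiOS default (enable) applies
IPPOOL_CONFIG = """\
config firewall ippool
    edit "testCWPIP"
        set startip 172.22.1.2
        set endip 172.22.1.125
    next
end
"""

DECLINE_RE = re.compile(r"\[note\]DHCPDECLINE on (\S+) from (\S+) via (\S+)")


def parse_declines(log):
    """Return (ip, mac, interface) for every DHCPDECLINE line in the debug output."""
    return [m.groups() for m in map(DECLINE_RE.search, log.splitlines()) if m]


def parse_ippools(config):
    """Return {pool_name: (startip, endip, arp_reply_enabled)} from 'config firewall ippool'."""
    pools, name, start, end, arp = {}, None, None, None, True
    for tok in (line.split() for line in config.splitlines()):
        if not tok:
            continue
        if tok[0] == "edit":
            name, start, end, arp = tok[1].strip('"'), None, None, True  # default: enabled
        elif tok[:2] == ["set", "startip"]:
            start = ipaddress.ip_address(tok[2])
        elif tok[:2] == ["set", "endip"]:
            end = ipaddress.ip_address(tok[2])
        elif tok[:2] == ["set", "arp-reply"]:
            arp = tok[2] == "enable"
        elif tok[0] == "next" and name and start and end:
            pools[name] = (start, end, arp)
    return pools


def find_overlaps(log, config):
    """For each declined IP, list the ARP-replying pools that contain it (the likely cause)."""
    pools = parse_ippools(config)
    hits = []
    for ip, mac, iface in parse_declines(log):
        addr = ipaddress.ip_address(ip)
        owners = [n for n, (s, e, arp) in pools.items() if arp and s <= addr <= e]
        hits.append((ip, mac, iface, owners))
    return hits
```

A pool with 'set arp-reply disable' is skipped, so only pools that would actually answer the client's ARP probe are reported.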
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.