Help
FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
Kraven2323
Staff
Staff

Created on ‎06-29-2022 11:29 PM Edited on ‎01-09-2026 12:49 AM By Community Manager

Article Id 216328

Troubleshooting Tip: FortiGate is not providing DHCP with error DHCP DECLINE

Description This article helps to troubleshoot the FortiGate DHCP when it is receiving an error DHCP DECLINE on debug.
Scope

FortiGate is the DHCP server, and the client is not getting a DHCP IP.

 

When running the debug 'diagnose debug application dhcpc -1', the error DHCP DECLINE is visible.

 

Sample 1:

 

2022-06-08 18:28:52 [note]DHCPDECLINE on 172.22.1.2 from 98:fa:9b:89:da:d6 via port4(ethernet)
2022-06-08 18:28:52 [warn]Abandoning IP address 172.22.1.2: declined.
2022-06-08 18:28:52 [debug]deled ip 172.22.1.2 mac 98:fa:9b:89:da:d6 in vd root
2022-06-08 18:29:02 [debug]locate_network prhtype(1) pihtype(1)
2022-06-08 18:29:02 [debug]find_lease(): leaving function WITHOUT a lease

 

Sample 2:

 

Receive packet:
len=60
del hw header
ether_type:0806
hw addr from: XX:XX:XX:4E:DC:XX
arp packet received, len:46
A ARP packet is received.
The requested 192.168.100.78 address is in use by XX:XX:XX:4E:DC:6E
make decline
make dhcp message, code=4
Insert option(255), len(0)
Insert option(53), len(1)
Insert requested address
Insert option(50), len(4)
Insert client ID
Insert option(61), len(7)
Insert server ID
Insert option(54), len(4)
Insert message The requested 192.168.100.78 address is in use by XX:XX:XX:4E:DC:6E

 

Use the following debug commands to capture the relevant parameters: 

 

FortiGate is the DHCP Server:

 

diagnose debug reset
diagnose debug application dhcps -1

diagnose debug console timestamp enable
diagnose debug enable

 

To stop the debug:

 

diagnose debug reset
diagnose debug disable
Solution
  1. Check the IPpool configured on the FortiGate:

 

config firewall ippool
    edit "testCWPIP"
        set startip 172.22.1.2
        set endip 172.22.1.125
    next

 

By default, the IPpool is configured to have the 'arp reply' enabled, which will cause the FortiGate itself to respond to the DHCP probe.

 

Kraven2323_0-1656570168544.png

 

To be sure, it is possible to use the sniffer command to check the ARP:

 

diagnose sniff pac <port> "arp" 4

 

Remove the IPpool or change the DHCP IP to another range.

 

  1. The IP sent by the DHCP server is already used by another device. So FortiGate sends a decline message.

 

dhcp.PNG
Once the client/FortiGate receives an IP from the DHCP server, it sends an ARP probe to check if the same IP is being used by any other device in the network. If it receives an ARP response from the same IP address allocated by the DHCP server, the client will send a DHCP decline message and will restart the process.

 

The MAC IP address of the PC is blocked from getting an IP address from the DHCP server:

 

dhcpserver.png
22511
Suggest New Article
Article Feedback
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2026 Fortinet, Inc. All Rights Reserved.