FortiGate
johnathan
Staff
Article Id 358965
Description

This article describes how to resolve a scenario where the FortiGate fails to obtain a DHCP lease and a DHCP Decline is seen in a packet capture (PCAP).
Scope

FortiOS.

Solution

In certain circumstances, the FortiGate may fail to obtain an IP address from a DHCP server even though the DHCP handshake itself completes successfully.

[Screenshot: dhcp decline.PNG]

The DHCP ACK was exchanged between the FortiGate and the DHCP server, indicating that the handshake completed.

The FortiGate then sends a DHCP Decline, and no IP address is present on the FortiGate interface.


Whenever the FortiGate acquires a DHCP lease, it sends an ARP request for that IP on the interface where the DHCP client is configured, to check whether any other device on that segment already uses the address. If an ARP reply comes back, the FortiGate treats the address as taken and declines the lease.
This becomes a problem when an IP Pool containing that leased IP is configured and the topology is such that the WAN VLAN is present on two interfaces of the same FortiGate.

For example, when a FortiSwitch is used to distribute a single WAN connection to an HA pair of FortiGates, that VLAN may exist on both the FortiLink interface and the configured WAN interface.

The ARP request leaves the WAN interface but also arrives back on the FortiLink interface.
Because the IP being requested matches an address in the IP Pool (which has ARP Reply enabled), the FortiGate answers its own ARP request.

In this example, 'port10' is configured as the DHCP client interface on the FortiGate. The FortiGate acquires a lease for 100.64.0.4, and an ARP request is sent out.

[Screenshot: deny1.PNG]

An ARP reply is received. The MAC address seen in the sniffer output belongs to port9, which is on the same VLAN as port10.

[Screenshot: port9.PNG]

The IP Pool configured on this FortiGate is shown below. Once 'ARP Reply' is disabled on the pool, the FortiGate no longer answers the ARP request and the issue does not occur.

[Screenshot: ipool.PNG]

On port9, no ARP reply is given any more. The only MAC address seen in the sniffer output is that of port10.

[Screenshot: no reply.PNG]

The FortiGate was able to obtain the lease successfully.

[Screenshot: good.PNG]
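As an added illustration (not part of this article or Fortinet's own code), the following Python script applies the triage logic described above to sniffer output: it finds the ARP reply for the leased IP, checks whether the replying MAC belongs to one of the FortiGate's own interfaces, and, if so, names the IP Pool with ARP Reply enabled that would cause the self-reply. The sniffer lines, interface MACs and pool definition are constructed sample data in the style of 'diagnose sniffer packet' verbosity 4 output.

```python
import ipaddress
import re

# Constructed sample data for this example (not taken from the article).
# Lines in the style of "diagnose sniffer packet any 'arp' 4" (verbosity 4 prints
# the interface name): the FortiGate probes for its new lease on port10, the probe
# re-enters on port9 (same WAN VLAN via FortiLink) and port9 answers it.
SNIFFER_LINES = [
    "1.100001 port10 out arp who-has 100.64.0.4 tell 100.64.0.4",
    "1.100120 port9 in arp who-has 100.64.0.4 tell 100.64.0.4",
    "1.100131 port9 out arp reply 100.64.0.4 is-at 00:09:0f:aa:bb:09",
    "1.100250 port10 in arp reply 100.64.0.4 is-at 00:09:0f:aa:bb:09",
]
# Hypothetical interface MAC inventory (as shown by 'get hardware nic <port>')
# and IP Pool definitions as (name, start, end, arp-reply enabled).
LOCAL_MACS = {"port9": "00:09:0f:aa:bb:09", "port10": "00:09:0f:aa:bb:0a"}
IPPOOLS = [("wan-pool", "100.64.0.1", "100.64.0.10", True)]

ARP_REPLY = re.compile(
    r"^\S+\s+(?P<intf>\S+)\s+(?:in|out)\s+arp reply (?P<ip>[\d.]+) is-at "
    r"(?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})", re.IGNORECASE)


def pool_answering(ip, ippools):
    """Name of the first IP Pool containing ip with ARP Reply enabled, else None."""
    addr = ipaddress.IPv4Address(ip)
    for name, start, end, arp_reply in ippools:
        if arp_reply and ipaddress.IPv4Address(start) <= addr <= ipaddress.IPv4Address(end):
            return name
    return None


def explain_decline(leased_ip, sniffer_lines, local_macs, ippools):
    """Classify why a lease for leased_ip was declined after the ARP check.
    cause is 'self-reply' (this issue), 'real-conflict' (another host owns the IP)
    or 'no-reply' (the lease should have been kept)."""
    mac_to_intf = {mac.lower(): intf for intf, mac in local_macs.items()}
    for line in sniffer_lines:
        m = ARP_REPLY.match(line)
        if not m or m.group("ip") != leased_ip:
            continue
        intf = mac_to_intf.get(m.group("mac").lower())
        if intf is None:
            # A foreign MAC answered: a genuine duplicate address, not this issue.
            return {"cause": "real-conflict", "replier": m.group("mac"), "pool": None}
        # One of our own interfaces answered; the pool with ARP Reply enabled is the
        # reason. Fix: config firewall ippool / edit <pool> / set arp-reply disable.
        return {"cause": "self-reply", "replier": intf, "pool": pool_answering(leased_ip, ippools)}
    return {"cause": "no-reply", "replier": None, "pool": None}
```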