Description
This article describes basic troubleshooting steps to take when a DHCP daemon is running on a NAC Server or Application Server but hosts in isolation are not obtaining a DHCP address.
Scope
FortiNAC.
Solution
- Verify the host is in the appropriate isolation VLAN (e.g. Registration, Remediation, Authentication, Deadend). This should be confirmed at the wireless Controller/Access Point or switch to which the host directly connects.
- Determine how far the DHCP process is progressing.
A complete DHCP cycle looks like the following:
DHCPDISCOVER is sent from Host to NAC
DHCPOFFER is sent from NAC to Host
DHCPREQUEST is sent from Host to NAC
DHCPACK is sent from NAC to Host
If the host is currently experiencing the behavior:
Watch the DHCP activity via the FortiNAC Server CLI. Type:
CentOS:
tail -F /bsc/logs/dhcpd.log | grep -i "<mac address of host using colons>"
FortiNAC-OS:
diagnose tail -F dhcpd.log | grep -i "<mac address of host using colons>"
Note: starting from 7.6.0 GA dhcpd.log was replaced with kea-dhcp4.log and kea-dhcp6.log.
Example:
CentOS:
tail -F /bsc/logs/dhcpd.log | grep -i "a8:7c:01:42:b8:09"
FortiNAC-OS:
diagnose tail -F dhcpd.log | grep -i "a8:7c:01:42:b8:09"
The log entries regarding the specified MAC address will print to the screen as they occur. The following is an example of a completed DHCP Cycle:
dhcpd: DHCPDISCOVER from a8:7c:01:42:b8:09 via eth1
dhcpd: DHCPOFFER on 192.168.40.147 to a8:7c:01:42:b8:09 (android-12bffc2cd0e898fb) via eth1
dhcpd: DHCPREQUEST for 192.168.40.147 (192.168.40.3) from a8:7c:01:42:b8:09 (android-12bffc2cd0e898fb) via eth1
dhcpd: DHCPACK on 192.168.40.147 to a8:7c:01:42:b8:09 (android-12bffc2cd0e898fb) via eth1
Alternatively, a packet capture using tcpdump can be taken on the NAC Server or Application Server.
Start capture by typing:
CentOS:
tcpdump -nni eth1 port 67 or port 68
FortiNAC-OS:
execute tcpdump -i port2 port 67 or port 68
Press Ctrl-C to stop the capture.
To take a packet capture that can be viewed in a third-party application (for example Wireshark), start the capture by typing:
CentOS:
tcpdump -nni any -s0 -w dhcp.cap port 67 or port 68
FortiNAC-OS:
execute tcpdump -i port2 -v -w /home/admin/dhcp.cap port 67 or port 68
Press Ctrl-C to stop the capture.
Upload the file (dhcp.cap) using FTP or SCP to another computer or server:
CentOS:
Use WinSCP or a similar program.
FortiNAC-OS:
execute enter-shell
scp /home/admin/dhcp.cap user@IP_of_destination:/Location_Folder
If the host is no longer online:
Print the historical log entries. Type:
CentOS:
grep -i "<mac address of host using colons>" /bsc/logs/dhcpd.log
FortiNAC-OS:
execute enter-shell
grep -i "<mac address of host using colons>" /bsc/logs/dhcpd.log
- Determine possible causes.
DHCPDISCOVER has not been received by NAC.
Possible causes:
- The host does not have DHCP enabled.
- Inconsistent isolation VLAN tagging.
- Missing DHCP Helper (IP Helper). Required in L3 networks (eth1 interface on a different network than the isolation VLAN). The helper must point to NAC's eth1 (Registration) interface.
- Firewall/ACL rules from host to NAC blocking DHCP.
- Routing issue from host to NAC.
DHCPDISCOVER is received but NAC is not responding (no DHCPOFFER logged).
DHCPOFFER is not reaching the host.
Possible causes:
- Inconsistent isolation VLAN tagging.
- Firewall/ACL rules from NAC to the host.
- Routing issue from NAC to the host.
DHCPREQUEST is not received by NAC.
Possible causes:
- The same host-to-NAC causes as for DHCPDISCOVER: inconsistent isolation VLAN tagging, missing DHCP Helper, firewall/ACL rules from host to NAC, routing issue from host to NAC.
DHCPACK is not reaching the host.
Possible causes:
- Inconsistent isolation VLAN tagging.
- Firewall/ACL rules from NAC to the host.
- Routing issue from NAC to the host.
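The two steps above (reading how far the DHCP cycle progressed in dhcpd.log, then picking the matching list of possible causes) as a script. This is an added example, not code from the article or from FortiNAC. It assumes the ISC dhcpd line format shown in the completed-cycle example above (the kea-dhcp4.log format used from 7.6.0 is different and is not parsed here), a constructed sample log, and an invented second MAC address 00:11:22:33:44:55; the function names dhcp_stage, dhcp_diagnosis and sample_log are the example's own.

```shell
#!/bin/sh
# Added example, not code from the FortiNAC KB article or from FortiNAC.
# Reads an ISC dhcpd log in the format shown in the article
# ("dhcpd: DHCPDISCOVER from <mac> via eth1"), reports how far the DHCP
# cycle got for one MAC, and prints the troubleshooting branch that applies.
# Assumption: the CentOS log path /bsc/logs/dhcpd.log (pass any path as $2).

# dhcp_stage MAC LOGFILE -> prints NONE, DISCOVER, OFFER, REQUEST or ACK.
# Only the most recent cycle counts: a new DHCPDISCOVER from the MAC resets
# the stage. The MAC is matched case-insensitively.
dhcp_stage() {
    mac=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    awk -v mac="$mac" '
        tolower($0) !~ mac { next }        # lines for other hosts are ignored
        /DHCPDISCOVER/ { stage = "DISCOVER"; next }
        /DHCPOFFER/    { stage = "OFFER";    next }
        /DHCPREQUEST/  { stage = "REQUEST";  next }
        /DHCPACK/      { stage = "ACK";      next }
        END { print (stage == "" ? "NONE" : stage) }
    ' "$2"
}

# dhcp_diagnosis STAGE -> one line naming the "possible causes" branch from
# the article that matches the stage reached.
dhcp_diagnosis() {
    case "$1" in
        NONE)     echo "DHCPDISCOVER not received by NAC: check host has DHCP enabled, isolation VLAN tagging, IP helper pointing at eth1, host->NAC firewall/ACL rules and routing" ;;
        DISCOVER) echo "DHCPDISCOVER received but no DHCPOFFER logged: NAC is not responding" ;;
        OFFER)    echo "DHCPOFFER logged but no DHCPREQUEST: offer not reaching host (VLAN tagging, NAC->host firewall/ACL, routing) or request not reaching NAC" ;;
        REQUEST)  echo "DHCPREQUEST received but no DHCPACK logged on NAC" ;;
        ACK)      echo "Full cycle logged on NAC; if the host still has no address, DHCPACK is not reaching it (VLAN tagging, NAC->host firewall/ACL, routing)" ;;
        *)        echo "unknown stage: $1"; return 1 ;;
    esac
}

# sample_log FILE -> writes constructed log lines: the completed cycle from the
# article for a8:7c:01:42:b8:09, plus an invented MAC that only ever sent
# DHCPDISCOVER (the "NAC is not responding" case).
sample_log() {
    cat > "$1" <<'EOF'
dhcpd: DHCPDISCOVER from a8:7c:01:42:b8:09 via eth1
dhcpd: DHCPOFFER on 192.168.40.147 to a8:7c:01:42:b8:09 (android-12bffc2cd0e898fb) via eth1
dhcpd: DHCPREQUEST for 192.168.40.147 (192.168.40.3) from a8:7c:01:42:b8:09 (android-12bffc2cd0e898fb) via eth1
dhcpd: DHCPACK on 192.168.40.147 to a8:7c:01:42:b8:09 (android-12bffc2cd0e898fb) via eth1
dhcpd: DHCPDISCOVER from 00:11:22:33:44:55 via eth1
dhcpd: DHCPDISCOVER from 00:11:22:33:44:55 via eth1
EOF
}

# Demo on the constructed log. On a live CentOS appliance use:
#   dhcp_stage "<mac>" /bsc/logs/dhcpd.log
tmp=$(mktemp)
sample_log "$tmp"
for m in a8:7c:01:42:b8:09 00:11:22:33:44:55 de:ad:be:ef:00:01; do
    s=$(dhcp_stage "$m" "$tmp")
    printf '%s -> %s: %s\n' "$m" "$s" "$(dhcp_diagnosis "$s")"
done
rm -f "$tmp"
```

The stage is taken from the last DHCP message logged for the MAC, so a host that completed a cycle and later started a new DHCPDISCOVER without getting an offer is reported as DISCOVER, which is the case the NAC-side log actually shows. The script only tells you what the NAC logged; whether an OFFER or ACK that was logged actually reached the host still has to be confirmed with the tcpdump capture or at the switch.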
Related articles:
Technical Note: Asymmetrically routed packets are discarded with newer appliances
Technical Note: Set static routes using the Configuration Wizard