CA-Davida1992
New Contributor

Fortigate 60F - DHCP Issue on Virtual Ports

I'm really not sure what has been done, or why this has stopped working, but let me give a little insight.
We've provisioned a new site with a Fortigate 60F. There is an IPsec tunnel setup back to our main site, and this works fine.
We use internal2 port for our internal traffic, which is configured for 192.168.110.0/24. DHCP is enabled, options are configured, and everything works. Ports are either tagged/untagged where appropriate for this VLAN, and it's all fine. 
Yesterday I created a new virtual interface VLAN on the Internal2 interface, for VLAN 241. This is our guest VLAN. The IP range on the fortigate has been setup for 192.168.111.0/24. DHCP has been configured and the ports for our wireless access point, and ports were tagged with VLAN 241 where appropriate. I attempted to connect to our guest SSID and I got an IP address correctly from the guest range. I added an outbound rule for internet, and everything worked just fine.
I've come back to it today, and I am not getting DHCP from the virtual interface VLAN. The main interface for corporate traffic is fine, that's giving out DHCP, but my virtual interface is not working. I've tried a few things such as recreating, checking my port tags, and everything looks fine. I even setup a wall port untagged on VLAN 241 and plugged my laptop into it, no matter what I do though, I'm just getting a 169 address now, for all devices.
Someone on my team did make some changes, but they've been reverted from what I can see, either something else has been changed, or I'm missing something. I know this is still a little vague, but I'm not overly familiar with these firewalls, so any advice on how to troubleshoot would be amazing! I'm no longer onsite, which makes it more difficult to troubleshoot too.
xshkurti
Staff

@CA-Davida1992 

The first step would be to run a packet capture on the newly created VLAN interface and see whether DHCP requests are reaching it:

```
diag sniffer packet vlan241-interface-name "" 6
```

Replace vlan241-interface-name with the real name of the VLAN interface you created, and check whether DHCP requests are hitting the FortiGate interface.

You can also do packet capture through GUI:

Troubleshooting Tip: Packet Capture on FortiOS GUI - Fortinet Community

Technical Tip: Diagnosing DHCP on a FortiGate - Fortinet Community
Please post some results here so we can check.

CA-Davida1992
New Contributor

I'm not seeing any DHCP packets or requests. I think that it's not even getting that far. Please see my VLAN switch below. We're focussing on the GuestWiFi VLAN on VLAN 241.

2023-10-03_16h28_55.png

DHCP is enabled on it, but as I said above, it's not getting DHCP.

I have the Internal2 interface connected to port 48 on my switch, tagged with VLAN 241. The switch has an IP of 192.168.111.2.

Switch: 192.168.111.2
Firewall: 192.168.111.1

If I SSH to the Switch or Firewall and try to ping either, they are not responsive, but they can ping themselves on their own interfaces.

Christian_89
Contributor III

The issue you've described is a common one when dealing with VLANs, DHCP, and networking in general. Here are some troubleshooting steps and considerations you can take to help diagnose and possibly resolve the problem:

1. **DHCP Service**:
- Verify that the DHCP service for VLAN 241 is still running on the Fortigate.
- Ensure that the DHCP range and settings for VLAN 241 are correctly configured.

2. **Interface Configuration**:
- Double-check the virtual interface configuration for VLAN 241. Make sure the IP and subnet are correct.
- Ensure that the VLAN interface is up and running.

3. **Switch Configuration**:
- Ensure that the switch ports connecting to devices needing access to VLAN 241 are correctly tagged/untagged.
- If you have managed switches, check if there's any VLAN-related misconfiguration or changes made recently.

4. **Firewall Policies**:
- Ensure that there's an appropriate firewall policy allowing traffic from the VLAN 241 subnet to reach the Fortigate's DHCP server.
- Check if there are any policies that might be blocking DHCP requests or responses.

5. **Logs and Diagnostics**:
- Check the Fortigate logs for any related entries or errors regarding DHCP for VLAN 241.
- Use diagnostic commands to check the DHCP status:
```
diagnose ip dhcp relay list
diagnose ip dhcp server list
```
- These commands will show you the current DHCP relays and leases, which can help identify if the Fortigate is receiving DHCP requests and if it's providing leases.

6. **Physical Connections**:
- Ensure that all cables and connections are secure. A loose cable can sometimes be the culprit.
- Ensure that the connection between the Fortigate and the switch is correctly configured for VLAN tagging.

7. **Reboots and Restarts**:
- As a last resort, consider rebooting the Fortigate. Sometimes, certain services can get stuck and a reboot might resolve the issue.
- Restart the DHCP service on the Fortigate.

8. **Other Considerations**:
- If someone on your team made changes, it's possible that a change might have been overlooked when reverting. It might be beneficial to compare the current configuration with a backup (if available).
- Ensure that there aren't any other DHCP servers active on VLAN 241. Another active DHCP server can cause conflicts.

Lastly, if you're not on-site, you might need assistance from someone who is, especially if physical checks or reboots are required. If the issue remains unresolved, consider reaching out to Fortinet support or consulting with a Fortinet expert.

mle2802
Staff

Hi @CA-Davida1992,
Please refer to this document for DHCP debugging: "https://community.fortinet.com/t5/FortiGate/Technical-Tip-Diagnosing-DHCP-on-a-FortiGate/ta-p/192960.... Please also run a pcap on the FortiGate for port 67 or 68 and check whether the traffic is tagged with the right VLAN ID.

Regards,
Minh
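As an added example (not code from any of the repliers or from Fortinet), the following parses the verbosity-6 hex dump that the `diag sniffer packet ... 6` command suggested above prints, and reports whether each captured DHCP frame (UDP 67/68, the ports mle2802 suggests filtering on) carries the expected 802.1Q tag or arrives untagged. The two dumped frames are constructed for the example, not a real capture; the `0x0000`-offset line format is assumed to match the FortiGate sniffer output.

```python
import re
ETH_P_8021Q, ETH_P_IP, IPPROTO_UDP, DHCP_PORTS = 0x8100, 0x0800, 17, {67, 68}
HEX_LINE = re.compile(r"^0x([0-9a-fA-F]+)\s+(.*)$")

def parse_sniffer_dump(text):  # verbosity-6 hex lines -> list of raw frames
    frames, cur = [], None
    for line in text.splitlines():
        m = HEX_LINE.match(line.strip())
        if not m:
            continue                     # per-packet summary lines, blanks
        if cur is None or int(m.group(1), 16) == 0:   # offset 0x0000 = new frame
            cur = bytearray(); frames.append(cur)
        for tok in m.group(2).split()[:8]:  # <= 8 hex groups, then ASCII column
            if not re.fullmatch(r"[0-9a-fA-F]{2,4}", tok):
                break
            cur += bytes.fromhex(tok)
    return [bytes(f) for f in frames]

def classify(frame):  # -> (vlan_id, or None if untagged; is_dhcp)
    off, vlan = 12, None
    etype = int.from_bytes(frame[off:off + 2], "big"); off += 2
    if etype == ETH_P_8021Q:             # 802.1Q tag: TCI, then real EtherType
        vlan = int.from_bytes(frame[off:off + 2], "big") & 0x0FFF
        etype = int.from_bytes(frame[off + 2:off + 4], "big"); off += 4
    if (etype != ETH_P_IP or len(frame) < off + 28
            or frame[off + 9] != IPPROTO_UDP):   # need full IPv4 + UDP headers
        return vlan, False
    udp = off + (frame[off] & 0x0F) * 4  # skip IPv4 header (IHL in 32-bit words)
    ports = {int.from_bytes(frame[p:p + 2], "big") for p in (udp, udp + 2)}
    return vlan, bool(ports & DHCP_PORTS)

def dhcp_vlan_report(text, expected_vlan):
    """Count DHCP frames on the expected VLAN vs. untagged/other-VLAN frames."""
    report = {"dhcp_expected_vlan": 0, "dhcp_other": 0, "non_dhcp": 0}
    for frame in parse_sniffer_dump(text):
        vlan, is_dhcp = classify(frame)
        key = ("non_dhcp" if not is_dhcp else
               "dhcp_expected_vlan" if vlan == expected_vlan else "dhcp_other")
        report[key] += 1
    return report

# Constructed sample: a DHCP Discover tagged VLAN 241, then one arriving untagged.
SAMPLE_DUMP = """\
0x0000   ffff ffff ffff 0011 2233 4455 8100 00f1        ......."3DU....
0x0010   0800 4500 001c 0000 0000 4011 0000 0000        ..E.......@.....
0x0020   0000 ffff ffff 0044 0043 0008 0000             .......D.C....
0x0000   ffff ffff ffff 0011 2233 4455 0800 4500        ......."3DU..E.
0x0010   001c 0000 0000 4011 0000 0000 0000 ffff        ......@.........
0x0020   ffff 0044 0043 0008 0000                       ...D.C....
"""
```

Calling `dhcp_vlan_report(SAMPLE_DUMP, 241)` on a real dump copied from the CLI shows at a glance whether the guest clients' requests arrive with tag 241, arrive untagged (a switch trunk/PVID problem), or do not arrive at all.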
