Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
New Contributor

Fortigate 60F - DHCP Issue on Virtual Ports

I'm really not sure what has been done, or why this has stopped working, but let me give a little insight.


We've provisioned a new site with a Fortigate 60F. There is an IPsec tunnel setup back to our main site, and this works fine.


We use internal2 port for our internal traffic, which is configured for DHCP is enabled, options are configured, and everything works. Ports are either tagged/untagged where appropriate for this VLAN, and it's all fine. 


Yesterday I created a new virtual interface VLAN on the Internal2 interface, for VLAN 241. This is our guest VLAN. The IP range on the fortigate has been setup for DHCP has been configured and the ports for our wireless access point, and ports were tagged with VLAN 241 where appropriate. I attempted to connect to our guest SSID and I got an IP address correctly from the guest range. I added an outbound rule for internet, and everything worked just fine.


I've come back to it today, and I am not getting DHCP from the virtual interface VLAN. The main interface for corporate traffic is fine, that's giving out DHCP, but my virtual interface is not working. I've tried a few things such as recreating, checking my port tags, and everything looks fine. I even setup a wall port untagged on VLAN 241 and plugged my laptop into it, no matter what I do though, I'm just getting a 169 address now, for all devices.


Someone on my team did make some changes, but they've been reverted from what I can see, either something else has been changed, or I'm missing something. I know this is still a little vague, but I'm not overly familiar with these firewalls, so any advice on how to troubleshoot would be amazing! I'm no longer onsite, which makes it more difficult to troubleshoot too.




First step would be to do some packet capture on that newly created vlan interface and see if you can see dhcp requests hitting there.
diag sniffer packet vlan241-interface-name "" 6

Replace vlan241-interface-name with real vlan name that you have created and monitor if there are dhcp requests hitting fortigate interface

You can also do packet capture through GUI:

Troubleshooting Tip: Packet Capture on FortiOS GUI - Fortinet Community

Technical Tip: Diagnosing DHCP on a FortiGate - Fortinet Community
Please post some results here to check

New Contributor

I'm not seeing any DHCP packets or requests. I think that it's not even getting that far. Please see my VLAN switch below. We're focussing on the GuestWiFi VLAN on VLAN 241.


DHCP is enabled on it, but as I said above, it's not getting DHCP.

I have the Internal2 interface connected to port 48 on my switch, tagged with VLAN 241. The switch has an IP of


If I SSH to the Switch or Firewall and try to ping either, they are not responsive, but they can ping themselves on their own interfaces.

Contributor III

The issue you've described is a common one when dealing with VLANs, DHCP, and networking in general. Here are some troubleshooting steps and considerations you can take to help diagnose and possibly resolve the problem:

1. **DHCP Service**:
- Verify that the DHCP service for VLAN 241 is still running on the Fortigate.
- Ensure that the DHCP range and settings for VLAN 241 are correctly configured.

2. **Interface Configuration**:
- Double-check the virtual interface configuration for VLAN 241. Make sure the IP and subnet are correct.
- Ensure that the VLAN interface is up and running.

3. **Switch Configuration**:
- Ensure that the switch ports connecting to devices needing access to VLAN 241 are correctly tagged/untagged.
- If you have managed switches, check if there's any VLAN-related misconfiguration or changes made recently.

4. **Firewall Policies**:
- Ensure that there's an appropriate firewall policy allowing traffic from the VLAN 241 subnet to reach the Fortigate's DHCP server.
- Check if there are any policies that might be blocking DHCP requests or responses.

5. **Logs and Diagnostics**:
- Check the Fortigate logs for any related entries or errors regarding DHCP for VLAN 241.
- Use diagnostic commands to check the DHCP status:
diagnose ip dhcp relay list
diagnose ip dhcp server list
- These commands will show you the current DHCP relays and leases, which can help identify if the Fortigate is receiving DHCP requests and if it's providing leases.

6. **Physical Connections**:
- Ensure that all cables and connections are secure. A loose cable can sometimes be the culprit.
- Ensure that the connection between the Fortigate and the switch is correctly configured for VLAN tagging.

7. **Reboots and Restarts**:
- As a last resort, consider rebooting the Fortigate. Sometimes, certain services can get stuck and a reboot might resolve the issue.
- Restart the DHCP service on the Fortigate.

8. **Other Considerations**:
- If someone on your team made changes, it's possible that a change might have been overlooked when reverting. It might be beneficial to compare the current configuration with a backup (if available).
- Ensure that there aren't any other DHCP servers active on VLAN 241. Another active DHCP server can cause conflicts.

Lastly, if you're not on-site, you might need assistance from someone who is, especially if physical checks or reboots are required. If the issue remains unresolved, consider reaching out to Fortinet support or consulting with a Fortinet expert.


Hi @CA-Davida1992,
Please refer to this document for DHCP debug " Please also run a pcap on FortiGate for port 67 or 68 and check if traffic is tagged with the right Vlan id.