Description | This article describes the background of DHCP message exchange and explains the root cause of the DHCP status 'Removed due to conflict'. |
Scope | FortiGate. |
Solution |
After completing the DORA (Discover, Offer, Request, Acknowledge) exchange and receiving an address from the DHCP server, the client sends an ARP probe (RFC 5227) to verify that no other device is already using that address before the client starts to use it itself. If the client receives an ARP reply for the address the DHCP server allocated, it sends a DHCPDECLINE message to the server and starts a new DHCPDISCOVER to request a different address.
When FortiGate receives the DHCPDECLINE from a specific MAC address for a leased IP, it deduces that the leased IP is a duplicate that is already in use on the network. FortiGate then records the IP as 'Removed due to conflict' in the GUI.
For example, consider a network where a device is statically configured with 10.0.0.3 and the same address falls inside the DHCP server's IP range:
config system dhcp server
    edit 2
        set dns-service default
        set default-gateway 10.0.0.1
        config ip-range
            set start-ip 10.0.0.2
        next
        end
    next
end
Now, when a client requests an address, FortiGate leases the next available IP from the range. In the packet capture lines below the columns are source IP, destination IP, destination MAC, source MAC and packet info; the '[note]' lines are the matching FortiGate DHCP server debug output.
0.0.0.0 255.255.255.255 ff:ff:ff:ff:ff:ff 50:1a:45:00:07:00 DHCP Discover - Transaction ID 0x2761267
Debug: [note]DHCPDISCOVER from 50:1a:45:00:07:00 via port2(ethernet)
A DHCP Offer is sent to the client:
10.0.0.1 10.0.0.3 50:1a:45:00:07:00 50:23:99:00:03:01 DHCP Offer - Transaction ID 0x2761267
[note]DHCPOFFER on 10.0.0.3 to 50:1a:45:00:07:00 via port2(ethernet)
Followed by a DHCPREQUEST from the client, which FortiGate answers with a DHCPACK (the ACK itself is not shown in the capture):
0.0.0.0 255.255.255.255 ff:ff:ff:ff:ff:ff 50:1a:45:00:07:00 DHCP Request - Transaction ID 0x2761267
[note]DHCPREQUEST for 10.0.0.3 from 50:1a:45:00:07:00 via port2(ethernet)
Once the DORA exchange completes, the client sends an ARP probe to detect any other host using the same address in its broadcast domain.
50:1a:45:00:07:00 Broadcast ff:ff:ff:ff:ff:ff 50:1a:45:00:07:00 Who has 10.0.0.3? (ARP Probe)
If no reply arrives, the client assigns the address to its interface. If an ARP reply does arrive, the DHCP client sends a DHCPDECLINE to the server, notifying it of the IP conflict. Here the reply comes from 50:fc:cf:00:0b:00, the statically configured host:
50:fc:cf:00:0b:00 50:1a:45:00:07:00 50:1a:45:00:07:00 50:fc:cf:00:0b:00 10.0.0.3 is at 50:fc:cf:00:0b:00 (duplicate use of 10.0.0.3 detected!)
0.0.0.0 255.255.255.255 ff:ff:ff:ff:ff:ff 50:1a:45:00:07:00 DHCP Decline - Transaction ID 0x2761267
FortiGate debug:
[note]DHCPDECLINE on 10.0.0.3 from 50:1a:45:00:07:00 via port2(ethernet) <<<<<<
At this point FortiGate learns that the leased IP 10.0.0.3 conflicts with another host and adds it to the list of conflicted leases. The address is not leased to any other client until the conflict entry expires. Because the conflicting host is statically configured, the same cycle repeats once the entry expires, unless the address is taken out of the pool (for example with an exclude-range under config system dhcp server) or the static host is moved to an address outside the range. The conflicted entry can be checked from the CLI with (execute may be abbreviated to exe):
execute dhcp lease-list
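The whole exchange above, modelled end to end in plain Python as an added example (this is not FortiOS code): a toy DHCP server that keeps the 'Removed due to conflict' list, a LAN that answers ARP probes for addresses a host already holds, and a client that declines a conflicting offer and asks again. The pool end address 10.0.0.10, the pre-existing lease on 10.0.0.2, the client MAC 50:23:99:00:03:02 and the 1800-second conflict timeout are constructed for the example; the MACs 50:1a:45:00:07:00 and 50:fc:cf:00:0b:00 are the ones from the capture. The log lines it produces follow the shape of the '[note]' debug lines shown in the article.

```python
import ipaddress

# Seconds an address stays "Removed due to conflict" before it may be offered again.
# Assumed value for this example; the real FortiOS timer is not stated in the article.
CONFLICTED_IP_TIMEOUT = 1800


class Lan:
    """A broadcast domain: answers an ARP probe if some host already holds the address."""

    def __init__(self):
        self.owners = {}  # ip -> MAC of the host currently using it

    def arp_probe(self, ip):
        # RFC 5227 probe (sender IP 0.0.0.0, target = candidate address).
        # Returns the MAC that replied, or None when nobody answers.
        return self.owners.get(ip)


class DhcpServer:
    """Pool manager that keeps the conflict list the article describes."""

    def __init__(self, start_ip, end_ip, conflicted_ip_timeout=CONFLICTED_IP_TIMEOUT):
        first = int(ipaddress.ip_address(start_ip))
        last = int(ipaddress.ip_address(end_ip))
        self.pool = [str(ipaddress.ip_address(n)) for n in range(first, last + 1)]
        self.leases = {}      # ip -> MAC of the client holding it
        self.conflicted = {}  # ip -> time at which the conflict entry expires
        self.timeout = conflicted_ip_timeout
        self.log = []         # lines shaped like the FortiGate dhcps debug output

    def _next_free(self, now):
        # Expire old conflict entries, then hand out the lowest unused address.
        for ip in [ip for ip, exp in self.conflicted.items() if exp <= now]:
            del self.conflicted[ip]
        for ip in self.pool:
            if ip not in self.leases and ip not in self.conflicted:
                return ip
        return None

    def discover(self, mac, port, now):
        self.log.append(f"[note]DHCPDISCOVER from {mac} via {port}")
        ip = self._next_free(now)
        if ip is not None:
            self.log.append(f"[note]DHCPOFFER on {ip} to {mac} via {port}")
        return ip

    def request(self, mac, ip, port):
        self.log.append(f"[note]DHCPREQUEST for {ip} from {mac} via {port}")
        if ip in self.leases or ip in self.conflicted:
            return False  # NAK: the address was taken or quarantined meanwhile
        self.leases[ip] = mac
        self.log.append(f"[note]DHCPACK on {ip} to {mac} via {port}")
        return True

    def decline(self, mac, ip, port, now):
        # The client found the address in use: drop the lease and quarantine the address.
        self.log.append(f"[note]DHCPDECLINE on {ip} from {mac} via {port}")
        if self.leases.get(ip) == mac:
            del self.leases[ip]
        self.conflicted[ip] = now + self.timeout

    def lease_list(self, now):
        # Roughly what 'execute dhcp lease-list' reports: active leases plus conflicted addresses.
        by_ip = lambda kv: ipaddress.ip_address(kv[0])
        rows = [(ip, mac, "leased") for ip, mac in sorted(self.leases.items(), key=by_ip)]
        rows += [(ip, "-", "Removed due to conflict")
                 for ip, exp in sorted(self.conflicted.items(), key=by_ip) if exp > now]
        return rows


def obtain_address(client_mac, server, lan, port="port2(ethernet)", now=0, max_tries=3):
    """Client side: DORA, ARP-probe the offered address, DHCPDECLINE on conflict, retry."""
    for _ in range(max_tries):
        ip = server.discover(client_mac, port, now)
        if ip is None:
            return None                # pool exhausted
        if not server.request(client_mac, ip, port):
            continue                   # NAK: start over with a new DISCOVER
        owner = lan.arp_probe(ip)
        if owner is None:
            lan.owners[ip] = client_mac    # silence: the address is ours, configure it
            return ip
        server.decline(client_mac, ip, port, now)  # reply from another MAC: conflict


def run_scenario(now=0):
    """Reproduce the article's capture: 10.0.0.3 is statically configured inside the pool."""
    lan = Lan()
    lan.owners["10.0.0.3"] = "50:fc:cf:00:0b:00"      # the static host, never a DHCP client
    server = DhcpServer("10.0.0.2", "10.0.0.10")     # end address is an assumption
    server.leases["10.0.0.2"] = "50:23:99:00:03:02"   # constructed earlier lease, so .3 is next
    lan.owners["10.0.0.2"] = "50:23:99:00:03:02"
    got = obtain_address("50:1a:45:00:07:00", server, lan, now=now)
    return got, server, lan


if __name__ == "__main__":
    ip, server, _ = run_scenario()
    print("client ended up with", ip)
    print("\n".join(server.log))
    for row in server.lease_list(0):
        print(*row)
```

Running it shows the client being offered 10.0.0.3, declining it after the ARP reply, and ending up with 10.0.0.4 while 10.0.0.3 sits in the conflict list; passing a later `now` to `discover()` shows the address being offered again once the entry expires, which is why the cycle repeats for a statically configured host until the address is excluded from the pool.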
|
Copyright 2024 Fortinet, Inc. All Rights Reserved.