Troubleshooting Tip: DHCP status 'Removed due to conflict'

nithincs · ‎06-12-2023

Description

This article describes the background of DHCP message exchange and explains the root cause of the DHCP status 'Removed due to conflict'.

Scope

FortiGate.

Solution

After completing the DORA process and getting the IP from the DHCP server, the client will perform an ARP probe to verify that no other devices are using the IP address before the probing device starts to do so.

If an ARP response receives an ARP response for the same IP allocated by the DHCP server, the client will send a DHCP decline message to the DHCP server and request a new IP.

When FortiGate receives the DHCPDECLINE from a specific mac address for a leased IP, it will deduce that the leased IP is a duplicate IP and is used in the network. FortiGate will store the ip information as 'Removed due to conflict' in the GUI.

For example:

Consider a network where a device is configured with 10.0.0.3 as the client ip address. The same ip address falls under the DHCP IP range.

FortiGate Config:

config system dhcp server

edit 2

set dns-service default

set default-gateway 10.0.0.1
set netmask 255.255.255.248
set interface "port2"

config ip-range
edit 1

set start-ip 10.0.0.2
set end-ip 10.0.0.6

Now, when a client requests the DHCP IP, FortiGate will lease the next available IP from the IP range.

0.0.0.0 255.255.255.255 ff:ff:ff:ff:ff:ff 50:1a:45:00:07:00 DHCP Discover - Transaction ID 0x2761267

Debug :

[note]DHCPDISCOVER from 50:1a:45:00:07:00 via port2(ethernet)
[debug]found a new lease of ip 10.0.0.3 <<<<<<<<<<<<<<<<
[debug]added ip 10.0.0.3 mac 50:1a:45:00:07:00 in vd root
[debug]packet length 300
[debug]op = 1 htype = 1 hlen = 6 hops = 0
[debug]xid = 67127602 secs = 28 flags = 0
[debug]ciaddr = 0.0.0.0
[debug]yiaddr = 0.0.0.0
[debug]siaddr = 0.0.0.0
[debug]giaddr = 0.0.0.0
[debug]chaddr = 50:1a:45:00:07:00
[debug]filename =
[debug]server_name =
[debug] host-name = "UNL"
[debug] dhcp-message-type = 1
[debug] dhcp-parameter-request-list = 1,15,3,6,44,46,47,31,33,121,249,43
[debug] dhcp-class-identifier = "MSFT 5.0"
[debug] dhcp-client-identifier = 1:50:1a:45:0:7:0

A DHCP Offer is sent to the client:

10.0.0.1 10.0.0.3 50:1a:45:00:07:00 50:23:99:00:03:01 DHCP Offer - Transaction ID 0x2761267

[note]DHCPOFFER on 10.0.0.3 to 50:1a:45:00:07:00 via port2(ethernet)
[debug]sending on port2(ethernet)
[debug]sending using lpf_dhcpd_send_packet
[debug]locate_network prhtype(1) pihtype(1)
[debug]find_lease(): packet contains preferred client IP, cip.s_addr is 10.0.0.3
[debug]find_lease(): leaving function with lease set
[debug]find_lease(): the lease's IP is 10.0.0.3

Followed by a DHCP request from the client and DHCP ask from FortiGate:

0.0.0.0 255.255.255.255 ff:ff:ff:ff:ff:ff 50:1a:45:00:07:00 DHCP Request - Transaction ID 0x2761267
10.0.0.1 10.0.0.3 50:1a:45:00:07:00 50:23:99:00:03:01 DHCP ACK - Transaction ID 0x2761267

[note]DHCPREQUEST for 10.0.0.3 from 50:1a:45:00:07:00 via port2(ethernet)
[debug]deled ip 10.0.0.3 mac 50:1a:45:00:07:00 in vd root
[debug]added ip 10.0.0.3 mac 50:1a:45:00:07:00 in vd root
[debug]packet length 302
[debug]op = 1 htype = 1 hlen = 6 hops = 0
[debug]xid = 67127602 secs = 28 flags = 0
[debug]ciaddr = 0.0.0.0
[debug]yiaddr = 0.0.0.0
[debug]siaddr = 0.0.0.0
[debug]giaddr = 0.0.0.0
[debug]chaddr = 50:1a:45:00:07:00
[debug]filename =
[debug]server_name =
[debug] host-name = "UNL"
[debug] dhcp-requested-address = 10.0.0.3
[debug] dhcp-message-type = 3
[debug] dhcp-server-identifier = 10.0.0.1
[debug] dhcp-parameter-request-list = 1,15,3,6,44,46,47,31,33,121,249,43
[debug] dhcp-class-identifier = "MSFT 5.0"
[debug] dhcp-client-identifier = 1:50:1a:45:0:7:0
[debug] option-81 = 0:0:0:55:4e:4c
[debug]
[note]DHCPACK on 10.0.0.3 to 50:1a:45:00:07:00 via port2(ethernet)
[debug]sending on port2(ethernet)

Once the client completes the DHCP DORA process, it will send an ARP probe to identify any duplicate IPs in the same broadcast network.

50:1a:45:00:07:00 Broadcast ff:ff:ff:ff:ff:ff 50:1a:45:00:07:00 Who has 10.0.0.3? (ARP Probe)

If it does not receive a response, the IP will be assigned its interface.

If there is an ARP response, the DHCP client will send the DHCPDECLINE message to the server, notifying it of the IP conflict.

50:fc:cf:00:0b:00 50:1a:45:00:07:00 50:1a:45:00:07:00 50:fc:cf:00:0b:00 10.0.0.3 is at 50:fc:cf:00:0b:00 (duplicate use of 10.0.0.3 detected!)

0.0.0.0 255.255.255.255 ff:ff:ff:ff:ff:ff 50:1a:45:00:07:00 DHCP Decline - Transaction ID 0x2761267

FortiGate debug:

[note]DHCPDECLINE on 10.0.0.3 from 50:1a:45:00:07:00 via port2(ethernet) <<<<<<
[warn]Abandoning IP address 10.0.0.3: declined.
[debug]deled ip 10.0.0.3 mac 50:1a:45:00:07:00 in vd root
[debug]locate_network prhtype(1) pihtype(1)
[debug]find_lease(): leaving function WITHOUT a lease
[note]DHCPDISCOVER from 50:1a:45:00:07:00 via port2(ethernet)
[debug]found a new lease of ip 10.0.0.4
[debug]added ip 10.0.0.4 mac 50:1a:45:00:07:00 in vd root

At this point, FortiGate learns that the leased IP 10.0.0.3 has conflict and adds the IP to the list of conflicted leases.

The same IP will not be leased to any other client until the expiry time.

exe dhcp lease-list
port2
IP MAC-Address Hostname VCI SSID AP SERVER-ID Expiry
10.0.0.4 50:1a:45:00:07:00 UNL MSFT 5.0 2 Mon Jun 19 07:19:45 2023

port2 [Conflicted leases]
IP Expiry
10.0.0.2 Mon Jun 12 07:49:15 2023
10.0.0.3 Mon Jun 12 07:49:33 2023