A complete DHCP cycle looks like the following:

- DHCPDISCOVER is sent from Host to NAC
- DHCPOFFER is sent from NAC to Host
- DHCPREQUEST is sent from Host to NAC
- DHCPACK is sent from NAC to Host

Host is currently experiencing the behavior

Watch the DHCP activity via the NAC Server or Application Server /bsc/logs/dhcpd.log. Type:

    tail -F /bsc/logs/dhcpd.log | grep -i "<mac address of host using colons>"

The log entries regarding the specified MAC address will print to the screen as they occur.

Example:

    tail -F /bsc/logs/dhcpd.log | grep -i "a8:7c:01:42:b8:09"

The following is an example of a completed DHCP cycle:

    dhcpd: DHCPDISCOVER from a8:7c:01:42:b8:09 via eth1
    dhcpd: DHCPOFFER on 192.168.40.147 to a8:7c:01:42:b8:09 (android-12bffc2cd0e898fb) via eth1
    dhcpd: DHCPREQUEST for 192.168.40.147 (192.168.40.3) from a8:7c:01:42:b8:09 (android-12bffc2cd0e898fb) via eth1
    dhcpd: DHCPACK on 192.168.40.147 to a8:7c:01:42:b8:09 (android-12bffc2cd0e898fb) via eth1

Alternatively, a packet capture using tcpdump can be taken on the NAC Server or Application Server.

a. Start the capture by typing:

    tcpdump -nni eth1 port 67 or port 68

b. Press Ctrl-C to stop the capture.

To take a packet capture to be viewed in a third-party application (e.g. Wireshark):

a. Start the capture by typing:

    tcpdump -nni any -s0 -w dhcp.cap port 67 or port 68

   (The -s0 and -w options must come before the filter expression; tcpdump treats everything after the first non-option argument as part of the filter.)

b. Press Ctrl-C to stop the capture.

c. Upload the file (dhcp.cap) using FTP or SCP to another computer or server.

Host is no longer online

Print the historical log entries. Type:

    grep -i "<mac address of host using colons>" /bsc/logs/dhcpd.log

DHCPDISCOVER is received but NAC is not responding

Possible Causes:

- Scope is not configured in NAC. An "Unknown segment" message is printed in the log upon receipt of the DHCPDISCOVER packet. To resolve, add the missing scope using the Configuration Wizard. Refer to the applicable installation guide in the Fortinet Document Library.
- Asymmetrically routed packets are being discarded. To resolve, configure static routes in NAC or modify the configuration to accept such traffic. Refer to the related KB article below.

DHCPDISCOVER is not received by NAC

Possible Causes:

- Host does not have DHCP enabled
- Inconsistent isolation VLAN tagging
- Missing DHCP Helper (IP Helper) - required in L3 networks (eth1 interface on a different network than isolation). The helper must point to NAC's Registration eth1 interface
- Firewall/ACL rules from Host to NAC blocking DHCP
- Routing issue from Host to NAC

DHCPOFFER is not reaching the host

Possible Causes:

- Inconsistent isolation VLAN tagging
- Firewall/ACL rules from NAC to the host
- Routing issue from NAC to the host

DHCPREQUEST is not received by NAC

Possible Causes:

- Inconsistent isolation VLAN tagging
- Firewall/ACL rules from the host to NAC
- Routing issue from the host to NAC

DHCPACK is not reaching the host

Possible Causes:

- Inconsistent isolation VLAN tagging
- Firewall/ACL rules from NAC to the host
- Routing issue from NAC to the host
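The troubleshooting table above is driven by which of the four messages the NAC's dhcpd.log shows for the host. The following added example (not part of the original article or of FortiNAC) parses dhcpd.log lines in the format shown above for one MAC, finds the last step of its most recent cycle, and maps that to the matching row; the exact wording of the "Unknown segment" log line and the 02:... MAC in the sample are constructed assumptions.

```python
import re
# The four messages of a complete cycle, in the order dhcpd logs them.
DHCP_STEPS = ["DHCPDISCOVER", "DHCPOFFER", "DHCPREQUEST", "DHCPACK"]

# dhcpd log line: message type, then the client MAC somewhere after it.
LINE_RE = re.compile(r"dhcpd: (DHCP[A-Z]+) .*?([0-9a-f]{2}(?::[0-9a-f]{2}){5})", re.I)

# Which row of the troubleshooting table applies, keyed by the last step logged for the host.
HINTS = {
    None: "DHCPDISCOVER not received by NAC (host DHCP, VLAN tagging, IP helper, ACL/routing host->NAC)",
    "DHCPDISCOVER": "NAC not responding (scope not configured, asymmetric routing)",
    "DHCPOFFER": "OFFER not reaching host or REQUEST not received by NAC (VLAN tagging, ACL/routing)",
    "DHCPREQUEST": "no DHCPACK logged after DHCPREQUEST; read the dhcpd.log lines that follow",
    "DHCPACK": "full cycle logged; if host still has no lease, ACK not reaching it (VLAN tagging, ACL/routing NAC->host)",
}

def trace_cycle(lines, mac):
    """Return (steps, unknown_segment) for `mac`'s most recent cycle; a new DISCOVER resets it."""
    mac = mac.lower()
    steps, unknown_segment = [], False
    for line in lines:
        m = LINE_RE.search(line)
        if not m or m.group(2).lower() != mac:
            continue
        msg = m.group(1).upper()
        if msg == "DHCPDISCOVER":  # retransmitted DISCOVERs mean no progress: start over
            steps, unknown_segment = [], False
        if msg in DHCP_STEPS and msg not in steps:
            steps.append(msg)
        # "Unknown segment" = no scope covers the host's network (exact line format assumed)
        unknown_segment |= "unknown segment" in line.lower()
    return steps, unknown_segment

def diagnose(lines, mac):
    """Map where `mac`'s cycle stalled to the matching troubleshooting hint."""
    steps, unknown_segment = trace_cycle(lines, mac)
    last = steps[-1] if steps else None
    if last == "DHCPDISCOVER" and unknown_segment:
        return "NAC not responding: no scope for this segment; add it in the Configuration Wizard"
    return HINTS[last]

# Constructed sample: the article's complete cycle plus a made-up host (02:... MAC)
# whose DISCOVER is logged with an "Unknown segment" note and never answered.
SAMPLE_LOG = [
    "dhcpd: DHCPDISCOVER from a8:7c:01:42:b8:09 via eth1",
    "dhcpd: DHCPOFFER on 192.168.40.147 to a8:7c:01:42:b8:09 (android-12bffc2cd0e898fb) via eth1",
    "dhcpd: DHCPREQUEST for 192.168.40.147 (192.168.40.3) from a8:7c:01:42:b8:09 (android-12bffc2cd0e898fb) via eth1",
    "dhcpd: DHCPACK on 192.168.40.147 to a8:7c:01:42:b8:09 (android-12bffc2cd0e898fb) via eth1",
    "dhcpd: DHCPDISCOVER from 02:00:00:00:00:01 via eth1: unknown segment",
]
```

Feed it the output of the grep command from the "Host is no longer online" section (one line per list entry); a host whose log shows only DHCPOFFER cannot be classified further from the server side, which is when the tcpdump capture above is needed.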
Related Articles
Technical Note: Asymmetrically routed packets are discarded with newer appliances
Technical Note: Set static routes using the Configuration Wizard
Copyright 2024 Fortinet, Inc. All Rights Reserved.