FortiNAC
NOTE: FortiNAC is now named FortiNAC-F. For post-9.4 articles, see FortiNAC-F. FortiNAC is a zero-trust network access solution that provides users with enhanced visibility into the Internet of Things (IoT) devices on their enterprise networks.
FortiKoala (Staff)
Article Id 196090
Description
Basic troubleshooting steps to take when DHCP daemon is running on NAC Server or Application Server but host(s) in isolation are not obtaining a DHCP address.
Solution

1. Verify the host is in the appropriate isolation VLAN (e.g. Registration, Remediation, Authentication, Deadend). Confirm this on the wireless controller/access point or on the switch port the host directly connects to, not only in the NAC administration UI.

2. Determine how far the DHCP process is progressing.
A complete DHCP cycle looks like the following:
DHCPDISCOVER sent from host to NAC
DHCPOFFER sent from NAC to host
DHCPREQUEST sent from host to NAC
DHCPACK sent from NAC to host
 

Host is currently experiencing the behavior

Watch the DHCP activity in /bsc/logs/dhcpd.log on the NAC Server or Application Server. Type:
tail -F /bsc/logs/dhcpd.log | grep -i "<mac address of host using colons>"
(tail -F keeps following the file even after log rotation; grep -i matches the MAC regardless of letter case.)


The log entries regarding the specified MAC address will print to the screen as they occur.

Example:
tail -F /bsc/logs/dhcpd.log | grep -i "a8:7c:01:42:b8:09"


The following is an example of a completed DHCP Cycle:
dhcpd: DHCPDISCOVER from a8:7c:01:42:b8:09 via eth1
dhcpd: DHCPOFFER on 192.168.40.147 to a8:7c:01:42:b8:09 (android-12bffc2cd0e898fb) via eth1
dhcpd: DHCPREQUEST for 192.168.40.147 (192.168.40.3) from a8:7c:01:42:b8:09 (android-12bffc2cd0e898fb) via eth1
dhcpd: DHCPACK on 192.168.40.147 to a8:7c:01:42:b8:09 (android-12bffc2cd0e898fb) via eth1



Alternatively, a packet capture using tcpdump can be taken on the NAC Server or Application Server. Port 67 (server) and port 68 (client) cover both directions of the exchange.
a. Start capture by typing
tcpdump -nni eth1 port 67 or port 68
b. Ctrl-C to stop the capture

To take a packet capture to be viewed in a third-party application (e.g. Wireshark), place the tcpdump options before the filter expression and write full packets (-s0) to a file:
a. Start capture by typing
tcpdump -nni any -s0 -w dhcp.cap port 67 or port 68
b. Ctrl-C to stop the capture
c. Copy the file (dhcp.cap) to another computer or server with SCP (preferred; FTP sends credentials and the capture in clear text)


Host is no longer online
Print the historical log entries. Type:
grep -i "<mac address of host using colons>" /bsc/logs/dhcpd.log



3. Determine possible causes.
DHCPDISCOVER is received but NAC is not responding
Possible Causes:
  • Scope is not configured in NAC. An "Unknown segment" message is printed in the log when the DHCPDISCOVER packet is received. To resolve, add the missing scope using the Configuration Wizard. Refer to the applicable installation guide in the Fortinet Document Library.
  • Asymmetrically routed packets are being discarded. To resolve, configure static routes in NAC or modify the configuration to accept such traffic. Refer to the related KB article below.


DHCPDISCOVER is not received by NAC
Possible Causes:
  • Host does not have DHCP enabled
  • Inconsistent isolation VLAN tagging
  • Missing DHCP Helper (IP Helper). Required in L3 networks, i.e. when the NAC eth1 interface is on a different network than the isolation VLAN. The helper must point to the NAC Registration (eth1) interface address
  • Firewall/ACL rules from the host to NAC blocking DHCP
  • Routing issue from the host to NAC

DHCPOFFER is not reaching the host
Possible Causes:
  • Inconsistent isolation VLAN tagging
  • Firewall/ACL rules from NAC to the host
  • Routing issue from NAC to the host*

DHCPREQUEST is not received by NAC
Possible Causes:
  • Inconsistent isolation VLAN tagging
  • Firewall/ACL rules from the host to NAC
  • Routing issue from the host to NAC*

DHCPACK is not reaching the host
Possible Causes:
  • Inconsistent isolation VLAN tagging
  • Firewall/ACL rules from NAC to the host
  • Routing issue from NAC to the host*
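The following shell script, added here as an example and not part of the FortiNAC article or product, applies steps 2 and 3 together: it counts the DHCPDISCOVER/DHCPOFFER/DHCPREQUEST/DHCPACK entries logged for one MAC, reports the furthest stage reached, and prints the cause list from step 3 that applies. The log text embedded in the script is constructed for illustration in the dhcpd.log line format quoted above; on an appliance, pass /bsc/logs/dhcpd.log instead of the temporary file.

```shell
#!/bin/sh
# Added example, not FortiNAC code: summarise how far a host got through the
# DHCP cycle from dhcpd.log entries and map the last stage logged to the
# cause lists in step 3. SAMPLE_LOG is constructed for illustration.

SAMPLE_LOG=$(cat <<'EOF'
dhcpd: DHCPDISCOVER from a8:7c:01:42:b8:09 via eth1
dhcpd: DHCPOFFER on 192.168.40.147 to a8:7c:01:42:b8:09 (android-12bffc2cd0e898fb) via eth1
dhcpd: DHCPREQUEST for 192.168.40.147 (192.168.40.3) from a8:7c:01:42:b8:09 (android-12bffc2cd0e898fb) via eth1
dhcpd: DHCPACK on 192.168.40.147 to a8:7c:01:42:b8:09 (android-12bffc2cd0e898fb) via eth1
dhcpd: DHCPDISCOVER from 00:11:22:33:44:55 via eth1
dhcpd: DHCPDISCOVER from 00:11:22:33:44:55 via eth1
dhcpd: DHCPDISCOVER from DE:AD:BE:EF:00:01 via eth1
dhcpd: DHCPOFFER on 192.168.40.148 to DE:AD:BE:EF:00:01 via eth1
dhcpd: DHCPDISCOVER from DE:AD:BE:EF:00:01 via eth1
dhcpd: DHCPOFFER on 192.168.40.148 to DE:AD:BE:EF:00:01 via eth1
EOF
)

# count_msgs <mac> <DHCPDISCOVER|DHCPOFFER|DHCPREQUEST|DHCPACK> <logfile>
# Case-insensitive on the MAC, like the grep in step 2. "grep -c" exits 1
# when the count is 0, so "|| true" keeps the pipeline from failing.
count_msgs() {
    grep -i "$1" "$3" | grep -c "$2" || true
}

# dhcp_stage <mac> <logfile>: print the furthest message type logged for
# the MAC: NONE, DISCOVER, OFFER, REQUEST or ACK.
dhcp_stage() {
    if [ "$(count_msgs "$1" DHCPACK "$2")" -gt 0 ]; then echo ACK
    elif [ "$(count_msgs "$1" DHCPREQUEST "$2")" -gt 0 ]; then echo REQUEST
    elif [ "$(count_msgs "$1" DHCPOFFER "$2")" -gt 0 ]; then echo OFFER
    elif [ "$(count_msgs "$1" DHCPDISCOVER "$2")" -gt 0 ]; then echo DISCOVER
    else echo NONE
    fi
}

# dhcp_diagnose <mac> <logfile>: one line pointing at the step 3 cause list.
# The NAC-side log cannot tell "OFFER never reached the host" from
# "REQUEST never reached NAC"; both appear as a cycle that stalls at OFFER.
dhcp_diagnose() {
    stage=$(dhcp_stage "$1" "$2")
    case "$stage" in
        NONE)
            echo "NONE: no DHCPDISCOVER logged for $1; check DHCP enabled on host, VLAN tagging, IP helper, ACLs and routing host->NAC" ;;
        DISCOVER)
            msg="DISCOVER: DHCPDISCOVER received but NAC is not responding; check for a missing scope or asymmetric routing"
            # Step 3: "Unknown segment" in the log means no scope matched.
            if grep -qi "unknown segment" "$2"; then
                msg="$msg (\"Unknown segment\" present in log: add the scope)"
            fi
            echo "$msg" ;;
        OFFER)
            echo "OFFER: DHCPOFFER sent but no DHCPREQUEST seen; check VLAN tagging, ACLs and routing in both directions, and capture at the switch/AP to see whether the host received the offer" ;;
        REQUEST)
            echo "REQUEST: DHCPREQUEST received but no DHCPACK logged; read the unfiltered dhcpd.log lines around the request for the daemon's reason" ;;
        ACK)
            echo "ACK: cycle completed on NAC; if the host still has no address, check VLAN tagging, ACLs and routing NAC->host" ;;
    esac
}

# Stand-alone run against the constructed log. On an appliance use:
#   dhcp_diagnose a8:7c:01:42:b8:09 /bsc/logs/dhcpd.log
LOGFILE=$(mktemp)
printf '%s\n' "$SAMPLE_LOG" > "$LOGFILE"
for mac in a8:7c:01:42:b8:09 00:11:22:33:44:55 de:ad:be:ef:00:01 ff:ff:ff:ff:ff:ff; do
    dhcp_diagnose "$mac" "$LOGFILE"
done
rm -f "$LOGFILE"
```

Because a host that never sees the offer simply retransmits DHCPDISCOVER, a repeating DISCOVER/OFFER pair for one MAC (the DE:AD:BE:EF:00:01 case in the sample) is the NAC-side signature of the "DHCPOFFER is not reaching the host" and "DHCPREQUEST is not received by NAC" lists; only a capture at the host's switch port or access point separates the two.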

Related Articles

Technical Note: Asymmetrically routed packets are discarded with newer appliances

Technical Note: Set static routes using the Configuration Wizard
