DHCP-Relay problems after upgrading NGFW

DHCP NGFW



8 replies to this topic

#1 Stephan Glaser

Stephan Glaser
  • Members
  • 7 posts

Posted 10 March 2020 - 04:48 AM

Hi folks,

 

A few days ago we tried to update our F80 from firmware version 7.2.2 to 8.0.2. Update went through without any problems and half an hour later the box was running again. Everything seemed fine until we discovered that our clients had problems getting a lease from our DHCP server. Clients and servers have different VLANs. The box is working as a router between these two VLANs and configured to provide a DHCP relay. Since we were not able to solve the problem in due time we switched to our backup box with the old firmware and everything was running perfectly again. So obviously the DHCP relay was not working properly anymore.

Maybe someone has made a similar experience!? Any help with this issue would be highly appreciated...

 

Thanks

Stephan



#2 Gavin Chappell

Gavin Chappell
  • Moderators
  • 441 posts
  • Location: Nottingham, UK

Posted 10 March 2020 - 04:51 AM   Best Answer

Did you see the release notes item about VLAN header re-ordering? There was a bug in older firmware that meant the behaviour of the checkbox was inverted (so unchecked meant it was enabled). On a firmware upgrade it may be the case that this checkbox remains unchecked, which now means DISabled. If you have VLANs configured on your firewall, then you may need to enable this option after the upgrade and do a network activation.



#3 Peter Schimscha

Peter Schimscha
  • Members
  • 18 posts
  • Location: Vienna, 1190

Posted 10 March 2020 - 04:56 AM

Hi,

Just enable Header Reordering on the VLAN where the DHCP requests hit the FW.

It's part of the migration notes, although it wasn't stated clearly why this is necessary in the beginning.

Rgds, Peter.

 



#4 Stephan Glaser

Stephan Glaser
  • Members
  • 7 posts

Posted 10 March 2020 - 05:16 AM

Thanks for the hint, I just checked and Header Reordering was disabled on all the VLANs. I enabled it and will try to see if it works. Unfortunately I can't do so now without getting an angry mob of coworkers after me  ;) . Will try after closing time and give you feedback.

 

I promise, next time I will read the migration notes more carefully...  :rolleyes:



#5 Stephan Glaser

Stephan Glaser
  • Members
  • 7 posts

Posted 10 March 2020 - 08:11 AM

While waiting for closing time I did a little reading which raised two further questions you guys maybe can help me with:

 

1. The HowTo-guide https://campus.barra...cp-relay-agent/ says that I have to create a Forwarding Rule in order to get DHCPR to work. But I don't know if this is really necessary, in fact there is a corresponding Host Rule (OP-SRV-DHCP) which seems to do the job. I deactivated my Forwarding Rule and it's still working!? So I think the extra Forwarding Rule is obsolete. Can anybody confirm this?

 

2. When configuring the DHCPR there's an option to specify a Service IP - but you can't! The only option I can choose is "All-IPs". I would like to specify Explicit Service IPs but this section is greyed out. It's on both firmware-versions 7.2.2 and 8.0.2. Sure I could mess around with the corresponding Host Rule but I don't think that's the way it should work...

 

Btw, it's my first time in this forum and you guys are quite awesome! Keep up the good work!



#6 Gavin Chappell

Gavin Chappell
  • Moderators
  • 441 posts
  • Location: Nottingham, UK

Posted 10 March 2020 - 08:13 AM

The DHCP service listens on all IPs, yes - however it will only respond to DHCP requests on subnets you have configured. So if you have (for example) an F80a appliance with 4 ports, and only P2 is configured as a LAN network with a DHCP server, the DHCP daemon will technically listen on all IPs (including the management IP) but it will only respond to requests that arrive on the P2 interface (either by a broadcast contained within that broadcast domain, or a unicast with the destination being the shared service IP on the network on P2).



#7 Stefan Hora

Stefan Hora
  • Barracuda Guru
  • 153 posts

Posted 10 March 2020 - 04:39 PM

While waiting for closing time I did a little reading which raised two further questions you guys maybe can help me with:

 

1. The HowTo-guide https://campus.barra...cp-relay-agent/ says that I have to create a Forwarding Rule in order to get DHCPR to work. But I don't know if this is really necessary, in fact there is a corresponding Host Rule (OP-SRV-DHCP) which seems to do the job. I deactivated my Forwarding Rule and it's still working!? So I think the extra Forwarding Rule is obsolete. Can anybody confirm this?

 

 

DHCP clients usually send a unicast DHCP packet to the DHCP server that served the client, before the lease expires, to extend the lease.
Since this is a normal unicast packet which is sent from the client IP directly to the DHCP server IP, it hits the Forwarding Firewall.
The DHCP-Relay is used to handle the broadcast messages when the client has not yet got an IP.

 

If you don't have the Forwarding Rule, then the lease expires and the client requests an IP again via normal DHCP.
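
The split described in the post above, as an added example that is not part of the original thread: it parses DHCP payloads and reports whether a client packet is a broadcast that the relay has to pick up or a unicast renewal that must be allowed by a forwarding rule. The payloads, addresses and the `build_dhcp`, `parse_dhcp` and `handled_by` helpers are constructed for illustration and are not Barracuda code.

```python
import socket
import struct

MAGIC = b"\x63\x82\x53\x63"                      # DHCP magic cookie (RFC 2131)
TYPES = {1: "DISCOVER", 2: "OFFER", 3: "REQUEST", 5: "ACK"}

def build_dhcp(msg_type, ciaddr="0.0.0.0", giaddr="0.0.0.0"):
    """Build a minimal BOOTREQUEST payload (constructed sample data)."""
    hdr = struct.pack("!BBBBIHH", 1, 1, 6, 0, 0x1234ABCD, 0, 0)
    # ciaddr, then yiaddr + siaddr left at zero, then giaddr
    addrs = socket.inet_aton(ciaddr) + bytes(8) + socket.inet_aton(giaddr)
    chaddr = bytes.fromhex("020000000001") + bytes(10)
    # sname (64) + file (128) are empty; option 53 carries the message type
    return hdr + addrs + chaddr + bytes(192) + MAGIC + bytes([53, 1, msg_type, 255])

def parse_dhcp(payload):
    """Return ciaddr, giaddr and the message type (option 53) of a payload."""
    if len(payload) < 240 or payload[236:240] != MAGIC:
        raise ValueError("not a DHCP payload")
    i, msg_type = 240, None
    while i + 1 < len(payload) and payload[i] != 255:   # 255 = end option
        if payload[i] == 0:                             # pad option, no length
            i += 1
            continue
        code, length = payload[i], payload[i + 1]
        if code == 53 and length == 1 and i + 2 < len(payload):
            msg_type = payload[i + 2]
        i += 2 + length
    return {"ciaddr": socket.inet_ntoa(payload[12:16]),
            "giaddr": socket.inet_ntoa(payload[24:28]),
            "type": TYPES.get(msg_type, "UNKNOWN")}

def handled_by(dst_ip, payload):
    """Name the component that has to pass this client packet."""
    msg = parse_dhcp(payload)
    if dst_ip == "255.255.255.255":
        return "dhcp-relay"             # broadcast from a client without a lease
    if msg["type"] == "REQUEST" and msg["ciaddr"] != "0.0.0.0":
        return "forwarding-firewall"    # unicast renewal, routed like other traffic
    return "other"

if __name__ == "__main__":
    # Constructed addresses: client 10.0.10.50, DHCP server 10.0.20.5
    print(handled_by("255.255.255.255", build_dhcp(1)))
    print(handled_by("10.0.20.5", build_dhcp(3, ciaddr="10.0.10.50")))
```

Running the same classification over a capture taken on the client VLAN shows which of the two paths is failing: missing replies to broadcasts point at the relay, missing replies to unicast renewals point at the forwarding ruleset.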



#8 Stephan Glaser

Stephan Glaser
  • Members
  • 7 posts

Posted 17 March 2020 - 07:09 AM

Thanks for all your help. I used a maintenance slot today to switch the Firewalls and now everything works like a charm.



#9 dpa

dpa
  • Members
  • 1 posts

Posted 14 May 2020 - 05:00 PM

Hi all, 

 

I just upgraded to 8.0.3-0137 and my Relay Service stopped working on all boxes. With 8.0.2 it was still working. I don't have VLANs configured, so header reorder does not have any impact.

I wiresharked my DHCP and only see discover packets which are never replied to by our MS DHCP server.

With the old version it worked perfectly.

I am really stuck here and my only workaround is to set up local DHCP services on every box.

 

Any ideas? 

 

Thanks  Christian