topic Re: VSX Gateway is using internal IP in DHCP relay connections in Firewall and Security Management

VSX Gateway is using internal IP in DHCP relay connections

Franktum — Wed, 14 Feb 2024 08:52:06 GMT

Hi all:

Yesterday we upgraded a VSX Gateway from R80.40 to R81.10 Take 130. Today most of the users cannot get IP from DHCP. The gateway has configured DHCP relay on the interface, the config is still ok, survived to the upgrade, but in most of the DHCP requests, it's sending the unicast packets to DHCP servers with internal IP address, instead of the IP of Gateway Address.

We checked the value of the variable fw ctl get int fwx_dhcp_relay_nat, it's 0.

We are checking this article, https://support.checkpoint.com/results/sk/sk97642, but no luck so far.

Any ideas?

Thank you

Re: VSX Gateway is using internal IP in DHCP relay connections

Alex- — Wed, 14 Feb 2024 11:42:47 GMT

By internal address, I suppose you mean the internal VSX communication network.

I had this occurence with R81+ gateways and ended up crating manual NAT entries for the relevant interfaces IP to use the VS IP for DHCP services.

Re: VSX Gateway is using internal IP in DHCP relay connections

emmap — Thu, 15 Feb 2024 03:23:59 GMT

Is there a 'no-nat' rule that might be accidently causing this?

Re: VSX Gateway is using internal IP in DHCP relay connections

Franktum — Thu, 15 Feb 2024 07:25:54 GMT

Hi,

The root of the issue was a custom configuration in table.def management file:

no_hide_services_ports = { <4500,17>, <500, 17>, <259, 17>, <1701, 17>, <5500, 17>, <67, 17>, <68, 17>};

no_fold_services_ports = { <4500,17>, <500, 17>, <259, 17>, <1701, 17> , <67, 17>, <68, 17> };

It was working for years with previous versions but with R81.10 it didn't. Once we deleted the bootp ports from the file the problem was fixed.

Regards