Office Mode IP allocation for VPN users from DHCP server

mkushner — Tue, 07 Dec 2021 10:19:06 GMT

Hi,

While implementing OM IP allocation for VPN users, we discovered an issue with having a DHCP server allocate IP addresses. We are running R81.

We have a pair of Windows DHCP servers which distribute IP addresses to all different clients in the LAN (telephones and computers).

Checkpoint only allows defining one DHCP server in Office Mode configuration. We chose one of the DHCP servers, but noticed that some users were not able to receive IP addresses (error appears on client and in logs). When we switched to second DHCP server, clients that were able to receive from first server were now not able to have IP address allocated.

It was not consistent. Some users did succeed. Others did not.

It took a while, but we found the cause of the problem:

https://get-cmd.com/?p=3471

In DHCP failover, the client messages which are broadcast are received by both the DHCP failover servers. However, only one server responds to the client messages. In case of load balance mode, the servers will hash the MAC address of a DHCP client to establish which of them must respond. In hot standby mode, only the active server responds. In both cases, the DHCP server which does not respond to the client logs this message in the audit log.

If the hash of the laptop belongs to the server not defined in the firewall, then IP allocation will fail.

For now, we have removed the scope from the second DHCP server, such that only one server will allocate IP addresses for the VPN OM scope. This server is defined in Firewall OM configuration.

There is a "hotstandby" option where the second DHCP will take over the scope only if the primary server fails. However, the IP address of the DHCP in the firewall will still need to be changed manually. We haven't found a fully automatic solution.

Note: When we configure DHCP Relay Addresses for LAN DHCP allocation, we configure both DHCP servers. Since both receive the request, both will hash the MAC address and decide if to answer or not. It is not possible to configure two DHCP ervers in Office Mode configuration.

Maybe a feature request for Checkpoint.

Hope this helps someone.

micha

Re: Office Mode IP allocation for VPN users from DHCP server

PhoneBoy — Tue, 14 Dec 2021 06:22:54 GMT

This definitely sounds like an RFE.

Re: Office Mode IP allocation for VPN users from DHCP server

Hrvoje_Brlek — Tue, 18 Apr 2023 07:48:35 GMT

@mkushner @PhoneBoy any news on this question, can you check if any kind of RFE has been submitted?

We are facing the same situation, that's why we are still sticking to the CP built-in DHCP. and not migrating to Windows DHCP.

Re: Office Mode IP allocation for VPN users from DHCP server

Chris_Atkinson — Tue, 18 Apr 2023 08:42:50 GMT

If you have a similar requirement definitely talk to your local CP SE about raising an RFE to help support it.

Re: Office Mode IP allocation for VPN users from DHCP server

PhoneBoy — Wed, 19 Apr 2023 17:39:54 GMT

Unless we happen to have knowledge of an RFE through other means (e.g. SK articles), the community team has no visibility into RFEs.
The best course of action is to engage with your local Check Point office.

topic Re: Office Mode IP allocation for VPN users from DHCP server in SASE and Remote Access

Office Mode IP allocation for VPN users from DHCP server

Re: Office Mode IP allocation for VPN users from DHCP server

Re: Office Mode IP allocation for VPN users from DHCP server

Re: Office Mode IP allocation for VPN users from DHCP server

Re: Office Mode IP allocation for VPN users from DHCP server