Hi,
While implementing OM IP allocation for VPN users, we discovered an issue with having a DHCP server allocate IP addresses. We are running R81.
We have a pair of Windows DHCP servers which distribute IP addresses to all different clients in the LAN (telephones and computers).
Checkpoint only allows defining one DHCP server in Office Mode configuration. We chose one of the DHCP servers, but noticed that some users were not able to receive IP addresses (error appears on client and in logs). When we switched to second DHCP server, clients that were able to receive from first server were now not able to have IP address allocated.
It was not consistent. Some users did succeed. Others did not.
It took a while, but we found the cause of the problem:
https://get-cmd.com/?p=3471
In DHCP failover, the client messages which are broadcast are received by both the DHCP failover servers. However, only one server responds to the client messages. In case of load balance mode, the servers will hash the MAC address of a DHCP client to establish which of them must respond. In hot standby mode, only the active server responds. In both cases, the DHCP server which does not respond to the client logs this message in the audit log.
If the hash of the laptop belongs to the server not defined in the firewall, then IP allocation will fail.
For now, we have removed the scope from the second DHCP server, such that only one server will allocate IP addresses for the VPN OM scope. This server is defined in Firewall OM configuration.
There is a "hotstandby" option where the second DHCP will take over the scope only if the primary server fails. However, the IP address of the DHCP in the firewall will still need to be changed manually. We haven't found a fully automatic solution.
Note: When we configure DHCP Relay Addresses for LAN DHCP allocation, we configure both DHCP servers. Since both receive the request, both will hash the MAC address and decide if to answer or not. It is not possible to configure two DHCP ervers in Office Mode configuration.
Maybe a feature request for Checkpoint.
Hope this helps someone.
micha