This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Polina
Explorer
Tuesday

DHCP Relay Issue

Hello,

Could you please help me with a DHCP Relay issue? We have a bond interface and several VLAN interfaces added to it. DHCP Relay is configured for each VLANs.
When traffic passes through one cluster node, DHCP Relay works correctly, but when another node becomes active, clients in one VLAN stop receiving addresses from the DHCP server. This issue only affects one VLAN; in all other networks, DHCP Relay works correctly on both cluster nodes.

We've already tried several SK methods to resolve the issue, but nothing works.
The strange thing is that both cluster members are configured identically.

Has anyone seen similar issues? Or are there any solutions for fixing this?

0 Kudos
10 Replies
WiliRGasparetto
Contributor
Tuesday

Hi Polina, have you already checked the DHCP traffic?

Check DHCP traffic arriving on the VLAN (client → gateway):

tcpdump -eni bondX.<VLAN> -vv udp port 67 or 68

Check DHCP relay traffic leaving towards the server (gateway → server):

tcpdump -eni <iface-to-dhcp-server> -vv udp port 67 or 68

If on member B you do not see the DHCPDISCOVER broadcast reaching the VLAN sub-interface, then it points to an L2/tagging/trunk issue.

If you can, please share the relevant tcpdump output/logs so we can review them and help you more effectively.

0 Kudos
Polina
Explorer
yesterday
In response to WiliRGasparetto

Hello
Currently, we've only checked traffic on the interface (gateway → server). We're awaiting results on the client-facing interface.

The dump shows DHCP Discover and DHCP Offer packets. The DHCP Offer packet arrives at the cluster's VIP address. I've attached a screenshot.

Checked fw ctl zdebug + drop:
fw_log_drop_ex: Packet proto=17 IP_DHCP Server :67 -> VIP address :67 dropped by fw_handle_first_packet Reason: fwconn_key_init_links (INBOUND) failed;

Scenario 3, sk97642, matches our symptoms. We added NAT rules as described in sk. But this did not bring results. Further, sk97642 (scenario 3) suggests changing the table.def file, but we're concerned that this change will disrupt DHCP Relay operation on other subnets where it works correctly.

On both cluster nodes:
# fw ctl get int fwx_dhcp_relay_nat
1

#routed:instance:default:bootpgw:interface:bondХ.Х t
#routed:instance:default:bootpgw:interface:bondХ.Х:primary VIP address
#routed:instance:default:bootpgw:interface:bond77.77:relayto:host: IP_DHCP Server t

Thank you for your answers.
Preview file
27 KB
0 Kudos
the_rock
MVP Diamond
MVP Diamond
yesterday
In response to Polina

Based on that drop, did you make sure relevant services/protocols are configured in the rule?

Best,
Andy
0 Kudos
WiliRGasparetto
Contributor
Tuesday

To tell you the “most likely root cause” without guessing, please send me these 4 pieces of evidence:

  1. Version: R80.40 / R81.10 / R81.20 / R82 + JHF/take

  2. Screenshot/output of the DHCP Relay configuration for the affected VLAN only (including Primary Address, if configured)

  3. Output of fw ctl get int fwx_dhcp_relay_nat on both cluster members

  4. Two 20–30 second tcpdumps during failover (good member vs bad member): one on the VLAN sub-interface and one on the interface towards the DHCP server

0 Kudos
the_rock
MVP Diamond
MVP Diamond
Wednesday

This is the abbreviation often used when it comes to dhcp:

Detailed Breakdown of the DORA Process:
  • Discover (DHCPDISCOVER): The client sends a broadcast message on the network to locate available DHCP servers.
  • Offer (DHCPOFFER): The server receives the request and sends a unicast or broadcast offer containing an IP address, subnet mask, default gateway, and DNS information.
  • Request (DHCPREQUEST): The client accepts the offer and broadcasts a request, notifying the server (and others) that it will use that specific IP address.
  • Acknowledge (DHCPACK): The server sends a final confirmation (unicast) to the client, authorizing the lease and completing the process.

Now, here is what I would do...can you run tcpdump/fw monitor and see where this exactly fails? That will 100% tell you why its not working. Also, I would make sure config matches the working firewall. Sometimes, people may forget, specially if they worked long time with another vendor (ie Fortinet for example), that in such case, there is no VIP, everything is replicated automatically from master to backup fw, unlike Check Point, where you would need to ensure it is the same.

Best,
Andy
0 Kudos
Vincent_Bacher
MVP Silver
MVP Silver
Wednesday
In response to the_rock

Hi Andy,

For the sake of completeness, I would like to clarify something. It cannot be said outright that FortiGate does not have a VIP. Rather, in the standard configuration, there is ONLY the VIP located on the active node, and the nodes themselves do not have their own IP, but this can be configured.
brV

P.S. You really gave me a fright. I currently hear DORA as something completely different and it constantly annoys me, given the effort we're putting into it: Digital Operational Resilience Act.

and now to something completely different - CCVS, CCAS, CCTE, CCCS, CCSM elite
the_rock
MVP Diamond
MVP Diamond
Thursday
In response to Vincent_Bacher

Haha...or the kid in us can reference it to Dora the explorer 😂

Anywho, you are absolutely right about Fortigate VIP. I more meant you dont need additional IP like you would in smart console to create cluster object and you would not need to enable management HA (believe they call it for Fortinet), unless you really wanted to be always able to log into backup firewall as well.

Best,
Andy
0 Kudos
Vincent_Bacher
MVP Silver
MVP Silver
Thursday
In response to the_rock

I had always preferred to be able to log in directly to both devices. However, as we also have less experienced colleagues, I have started to recommend doing it by default and then just execute ha manage …. To hop to the slave, then less can be broken.

and now to something completely different - CCVS, CCAS, CCTE, CCCS, CCSM elite
0 Kudos
the_rock
MVP Diamond
MVP Diamond
Thursday
In response to Vincent_Bacher

Honestly, Im the same way. That tripped me once so bad when my colleague and I (at my previous job) were troubloeshooting Cisco failover. We assumed (wrongly obviously) that it worked same way like Check Point, which it does not, so took us a bit of time to get it right. Im sure Cisco TAC guy had a laugh after, but hey, all good...once we got it, all was fine : - )

Best,
Andy
0 Kudos
the_rock
MVP Diamond
MVP Diamond
Friday

Hey @Polina 

Any luck with this?

Best,
Andy
0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    In-Person

    Tue 24 Feb 2026 @ 04:30 PM (EST)

    Las Vegas: MDR/XMDR
    In-Person

    Wed 25 Feb 2026 @ 04:30 PM (MST)

    Tempe, AZ: MDR/MXDR
    CheckMates Events