Nor, for a few reasons. The first time was an environment which makes extensive use of DHCP services and needed to have the thing solved immediately. Another occurrence, I had more time to troubleshoot but I'd rather not mess with the new services policy which worked for more than a year on R80.30 for a workaround based on an old version unless I get confirmation from TAC this is the same issue, as the SK mentions specifically R80.10 and not "All".

Take 118, but I got the issue with previous takes as well.

Hi,

We are experiencing exactly the same issue. followed the SK's mentioned without success. Already did a remote session with TAC but they are pushing on the SK articles but also without success. We escalated the ticket in order to get it fixed. Let's keep each other updated about a possible solution.

Thanks!

I've seen log entries for DHCP Denial of Service in the IPS blade for this VLAN, but they date from 4 days ago and nothing since.

Before doing the first failover, I created an exception which didn't help.

nothing as of 4 days as in:

- no new IPS drops

- or no DHCP logs from that VLAN at all anymore

in my case it was 1 IPS drop and then completely no DHCP logs anymore until the "stuck" connection was released

No IPS logs since 4 days, but firewall logs matching dhcp-request broadcasts on the interface until the day of the issue.

Hi,

Adding an exception on that specific traffic worked for me! error messages are gone and DHCP is working flawlessly again.

Best Regards,

Maarten Lutterman

Hi Maarten,

Did you make an exception for CVE-2004-0899? This is the IPS entry I've seen once before doing the reboots but nothing since and the thing seems stable for now.

Alex

I made an exception for all DHCP Request traffic from the specific subnet to the DHCP server to narrow it down. Not one particular protection, but it was indeed the CVE-2004-0899.

Best Regards,

Maarten 

I did have the IPS protection kick in for the broadcast, so not the subnet per se but I will see if it holds.

And the issue reappeared after approximately a week with the same messages, even though there is the IPS exception and the systems were rebooted. I could pull out more information this time so I'll follow with TAC.

@Alex- Do you still see the: @;61223438;[vs_1];[tid_2];[fw4_2];fw_log_drop_ex: Packet proto=17 x.x.x.x:67 -> x.x.x.x:67 dropped by fwpslglue_chain Reason: PSL Drop: ASPII_MT; errors when doing a fw ctl zdebug + drop? The moment I added the exception these errors disappeared from my debug log. Maybe also add the subnets to the exception not only broadcast for DHCP renewals?

TAC has us only add the broadcast object to and from the DHCP server in the ruling, they didn't had any further advice for us. I

Please keep us posted if you found the solution.😁

Hello,

we have a similar problem with a fresh R80.40 Cluster that was not upgraded before from an older version. After the Update from take 91 to 120 the problem appeared, we observed that the firewall is silently dropping the DHCP reply packets from the DHCP Server. A fallback to take 91 fixed the issue for us at the Moment. We don‘t understand what is changing between the takes that is causing the DHCP relay feature to stop working as expected. Has somebody already got an answer / Solution  from TAC? 

Hi,

This looks like a new problem, we also have a customer running on R80.40 take 120 with DHCP issues. So have to open another ticket at TAC in order to get this fixed. For now we will fallback to a previous take.

Best regards,

Maarten