This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Johannes_Schoen
Collaborator
‎2018-07-11 02:51 AM
Jump to solution

Faulty DHCP Relay (dropped)

Hello Community,

I got a Check Point 5800 VRRP Cluster and need to define a DHCP relay for one ip-network.
I configured the DHCP-Relay according to the admin-guide on both gaias and the firewall policies are established as well (stealth-rule any,any,accpept anyway). As primary address I configured the VRRP VIP.

It doesn't work.

If I have a look on the monitoring-tab, I can see:

Dropped -
No bootp relay on in interface: 4510

Does anybody experienced similar problems?
I have no idea how to troubleshoot this and the error-message cannot be found in the check point support area.

I use Gaia R77.30 Take 302

I'm looking forward for any ideas/hints

Best Regards

Johannes

0 Kudos
1 Solution

Accepted Solutions
Johannes_Schoen
Collaborator
‎2018-07-13 02:39 AM
Jump to solution

Okay, issue solved - there was a routing issue and so the servers were not reachable from a specific virtual router inside the core switch.

I thought the error-messages in the dhcp-relay monitor where targeting to something else, but that is clear now.

Thanks for your suggestions.

View solution in original post

0 Kudos
5 Replies
PhoneBoy
Admin
Admin
‎2018-07-11 06:04 AM
Jump to solution

Have you tried some of the troubleshooting steps here?

Troubleshooting DHCP Relay Issues 

Maarten_Sjouw
Champion
Champion
‎2018-07-12 10:31 AM
Jump to solution

Can you share the output of: show configuration bootp

Also did you add a rule allowing traffic from any to 255.255.255.255 with service dhcp_req ?

There are some changes in the way GAIA since R77.20 is handling DHCP-Relay. check sk104114 Configuration of IPv4 BOOTP/DHCP Relay using new services and sk98839 Configuration of IPv4 BOOTP/DHCP Relay using legacy services to see the differences.

Regards, Maarten
0 Kudos
Johannes_Schoen
Collaborator
‎2018-07-12 11:55 PM
In response to Maarten_Sjouw
Jump to solution

Dear Maarten,

there are rules to allow DHCP from any to the broadcast address and from the bond1.x network to the dhcp server as well.

Check Point> show configuration bootp
set bootp interface bond1.x relay-to <dhcp-server> on
set bootp interface bond1.x primary <vrrp-vip of bond1.x> wait-time default on
set bootp interface bond1.x maxhopcount 15

When I enable the bootp traces, I can see, that the discover-request arrive at the bond1.x interface and are forwarded to the dhcp-server.

On the outgoing interface, I cannot see any dhcp requests.

Best Regards

Chacko

0 Kudos
Johannes_Schoen
Collaborator
‎2018-07-12 11:56 PM
Jump to solution

Little update:

"No bootp relay on in interface" warning means, there are dhcp recoverys reaching the Check Point interface, but there is nothing configured.

0 Kudos
Johannes_Schoen
Collaborator
‎2018-07-13 02:39 AM
Jump to solution

Okay, issue solved - there was a routing issue and so the servers were not reachable from a specific virtual router inside the core switch.

I thought the error-messages in the dhcp-relay monitor where targeting to something else, but that is clear now.

Thanks for your suggestions.

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events