Fortigate DHCP Issues

Forums › 2degrees (including Slingshot, Orcon, Flip, Stuff Fibre, MyRepublic, 2talk and Vocus) › Fortigate DHCP Issues

yumcimil

179 posts

Master Geek
+1 received by user: 14

#259729 17-Oct-2019 22:27

The Orcon-provided router works just fine. Trying to use a FG-60E instead. :)

I've just switched across to Orcon from My Republic, and my DHCP issues with my Fortigate 60E appear to have followed along. It does not appear to get a DHCP lease. With My Republic, it never even saw a DHCP offer. Under Orcon, I'm seeing the offer, and sending the request back, but never getting the acknowledgement.

The issue originally began randomly about three weeks ago with My Republic, and their first level guys said they'd had another fortigate user with the same issue recently.

The Fortigate happily gets a DHCP lease from LAN-based sources, but very definitely hates anything coming out of the ONT - it had been running fine for months. Any ideas/other people in the same boat? Packet capture attached.

1 | 2

320 posts

Ultimate Geek
+1 received by user: 39

#2339987 18-Oct-2019 08:31

VLAN tagging?

I can't see the packet capture attached.

Cheers

networkn

Networkn
32871 posts

Uber Geek
+1 received by user: 15463

ID Verified

Trusted

Lifetime subscriber

#2339988 18-Oct-2019 08:33

I have just put a 60E in my own environment which is Orcon gigabit fibre and I had a 30e for the past couple of weeks, and no issues with dhcp, since installing the FG's I have had slow arp updates across all my devices for a reason not apparent.

What firmware version? I am on 6.x I had 6.2 on the 30e but this 60E is 6.0 something I think. Neither had any issues getting IP from Orcon, though mine is static.

You have your WAN plugged in and a new virtual interface with a VLAN 10 set?

fsecurity

17 posts

Geek
+1 received by user: 4

ID Verified

Trusted

#2340129 18-Oct-2019 12:13

I’ve had this exact problem with several juniper SRX series firewalls. I’ve had them working, then after a power outage I send countless DHCP requests but never receive an offer. Plug a Mac or PC in and you get a DHCP lease no problem, then all of a sudden after a week or two you plug in the SRX and it magically works. I’ve tried this with older SRX110s and SRX220s running legacy code, and my modern SRX300 with recommended releases - same result every time. Something appears to be going on with MyRepublics BNG/DHCP server. Unfortunately their technical support for this kind of issue is pretty bad, I’ve tried to provide packet dumps and get a engineer on the phone but no luck.

yumcimil

179 posts

Master Geek
+1 received by user: 14

#2340139 18-Oct-2019 12:38

With more link!

https://drive.google.com/a/kablooey.co.nz/file/d/1-9fBsNNz9znFHgkDRgiYkn85eXjYozUF/view?usp=drivesdk

yumcimil

179 posts

Master Geek
+1 received by user: 14

#2340140 18-Oct-2019 12:51

Yeah. I literally had an email from my Republics engineer asking for packet caps the day Orcon. Hopefully Orcon are more helpful. It's definitely a weird one though.

LennonNZ

2459 posts

Uber Geek
+1 received by user: 411

ID Verified

Trusted

#2340147 18-Oct-2019 13:45

It may be the Fortigate is sending a 802.1p COS or something which the UFB network is dropping.. I have requested access of the file but what is 801.p value being sent out...?

Lenovo

Shop now for Lenovo laptops and other devices (affiliate link).

Sounddude

I fix stuff!
1935 posts

Uber Geek
+1 received by user: 640

Trusted

2degrees

Lifetime subscriber

#2340148 18-Oct-2019 13:54

Josh? :-) Long time if it is :-)

PM me your details and I can look at the logs for you.

yumcimil

179 posts

Master Geek
+1 received by user: 14

#2340359 18-Oct-2019 19:56

Sup!

Lennon - Access is fixed, sorry about that. :)

Will provide customer details shortly.

LennonNZ

2459 posts

Uber Geek
+1 received by user: 411

ID Verified

Trusted

#2340363 18-Oct-2019 20:07

Having a quick look .. it seems a standard DHCP request/offer but after the offer the fortinet is ignoring/not accepting the offer.

Maybe turn on logging/updating to latest version/check bugs on existing firmware version. Apart from that I really can't help.

networkn

Networkn
32871 posts

Uber Geek
+1 received by user: 15463

ID Verified

Trusted

Lifetime subscriber

#2340364 18-Oct-2019 20:14

So to confirm, the capture has been sent to Fortinet for analysis with a support ticket? As a new partner I am keen to see how they resolve this.

Sounddude

I fix stuff!
1935 posts

Uber Geek
+1 received by user: 640

Trusted

2degrees

Lifetime subscriber

#2340366 18-Oct-2019 20:26

Looking at the pcap file, the DHCP packet is not being framed with 802.1q.

We expect the dhcp packet to be tagged with vlan 10.

Quic Broadband

Move to New Zealand's best fibre broadband service (affiliate link). Free setup code: R587125ERQ6VE. Note that to use Quic Broadband you must be comfortable with configuring your own router.

networkn

Networkn
32871 posts

Uber Geek
+1 received by user: 15463

ID Verified

Trusted

Lifetime subscriber

#2340372 18-Oct-2019 20:35

Sounddude:

Looking at the pcap file, the DHCP packet is not being framed with 802.1q.

We expect the dhcp packet to be tagged with vlan 10.

OP are you sure you have a virtual interface added to your WAN Interface?

As a reference.

I assume you have, but just in case....

LennonNZ

2459 posts

Uber Geek
+1 received by user: 411

ID Verified

Trusted

#2340381 18-Oct-2019 21:08

The dump may be done on VLAN 10, not on the raw interface so you might not see the VLAN tag.

This may help with debugging if it works on your fortinet.

https://kb.fortinet.com/kb/documentLink.do?externalID=FD30879

yumcimil

179 posts

Master Geek
+1 received by user: 14

#2341177 21-Oct-2019 08:35

Sounddude:

Looking at the pcap file, the DHCP packet is not being framed with 802.1q.

We expect the dhcp packet to be tagged with vlan 10.

Was certainly meant to be. Will double-check tonight and post config.

yumcimil

179 posts

Master Geek
+1 received by user: 14

#2341179 21-Oct-2019 08:39

networkn:

So to confirm, the capture has been sent to Fortinet for analysis with a support ticket? As a new partner I am keen to see how they resolve this.

Yeah, we're in the same boat. I used some of my training budget to buy one for home via NFR. Going to see how we go with logging the ticket today (Last week was Kawaiicon).

1 | 2