PIX 501 firewall as DHCP Server

VSAT Modem ==> Pix 501 as DHCPServer ==> WRT54GS Linksys wireless Router ==> Clients
I am trying to implement the above setup for my wireless network but unfortunately my Linksys router is not able to access the internet through the PIX 501. Please advise the solution.

Hi, [PLS RATE if HELPS]
I agree with Spremkumar's comments.
Basic DHCP Services Config in PIX:
Configure the PIX such that users on the inside network that are configured for DHCP receive an IP address, WINS, DNS and default gateway.
PIX1(config)#dhcpd address 192.168.1.100-192.168.1.200
PIX1(config)#dhcpd dns
PIX1(config)#dhcpd domain
PIX1(config)#dhcpd wins
PIX1(config)#dhcpd enable inside
1. Connect a PC/Laptop to the inside Interface via which the IP Address is leased.
2. Why do you need a Router between the PIX (as DHCP Server) and Clients?
3. At last, can you check whether the Outside Interface is connected to the VSAT Modem and the Inside Interface to the Wireless Router (if must) or a Client (for testing)?
Please refer to the sample configuration above for your help and provide more information on your requirement.
Best Regards,
Guru Prasad R

Similar Messages

  • ASA as DHCP server for WLC2106 and LAP

    Hi,
    First off I apologize for asking something that seems to have been asked before but I am getting conflicting answers and wanted someone to give a definitive answer.
    Setup:
         ASA5505  ---------------- WS-C3750G -----------------WLC2106  -------------------------------AIR-LAP1131
    (DHCP SERVER)           (simple config)          (dhcp proxy disabled)           (is requesting dhcp from ASA)
    ASA5505 - ASA 8.2(1)
    WLC2106 - 7.0.98.0 (tried 6.0.99.4 as well)
    AIR-LAP1131 - 12.4(23c)JA
    Problem:
    The ASA5505 is giving addresses to multiple devices, I tested it with the AP plugged directly into the ASA and it worked great.  The problem is that the WLC2106 seems to be altering the DHCP requests somehow and thus making the ASA5505 not respond to them.  The AP gets an IP address and associates to the WLC if plugged into the 3750, or the ASA directly.  Just not when plugged into the WLC2106 ports.
    Research:
    https://supportforums.cisco.com/message/1268269#1268269
    https://supportforums.cisco.com/message/3037259#3037259
    https://supportforums.cisco.com/message/1302468#1302468
    https://supportforums.cisco.com/message/926529#926529
    I have read quite a few posts with people basically saying you cannot use the ASA as the DHCP server with the WLC because of how the WLC relays the requests.  BUT: (this is important)  There are some documents that say with WLC version 4.2 and above you have the option of turning off DHCP proxy mode to enable bridging mode, thus eliminating the problem, and all DHCP requests get forwarded without modification.  Please see here for the suggested solution to this issue:
    http://www.cisco.com/en/US/products/ps6366/products_tech_note09186a0080af5d13.shtml#topic2
    *Interoperability issues can exist between a controller with DHCP proxy enabled and devices acting as both a firewall and DHCP server. This is most likely due to the firewall component of the device as firewalls generally do not respond to proxy requests. To work around this issue, disable DHCP proxy on the controller.
    Help please:
    I have tried this but maybe I'm missing something.  I have tried with proxy enabled and disabled.  Can anyone verify this is supposed to work for me please?  I input "config dhcp proxy disable" and verified proxy is now disabled.  Yet I do not see any responses from my DHCP server to my AP's requests when going through the WLC.  It works fine when plugging the AP into the ASA or 3750.  DHCP server is working.  Is the above suggested workaround not a valid solution?  Did I miss something?  Do I need specific software versions on my devices?  Is this a bug in my software versions?
    Any help is greatly appreciated.  Let me know if anyone has questions.  Thanks,
    Kyle

    I do not see any debug output on the ASA5505 when the AP is connected through the WLC.  Debug output from WLC2106 below:
    (Cisco Controller) >show debug
    MAC debugging .............................. disabled
    Debug Flags Enabled:
      dhcp packet enabled.
    (Cisco Controller) >
    (Cisco Controller) >
    (Cisco Controller) >show dhcp proxy
    DHCP Proxy Behaviour: disabled bootp-broadcast disabled
    (Cisco Controller) >
    (Cisco Controller) >*DHCP Socket Task: Nov 16 10:56:39.931: 00:1d:a1:ed:c8:d4 DHCP received op BOOTREQUEST (1) (len 310,vlan 0, port 8, encap 0xec00)
    *DHCP Socket Task: Nov 16 10:56:39.932: 00:1d:a1:ed:c8:d4 DHCP processing DHCP DISCOVER (1)
    *DHCP Socket Task: Nov 16 10:56:39.932: 00:1d:a1:ed:c8:d4 DHCP   op: BOOTREQUEST, htype: Ethernet, hlen: 6, hops: 0
    *DHCP Socket Task: Nov 16 10:56:39.932: 00:1d:a1:ed:c8:d4 DHCP   xid: 0x126b (4715), secs: 0, flags: 80
    *DHCP Socket Task: Nov 16 10:56:39.932: 00:1d:a1:ed:c8:d4 DHCP   chaddr: 00:1d:a1:ed:c8:d4
    *DHCP Socket Task: Nov 16 10:56:39.933: 00:1d:a1:ed:c8:d4 DHCP   ciaddr: 0.0.0.0,  yiaddr: 0.0.0.0
    *DHCP Socket Task: Nov 16 10:56:39.933: 00:1d:a1:ed:c8:d4 DHCP   siaddr: 0.0.0.0,  giaddr: 0.0.0.0
    *DHCP Socket Task: Nov 16 10:56:39.933: 00:1d:a1:ed:c8:d4 DHCP dropping REQUEST from STA with invalid mobility state 'Unassociated' (0)
    *DHCP Socket Task: Nov 16 10:56:42.939: 00:1d:a1:ed:c8:d4 DHCP received op BOOTREQUEST (1) (len 310,vlan 0, port 8, encap 0xec00)
    *DHCP Socket Task: Nov 16 10:56:42.940: 00:1d:a1:ed:c8:d4 DHCP processing DHCP DISCOVER (1)
    *DHCP Socket Task: Nov 16 10:56:42.940: 00:1d:a1:ed:c8:d4 DHCP   op: BOOTREQUEST, htype: Ethernet, hlen: 6, hops: 0
    *DHCP Socket Task: Nov 16 10:56:42.940: 00:1d:a1:ed:c8:d4 DHCP   xid: 0x126b (4715), secs: 0, flags: 80
    *DHCP Socket Task: Nov 16 10:56:42.940: 00:1d:a1:ed:c8:d4 DHCP   chaddr: 00:1d:a1:ed:c8:d4
    *DHCP Socket Task: Nov 16 10:56:42.941: 00:1d:a1:ed:c8:d4 DHCP   ciaddr: 0.0.0.0,  yiaddr: 0.0.0.0
    *DHCP Socket Task: Nov 16 10:56:42.941: 00:1d:a1:ed:c8:d4 DHCP   siaddr: 0.0.0.0,  giaddr: 0.0.0.0
    *DHCP Socket Task: Nov 16 10:56:42.941: 00:1d:a1:ed:c8:d4 DHCP dropping REQUEST from STA with invalid mobility state 'Unassociated' (0)
    *DHCP Socket Task: Nov 16 10:56:46.938: 00:1d:a1:ed:c8:d4 DHCP received op BOOTREQUEST (1) (len 310,vlan 0, port 8, encap 0xec00)
    *DHCP Socket Task: Nov 16 10:56:46.938: 00:1d:a1:ed:c8:d4 DHCP processing DHCP DISCOVER (1)
    *DHCP Socket Task: Nov 16 10:56:46.938: 00:1d:a1:ed:c8:d4 DHCP   op: BOOTREQUEST, htype: Ethernet, hlen: 6, hops: 0
    *DHCP Socket Task: Nov 16 10:56:46.938: 00:1d:a1:ed:c8:d4 DHCP   xid: 0x126b (4715), secs: 0, flags: 80
    *DHCP Socket Task: Nov 16 10:56:46.939: 00:1d:a1:ed:c8:d4 DHCP   chaddr: 00:1d:a1:ed:c8:d4
    *DHCP Socket Task: Nov 16 10:56:46.939: 00:1d:a1:ed:c8:d4 DHCP   ciaddr: 0.0.0.0,  yiaddr: 0.0.0.0
    *DHCP Socket Task: Nov 16 10:56:46.939: 00:1d:a1:ed:c8:d4 DHCP   siaddr: 0.0.0.0,  giaddr: 0.0.0.0
    *DHCP Socket Task: Nov 16 10:56:46.939: 00:1d:a1:ed:c8:d4 DHCP dropping REQUEST from STA with invalid mobility state 'Unassociated' (0)
    *DHCP Socket Task: Nov 16 10:57:05.034: 00:1d:a1:ed:c8:d4 DHCP received op BOOTREQUEST (1) (len 310,vlan 0, port 8, encap 0xec00)
    *DHCP Socket Task: Nov 16 10:57:05.035: 00:1d:a1:ed:c8:d4 DHCP processing DHCP DISCOVER (1)
    *DHCP Socket Task: Nov 16 10:57:05.035: 00:1d:a1:ed:c8:d4 DHCP   op: BOOTREQUEST, htype: Ethernet, hlen: 6, hops: 0
    *DHCP Socket Task: Nov 16 10:57:05.035: 00:1d:a1:ed:c8:d4 DHCP   xid: 0x126c (4716), secs: 0, flags: 80
    *DHCP Socket Task: Nov 16 10:57:05.035: 00:1d:a1:ed:c8:d4 DHCP   chaddr: 00:1d:a1:ed:c8:d4
    *DHCP Socket Task: Nov 16 10:57:05.036: 00:1d:a1:ed:c8:d4 DHCP   ciaddr: 0.0.0.0,  yiaddr: 0.0.0.0
    *DHCP Socket Task: Nov 16 10:57:05.036: 00:1d:a1:ed:c8:d4 DHCP   siaddr: 0.0.0.0,  giaddr: 0.0.0.0
    *DHCP Socket Task: Nov 16 10:57:05.036: 00:1d:a1:ed:c8:d4 DHCP dropping REQUEST from STA with invalid mobility state 'Unassociated'
    It keeps seeing the Discover messages but never gets any response from the ASA.  What does that message mean "dropping REQUEST from STA with invalid mobility state 'Unassociated'" ?  I know the STA is the AP but why is it dropping the request?
    Here is the debug output from the ASA:
    ASA5505lab#  show debug
    debug dhcpd packet enabled at level 128
    debug dhcpd event enabled at level 128
    ASA5505lab#
    DHCPD: checking for expired leases.
    DHCPD: checking for expired leases.
    DHCPD: checking for expired leases.
    DHCPD: checking for expired leases.
    DHCPD: checking for expired leases.
    DHCPD: checking for expired leases.
    (IT NEVER SEES ANY MESSAGES OR SHOWS ME ANY BLOCKED REQUESTS OR ANYTHING)
    (Now if I move the AP to the PoE ports directly on the ASA5505 you will see the AP get an IP)
    DHCPD: Server msg received, fip=ANY, fport=0 on inside interface
    DHCPD: DHCPDISCOVER received from client 0100.1da1.edc8.d4 on interface inside.
    DHCPD: Sending DHCPOFFER to client 0100.1da1.edc8.d4 (192.168.143.4).
    DHCPD: Total # of raw options copied to outgoing DHCP message is 0.
    DHCPD: broadcasting BOOTREPLY to client 001d.a1ed.c8d4.
    DHCPD: Server msg received, fip=ANY, fport=0 on inside interface
    DHCPD: DHCPREQUEST received from client 0100.1da1.edc8.d4.
    DHCPD: Sending DHCPACK to client 0100.1da1.edc8.d4 (192.168.143.4).
    DHCPD: Total # of raw options copied to outgoing DHCP message is 0.
    DHCPD: broadcasting BOOTREPLY to client 001d.a1ed.c8d4.
    ASA5505lab#
    ASA5505lab# show dhcpd binding
    IP address       Hardware address        Lease expiration        Type
      192.168.143.4    0100.1da1.edc8.d4            3581 seconds    Automatic
      192.168.143.5  0063.6973.636f.2d30.           1911 seconds    Automatic
                     3031.662e.3965.6234.
                     2e35.3034.302d.566c.
                     31
    ASA5505lab#
    ASA5505lab#
    So the ASA5505 is working when the AP is plugged directly into the ASA or a 3750 on the same network.  Only when connected through the WLC do I not see any messages on the ASA.  Is there something else I need set up on the WLC2106 besides turning off DHCP proxy?
    Thanks,

  • Why does my Cisco router firewall block Windows Server 2012 traffic, but not Windows Server 2008 traffic?

    Hello,
       I run a small business network with five physical servers: three Dell servers running Windows Server 2008 R2, one custom build running 2008, and another custom build running 2012 with Domain Controller Role (same hardware for both custom builds). 
    The Dell servers are all running the Hyper-V role and each has a number of 2008 VMs.  I also have a 2012 VM with the Domain Controller Role on one of the Hyper-V servers and another VM with a completely base install of 2012.
       All servers are plugged into a Cisco SG300-52 switch which is uplinked to a Cisco 881 router which is connected to a cable TWC provided Ubee cable modem.  I have no VLANs setup.  I do have the Firewall on the router configured
    to inspect most traffic.
       Here is my problem:  I cannot connect to most of the internet on ANY 2012 server (and all exhibit the exact same behavior), but I have NO problems connecting to the internet from 2008 servers.  Here is what I already know:
       1.) I can ping the outside world just fine so ICMP is passing to any external host.
       2.) Two of the 2012 servers are DCs running DNS services and they can connect to the internet just fine for DNS requests because they are doing a perfectly good job of providing DNS services to my network.
       3.) Here's where it gets really weird: I can browse in internet explorer to Bing.com and it works.  I can also go to a couple other Microsoft websites (though they are very slow).  If I click on any link in Bing, however, it doesn't
    work and gives me a page not available error.  If I connect to a non-MS website like Google or my company website, I get page not available.
        4.) I have tried to telnet to port 80 at Bing and it works.  I have tried to telnet to port 80 at google.com and it won't connect.  The 2008 servers have no issue telneting to either bing or google on port 80 and none of my client
    PCs on the network do either.
        5.) Windows Update will not connect and neither will any other update service such as AVG (I have AVG Antivirus installed WITHOUT firewall on two of the three servers. The base 2012 VM has no software installed and no roles...I built it
    just to see if it could connect after a fresh install and it still cannot.)
        6.) The network connection does not indicate limited connectivity (probably because ICMP appears to be passing successfully)
         7.) If I connect the server directly to the modem it has full internet access.
         8.) All internal LAN connectivity is perfectly fine and runs at full speed.
         9.) I have scoured the internet trying to find other examples of this particular kind of connectivity issue on 2012 and I have found two TechNet articles that are similar, but they both had the same resolution: changing the router
    worked, but no one knows why. (I would have included the links, but apparently I cannot do that yet)
    My question is this: What is different about Windows Server 2012 networking that would render it unable to communicate through a router that Windows Server 2008 has no problems with?  I ask because, unlike in these two articles where they were
    running personal networking equipment they could easily upgrade, I'm running a Cisco 881 with what should be virtually limitless configuration options and I have no desire to replace it.  I have to assume the issue is somehow related to the firewall configuration,
    which I could fix easily, but I don't know what to change.  If anyone knows what changed in 2012 and why I would be able to browse to bing and other MS sites but no where else, please pass them along.  Thanks.

    This is the IP Config for the 2012 DC:
    Windows IP Configuration
       Host Name . . . . . . . . . . . . : COMPANYDC02
       Primary Dns Suffix  . . . . . . . : company.local
       Node Type . . . . . . . . . . . . : Hybrid
       IP Routing Enabled. . . . . . . . : No
       WINS Proxy Enabled. . . . . . . . : No
       DNS Suffix Search List. . . . . . : company.local
    Ethernet adapter Ethernet:
       Connection-specific DNS Suffix  . :
       Description . . . . . . . . . . . : Intel(R) 82574L Gigabit Network Connection
       Physical Address. . . . . . . . . : 00-25-90-DC-EF-D5
       DHCP Enabled. . . . . . . . . . . : No
       Autoconfiguration Enabled . . . . : Yes
       Link-local IPv6 Address . . . . . : fe80::81d5:53cf:bd07:14ed%12(Preferred)
       IPv4 Address. . . . . . . . . . . : 10.10.10.202(Preferred)
       Subnet Mask . . . . . . . . . . . : 255.255.255.0
       Default Gateway . . . . . . . . . : 10.10.10.1
       DHCPv6 IAID . . . . . . . . . . . : 301999504
       DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-1A-96-D5-C3-00-25-90-DC-EF-D5
       DNS Servers . . . . . . . . . . . : 10.10.10.202
                                           10.10.10.221
       NetBIOS over Tcpip. . . . . . . . : Enabled
    Tunnel adapter isatap.{9929D989-8E88-4096-A1CB-61F1DB173FA3}:
       Media State . . . . . . . . . . . : Media disconnected
       Connection-specific DNS Suffix  . :
       Description . . . . . . . . . . . : Microsoft ISATAP Adapter
       Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
       DHCP Enabled. . . . . . . . . . . : No
       Autoconfiguration Enabled . . . . : Yes
    Tunnel adapter Teredo Tunneling Pseudo-Interface:
       Media State . . . . . . . . . . . : Media disconnected
       Connection-specific DNS Suffix  . :
       Description . . . . . . . . . . . : Microsoft Teredo Tunneling Adapter
       Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
       DHCP Enabled. . . . . . . . . . . : No
       Autoconfiguration Enabled . . . . : Yes
    This is the IP Config for the fresh install 2012 VM:
    Windows IP Configuration
       Host Name . . . . . . . . . . . . : WIN-800299O7ES6
       Primary Dns Suffix  . . . . . . . :
       Node Type . . . . . . . . . . . . : Hybrid
       IP Routing Enabled. . . . . . . . : No
       WINS Proxy Enabled. . . . . . . . : No
       DNS Suffix Search List. . . . . . : company.local
    Ethernet adapter Ethernet:
       Connection-specific DNS Suffix  . : company.local
       Description . . . . . . . . . . . : Microsoft Hyper-V Network Adapter
       Physical Address. . . . . . . . . : 00-15-5D-0A-5C-02
       DHCP Enabled. . . . . . . . . . . : Yes
       Autoconfiguration Enabled . . . . : Yes
       IPv4 Address. . . . . . . . . . . : 10.10.10.49(Preferred)
       Subnet Mask . . . . . . . . . . . : 255.255.255.0
       Lease Obtained. . . . . . . . . . : Saturday, August 23, 2014 10:23:01 PM
       Lease Expires . . . . . . . . . . : Wednesday, August 27, 2014 10:23:01 PM
       Default Gateway . . . . . . . . . : 10.10.10.1
       DHCP Server . . . . . . . . . . . : 10.10.10.1
       DNS Servers . . . . . . . . . . . : 10.10.10.220
                                           10.10.10.221
       NetBIOS over Tcpip. . . . . . . . : Enabled
    Tunnel adapter isatap.company.local:
       Media State . . . . . . . . . . . : Media disconnected
       Connection-specific DNS Suffix  . : company.local
       Description . . . . . . . . . . . : Microsoft ISATAP Adapter
       Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
       DHCP Enabled. . . . . . . . . . . : No
       Autoconfiguration Enabled . . . . : Yes
    NOTE: 10.10.10.220 and 10.10.10.221 are the other domain controllers on my network.  One of them is 2012 and one of them is 2008.  They are both functioning correctly for providing DNS services.  The 2012 Virtual DC, however, still has
    the internet connectivity issue that this whole post was about in the first place.
    NOTE2: When I logged on to COMPANYDC02 this morning, it told me that I had new Windows Updates that needed to be downloaded.   Confused, I checked the most recent time WU had checked for updates and it had successfully checked for updates last night
    at 10pm.  Of course, it failed when trying to download them, but it appears that once in a while, a connection gets through successfully...

  • "Cannot find the DHCP server" message in 2012 R2

    Hello All,
    I am running Server 2012 R2 with a DHCP server running on it(usually).  Every few days or so, when I go into my DHCP console, I click on my server and I get the above message written in the topic of this thread??  Does anyone know why this is happening? 
    The server is literally on all the time.  It mentions that the DHCP service isn't running, but what can be shutting that down?  From what I have tried, the only way for me to rectify the issue is to do a restart during non-peak hours and the DHCP
    server comes right up no problem.  It doesn't seem like I am having DHCP problems in my organization even though this message is up.  Any ideas?
    Thanks,
    Chris

    Hi Chris,
    How are things going?
    Based on your description, you get “Cannot find the DHCP server” message, but it seems that the DHCP services in your organization have no problems.
    I agree with Jugganutz1871. In addition, have you recently made some changes in your DHCP server or your network? Such as, there are some cases with firewall.
    If there are any updates, please feel free to let us know.
    Best Regards,
    Tina

  • Mac Lion won't accept IP address sent from DHCP server

    Upgraded to Lion a few days ago.  Everything worked for a couple days.  Plug in the ethernet cable today and I never get an IP address with DHCP from my router.  I have 2 other devices plugged into the router and they get IP addresses normally.  Captured the DHCP communication to see if I was getting a valid DHCP offer and I am...it is included.  The Lion firewall is disabled.  For some reason Lion isn't accepting the DHCP offer.  Could this be a bug or maybe something in a cache needs to be cleaned out.  I connect to several different networks daily and they all work except for this one.
    The line in Bold type shows the ip address being offered that never gets accepted by lion.
    No.     Time        Source                Destination           Protocol Info
         26 21.993141   10.19.39.97           255.255.255.255       DHCP     DHCP Offer    - Transaction ID 0x4e299603
    Frame 26 (353 bytes on wire, 353 bytes captured)
        Arrival Time: Aug  5, 2011 19:30:01.105566000
        [Time delta from previous captured frame: 0.001086000 seconds]
        [Time delta from previous displayed frame: 0.001086000 seconds]
        [Time since reference or first frame: 21.993141000 seconds]
        Frame Number: 26
        Frame Length: 353 bytes
        Capture Length: 353 bytes
        [Frame is marked: False]
        [Protocols in frame: eth:ip:udp:bootp]
        [Coloring Rule Name: UDP]
        [Coloring Rule String: udp]
    Ethernet II, Src: e8:b7:48:e6:ab:5c (e8:b7:48:e6:ab:5c), Dst: Broadcast (ff:ff:ff:ff:ff:ff)
        Destination: Broadcast (ff:ff:ff:ff:ff:ff)
            Address: Broadcast (ff:ff:ff:ff:ff:ff)
            .... ...1 .... .... .... .... = IG bit: Group address (multicast/broadcast)
            .... ..1. .... .... .... .... = LG bit: Locally administered address (this is NOT the factory default)
        Source: e8:b7:48:e6:ab:5c (e8:b7:48:e6:ab:5c)
            Address: e8:b7:48:e6:ab:5c (e8:b7:48:e6:ab:5c)
            .... ...0 .... .... .... .... = IG bit: Individual address (unicast)
            .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
        Type: IP (0x0800)
    Internet Protocol, Src: 10.19.39.97 (10.19.39.97), Dst: 255.255.255.255 (255.255.255.255)
        Version: 4
        Header length: 20 bytes
        Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)
            0000 00.. = Differentiated Services Codepoint: Default (0x00)
            .... ..0. = ECN-Capable Transport (ECT): 0
            .... ...0 = ECN-CE: 0
        Total Length: 339
        Identification: 0x00fa (250)
        Flags: 0x00
            0.. = Reserved bit: Not Set
            .0. = Don't fragment: Not Set
            ..0 = More fragments: Not Set
        Fragment offset: 0
        Time to live: 255
        Protocol: UDP (0x11)
        Header checksum: 0x882c [correct]
            [Good: True]
            [Bad : False]
        Source: 10.19.39.97 (10.19.39.97)
        Destination: 255.255.255.255 (255.255.255.255)
    User Datagram Protocol, Src Port: bootps (67), Dst Port: bootpc (68)
        Source port: bootps (67)
        Destination port: bootpc (68)
        Length: 319
        Checksum: 0x038d [validation disabled]
            [Good Checksum: False]
            [Bad Checksum: False]
    Bootstrap Protocol
        Message type: Boot Reply (2)
        Hardware type: Ethernet
        Hardware address length: 6
        Hops: 0
        Transaction ID: 0x4e299603
        Seconds elapsed: 0
        Bootp flags: 0x8000 (Broadcast)
            1... .... .... .... = Broadcast flag: Broadcast
            .000 0000 0000 0000 = Reserved flags: 0x0000
        Client IP address: 0.0.0.0 (0.0.0.0)
        Your (client) IP address: 10.19.39.98 (10.19.39.98)
        Next server IP address: 0.0.0.0 (0.0.0.0)
        Relay agent IP address: 0.0.0.0 (0.0.0.0)
        Client MAC address: Apple_17:fd:5d (c4:2c:03:17:fd:5d)
        Client hardware address padding: 00000000000000000000
        Server host name not given
        Boot file name not given
        Magic cookie: (OK)
        Option: (t=53,l=1) DHCP Message Type = DHCP Offer
            Option: (53) DHCP Message Type
            Length: 1
            Value: 02
        Option: (t=54,l=4) DHCP Server Identifier = 10.19.39.97
            Option: (54) DHCP Server Identifier
            Length: 4
            Value: 0A132761
        Option: (t=51,l=4) IP Address Lease Time = 1 day, 23 hours, 39 minutes, 50 seconds
            Option: (51) IP Address Lease Time
            Length: 4
            Value: 00029E46
        Option: (t=58,l=4) Renewal Time Value = 23 hours, 49 minutes, 55 seconds
            Option: (58) Renewal Time Value
            Length: 4
            Value: 00014F23
        Option: (t=59,l=4) Rebinding Time Value = 1 day, 17 hours, 42 minutes, 16 seconds
            Option: (59) Rebinding Time Value
            Length: 4
            Value: 00024A78
        Option: (t=1,l=4) Subnet Mask = 255.255.255.240
            Option: (1) Subnet Mask
            Length: 4
            Value: FFFFFFF0
        Option: (t=6,l=8) Domain Name Server
            Option: (6) Domain Name Server
            Length: 8
            Value: AB44E278AB46A8B7
            IP Address: 171.68.226.120
            IP Address: 171.70.168.183
        Option: (t=44,l=8) NetBIOS over TCP/IP Name Server
            Option: (44) NetBIOS over TCP/IP Name Server
            Length: 8
            Value: AB443935AD2573BF
            IP Address: 171.68.57.53
            IP Address: 173.37.115.191
        Option: (t=3,l=4) Router = 10.19.39.97
            Option: (3) Router
            Length: 4
            Value: 0A132761
        End Option

    I have seen the same issue with my iOS and Mac OS devices (iPhone and MacBook Pro). I have written my own DHCP server (http://notebook.kulchenko.com/embedded/dhcp-and-dns-servers-with-arduino) and have had troubles getting my devices to connect (Windows Vista and Ubuntu devices connect fine). I suspect that this problem happens because the DHCP Offer message is sent to a broadcast address, even though (at least in my case) the broadcast flag is off in the DHCP Discover message I see.
    Unfortunately you didn't include the Discover message, so I can't tell for sure, but if it indeed has the broadcast flag set to 0, then the server should send the response message using unicast as per DHCP spec (http://www.ietf.org/rfc/rfc2131.txt, section 4.1):
      If the broadcast bit is not set and 'giaddr' is zero and
       'ciaddr' is zero, then the server unicasts DHCPOFFER and DHCPACK
       messages to the client's hardware address and 'yiaddr' address.
    So, it seems like in this case the server may be at fault, even though it would be nice for Mac OS to accept broadcast responses (and would solve my problem too).
    Can someone confirm that Mac OS does not accept broadcast responses to DHCP Discover and DHCP Request messages? Thanks.
    Paul.
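
The RFC 2131 section 4.1 delivery rules quoted in the reply above, as an added Python example (not code from the thread or from the linked DHCP server): it parses the fixed BOOTP header of a request and returns where a server should send its reply, then compares that with the destination seen on the wire. The Discover messages are constructed, since the thread does not include one; the MAC, transaction ID and offered address are taken from the capture above, and all function names are hypothetical.

```python
import ipaddress
import struct
from collections import namedtuple

# Fixed BOOTP header from RFC 2131 section 2: 236 bytes before the options.
BOOTP_FMT = "!BBBBIHH4s4s4s4s16s64s128s"
BOOTP_LEN = struct.calcsize(BOOTP_FMT)
BROADCAST_FLAG = 0x8000          # high bit of the 16-bit 'flags' field
SERVER_PORT, CLIENT_PORT = 67, 68
DHCPOFFER, DHCPACK, DHCPNAK = 2, 5, 6
ZERO = ipaddress.IPv4Address("0.0.0.0")
LIMITED_BROADCAST = ipaddress.IPv4Address("255.255.255.255")
BROADCAST_MAC = "ff:ff:ff:ff:ff:ff"

Header = namedtuple("Header", "op xid flags ciaddr yiaddr giaddr chaddr")
Destination = namedtuple("Destination", "ip port mac reason")


def build_request(xid, mac, broadcast, ciaddr="0.0.0.0", giaddr="0.0.0.0"):
    """Build a constructed BOOTREQUEST header (no options) for the demo."""
    hw = bytes.fromhex(mac.replace(":", ""))
    flags = BROADCAST_FLAG if broadcast else 0
    return struct.pack(
        BOOTP_FMT, 1, 1, len(hw), 0, xid, 0, flags,
        ipaddress.IPv4Address(ciaddr).packed, bytes(4), bytes(4),
        ipaddress.IPv4Address(giaddr).packed, hw, bytes(64), bytes(128))


def parse_header(data):
    """Parse the fixed BOOTP header; reject truncated or malformed input."""
    if len(data) < BOOTP_LEN:
        raise ValueError("truncated BOOTP header: %d bytes" % len(data))
    (op, _htype, hlen, _hops, xid, _secs, flags, ciaddr, yiaddr,
     _siaddr, giaddr, chaddr, _sname, _file) = struct.unpack(
        BOOTP_FMT, data[:BOOTP_LEN])
    if hlen > 16:
        raise ValueError("hlen %d exceeds the 16-byte chaddr field" % hlen)
    ip = ipaddress.IPv4Address
    mac = ":".join("%02x" % b for b in chaddr[:hlen])
    return Header(op, xid, flags, ip(ciaddr), ip(yiaddr), ip(giaddr), mac)


def reply_destination(req, yiaddr, msg_type=DHCPOFFER):
    """Return where RFC 2131 section 4.1 says the server sends its reply."""
    if req.op != 1:
        raise ValueError("not a BOOTREQUEST")
    if req.giaddr != ZERO:
        # Relayed request: reply goes to the relay agent on the server port.
        return Destination(req.giaddr, SERVER_PORT, None, "giaddr set")
    if msg_type == DHCPNAK:
        # With giaddr zero, DHCPNAK is always broadcast.
        return Destination(LIMITED_BROADCAST, CLIENT_PORT, BROADCAST_MAC,
                           "DHCPNAK, giaddr zero")
    if req.ciaddr != ZERO:
        # Client already owns an address (renewal): unicast to it.
        return Destination(req.ciaddr, CLIENT_PORT, None, "ciaddr set")
    if req.flags & BROADCAST_FLAG:
        return Destination(LIMITED_BROADCAST, CLIENT_PORT, BROADCAST_MAC,
                           "broadcast bit set")
    # The case quoted in the reply: unicast to chaddr and yiaddr.
    return Destination(ipaddress.IPv4Address(yiaddr), CLIENT_PORT, req.chaddr,
                       "broadcast bit clear, giaddr and ciaddr zero")


def offer_delivery_ok(request_bytes, yiaddr, observed_dst_ip):
    """Compare a captured reply's IP destination with the RFC's choice."""
    expected = reply_destination(parse_header(request_bytes), yiaddr)
    return expected.ip == ipaddress.IPv4Address(observed_dst_ip), expected


if __name__ == "__main__":
    # The captured Offer was sent to 255.255.255.255; test it against a
    # constructed Discover with the broadcast bit set and then clear.
    for bcast in (True, False):
        discover = build_request(0x4E299603, "c4:2c:03:17:fd:5d", bcast)
        ok, expected = offer_delivery_ok(discover, "10.19.39.98",
                                         "255.255.255.255")
        print("broadcast bit=%d expected=%s (%s) observed-ok=%s"
              % (bcast, expected.ip, expected.reason, ok))
```
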

  • How to DHCP Server with NO ROUTER on Server Admin panel field?

    Hi all!
    I'm having a little problem.
    I have two completely different networks, with different purposes, one is 10.0.10.X and the other is 192.168.10.X. My network is like this:
    Internet------Wifi Router (192.168.10.250) -----iMacs AirPort (192.168.10.X)
    MacPro (10.0.10.100)-----iMacs Ethernet (10.0.10.X)
    Great, is so simple. So I had a DHCP server (Windows blerg) on the 10.0.10.X (NOT MAC OS X SERVER) and everything works perfect, since on the Windows DHCP Server I'm not forced to fill the router/gateway and leaving it blank makes the iMacs have just one router/gateway from the 192.168.10.X lease from the Wifi Router.
    Now I'm planning to migrate the DHCP Service to the Mac OS X Server (Snow Leopard Server), I fiddled a bit and found that I can't use DHCP Server on Mac OS Server leaving router field blank and if I type ANYTHING, my iMacs will NOT access the internet through 192.162.10.X since now there's two gateways (from 10.0.10.X that Server Admin panel forced me to fill and from 192.168.10.X that HAS to have one gateway and it's the correct one).
    I've tried to fill with the 192.168.10.X gateway but throws a warning saying that is not on the same subnet.
    I really don't want to re-route or mix the traffic for many reasons.
    So I ask, is there any possible way to NOT fill or bypass or do anything to make DHCP Server service from Mac OS X Server not have a gateway/router?
    The only way I'm managing to do it now is to use manually entered IPs on the iMacs, but it's 10 iMacs and I guess for some services like netboot etc I need DHCP.
    Cheers,

    Let's assume that before you had computers with both Ethernet and WiFi connections, they were able to access the Internet via WiFi and talk amongst themselves via Ethernet. The Ethernet addresses were not (in theory) accessible from the WiFi network and hence not accessible from the Internet. Presumably you intended this for security reasons.
    If so, you were completely mistaken. Even if you turned on a Software firewall on each of these iMacs to in theory block traffic going between the two networks you still have a potentially insecure setup. This is because traffic can reach the iMacs via WiFi. Once hypothetical malicious traffic has invaded an iMac via WiFi it can take control over the computer and within that computer reach out via its Ethernet port to other Ethernet computers.
    The only way to ensure complete security is not to have any link between the two networks at all. If one of the computers is linked to both then you have a potential path for attacks to travel across.
    So what are you really trying to do? If you want two totally separate networks with one having absolutely no link to the outside world then this is simple and is as follows.
    NETWORK1 Internet------Wifi Router (192.168.10.250) -----iMacs AirPort (192.168.10.X)
    NETWORK2 MacPro (10.0.10.100)-----different iMacs Ethernet (10.0.10.X) with WiFi turned off
    You could define the default gateway for NETWORK2 as being the DHCP server itself. No computer on NETWORK2 would be able to access the Internet and hence it would be totally secure.
    If however you want all computers to be able to access the Internet then you need a link between them. Are you merely wanting to segregate WiFi traffic as it might be insecure and eavesdropped on? If so then the following is a better approach.
                             WiFi clients (192.168.10.x)
    Internet ----- AirPort Extreme (192.168.10.250) ------ Hardware FireWall does NAT (10.0.10.1) ---- MacPro (10.0.10.100) ---- iMacs via Ethernet (10.0.10.x)
    The WiFi clients would not be able to directly access your 10.0.10.x network as they are blocked by the FireWall. However if you have say a Laptop that you want to use on WiFi but still access your server on your internal secure LAN you would do this by having the server run the VPN server component. The WiFi client would then connect via the VPN server and this would ensure all the network traffic going over the WiFi is encrypted using industry standard IPSec encryption. In this second scenario the MacPro (presumably your server) would have the FireWall as the default gateway, and the FireWall would have the Internet router as its default gateway. You could set the Firewall to forward VPN traffic to the server or use the second Ethernet port on the server to accept VPN traffic on the 192.168.10.x LAN.
    My own setup is something like
                            AirPort
                               |
    Internet router --- Public IP range --- (WAN) FireWall (LAN) --- LAN Switch --- Server Port1 for normal traffic
                                                     |(DMZ)                                    |
                                                     +----------------------------- Server Port2 for VPN

  • DHCP server + IP multipath

    hi,
    I have configured a solaris 10 box that runs a dhcp server with ha networking using multipathing:
    ifconfig dmfe0 thehostname netmask + broadcast + group mygroup -failover deprecated up
    ifconfig dmfe0 addif hahostname + broadcast + failover up
    ifconfig dmfe1 otherhostname netmask + broadcast + group mygroup -failover deprecated up
    The networking is working fine, and setting the failover period to 2500 in /etc/default/mpathd works great - unplug cable from dmfe0 and the host is still available
    before using hahostname as a virtual interface, it was bound to dmfe0, and running dhcp was all fine. Now that the IP is on the virtual interface, the DHCP server address that clients see is the IP of "thehostname" (from /etc/hosts). 1st question: is it possible to get the DHCP server to show its IP address as the IP of HAHOSTNAME instead of THEHOSTNAME? I have added "INTERFACES=dmfe0,dmfe1" to /etc/inet/dhcpsrv.conf, not able to bind to virtual interfaces, would like to if possible
    In addition to that, since implementing this networking config, dhcp is not running as well. The clients on the network all received dhcp addresses with no problems prior to the HA configuration changes, after changing to this config and restarting (either restarting the dhcp-server service with svcadm or even after a server reboot), some clients are not getting IP addresses. The clients are Windows XP clients, and I had to disable my network card and re-enable it to get it to get an IP address. I get the following error in event viewer (event ID 1001):
    "The semaphore timeout period has expired. . Your computer will continue to try and obtain an address on its own from the network address (DHCP) server."
    after getting an IP, i can renew my IP and there are no problems, but in the event of the primary nic failing (tested by unplugging network cable), i cannot get DHCP addresses again.
    the first thing that jumps to mind is it might be an arp issue - should i be binding the same mac address to all cards perhaps? i have set local-mac-address?=true with eeprom.
    ideas?

    You may want to ask this under Firewall section of this forum.
    Regards,
    Sawan Gupta

  • Wired ethernet can't communicate with DHCP server

    Hi all
    I have a Mac Mini running Mac OS X Server. I recently changed a bunch of network settings, and since then I can't get the Mac to acquire an address from DHCP through the wired connection.
    The wireless ethernet connects to the same router and acquires its IP address, DNS, and router information through DHCP without a problem.
    The wired ethernet connection is unable to communicate with the DHCP server. The router detects it, and sees it as having its self-assigned ip address (169.254.74.247). The subnet mask is wrong (255.255.0.0 vs. 255.255.255.0) as well. Both are greyed out in network preferences when DHCP is selected. I've tried all of the obvious steps (restarting networking, rebooting everything, running the diagnostic tool, disabling wireless airport, etc.) to get it to work, with no change.
    I can get it to connect with a manually assigned IP, but that's not a long term solution for my network.
    I have had this issue with multiple routers. Currently I'm using a gigabit-e router - netgear WNDR3700. Other machines connect to the router just fine through wired ethernet (xbox360 and linkstation mini).
    I'm new to Mac OS, but not new to networking. Any help would be appreciated.

    This might be an old discussion but it was helpful to me. Well, almost. After reading this discussion, I arrived at the same place that xoofoo above did. After some poking around, I was able to find the answers. (Feel free to correct me if I'm wrong, please!)
    Here's what I did:
    Launch "Server Admin" in Applications/Server folder
    Open the list of services by clicking on the triangle next to the Server listed in the left pane.
    Click on "Firewall"
    Click on "Settings" tab
    Click on "Editing services for" and select "192.168-net" (or if necessary, select "any".)
    In the window below, go down the list and tick both "DHCP and Netboot client" and "DHCPDISCOVER". (Hint: this list is sorted by port number, go down and look for port 68.)
    Click "Save".
    That should do the trick!  Hope this is helpful to others in the future.

  • SG 300-28: how to configure it as DHCP server.

    I am relatively new to configuring network switches. Could someone point me in the right direction to configure SG300-28 as a DHCP server?
    From the people I talked to, based on device specs, it should be able to act as a DHCP server. However, if it cannot, can it be configured so that clients get DHCP information from the Firewall to which the L3 switch is connected?
    Thank you,
    S.

    Hi Sreenath,
    I guess when you try the GUI or CLI interface, you would have noticed there is no mention of DHCP server.
    They both mention, as does the datasheet, DHCP relay:
    http://www.cisco.com/en/US/prod/collateral/switches/ps5718/ps10898/data_sheet_c78-610061.html
    Dynamic Host Configuration Protocol (DHCP) Relay at Layer 2
    Relay of DHCP traffic to DHCP server in different VLAN. Works with DHCP Option 82
    The new SG300-28 switch, or ordering p/n SRW2024-K9, does not incorporate a DHCP server, but relies on DHCP relay to get IP addresses allocated to PCs on separate VLANs.
    If you needed a DHCP server within a Layer 3 switch you would have to look at the traditional Catalyst 3XXX series switch for that functionality.
    I guess this is not the answer you wanted to hear.
    regards Dave

  • Airport DHCP Server woes

    Greetings to all!
    I've got an Apple Airport Extreme running as a router to my (large) Office Network.
    Recently, I've set up an Active Directory server, which runs with a DHCP server for configuration purposes.
    What I'd like to know is if I can *disable* the Airport's DHCP Server, but keep it running as a "Router"/Firewall (if you want to call it that) to my ISP.
    As it is now, if I disable DHCP serving, then the Airport also disables its NAT service, regardless of the fact that I've got my own internal DHCP server serving up addresses (with the Airport remaining as the "Router"). I know this is possible as Statically assigned addresses pointing at my AE as a router can access the internet, so it's not like DHCP is absolutely required for NAT.
    Is there any way to kill the AE's DHCP server, but keep it running as a NAT Gateway to my ISP?
    Cheers!

    No, the DHCP and NAT services are not able to be independently switched on and off. The cheapest way you could do this is to connect the modem to a separate broadband router that can have DHCP switched off and run the Airport express in the Distribute IP Addresses off mode.

  • Firewall and DHCP

    Hi
    We have a Cisco 5505 ASA firewall at a remote site.
    I can get the firewall to issue the IP addresses to the PCs. Is there a way for the PCs to get their IP addresses directly from our DHCP server?
    Regards
    Jay

    Hi Jayesh,
    We need more information on how and where the DHCP server is located. Here are couple of scenarios..
    1. DHCP server and PCs are located inside the network - then nothing to do on ASA. You need to do necessary config on L3 switch inside (if there is any).
    2. DHCP server and PCs are on different segments of ASA or at remote L2L vpn tunnel end. You need to configure ASA as DHCP relay agent. Check the below links.
    http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a008075fcfb.shtml
    https://supportforums.cisco.com/community/netpro/security/firewall/blog/2011/01/07/asa-pix-dhcp-relay-through-vpn-tunnel
    hth
    MS

  • BEFSR41 V3.0 - DHCP server periodically stops working; rest of functions ok

    I have a BEFSR41 V3.0 latest firmware (1.0.5).
    Sometimes the DHCP server will stop working.  The rest of the functions are ok.  I normally monitor the unit via PING and unfortunately, this won't alert me if the DHCP server stops working because the unit still responds to a ping.
    Does anyone know of a fix?  
    The workaround is to power cycle the unit, but that needs me to be at the office and I'm not always here. 

    It is the DHCP server within the Linksys BEFSR41 that intermittently stops working.  I do not have another DHCP server on the network.
    I'm curious why changing the MTU would help.  If you could explain, I'd certainly give that a try. 
    At the moment, the BEFSR41 serves as the DHCP server and firewall for our guest network.  I keep an eye on it by enabling external ping response.  However, I have found that the firewall part of the BEFSR41 will work and it will respond to a ping.  But newly connected computers won't get an IP address lease.  I power cycle the unit and its DHCP server will work again.  The trouble is, because the unit responds to a ping, I won't know if the DHCP server is not working until someone reports it.  And I'd like to be proactive about things.
    Message Edited by boomer on 04-06-2009 05:17 PM
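
The failure described in this thread (the router still answers ping while its DHCP server has stopped leasing) is only visible to a monitor that speaks DHCP. The following is an added example, not part of the original posts: a probe that broadcasts one DHCPDISCOVER and checks for a DHCPOFFER. The function names, the probe MAC and the sample offer are assumptions constructed for illustration.

```python
import os, socket, struct, time

MAGIC = b"\x63\x82\x53\x63"      # DHCP magic cookie (RFC 2131)
DISCOVER, OFFER = 1, 2           # values of option 53, DHCP message type
HDR = struct.Struct("!BBBBIHH4s4s4s4s16s64s128s")   # fixed 236-byte BOOTP header

def build_discover(mac: bytes, xid: int) -> bytes:
    """BOOTREQUEST carrying option 53 = DHCPDISCOVER, broadcast flag set."""
    hdr = HDR.pack(1, 1, 6, 0, xid, 0, 0x8000, b"", b"", b"", b"", mac, b"", b"")
    return hdr + MAGIC + bytes([53, 1, DISCOVER, 255])

def parse_reply(pkt: bytes, xid: int):
    """Return (msg_type, offered_ip, server_id) or None if not a reply to xid."""
    ok = len(pkt) >= 240 and pkt[0] == 2 and pkt[236:240] == MAGIC
    if not ok or pkt[4:8] != struct.pack("!I", xid):
        return None
    opts, i = {}, 240
    while i + 1 < len(pkt) and pkt[i] != 255:
        if pkt[i] == 0:          # pad option: single byte, no length field
            i += 1
            continue
        opts[pkt[i]] = pkt[i + 2:i + 2 + pkt[i + 1]]
        i += 2 + pkt[i + 1]
    mtype = opts[53][0] if opts.get(53) else 0
    server = socket.inet_ntoa(opts[54]) if len(opts.get(54, b"")) == 4 else None
    return mtype, socket.inet_ntoa(pkt[16:20]), server

def constructed_offer(xid: int) -> bytes:
    """Constructed sample DHCPOFFER (not captured traffic) for offline checks."""
    hdr = HDR.pack(2, 1, 6, 0, xid, 0, 0, b"", socket.inet_aton("192.168.1.100"),
                   b"", b"", bytes.fromhex("020000000001"), b"", b"")
    return hdr + MAGIC + bytes([53, 1, OFFER, 54, 4, 192, 168, 1, 1, 255])

def dhcp_alive(mac: bytes, timeout: float = 5.0) -> bool:
    """Broadcast one DISCOVER; True if any server answers with an OFFER."""
    xid, deadline = int.from_bytes(os.urandom(4), "big"), time.monotonic() + timeout
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.setsockopt(socket.SOL_SOCKET, socket.SO_BROADCAST, 1)
        s.bind(("", 68))         # needs root; fails if a DHCP client holds the port
        s.sendto(build_discover(mac, xid), ("255.255.255.255", 67))
        while (left := deadline - time.monotonic()) > 0:
            s.settimeout(left)
            try:
                reply = parse_reply(s.recv(1500), xid)
            except socket.timeout:
                return False
            if reply and reply[0] == OFFER:
                return True
    return False
```

Run `dhcp_alive()` on a schedule from a host on the guest network and alert when it returns False; the probe never sends a DHCPREQUEST, so a well-behaved server lets the offered address return to the pool.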

  • Server 2012 DHCP Server Failover - Hot Standby

    Hi There
    I'm running two Windows Server 2012 R2 servers, they are configured in a Hot Standby mode for DHCP Failover. ServerA is the local server at the site and is configured to Failover to ServerB. But I'm having an issue where after the state of ServerA changes from Normal to Communication_Int and then back from Communication_Int to Normal, it's no longer leasing any IP addresses to my Windows 7 clients until you restart the DHCP service on ServerA. I've replicated this in my lab environment as well.
    1. Disable Network Adapter on ServerA or disconnect Network - State changes from Normal to Communication_Int. ServerA and ServerB lose contact.
    2. Enable Network Adapter on ServerA or reconnect Network - State changes from Communication_Int to Normal. ServerA and ServerB re-establish contact.
    3. Connect new computer to LAN, or release IP on client computer, and then try to obtain an IP address\renew.
    4. Client computers time out trying to communicate with DHCP server, but as soon as you Restart the DHCP service on ServerA the client machines obtain an IP address.
    Has anyone else experienced this? If so is there a fix/workaround for this?
    Thanks

    Hi
    Sorry for only replying now.....
    Disabled firewall on ServerA, ServerB and client machine. Issue still occurring.....

  • New client cant get ip from dhcp server (web authentication)

    We have a WLC 5508 with two SSIDs: staff (vlan 58, PSK auth) and customer (vlan 48, web auth).
    Recently, a new client can connect to the staff SSID without a problem, but it can't get an IP when it connects to the Customer SSID.
    Many other clients (smart phones, laptops) which have been connected for a few weeks still connect to Customer normally.
    The DHCP server still has a lot of IPs for wireless clients.
    We want to use the firewall to make policy for Customer, so we put the gateway of vlan 48 on the firewall.
    Please check the debug client file.
    Thanks.

    The debug just shows a single DHCP Discover attempt when attaching to WLAN with VLAN 48 interface.  It appears the client is simply not pulling an IP (not the WLCs responsibility), although you are using DHCP-Proxy.
    Can you put a wired client in VLAN 48 on the same switch as the WLC and have a client pull an IP?

  • No contact with DHCP server when using VPN Client

    Pretty weird problem I discovered recently.
    We use the VPN Client to connect to a 1841 router. Everything works fine except for one small thing.
    The client does not send out _any_ traffic if the destination is the ip-address of the DHCP-server the client got its original ip-address from.
    This is verified by Wireshark. A ping on the client does not produce any ESP packets towards the VPN concentrator. No matter what traffic you try actually.
    Discovered this when wanting to use Remote Desktop towards the Windows Server that is the local DHCP server and was not able to connect. Then tested ping and still no response. That made me look closer and found out that I could not communicate at all with the DHCP server.
    As I said, pretty weird.
    Has anyone else seen this? Does anyone have a solution? Right now I use OpenVPN instead when I need to control that server.
    - Roger

    Hi and thanks for responding.
    Nothing here apart from being unable to send any packets to the dhcp-server. No problem sending to any other system on the same subnet. The same happens when I connect my pc to another subnet that is served by another dhcp-server. Then I can not connect to _that_ dhcp-server. I can then of course connect to the previous dhcp-server.
    I mean _no_ packets are generated out the client at all if the destination is your dhcp-server. No problem with the packet being blocked by a firewall or anything like that. Ping another system on the same subnet as the dhcp-server and the client happily generates ESP packets and sends them to the vpn-concentrator.
    I do not know if it was clear enough in the first post so I am saying it here: the vpn-concentrator gives out the ip for the vpn connection. The dhcp-server I can not connect to is the server that gives the client its ip-address _before_ starting up the vpn client.
    We use this vpn system so the IT personnel will be able to connect to restricted resources from their laptops anywhere in the network, also when using wireless.
    This was discovered when one admin wanted to connect from his laptop to a server that also happened to be the dhcp-server that had given his laptop his ip address before he used vpn.
    Should be easy enough for anyone else to test. Just ping your dhcp-server after starting the vpn connection. No RFC 1918 addresses of course, there must be a route from your vpn-concentrator to your dhcp-server and at least icmp echo must be open through any firewall/acl.
    The vpn version is 4.8.00.0440 on Windows XP configured to not allow local LAN access. I might test this with other versions/OS'es when I have the time.
    Regards,
    - Roger
