Certain subnets and hosts behind NAT cannot obtain or renew IP addresses over DHCP in R77
Security Gateway, ClusterXL, VSX
- Explanation of the issue with DHCP on certain subnets
The issue occurs in a scenario with multiple DHCP Relay interfaces, i.e. multiple gateway interfaces facing multiple subnets whose hosts send DHCP Discover packets.
When the DHCP Server sends a DHCP Offer to the DHCP Relay agent, it is addressed to the ClusterXL VIP address of the relay interface. By default, on the Active member this DHCP Offer packet undergoes the ClusterXL NAT "Fold": the Destination IP address of the DHCP Offer is changed from the ClusterXL VIP to the physical IP address of the receiving interface (the interface facing the DHCP Server). This is not the IP address of the DHCP Relay interface (the interface facing the host that sent the DHCP Discover).
This creates the following connection link in the Check Point kernel tables:
[DHCP Server -> VIP address of the DHCP Relay interface] -> [Translated: DHCP Server -> Physical IP address of the receiving interface]
Once further DHCP Offers destined for other DHCP Relay interfaces (other VIPs) are received, link collisions occur in the Check Point kernel tables, because every one of them is translated to the same physical IP address of the receiving interface (the interface facing the DHCP Server). The original links differ only in the VIP, and the "Fold" erases that difference in the translated link.
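The collision mechanism described above, reduced to a small model. This is an added illustration and not Check Point code; it does not reproduce the real kernel table layout, only the behaviour of a NAT link table keyed on the 5-tuple. All addresses are constructed for the example: 10.0.0.5 is the DHCP Server, 172.16.0.1 the physical IP of the cluster interface facing the server, and 192.168.1.254 / 192.168.2.254 the VIPs of two DHCP Relay interfaces. The run with `fold_enabled=False` is only the model's control case showing that distinct VIPs keep the links distinct; it says nothing about how the issue is resolved on the product.

```python
"""Model of how the ClusterXL NAT "Fold" makes DHCP Relay links collide.

Added example, not Check Point code. Addresses are constructed:
  10.0.0.5       DHCP Server
  172.16.0.1     physical IP of the cluster interface facing the DHCP Server
  192.168.1.254  VIP of DHCP Relay interface A (giaddr for subnet A)
  192.168.2.254  VIP of DHCP Relay interface B (giaddr for subnet B)
"""
from dataclasses import dataclass

DHCP_SERVER_PORT = 67  # DHCP Server <-> relay agent traffic is UDP 67 -> 67


@dataclass(frozen=True)
class Link:
    """One direction of a connection, identified by its 5-tuple."""
    proto: str
    src: str
    sport: int
    dst: str
    dport: int

    def __str__(self) -> str:
        return f"{self.src}:{self.sport} -> {self.dst}:{self.dport}/{self.proto}"


class LinkCollision(Exception):
    """Raised when a translated tuple is already owned by another connection."""


class ConnectionTable:
    """Minimal NAT link table: original tuple <-> translated tuple.

    The reverse map is what a kernel needs to match reply packets back to
    the right connection, so a translated tuple may belong to one original
    connection only.
    """

    def __init__(self) -> None:
        self.forward: dict[Link, Link] = {}
        self.reverse: dict[Link, Link] = {}

    def add(self, original: Link, translated: Link) -> None:
        owner = self.reverse.get(translated)
        if owner is not None and owner != original:
            raise LinkCollision(
                f"[{translated}] already owned by [{owner}], cannot link [{original}]"
            )
        self.forward[original] = translated
        self.reverse[translated] = original


def dhcp_offer(server_ip: str, relay_vip: str) -> Link:
    """DHCP Offer as seen before any translation: server -> relay VIP."""
    return Link("udp", server_ip, DHCP_SERVER_PORT, relay_vip, DHCP_SERVER_PORT)


def fold(packet: Link, receiving_phys_ip: str) -> Link:
    """ClusterXL NAT "Fold": destination VIP -> physical IP of the receiving interface."""
    return Link(packet.proto, packet.src, packet.sport, receiving_phys_ip, packet.dport)


def simulate(server_ip: str, phys_ip: str, relay_vips: list[str],
             fold_enabled: bool = True) -> list[tuple[str, str]]:
    """Feed one DHCP Offer per relay VIP through the table.

    Returns (vip, "accepted" | "collision") per Offer, in order.
    """
    table = ConnectionTable()
    results = []
    for vip in relay_vips:
        offer = dhcp_offer(server_ip, vip)
        translated = fold(offer, phys_ip) if fold_enabled else offer
        try:
            table.add(offer, translated)
            results.append((vip, "accepted"))
        except LinkCollision:
            results.append((vip, "collision"))
    return results


if __name__ == "__main__":
    vips = ["192.168.1.254", "192.168.2.254"]
    for enabled in (True, False):
        print(f"fold_enabled={enabled}:")
        for vip, outcome in simulate("10.0.0.5", "172.16.0.1", vips, enabled):
            print(f"  Offer to {vip}: {outcome}")
```

A retransmitted Offer to the same VIP maps to the same original tuple and is accepted again; only an Offer for a different relay VIP collides, which is exactly the multi-relay-interface condition the article names.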
- Explanation of the issue with DHCP and Manual NAT in Security Gateway / ClusterXL / VSX Cluster
DHCP Offer and DHCP Ack packets are dropped in the following cases:
- When the IP ranges of both DHCP Relay interfaces (including the Security Gateways' own IP addresses) are behind NAT.
- When the DHCP Request is sent at the same time through two different interfaces.
- When NAT is applied to a second DHCP Reply sent from the NATed IP address toward the broadcast IP address with the same Source/Destination ports, but from a different originator.
Unicast (non-relayed) DHCP packets are dropped in the following case:
- Incorrect connections are created in the Check Point FireWall kernel when NAT is used.
- Explanation of the issue with DHCP and Manual NAT in ClusterXL Load Sharing mode
- DHCP traffic is not configured to be synchronized between cluster members.
- The Sticky Decision Function (SDF) is disabled.
- Explanation of the issue with DHCP and Manual NAT in a VRRP cluster
- In a VRRP cluster, the RouteD daemon modifies the source IP address of DHCP Request packets to the internal VRRP address. The relevant Manual NAT rules must be created for that address.