Hosts on internal networks that are hidden behind the Security Gateway's IP address / ClusterXL's IP address are not able to obtain an IP address from the DHCP Server when using DHCP Relay.
Kernel debug on the Security Gateway / on cluster members ('fw ctl debug -m fw + drop') shows that DHCP Offer and DHCP Ack packets from the DHCP Server are dropped on the Outbound interfaces towards the Hosts:
Kernel debug on the Security Gateway / on cluster members ('fw ctl debug -m fw + nat xlate xltrc') shows that Unicast DHCP (non-relayed) packets from the Hosts are dropped on the Inbound interface:
Hosts on internal networks are sometimes not able to obtain an IP address from the DHCP Server when using DHCP Relay.
Kernel debug ('fw ctl debug -m fw + sync') on the cluster member that sends the initial DHCP Request to the DHCP Server shows that the symbolic link is not synchronized to the other members:
;FW-1: non_sync_vpn_ports: protocol: 17, DPORT 67, DST VIP_Address_of_Cluster - is in no hide, not syncing;;
;not synchronizing : non sync flag fwlddist_slink: d=8158 tuple=
<0,Hex_IP_Address_of_DHCP_Server,43,Hex_VIP_Address_of_Cluster,43,11;0,Hex_VIP_Address_of_Cluster,43,Hex_IP_Address_of_DHCP_Server,43,11@0/0>
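The tuple in the debug output above is printed entirely in hex (the port value 43 is 0x43 = 67, the DHCP server port; the protocol 11 is 0x11 = 17, UDP), which makes the link hard to read at a glance. The following decoder is an added example written for this page, not part of the original article or of any Check Point tool. It assumes the field order of each tuple side matches the labelled template above (direction, source IP, source port, destination IP, destination port, protocol); the hex addresses in the sample line are constructed placeholders, and the sample joins the two quoted lines into one.

```python
import ipaddress
import re

# Constructed sample in the shape of the 'fw ctl debug -m fw + sync' line quoted
# above. The hex addresses are made-up placeholders: c000020a = 192.0.2.10
# (DHCP Server) and c6336401 = 198.51.100.1 (cluster VIP).
SAMPLE_LINE = (
    ";not synchronizing : non sync flag fwlddist_slink: d=8158 tuple="
    "<0,c000020a,43,c6336401,43,11;0,c6336401,43,c000020a,43,11@0/0>"
)

PROTO_NAMES = {1: "icmp", 6: "tcp", 17: "udp"}
DHCP_SERVER_PORT = 67

# Captures everything between 'tuple=<' and the optional '@.../...' suffix.
TUPLE_RE = re.compile(r"tuple=<([^@>]*)(?:@[^>]*)?>")


def decode_hex_ip(hex_ip: str) -> str:
    """Convert a 32-bit hex IPv4 address as printed by the debug to dotted quad."""
    return str(ipaddress.IPv4Address(int(hex_ip, 16)))


def parse_side(side: str) -> dict:
    """Parse one direction of the link.

    Field order is an assumption taken from the labelled template on this page:
    direction, source IP, source port, destination IP, destination port,
    protocol; every field is printed in hex.
    """
    fields = side.split(",")
    if len(fields) != 6:
        raise ValueError(f"unexpected tuple side: {side!r}")
    direction, sip, sport, dip, dport, proto = fields
    proto_num = int(proto, 16)
    return {
        "direction": int(direction, 16),
        "src": decode_hex_ip(sip),
        "sport": int(sport, 16),
        "dst": decode_hex_ip(dip),
        "dport": int(dport, 16),
        "proto": proto_num,
        "proto_name": PROTO_NAMES.get(proto_num, str(proto_num)),
    }


def parse_slink_tuple(line: str) -> list:
    """Return the decoded sides (usually two) of the fwlddist_slink tuple in a debug line."""
    match = TUPLE_RE.search(line)
    if not match:
        raise ValueError("no fwlddist_slink tuple in line")
    return [parse_side(s) for s in match.group(1).split(";")]


def is_unsynced_relay_link(line: str) -> bool:
    """True when the line reports a non-synchronized link and both of its sides are
    UDP with port 67 on each end (relay agent <-> DHCP Server), i.e. the symptom
    described on this page."""
    if "not synchronizing" not in line:
        return False
    sides = parse_slink_tuple(line)
    return all(
        s["proto"] == 17
        and s["sport"] == DHCP_SERVER_PORT
        and s["dport"] == DHCP_SERVER_PORT
        for s in sides
    )


if __name__ == "__main__":
    for side in parse_slink_tuple(SAMPLE_LINE):
        print(f"{side['src']}:{side['sport']} -> {side['dst']}:{side['dport']}"
              f" ({side['proto_name']})")
    print("unsynced DHCP relay link:", is_unsynced_relay_link(SAMPLE_LINE))
```

Run it against a saved debug file line by line to list every DHCP relay link the sending member did not synchronize; in this scenario both sides decode to UDP 67 -> 67, which is why the link falls under the non-synced VPN ports message above.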
Kernel debug on cluster members ('fw ctl debug -m fw + drop') shows that the reply packets from the DHCP Server are dropped on the Outbound interface towards the Hosts:
The issue occurs in a scenario that involves multiple DHCP Relay interfaces (multiple interfaces facing multiple subnets that sent DHCP Discover packets).
When a DHCP Offer is sent from the DHCP Server to the DHCP Relay agent, it is sent to the ClusterXL VIP address. By default, on the Active member this DHCP Offer packet undergoes ClusterXL NAT "Fold": the Destination IP address of the DHCP Offer packet is changed from the ClusterXL VIP to the physical IP address of the receiving interface (the interface facing the DHCP Server), which is not the IP address of the DHCP Relay interface (the interface facing the Host that sent the DHCP Discover).
This creates the following connection link in the Check Point kernel tables:
[DHCP Server -> DHCP Relay interface agent's VIP address] -> [Translated: DHCP Server -> Physical IP address of receiving interface]
Once additional DHCP packets from different DHCP Relay interfaces are received, link collisions occur in the Check Point kernel tables, because these additional DHCP packets are translated to the same physical IP address of the receiving interface (the interface facing the DHCP Server), so the kernel can no longer tell the relay interfaces apart.
The drops of DHCP Offer and DHCP Ack packets occur in the following cases:
When the IP ranges of both DHCP Relay interfaces (including the Security Gateways' IP addresses) are behind NAT.
When the DHCP Request is sent at the same time through two different interfaces.
When NAT is applied to the second DHCP Reply, which is sent from a NATed IP address toward a broadcast IP address with the same Source/Destination ports but from a different originator.
The drops of unicast DHCP (non-relayed) packets occur in the following case:
Incorrect connections are created in the Check Point FireWall kernel when NAT is used.
In a VRRP cluster, the RouteD daemon modifies the source IP address of DHCP Request packets to the internal VRRP address, so the relevant Manual NAT rules must be created.