Remote Site Not Receiving DHCP Offering from Palo Alto Firewall Configured as DHCP Server
Created On 02/01/20 02:27 AM - Last Modified 09/16/21 00:04 AM
Symptom
- Palo Alto Firewall configured with DHCP Server enabled on an interface as per guide: Configure an Interface as a DHCP Server
- Two separate sites configured with WiFi (managed via Cisco Meraki).
- Location 1 behind VLAN1: WiFi devices can get IP Addresses
- Location 2 behind VLAN2: WiFi devices not receiving IP Addresses
- Packet capture taken on the Palo Alto Firewall shows no DHCP Discover messages from Location 2 behind VLAN2
- Packet capture taken on the Cisco Meraki shows devices sending DHCP Discover messages, but these are not seen on the Palo Alto Firewall
502 09:11:47.454361 0.0.0.0 255.255.255.255 DHCP 346 DHCP Discover - Transaction ID 0x72844b
566 09:11:49.515871 0.0.0.0 255.255.255.255 DHCP 594 DHCP Inform - Transaction ID 0x6e0x
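The two captures localize the fault by comparison: Discovers leave the clients but never arrive at the firewall. The Python script below is an added example, not part of the original article; it runs that comparison over text exports of both captures, keyed on DHCP transaction ID. It assumes the exports use the summary-line format shown above, and every sample line except the two quoted from the article is constructed.

```python
import re
from collections import defaultdict

# Summary line layout: No. Time Source Destination Protocol Length Info
LINE_RE = re.compile(
    r"^\s*\d+\s+\S+\s+\S+\s+\S+\s+DHCP\s+\d+\s+DHCP\s+(?P<msg>\w+)"
    r"\s+-\s+Transaction ID\s+(?P<xid>0x[0-9a-fA-F]+)\s*$"
)

def parse_capture(text):
    """Return ({xid: set of DHCP message types}, [lines that did not parse])."""
    seen, rejected = defaultdict(set), []
    for line in filter(str.strip, text.splitlines()):
        m = LINE_RE.match(line)
        if m:
            seen[int(m["xid"], 16)].add(m["msg"])
        else:
            rejected.append(line.strip())  # e.g. truncated transaction ID
    return dict(seen), rejected

def diagnose(client_side, server_side):
    """Classify each Discover seen near the clients by how far it got."""
    report = {}
    for xid, msgs in client_side.items():
        if "Discover" not in msgs:
            continue
        at_server = server_side.get(xid, set())
        if "Discover" not in at_server:
            report[xid] = "dropped before server"  # check VLAN/L2 path
        elif "Offer" not in at_server:
            report[xid] = "server saw it, no Offer"  # check DHCP server config
        elif "Offer" not in msgs:
            report[xid] = "Offer lost on return path"
        else:
            report[xid] = "ok"
    return report

# Lines 3-4 are quoted from the article; all other lines are constructed.
MERAKI_CAPTURE = """\
101 09:10:01.000100 0.0.0.0 255.255.255.255 DHCP 346 DHCP Discover - Transaction ID 0x1a2b3c
102 09:10:01.000900 192.168.1.1 192.168.1.50 DHCP 342 DHCP Offer - Transaction ID 0x1a2b3c
502 09:11:47.454361 0.0.0.0 255.255.255.255 DHCP 346 DHCP Discover - Transaction ID 0x72844b
566 09:11:49.515871 0.0.0.0 255.255.255.255 DHCP 594 DHCP Inform - Transaction ID 0x6e0x
"""
FIREWALL_CAPTURE = """\
11 09:10:01.000300 0.0.0.0 255.255.255.255 DHCP 346 DHCP Discover - Transaction ID 0x1a2b3c
12 09:10:01.000700 192.168.1.1 192.168.1.50 DHCP 342 DHCP Offer - Transaction ID 0x1a2b3c
"""
```

A result of "dropped before server" for a transaction ID points at the Layer 2 path between the two capture points rather than at the DHCP server configuration.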
Topology
Palo Alto Firewall (DHCP Server) => Cisco Meraki => Switch => WiFi clients (DHCP Clients)
Environment
- Palo Alto Firewall acting as DHCP Server
- DHCP Clients behind Cisco Meraki
Cause
- On the working site, VLAN1 was configured on both the router and the switch. On the failing site, VLAN2 was configured only on the switch and was missing on the router, where it was needed for Discover messages to reach the Palo Alto Firewall.
Resolution
Once the missing VLAN2 was added on the router interface connected to the switch, the DHCP Discover messages were now seen by the Palo Alto Firewall.
Additional Information
Getting Started: Packet Capture
CLI Commands to Troubleshoot DHCP