Firewall is not sending the Network subnet in the Discover message for Global Protect DHCP profile

Created On 11/28/24 16:00 PM - Last Modified 10/17/25 19:47 PM


Symptom


The DHCP server has one IPv4 scope:

> Pool-1 172.16.30.10 - 172.16.30.100 (this is the same IP pool configured in the DHCP profile)

  1. Configure a DHCP Server profile on a firewall interface.
  2. Enable DHCP-based IP assignment for GP clients.
  3. Initiate a VPN connection from the GP client.

When the relay IP is set to 172.16.30.1 (via the service route for GP IP Mgmt), the client receives an IP from Pool-1.

When the relay IP is set to 192.168.50.1 or another interface address (via the service route for GP IP Mgmt), the process fails because the DHCP server has no scope for that subnet, and the firewall falls back to the static IP pool at the gateway level.

With debug-level logging on gpsvc.log, the firewall never receives an OFFER from the server: the DISCOVER is sent, the DORA context times out, and no REQUEST or ACK follows.

{"level":"warn","task":"37-20","time":"2024-11-13T09:20:42.635705493-08:00","message":"HasFeatureSupport: query feature: dhcp, result: %!d(bool=true)"}
{"level":"warn","task":"37-20","time":"2024-11-13T09:20:42.635947646-08:00","message":"CIAM or DHCP is enabled, trying to get an IP from IPSvc..."}
{"level":"debug","time":"2024-11-13T09:20:42.63598157-08:00","message":"[IPSVC]-[Request]: received a DHCP request, the request is {Action:allocate ProjectName: ProjectGUID: Location: GatewayName:Test-GW UserDomain:nk Username:Nk HostID:0e9d32e4-daeb-4eb9-87a0-d1c64f19f0b9 MACAddr:78-e9-07-c9-86-04 Computer:E895D7D7-AD62-4 JoinedDomain: PreferredIP:10.10.150.1 ClientIP:10.46.224.87 ClientAppVer:6.0.10-814 IP: XID: Sequence: Allocator: AllocatorIP:}"}
{"level":"debug","time":"2024-11-13T09:20:42.635995701-08:00","message":"[IPSVC]-[Request]: Trying 0 Primary DHCP Server..."}
{"level":"warn","time":"2024-11-13T09:20:47.636511425-08:00","message":"[IPSVC]-[Request]: Request Timeout on Primary Server(s), req is {allocate   Test-GW Test-GW nk Nk 0e9d32e4-daeb-4eb9-87a0-d1c64f19f0b9 78-e9-07-c9-86-04 E895D7D7-AD62-4  10.10.150.1 10.46.224.87 6.0.10-814     }"}
{"level":"debug","time":"2024-11-13T09:20:47.636560003-08:00","message":"[IPSVC]-[Request]: Trying 1 Primary DHCP Server..."}
{"level":"warn","time":"2024-11-13T09:20:47.636573808-08:00","message":"[IPSVC]-[SendReceive]: DHCP DORA context timeout, request details: DHCPv4(xid=0x511e0f4f hwaddr=78:e9:07:c9:86:04 msg_type=DISCOVER, your_ip=0.0.0.0, server_ip=0.0.0.0)"}
{"level":"warn","time":"2024-11-13T09:20:47.63660764-08:00","message":"[IPSVC]-[AllocateIP]: DHCP OFFER is nil, cannot continue to send DHCP REQUEST..."}
{"level":"error","time":"2024-11-13T09:20:47.636617753-08:00","message":"[IPSVC]-[AllocateIP]: failed to received the DHCP ACK from DHCP Server"}


Environment


  • NGFW
  • Global Protect Gateway
  • GP DHCP profile


Cause


The DHCP server relies on the source IP of the DISCOVER message (the relay IP set by the service route for GP IP Mgmt) to decide which scope issues the address.

When the source IP of the DISCOVER message does not fall inside any IP pool (scope) on the DHCP server, the server does not send an OFFER and the process fails. This is how the DHCP service works.

DHCP is a subnet-local protocol: a DHCP server only answers requests for subnets it has a scope for, and a scope in Windows DHCP can roughly be thought of as one subnet.
Picking up an IP takes two steps:

  • The request hits a scope, meaning the source IP of the request is in the IP range of that scope.
  • Once a scope is hit, the scope matches the request against its policies to pick an IP.

If the source IP of the DISCOVER message does not belong to any IP pool on the DHCP server, the request does not hit any scope, and the request fails.



Resolution


  • Configure an IP pool (scope) on the DHCP server for the source IP of the DISCOVER message. This source IP serves as the gateway IP and is set via the service route.
  • To allocate IPs across subnets, DHCP server vendors offer different solutions. For the Windows DHCP server the solution is a superscope.
    A superscope combines several scopes. When the DISCOVER source IP falls in any one of the member scopes, the request hits the superscope, and the superscope can hand out an IP from any of its scopes.
  • (Image: Superscope.png)
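As an added illustration of the scope-selection logic described under Cause and the superscope fix above, here is a small Python model written for this article (it is not Palo Alto Networks or Microsoft code). The scope names, the 192.168.50.0/24 gateway scope with its whole range excluded, and the class and function names are assumptions; the pool and relay addresses are the article's own.

```python
import ipaddress
from dataclasses import dataclass, field

@dataclass
class Scope:
    """One DHCP scope: the subnet it answers for and its remaining free pool."""
    name: str
    network: ipaddress.IPv4Network
    pool: list = field(default_factory=list)    # free IPv4Address objects, lowest first

def make_scope(name, cidr, first=None, last=None):
    """Build a scope; omit first/last to model a scope whose whole range is excluded."""
    net = ipaddress.ip_network(cidr)
    pool = []
    if first and last:
        lo, hi = ipaddress.ip_address(first), ipaddress.ip_address(last)
        pool = [h for h in net.hosts() if lo <= h <= hi]
    return Scope(name, net, pool)

class DhcpServer:
    def __init__(self, scopes, superscopes=()):
        self.scopes = {s.name: s for s in scopes}
        self.superscopes = [set(names) for names in superscopes]

    def offer(self, relay_ip):
        """Step 1: the relay IP must hit a scope. Step 2: pick a free IP from that
        scope or, when it belongs to a superscope, from any sibling scope."""
        src = ipaddress.ip_address(relay_ip)
        hit = next((s for s in self.scopes.values() if src in s.network), None)
        if hit is None:
            return None    # no scope hit: server stays silent, client logs a DORA timeout
        candidates = [hit] + [self.scopes[n] for g in self.superscopes if hit.name in g
                              for n in g if n != hit.name]
        for scope in candidates:
            if scope.pool:
                return str(scope.pool.pop(0))    # lease the lowest free address
        return None    # scope hit, but every reachable pool is exhausted

def demo():
    """The article's cases: relay inside Pool-1, relay with no scope, and relay hitting
    a pool-less gateway scope that a superscope joins to Pool-1 (constructed values)."""
    results = {}
    for case, relay in (("relay_in_pool1", "172.16.30.1"), ("relay_no_scope", "192.168.50.1")):
        pool1 = make_scope("Pool-1", "172.16.30.0/24", "172.16.30.10", "172.16.30.100")
        results[case] = DhcpServer([pool1]).offer(relay)
    pool1 = make_scope("Pool-1", "172.16.30.0/24", "172.16.30.10", "172.16.30.100")
    gw = make_scope("GW-50", "192.168.50.0/24")   # assumed: relay subnet scope, pool excluded
    srv = DhcpServer([pool1, gw], superscopes=[("Pool-1", "GW-50")])
    results["relay_superscope"] = srv.offer("192.168.50.1")
    return results
```

The second case is the failure in this article: the relay IP hits no scope, so no OFFER is ever produced; the third case shows why a superscope containing the gateway subnet's scope lets the server answer from Pool-1.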


Additional Information


Configure DHCP profile for GP gateway


