防火墙未在 Global Protect DHCP配置文件的发现消息中发送网络子网

防火墙未在 Global Protect DHCP配置文件的发现消息中发送网络子网

1554
Created On 11/28/24 16:00 PM - Last Modified 10/17/25 19:47 PM


Symptom


服务器具有 IPV4 范围

> Pool-1 172.16.30.10- 172.16.30.100(这是DHCP配置文件中配置的相同 IP 池)

1 在 FW接口上配置DHCP服务器配置文件。
2 为 GP 客户端启用基于DHCP的 IP 分配。
3 从 GP 客户端发起VPN连接。

当中继 IP 设置为 172.16.30.1(通过 GP IP Mgmt 的服务路由)时,该 IP 来自池 1

当中继 IP 设置为 192.168.50.1 或其他接口(通过 GP IP Mgmt 的服务路由)时,该过程会失败,因为DHCP服务器上没有此网络的子网池,并且防火墙在网关级别回退到静态 IP

gpsvc.log 上的调试级别显示防火墙未收到来自服务器的 OFFER

{"level":"warn","task":"37-20","time":"2024-11-13T09:20:42.635705493-08:00","message":"HasFeatureSupport: query feature: dhcp, result: %!d(bool=true)"}
{"level":"warn","task":"37-20","time":"2024-11-13T09:20:42.635947646-08:00","message":"CIAM or DHCP is enabled, trying to get an IP from IPSvc..."}
{"level":"debug","time":"2024-11-13T09:20:42.63598157-08:00","message":"[IPSVC]-[Request]: received a DHCP request, the request is {Action:allocate ProjectName: ProjectGUID: Location: GatewayName:Test-GW UserDomain:nk Username:Nk HostID:0e9d32e4-daeb-4eb9-87a0-d1c64f19f0b9 MACAddr:78-e9-07-c9-86-04 Computer:E895D7D7-AD62-4 JoinedDomain: PreferredIP:10.10.150.1 ClientIP:10.46.224.87 ClientAppVer:6.0.10-814 IP: XID: Sequence: Allocator: AllocatorIP:}"}
{"level":"debug","time":"2024-11-13T09:20:42.635995701-08:00","message":"[IPSVC]-[Request]: Trying 0 Primary DHCP Server..."}
{"level":"warn","time":"2024-11-13T09:20:47.636511425-08:00","message":"[IPSVC]-[Request]: Request Timeout on Primary Server(s), req is {allocate   Test-GW Test-GW nk Nk 0e9d32e4-daeb-4eb9-87a0-d1c64f19f0b9 78-e9-07-c9-86-04 E895D7D7-AD62-4  10.10.150.1 10.46.224.87 6.0.10-814     }"}
{"level":"debug","time":"2024-11-13T09:20:47.636560003-08:00","message":"[IPSVC]-[Request]: Trying 1 Primary DHCP Server..."}
{"level":"warn","time":"2024-11-13T09:20:47.636573808-08:00","message":"[IPSVC]-[SendReceive]: DHCP DORA context timeout, request details: DHCPv4(xid=0x511e0f4f hwaddr=78:e9:07:c9:86:04 msg_type=DISCOVER, your_ip=0.0.0.0, server_ip=0.0.0.0)"}
{"level":"warn","time":"2024-11-13T09:20:47.63660764-08:00","message":"[IPSVC]-[AllocateIP]: DHCP OFFER is nil, cannot continue to send DHCP REQUEST..."}
{"level":"error","time":"2024-11-13T09:20:47.636617753-08:00","message":"[IPSVC]-[AllocateIP]: failed to received the DHCP ACK from DHCP Server"}


Environment


  • 国家电网
  • 全球保护网关
  • GP DHCP配置文件

Cause


DHCP服务器依靠 Discover 消息源 IP(GP IP Mgmt 的服务路由)来发放IP 地址

当 DISCOVER 消息的 SRC IP 在DHCP服务器中没有 IP 池时。服务器不会发出 OFFER 消息,并且该过程失败。这就是DHCP服务的工作原理。

DHCP是一种内部网络协议。DHCP 服务仅适用于同一子网。Windows DHCP设置中的范围可以大致视为一个子网。
获取 IP 有两个步骤。

  • 请求命中范围。这意味着请求的源 IP 在范围的 IP 范围内
  • 命中范围后,范围将匹配请求策略来获取 IP。

如果 DISCOVER 消息的源 IP 在DHCP服务器中没有 IP 池,则请求不会命中任何范围。然后请求失败。

Resolution


  • 在DHCP服务器中为 DISCOVER 消息的 SRC IP 配置 IP 池(这将作为网关 IP,并通过服务路由进行设置)
  • 对于跨子网分配 IP, DHCP服务器供应商有不同的解决方案。Windows DHCP服务器的解决方案是超级作用域。
    超级作用域将作用域组合在一起。因此,DISCOVER SRC IP 位于其中一个作用域中,它将命中超级作用域。超级作用域可以跨作用域拾取 IP。
  • Superscope.png


Additional Information


为 GP 网关配置DHCP配置配置文件
Other users also viewed:
Actions
  • Print
  • Copy Link

    https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA14u000000HEZBCA4&lang=zh_CN&refURL=http%3A%2F%2Fknowledgebase.paloaltonetworks.com%2FKCSArticleDetail

Choose Language