Same DHCP pools on 2 interfaces
Symptom
The same DHCP pool is configured on 2 interfaces for redundancy. Should one of the interfaces go down, the other interface can continue to serve DHCP clients. However, the same IP ends up assigned to 2 clients.
Environment
The same IP range 192.168.249.6 - 192.168.249.15 is configured on 2 DHCP server interfaces, ethernet1/3 and ethernet1/4.
ethernet1/3 18 1 L3-Trust vr:default 0 192.168.249.1/24
ethernet1/4 19 1 DMZ vr:default 0 172.16.249.1/24
In the output below, both servers report a total of 10 usable IPs, and the same IP (192.168.249.6) is leased to 2 different MAC addresses. The two pools also have different IDs (18 and 19):
> show dhcp server lease interface all
interface: "ethernet1/3" id: 18 Allocated IPs: 1, Total number of IPs in pool: 10. 10.0% used
ip mac hostname state duration lease_time
192.168.249.6 00:50:56:9b:55:a8 4e7ba3c2-2c87-4 committed 0 Tue Sep 12 18:35:27 2023
interface: "ethernet1/4" id: 19 Allocated IPs: 1, Total number of IPs in pool: 10. 10.0% used
ip mac hostname state duration lease_time
192.168.249.6 00:50:56:9b:76:b9 xxxxx committed 0 Tue Sep 12 18:37:26 2023
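As an added example (not part of this article and not PAN-OS code), the following Python script parses the `show dhcp server lease interface all` output shown above and reports any IP that is leased to more than one MAC address across interfaces. The sample text is a constructed copy of that output, and the regular expressions assume the column layout shown there:

```python
import re
from collections import defaultdict

# Constructed sample, copied from the "show dhcp server lease interface all"
# output in the article (the second hostname is a placeholder there as well).
SAMPLE_OUTPUT = """\
interface: "ethernet1/3" id: 18 Allocated IPs: 1, Total number of IPs in pool: 10. 10.0% used
ip mac hostname state duration lease_time
192.168.249.6 00:50:56:9b:55:a8 4e7ba3c2-2c87-4 committed 0 Tue Sep 12 18:35:27 2023
interface: "ethernet1/4" id: 19 Allocated IPs: 1, Total number of IPs in pool: 10. 10.0% used
ip mac hostname state duration lease_time
192.168.249.6 00:50:56:9b:76:b9 xxxxx committed 0 Tue Sep 12 18:37:26 2023
"""

# Header line that starts each per-interface section.
INTERFACE_RE = re.compile(r'^interface:\s+"(?P<name>[^"]+)"\s+id:\s+(?P<id>\d+)')
# One lease row: ip, mac, hostname, state, duration, then the free-form lease time.
LEASE_RE = re.compile(
    r'^(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s+'
    r'(?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})\s+'
    r'(?P<hostname>\S+)\s+(?P<state>\S+)\s+(?P<duration>\d+)\s+(?P<lease_time>.+)$',
    re.IGNORECASE,
)


def parse_leases(text):
    """Return a list of (interface, ip, mac, state) tuples from the CLI output."""
    leases = []
    current = None
    for line in text.splitlines():
        line = line.strip()
        m = INTERFACE_RE.match(line)
        if m:
            current = m.group("name")
            continue
        m = LEASE_RE.match(line)
        if m and current is not None:
            leases.append((current, m.group("ip"), m.group("mac").lower(), m.group("state")))
    return leases


def find_duplicate_ips(leases):
    """Map each IP leased to more than one MAC to its list of (interface, mac) holders."""
    holders = defaultdict(list)
    for iface, ip, mac, _state in leases:
        holders[ip].append((iface, mac))
    return {ip: h for ip, h in holders.items() if len({mac for _, mac in h}) > 1}


if __name__ == "__main__":
    dupes = find_duplicate_ips(parse_leases(SAMPLE_OUTPUT))
    for ip, h in sorted(dupes.items()):
        print(f"DUPLICATE {ip}: " + ", ".join(f"{mac} on {iface}" for iface, mac in h))
```

Run against the saved output of the command, the script prints one line per conflicting address; an empty result after applying one of the resolutions below confirms the lease tables no longer overlap.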
Cause
Each interface acts as an independent DHCP server and manages its own lease table; neither server knows which addresses the other has already handed out, so both can allocate the same IP.
Resolution
>Set different, non-overlapping IP pools on each interface.
>In an HA environment, configure the entire pool on one interface and include that interface in link monitoring, so that if the DHCP server interface goes down, HA failover is triggered and DHCP continues to work through the new active firewall. For more details on HA failover, please refer to the link below: https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-admin/high-availability/set-up-activepassive-ha/define-ha-failover-conditions
>Use the option "Ping IP when allocating new IP" under DHCP to make the server ping an IP address before it assigns that address to a client. If the ping receives a response, a different client already has that address, so it is not available for assignment; the server assigns the next address from the pool instead.
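The following Python model, added here as an illustration and not PAN-OS code, shows why the duplicate occurs and how the ping check changes the outcome: two servers with private lease tables over the same pool, with an optional probe callback standing in for "Ping IP when allocating new IP". The `Network` class and the probe callback are constructed stand-ins for the LAN; the pool range and MAC addresses are those from the article.

```python
import ipaddress


def build_pool(first, last):
    """Expand an inclusive first-last range into a list of dotted-quad strings."""
    start = int(ipaddress.ip_address(first))
    end = int(ipaddress.ip_address(last))
    return [str(ipaddress.ip_address(i)) for i in range(start, end + 1)]


class Network:
    """Constructed stand-in for the LAN segment: which host answers ping on which IP."""

    def __init__(self):
        self.hosts = {}  # ip -> (mac, answers_ping)

    def bring_up(self, ip, mac, answers_ping=True):
        self.hosts[ip] = (mac, answers_ping)

    def responds_to_ping(self, ip):
        return ip in self.hosts and self.hosts[ip][1]


class DhcpServer:
    """One DHCP server interface. Its lease table is private, as described under Cause."""

    def __init__(self, name, first, last, probe=None):
        self.name = name
        self.pool = build_pool(first, last)
        self.leases = {}    # ip -> mac, visible only to this server
        self.probe = probe  # callable(ip) -> bool, or None when the ping check is off

    def allocate(self, mac):
        for ip in self.pool:
            if ip in self.leases:
                continue    # already handed out by this server
            if self.probe is not None and self.probe(ip):
                continue    # ping answered: another client holds it, try the next one
            self.leases[ip] = mac
            return ip
        return None         # pool exhausted


def run_scenario(ping_check, first_client_answers_ping=True):
    """Two independent servers over the same pool; returns the IP each client received."""
    net = Network()
    probe = net.responds_to_ping if ping_check else None
    s3 = DhcpServer("ethernet1/3", "192.168.249.6", "192.168.249.15", probe)
    s4 = DhcpServer("ethernet1/4", "192.168.249.6", "192.168.249.15", probe)
    mac_a, mac_b = "00:50:56:9b:55:a8", "00:50:56:9b:76:b9"
    ip_a = s3.allocate(mac_a)                       # first client served by ethernet1/3
    net.bring_up(ip_a, mac_a, first_client_answers_ping)
    ip_b = s4.allocate(mac_b)                       # second client served by ethernet1/4
    net.bring_up(ip_b, mac_b)
    return ip_a, ip_b


if __name__ == "__main__":
    print("no ping check:         ", run_scenario(False))
    print("ping check:            ", run_scenario(True))
    print("ping check, silent host:", run_scenario(True, first_client_answers_ping=False))
```

With the probe disabled, both servers hand out 192.168.249.6. With it enabled, the second server hears a reply for .6 and moves on to .7. The third scenario shows the limit of this option: the check relies on the existing holder answering ping, so a host that does not respond to ICMP is not detected and the duplicate still occurs, which is why separate pools or HA link monitoring remain the more robust fixes.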