F5 DHCP Relay in multi-hop configuration issue

I'm having issues with DHCP in forward mode. Client and gateway is on one VLAN while the BigIP is on a second VLAN and DHCP servers is on a third.

When I configure the VS with DHCP profile relay it will pass on the packets to the DHCP server but change the gateway field in the UDP-packets to the BigIPs IP-address. When I set it to forward mode it stops forwarding the packets. I thought that forward mode would do the same as relay except change the gateway address in the packet, but I'm not all that well versed in things DHCP.

I've talked to support but they said they'd escalate the issue.

Hi,

I'm experiencing the same symtoms on 11.6.0 HF4 (packet stats on VS but nothing on the pool).

Tcpdump shows the same thing: packets arrive on the client vlan but nothing outputs from the bigip.

Did you find a solution since then ?

Thanks!

Thanks boneyard, I think we will have to resort to contacting F5.

Bernie - we use HA, but active/standby, so I wouldn't have thought the hashing would be an issue. We only have a single DHCP server in the pool at the moment, but even if we had more, from what I have read the DHCP profile makes the request hit all pool members at the same time.

I'll wait for our F5 guru to be back in the office and try tcpdump to try see what is happening at the packet level, and then escalate to F5 if we don't see anything useful.

Thanks everyone for your help.

DHCP relay works fine but I recall running into an issue where the request and response were getting hashed to different TMMs.

BIGIP uses an IP/port hash to distribute connections and, because the request and response are on 67 & 68, the response got treatment from a different TMM and dropped on the floor. I'm reasonably certain they'd have fixed it by now but, if all else fails, I'd turn off CMP on that VS if it isn't already.

I'd start with some of the previous suggestions to ensure we're at least getting this far though.

If you could send the output of the tcpdump kunjun suggested above as well as the VS configuration we should be able to spot what the problem is

perhaps not something you want to hear, but have you tried contacting support? it seems the experience here with using the F5 for DHCP relay are limited.

Anyone have any experience with DHCP via F5? I'm still interested to know whether a working setup, either in single-hop or multi-hop mode, shows stats on the pool members or not.

Unfortunately I haven't had a chance to do any further testing with this as yet.

Does anyone happen to know whether the pool members of a DHCP VS should show traffic stats? This should be relevant regardless of whether it's in a multi-hop or single-hop configuration.

It seems like the traffic is leaving. You can verify the traffic from cli

tcpdump -ni 0.0 port 67 or 68

You should see traffic incoming to LTM and outgoing from LTM as it captures traffic on all interfaces. This will help to verify the SNAT.

You also can specify the interface and helps to check if the traffic leaves by the interface facing DHCP server.

eg: tcpdump -ni 1.2 port 67 or 68

Hi Kunjan,

Thanks again for your thoughts.

I have attached an image of the stats from the VS. Unfortunately I'm not familiar enough with the F5 to know how to do a tcpdump of the traffic, and the resource we have who does that kind of thing is not available for 2 weeks.

If I create a DHCP scope for that subnet, I am concerned that it will potentially cause issues for the subnet, as it's a production environment. Wireshark should show the traffic hitting the DHCP server regardless of that anyway, which it does not.

Cheers.

Hi Philip, on the DHCP stats screen do you see OUT traffic for DISCOVER? a tcpdump on the outgoing interface will tell if the traffic send to DHCP server and also the outgoing interface IP.

You may also want to try creating a scope for 10.2.0.0, outgoing interface subnet.