Forum Discussion
Move DHCP Server for SSL VPN (with Edge Client) to an internal MS DHCP via iAPP
Dear all,
we have a working SSL VPN configured via Big IP Edge Client; the DHCP server is running on the F5 APM. Now we have to move the DHCP server to the internal MS DHCP service, and we installed an iAPP (APM_DHCP.app) as a relay agent.
We see the Discover on the DHCP server and the Offer from the DHCP server with an IP from the correct range. But after the client tries to get the offered IP (Request), the DHCP server sends a "NAK" and declines it. We see nothing in the DHCP logs about why. Also, the debug on the F5 appliances shows no further info for me on why this happens.
The Wireshark trace also shows the NAK by the DHCP server, but we have no clue why. I also have Wireshark traces but cannot find a reason for the NAK because everything looks fine before.
Maybe any help on this?
Thanks and regards
Martin
DEBUG on the F5 BIG-IP console:
13:25:11.114924 00:1d:d8:e4:22:12 > 00:09:0f:09:00:04, ethertype 802.1Q (0x8100), length 364: vlan 805, p 0, ethertype IPv4, (tos 0x0, ttl 255, id 45001, offset 0, flags [DF], proto UDP (17), length 326)
10.8.5.25.18839 > 10.129.5.40.bootps: [bad udp cksum 0x200d -> 0xb86a!] BOOTP/DHCP, Request, length 298, htype 20, hlen 4, hops 1, xid 0x6715d734, Flags [none] (0x0000)
Gateway-IP 10.6.8.10
Vendor-rfc1048 Extensions
Magic Cookie 0x63825363
DHCP-Message Option 53, length 1: Discover
Vendor-Class Option 60, length 6: "f5-APM"
MSZ Option 57, length 2: 1344
Lease-Time Option 51, length 4: 4294967295
Agent-Information Option 82, length 34:
Circuit-ID SubOption 1, length 12: 83.x.x.x
Remote-ID SubOption 2, length 18: 84.167.6.206:51076 out slot1/tmm6 lis=
13:25:11.117660 00:09:0f:09:00:04 > 00:1d:d8:e4:22:12, ethertype 802.1Q (0x8100), length 376: vlan 805, p 0, ethertype IPv4, (tos 0x0, ttl 124, id 19, offset 0, flags [none], proto UDP (17), length 338)
10.129.5.40.bootps > 10.6.8.10.bootps: [udp sum ok] BOOTP/DHCP, Reply, length 310, htype 20, hlen 4, xid 0x6715d734, Flags [none] (0x0000)
Your-IP 10.6.8.16
Server-IP 10.129.5.40
Gateway-IP 10.6.8.10
Vendor-rfc1048 Extensions
Magic Cookie 0x63825363
DHCP-Message Option 53, length 1: Offer
Subnet-Mask Option 1, length 4: 255.255.255.0
RN Option 58, length 4: 43200
RB Option 59, length 4: 75600
Lease-Time Option 51, length 4: 86400
Server-ID Option 54, length 4: 10.129.5.40
Agent-Information Option 82, length 34:
Circuit-ID SubOption 1, length 12: 83.x.x.x
Remote-ID SubOption 2, length 18: 84.167.6.206:51076 in slot1/tmm0 lis=
13:25:11.119743 00:1d:d8:e4:22:12 > 00:09:0f:09:00:04, ethertype 802.1Q (0x8100), length 413: vlan 805, p 0, ethertype IPv4, (tos 0x0, ttl 255, id 3103, offset 0, flags [DF], proto UDP (17), length 338)
10.6.8.10.bootps > 10.129.5.40.bootps: [bad udp cksum 0x2308 -> 0x292e!] BOOTP/DHCP, Request, length 310, htype 20, hlen 16, hops 1, xid 0x6715d734, Flags [none] (0x0000)
Gateway-IP 10.6.8.10
Vendor-rfc1048 Extensions
Magic Cookie 0x63825363
DHCP-Message Option 53, length 1: Request
Server-ID Option 54, length 4: 10.129.5.40
Requested-IP Option 50, length 4: 10.6.8.16
Vendor-Class Option 60, length 6: "f5-APM"
MSZ Option 57, length 2: 1344
Lease-Time Option 51, length 4: 4294967295
Agent-Information Option 82, length 34:
Circuit-ID SubOption 1, length 12: 83.x.x.x
Remote-ID SubOption 2, length 18: 84.167.6.206:51076 out slot1/tmm0 lis=/Common/APM_DHCP.app/__DHCP-for-APM-0
13:25:11.121173 00:09:0f:09:00:04 > 00:1d:d8:e4:22:12, ethertype 802.1Q (0x8100), length 366: vlan 805, p 0, ethertype IPv4, (tos 0x0, ttl 124, id 20, offset 0, flags [none], proto UDP (17), length 328)
10.129.5.40.bootps > 10.6.8.10.bootps: [udp sum ok] BOOTP/DHCP, Reply, length 300, htype 20, hlen 16, xid 0x6715d734, Flags [Broadcast] (0x8000)
Gateway-IP 10.6.8.10
Vendor-rfc1048 Extensions
Magic Cookie 0x63825363
DHCP-Message Option 53, length 1: NACK
Server-ID Option 54, length 4: 10.129.5.40 in slot1/tmm0 lis=
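A quick way to read a trace like the one above is to line up, per transaction ID (xid), what the DHCP server received in the Discover against what it received in the Request. The script below is an added example, not part of the original posts: the function names are hypothetical, and the sample text is abridged from the tcpdump -v layout shown in the post.

```python
import re

# Constructed sample: packet header and option lines abridged from the post's trace.
SAMPLE = """\
10.8.5.25.18839 > 10.129.5.40.bootps: BOOTP/DHCP, Request, length 298, htype 20, hlen 4, hops 1, xid 0x6715d734, Flags [none] (0x0000)
Gateway-IP 10.6.8.10
DHCP-Message Option 53, length 1: Discover
10.129.5.40.bootps > 10.6.8.10.bootps: BOOTP/DHCP, Reply, length 310, htype 20, hlen 4, xid 0x6715d734, Flags [none] (0x0000)
Gateway-IP 10.6.8.10
DHCP-Message Option 53, length 1: Offer
10.6.8.10.bootps > 10.129.5.40.bootps: BOOTP/DHCP, Request, length 310, htype 20, hlen 16, hops 1, xid 0x6715d734, Flags [none] (0x0000)
Gateway-IP 10.6.8.10
DHCP-Message Option 53, length 1: Request
Requested-IP Option 50, length 4: 10.6.8.16
10.129.5.40.bootps > 10.6.8.10.bootps: BOOTP/DHCP, Reply, length 300, htype 20, hlen 16, xid 0x6715d734, Flags [Broadcast] (0x8000)
Gateway-IP 10.6.8.10
DHCP-Message Option 53, length 1: NACK
"""

# Source IP, BOOTP op, hardware type/length and xid from a tcpdump -v header line.
HDR = re.compile(r"(?P<src>\d+(?:\.\d+){3})\.\w+ > \S+: .*?BOOTP/DHCP, (?P<op>\w+),"
                 r".*?htype (?P<htype>\d+), hlen (?P<hlen>\d+),.*?xid (?P<xid>0x[0-9a-f]+)")
# Selected fields/options; the value is the first token after the optional "Option N, length N:".
OPT = re.compile(r"(Gateway-IP|Requested-IP|Server-ID|DHCP-Message)"
                 r"(?: Option \d+, length \d+:)? (\S+)")

def parse(text):
    """Return one dict per BOOTP/DHCP packet: header fields plus selected options."""
    packets = []
    for line in text.splitlines():
        line = line.strip()
        m = HDR.match(line)
        if m:
            packets.append(m.groupdict())
        elif packets and (o := OPT.match(line)):
            packets[-1][o.group(1)] = o.group(2)
    return packets

def discover_vs_request(packets, fields=("src", "htype", "hlen", "Gateway-IP")):
    """Per xid, map each field that differs to its (Discover, Request) values."""
    out = {}
    for xid in {p["xid"] for p in packets}:
        msgs = {p.get("DHCP-Message"): p for p in packets if p["xid"] == xid}
        d, r = msgs.get("Discover"), msgs.get("Request")
        if d and r:
            out[xid] = {f: (d.get(f), r.get(f)) for f in fields if d.get(f) != r.get(f)}
    return out

if __name__ == "__main__":
    print(discover_vs_request(parse(SAMPLE)))
```

The output lists only the fields that changed between the two relayed messages; it does not say which of them the DHCP server objected to.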
- AlexBCT
Cumulonimbus
Hi Martin,
The problem you are describing sounds a lot like this one: https://social.technet.microsoft.com/Forums/en-US/20e50652-5a19-4dee-a6af-4c09f3fcfd1b/windows-dhcp-server-replying-with-dhcp-nak-rfc3527-link-selection-suboption?forum=winserveripamdhcpdns
There is a solution discussed about halfway down the page (creating an additional DHCP scope and then excluding it).
Would that help?