Wired Intelligent Edge

Hello everyone, I'm having some issues with DHCP relay that I hope you can help with. My office has 3 VLANs. They're 1, 12, and 14. 12 and 14 are wireless networks. Our DHCP server is on VLAN 1. VLAN 1 clients get addresses no problem.

However, DHCP is not working for any wireless clients. The infrastructure is set up like this: a network of Aruba access points, tied under one virtual controller. There are 5 distribution switches, no IP routing, and one core switch with IP routing enabled. All switches are HP Procurves. I have DHCP-Relay enabled on the core switch, and IP helper addresses on VLANs 12 and 14 that point to the DHCP server's address. The default gateway of the DHCP server is the IP address of the VLAN 1 interface on the core switch.

I ran Wireshark on a client PC on VLAN 12 and simultaneously on the DHCP server when the client sent out a DHCP request. I can see the DHCP Discover message leave the client. On the server, I see a couple of different things. I can see incoming DHCP Discover messages, with a source IP of the VLAN 12 gateway and a destination IP of the server's IP. I can see the client PC's MAC address in the Client MAC address field, and the Relay agent's IP address. However, the server does not seem to be responding to these requests, as I can't find any DHCP Offers going out tied to these Discovers. However, I also see other Discover messages come in with the client PC's MAC. These one's have broadcast destination IP and MAC addresses, no source IP, and a source MAC of the client PC. There's no relay agent information in the packet. The server does generate an Offer in response to those messages; however, it broadcasts the Offer message (255.255.255.255 and ff:ff:ff:ff:ff:ff) and the client PC never receives it.

This is confusing me. It seems like somehow, some of the Discover messages are reaching the server as if they're coming from the local network. Others are coming in through the relay agent, but not being responded to. For those Offer messages being sent, there's no way for them to make it back to the client, because it's being broadcast to VLAN 1 and there's no way to make it back to VLAN 12. And shouldn't Offers be unicast to the requesting MAC address, anyway?

Any help would be greatly appreciated! Thanks guys.

EDIT: In the course of my troubleshooting I realized that the switch port that the DHCP server was connected to was tagged in all the wireless VLANs, untagged in VLAN 1. I removed all the tagged VLANs and left it untagged in VLAN 1. DHCP still doesn't work, but at least it's no longer getting those VLAN broadcasts.

Does the DHCP server have a route back to the relay agent's IP?  The server should be able to ping the relay agent's source VLAN IP.

Yes, that's the odd thing. I can ping from the server to the client and vice versa. If I configure the client with a static IP, it can access the Internet and ping any address in the network. It appears that DHCP is the only protocol not working properly.

That will happen if there is not a DHCP scope for the subnet. A DHCP server compares the IP address of the IP Helper address field to its configured scopes. Is there any chance that there is a typo in your scopes or that the DHCP server is not "Authorized". 

When a DHCP server receives a broadcast DHCP Discover, it compares it to the IP address that it owns on that interface to determine the scope to use.

You should have 3 scopes, one for each subnet. Each one will have a unique network, ip address range, and default gateway. You can probably use the same IP address for DNS.

---

@EricAtHP wrote:

That will happen if there is not a DHCP scope for the subnet. A DHCP server compares the IP address of the IP Helper address field to its configured scopes. Is there any chance that there is a typo in your scopes or that the DHCP server is not "Authorized". 

 

When a DHCP server receives a broadcast DHCP Discover, it compares it to the IP address that it owns on that interface to determine the scope to use.

 

You should have 3 scopes, one for each subnet. Each one will have a unique network, ip address range, and default gateway. You can probably use the same IP address for DNS.

---

I definitely agree that the simplest explanation would be that the DHCP server isn't properly configured to hand out IPs to that subnet, but I can't for the life of me figure out how that might be the case. For example, I have a scope defined for the subnet on VLAN 12 (192.168.12.0). The address pool is 12.20-12.200, more than enough for the few clients we have that need to connect to the WiFi. There are no reservations set. The scope options are configured to pass a default gateway (12.1), a DNS server (1.11, which is the same server as the DHCP server), and the domain name. I keep checking the numbering to make sure no one fat-fingered anything, but there doesn't appear to be anything wrong.

What is your DHCP server? I vaguely remember that some versions of windows limited dhcp to only work on directly attached subnets. 

Also, just to be sure, if this windows, from the dhcp admin tool, right click on the server and click the "Authorize" option. If it says "Unauthorize" then you have already done that. 

It seems that you have proven that the switch is working correctly and that for some reason the DHCP server isn't offering an address. Can you try a different DHCP Server? You didn't mention the type of switch you are workign with, but many switches have the ability to act as a DHCP Server in stead of just being a relay.

Antoher option would be to go back to the switch config where the server was tagged in the other vlans, and configure the server with tagged interfaces with IP addresses in each of the other vlans too.

It seems you have a good one here.

---

@EricAtHP wrote:

What is your DHCP server? I vaguely remember that some versions of windows limited dhcp to only work on directly attached subnets. 

 

Also, just to be sure, if this windows, from the dhcp admin tool, right click on the server and click the "Authorize" option. If it says "Unauthorize" then you have already done that. 

 

It seems that you have proven that the switch is working correctly and that for some reason the DHCP server isn't offering an address. Can you try a different DHCP Server? You didn't mention the type of switch you are workign with, but many switches have the ability to act as a DHCP Server in stead of just being a relay.

 

Antoher option would be to go back to the switch config where the server was tagged in the other vlans, and configure the server with tagged interfaces with IP addresses in each of the other vlans too.

 

It seems you have a good one here.

---

We're running Microsoft SBS 2011. Ancient stuff, I know. It should be capable of providing services to multiple subnets, just needs a good relay agent.

I checked the authorized setting, it's good to go.

It's getting to the point that we may institute another DHCP server. It'll probably work, I just hate doing that because the current setup should work, and it doesn't, and that angers and confuses me. I'd really like to figure it out and emerge triumphant from the field of battle.

I don't think I understand what you were suggesting at the end there. Are you saying give the server multiple virtual interfaces that are members of the different VLANs?

Thanks for the responses and help!

Depending on the NIC and driver, it may be possible to create a subinterface that is tagged in the other VLANs. But like you said, this isn't ideal. It would be better to get SBS working.

I did a little searching and found a post that said the windows firewall was blocking the traffic. Try disabling it as a test.

I also found a post that said running the Fix My Network Wizard three times worked. The first time that you run FNMW, the DHCP server role is installed. The second time that you run the FNMW wizard, it starts the DHCP service. The third time, the DHCP scope is created.

To run the Fix My Network Wizard

---

@EricAtHP wrote:

Depending on the NIC and driver, it may be possible to create a subinterface that is tagged in the other VLANs. But like you said, this isn't ideal. It would be better to get SBS working.

 

I did a little searching and found a post that said the windows firewall was blocking the traffic. Try disabling it as a test.

 

I also found a post that said running the Fix My Network Wizard three times worked. The first time that you run FNMW, the DHCP server role is installed. The second time that you run the FNMW wizard, it starts the DHCP service. The third time, the DHCP scope is created.

 

To run the Fix My Network Wizard

1. Open the Windows SBS Console.

2. On the navigation bar, click Network, and then click Connectivity.

3. In the task pane, click Fix my network.

4. Follow the instructions in the wizard. You can click each potential problem that the wizard lists to get more information about the problem.

I am confused too because it seems like you have done everything right.

---

Just responding to your last post. I took a look at the  Windows Firewall, and it was already disabled on the server. Unfortunately today is my last day here at this job, so I'll pass along your suggestion to the permanent administrator. Hopefully that helps, I just wish that I'd be around to follow up with you and let you know if it worked! Thanks again for your help.