Weird DHCP behaviour in different VLAN


Guest

Hi there,

I'm stuck on the following problem with XP clients on a switched network:

Several Windows XP Professional (SP1 and SP2) clients, members of a Windows
2003 Domain, boot daily on a switched network, getting a dynamic IP address
without troubles (DHCP Server = Windows 2003 DC) as long as they live in the
default VLAN 1.
As soon as I move a workstation to a different VLAN by setting the switch
port to the desired VLAN, Windows is no longer able to get an IP address.
There is a firewall (Checkpoint) between the clients on this VLAN and the
DHCP server which has a DHCP relay service configured to forward the DHCP
Discovery packets straight to the DHCP server.
But: WLAN also lives in a different VLAN and the same firewall separates
both client and server in the same manner as described before and guess what:
it works for WLAN!

Trying to isolate the cause, I've booted one of these XP workstations from a
Live-Linux CD and it worked flawlessly, thus I'm pretty confident that the
problem is not in the firewall or switch configuration.
Also a PC with Vista RC1 manages to get the IP address from DHCP within the
same VLAN, with the same patch cable, plugged into the exact same switch port!

At the company I work for, there are lots of other locations I've set up in
the same manner and had no such problems.

Initially, I was excluding the possibility that this could be related to group
policies or the XP SP2 Firewall (which is turned off by GP) since the DHCP
procedure happens much earlier than that; nevertheless, now I'm starting to
think that this could in fact be an XP TCP/IP related issue.

Did you already have similar problems? Any idea I could go for?

Many thanks in advance and sorry for the long post.

Filipe
 

Dan Abernathy

From your description the problem does sound as if it's client-side. Have
you run a packet trace to verify that the affected XP workstations are in
fact putting DHCPDISCOVER packets on the wire? If so, do you see a DHCPOFFER
reply coming from the server on the other subnet?
 

Guest

Hello Dan,

Thanks a lot for your answer.

In fact, I did already trace the network and found out that the client
sends out the DHCPDISCOVER to the broadcast, which gets caught by the
firewall and forwarded to the DHCP Server. The DHCP Server sends out a
DHCPOFFER reply containing the right information (IP address, Mask, Lease
Time, Router, etc...) which the client is able to see but doesn't "use" it.
No DHCPREQUEST and ACK from here, it just gets stuck...

Thanks so far
Filipe
 

Dan Abernathy

Hmm.

http://support.microsoft.com/kb/835304/en-us

Are you seeing three DHCPOFFER replies from the server, or only one? According to this article, under certain circumstances, XP clients send out three DHCPDISCOVER packets, and only accept the third DHCPOFFER received. Could be your firewall in the middle is rejecting the "duplicate" discovery packets from the client, and only forwarding the first one on to the server - which would generate only one offer reply from the server.
 

Guest

Hello Dan,

I got 3 of them, everything is coming through.
After being stuck on this for 3 days now, I've decided to replace the
DHCP relay for this particular VLAN with the one offered by the network switch
and it worked right away!
I've no doubt that it has got to be related to the relay agent at the firewall
but, why does this work with Vista and with Linux and not with XP?
Got to be a misunderstanding between the Checkpoint relay agent and XP's
DHCP client, or worst case, a problem with XP's TCP/IP implementation.

For now I have a workaround which takes some pressure away, but it's still weird...

Thanks for your help so far
 

Dan Abernathy

I agree, it seems like Windows XP and your CheckPoint box don't agree on
what a proper DHCP sequence looks like. It's difficult to say which one is
at fault. The CheckPoint might be "correcting" something it thinks is wrong
with the offer packets before passing them to the client network. Cisco's
PIX firewalls are notorious for messing with traffic like SMTP when the
"fixup" stuff is turned on. I wonder if the CheckPoint isn't similarly
enforcing some rigid rules about how it thinks DHCP packets should look, in
the name of security.

Vista has a totally rewritten TCP/IP stack, and obviously the one Linux is
using will be different from XP as well, so you can't rule out something
weird with XP's implementation. Microsoft has a habit of occasionally adding
proprietary junk to open standards, resulting in sub-par compatibility with
non-Microsoft systems.
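The trace Filipe describes (three DISCOVERs, three OFFERs relayed back through the firewall, then silence) is exactly the kind of capture worth checking mechanically. The following is an added example, not code from the thread: it builds a few constructed DHCP frames, decodes the fields that matter on a relayed path (xid, yiaddr, giaddr, option 53), and reports at which step of DISCOVER/OFFER/REQUEST/ACK each transaction stalled. The relay address 10.1.2.1 and the offered lease 10.1.2.50 are made-up sample values.

```python
import socket
import struct
from collections import defaultdict

MAGIC = b"\x63\x82\x53\x63"  # DHCP magic cookie that follows the 236-byte BOOTP header
MSG_TYPES = {1: "DISCOVER", 2: "OFFER", 3: "REQUEST", 5: "ACK", 6: "NAK"}


def build(op, xid, mtype, giaddr="0.0.0.0", yiaddr="0.0.0.0"):
    """Constructed sample DHCP frame (not a real capture): BOOTP header + option 53 only."""
    hops = 0 if giaddr == "0.0.0.0" else 1  # a relay agent sets giaddr and bumps hops
    hdr = struct.pack("!BBBBIHH4s4s4s4s16s64s128s", op, 1, 6, hops, xid, 0, 0x8000,
                      b"\0" * 4, socket.inet_aton(yiaddr), b"\0" * 4,
                      socket.inet_aton(giaddr), b"\0" * 16, b"\0" * 64, b"\0" * 128)
    return hdr + MAGIC + bytes([53, 1, mtype, 255])


def parse(pkt):
    """Decode xid, offered address, relay address and DHCP message type from a frame."""
    if pkt[236:240] != MAGIC:
        raise ValueError("not a DHCP packet (missing magic cookie)")
    opts, i = {}, 240
    while i < len(pkt) and pkt[i] != 255:  # 255 = end option
        if pkt[i] == 0:                     # 0 = pad option, no length byte
            i += 1
            continue
        code, ln = pkt[i], pkt[i + 1]
        opts[code] = pkt[i + 2:i + 2 + ln]
        i += 2 + ln
    return {"xid": struct.unpack("!I", pkt[4:8])[0],
            "yiaddr": socket.inet_ntoa(pkt[16:20]),
            "giaddr": socket.inet_ntoa(pkt[24:28]),
            "type": MSG_TYPES.get(opts.get(53, b"\0")[0], "UNKNOWN")}


def diagnose(pkts):
    """Group a capture by transaction id and state where each DORA exchange stopped."""
    by_xid = defaultdict(list)
    for p in map(parse, pkts):
        by_xid[p["xid"]].append(p)
    report = {}
    for xid, msgs in by_xid.items():
        seen = [m["type"] for m in msgs]
        if "ACK" in seen:
            verdict = "complete"
        elif "REQUEST" in seen:
            verdict = "stalled: REQUEST sent, no ACK from server"
        elif "OFFER" in seen:
            verdict = "stalled: OFFER reached client, no REQUEST (look at the client)"
        else:
            verdict = "stalled: DISCOVER never answered (look at relay/server path)"
        report[xid] = {"sequence": seen, "discovers": seen.count("DISCOVER"),
                       "offers": seen.count("OFFER"), "verdict": verdict}
    return report
```

Feeding it the XP case from the thread (three DISCOVERs, three relayed OFFERs, nothing after) yields a "no REQUEST" verdict for that xid, whereas a full exchange reports "complete"; the `giaddr` field shows which relay each OFFER came back through.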
 
