[vpn-help] Again: no response from DHCP server (Fortigate 80C 4.0 MR1)
Matthew Grooms
mgrooms at shrew.net
Thu Aug 5 03:15:58 CDT 2010
On 8/2/2010 5:39 AM, Weber, Uwe wrote:
> Hi there
>
> Another no response from DHCP server issue: I have set up an ipsec dialup
> vpn against a FGT 80C, did all the testing with their native Forticlient
> and everything was fine. As we had some PCs with the actual Shrew vpn
> client software already installed, I gave it a try and it worked fine as
> well.
>
> Over the weekend some users connected to the vpn and it suddenly
> stopped working with the message: no response from DHCP server.
>
> (It is DHCP over IPSEC on the FGT)
>
> When I looked into it today the first thing that I found was that I
> could still connect with the fortigate client and I could not with the
> Shrew client. The second thing, that I found, was that all the leases
> from the DHCP-over-IPSEC range had already been leased out, but were not
> active (since no client was connected). Then I cleared all the leases via
> command line on the FGT and yeeeehaaaaaa! could connect with the
> Shrew-client again.
>
> It would be nice, if that could be fixed, because I really like the
> client and would only reluctantly uninstall it from my clients and use
> the Forticlient instead :)
>
Hi Uwe,
This sounds like a different problem from the DHCP over IPsec related
issue that was reported previously. It pertains to the client not using
a consistent MAC address for the DHCP discover. Since each connection is
processed as a different machine, the gateway hands out a new DHCP
address for each Shrew connection attempt which eventually exhausts the
DHCP pool. My guess is that the Fortigate client wasn't affected by this
because it retained the MAC value previously sent and gets handed an
address which is still reserved. The easiest solution will be for the
client to offer the same MAC address each time so it doesn't cause this
problem. I haven't gotten around to this yet, but it shouldn't be too
difficult to add. I'll keep you posted.
-Matthew
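
The pool exhaustion described in this reply can be reproduced with a small in-memory model (an added example, not part of the original message and not Shrew or Fortigate code). The pool size, lease time, `install_id` and the hash-based `stable_mac` derivation are assumptions chosen for illustration; the model keeps leases after a disconnect, matching the "leased out, but not active" state reported above.

```python
import hashlib
import os

class LeasePool:
    """Toy DHCP server: one lease per client hardware address (chaddr)."""
    def __init__(self, addresses, lease_time):
        self.free = list(addresses)
        self.lease_time = lease_time
        self.leases = {}                      # chaddr -> (ip, expiry)

    def discover(self, chaddr, now):
        # Reclaim leases whose timer has run out.
        for mac, (ip, expiry) in list(self.leases.items()):
            if expiry <= now:
                del self.leases[mac]
                self.free.append(ip)
        if chaddr in self.leases:             # known client: same address again
            ip = self.leases[chaddr][0]
        elif self.free:                       # unknown client: consume a new one
            ip = self.free.pop(0)
        else:
            return None                       # exhausted: client gets no response
        self.leases[chaddr] = (ip, now + self.lease_time)
        return ip

def _as_local_unicast(raw):
    b = bytearray(raw[:6])
    b[0] = (b[0] | 0x02) & 0xFE               # locally administered, unicast
    return bytes(b)

def random_mac(_attempt):
    """Assumed model of the problem: a fresh chaddr for every connection."""
    return _as_local_unicast(os.urandom(6))

def stable_mac(install_id=b"constructed-install-id"):
    """Hypothetical fix: derive the chaddr from a persistent per-install value."""
    return _as_local_unicast(hashlib.sha256(install_id).digest())

def simulate(mac_for_attempt, attempts, pool_size=5,
             lease_time=7 * 24 * 3600, interval=3600):
    """Connect once per `interval` seconds; return (offers, leases held)."""
    pool = LeasePool([f"10.0.0.{i}" for i in range(1, pool_size + 1)], lease_time)
    offers = [pool.discover(mac_for_attempt(n), n * interval)
              for n in range(attempts)]
    return offers, len(pool.leases)

if __name__ == "__main__":
    print("random chaddr:", simulate(random_mac, 8))
    print("stable chaddr:", simulate(lambda n: stable_mac(), 8))
```

On the gateway side, a lease table in which the number of distinct hardware addresses far exceeds the number of VPN users is the corresponding sign of this condition.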