[vpn-help] Again: no response from DHCP server (Fortigate 80C 4.0 MR1)

Matthew Grooms mgrooms at shrew.net
Thu Aug 5 03:15:58 CDT 2010


On 8/2/2010 5:39 AM, Weber, Uwe wrote:
> Hi there
>
> Another no response from DHCP server issue: I have set up an ipsec dialup
> vpn against a FGT 80C, did all the testing with their native Forticlient
> and everything was fine. As we had some PCs with the actual Shrew vpn
> client software already installed, I gave it a try and it worked fine as
> well.
>
> Over the weekend some users connected to the vpn and it suddenly
> stopped working with the message: no response from DHCP server.
>
> (It is DHCP over IPSEC on the FGT)
>
> When I looked into it today the first thing that I found was that I
> could still connect with the fortigate client and I could not with the
> Shrew client. The second thing, that I found, was that all the leases
> from the DHCP-over-IPSEC range had already been leased out, but were not
> active (since no client was connected). Then I cleared all the leases via
> command line on the FGT and yeeeehaaaaaa! could connect with the
> Shrew-client again.
>
> It would be nice, if that could be fixed, because I really like the
> client and would only reluctantly uninstall it from my clients and use
> the Forticlient instead :-)
>

Hi Uwe,

This sounds like a different problem from the DHCP over IPsec related 
issue that was reported previously. It pertains to the client not using 
a consistent MAC address for the DHCP discover. Since each connection is 
processed as a different machine, the gateway hands out a new DHCP 
address for each Shrew connection attempt which eventually exhausts the 
DHCP pool. My guess is that the Fortigate client wasn't affected by this 
because it retained the MAC value previously sent and gets handed an 
address which is still reserved. The easiest solution will be for the 
client to offer the same MAC address each time so it doesn't cause this 
problem. I haven't gotten around to this yet, but it shouldn't be too 
difficult to add. I'll keep you posted.

-Matthew
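
The pool exhaustion described in the reply above, as an added example that is not part of the original post and is not Shrew Soft or Fortinet code: a toy lease pool keyed on the client hardware address, compared against a per-attempt random MAC and a stable one. `LeasePool`, `random_mac`, `stable_mac` and the hash-based derivation are hypothetical names and an assumed approach; lease expiry is deliberately not modelled.

```python
import hashlib
import os


class LeasePool:
    """Toy DHCP pool: one lease per client hardware address (chaddr), no expiry."""

    def __init__(self, size):
        self.free = [f"10.0.0.{i}" for i in range(1, size + 1)]  # constructed range
        self.leases = {}  # chaddr -> leased address

    def discover(self, chaddr):
        if chaddr in self.leases:
            return self.leases[chaddr]  # known client gets its reserved address back
        if not self.free:
            return None  # pool exhausted: the client sees no response
        ip = self.free.pop(0)
        self.leases[chaddr] = ip
        return ip


def _as_local_unicast(raw):
    b = bytearray(raw[:6])
    b[0] = (b[0] | 0x02) & 0xFE  # set locally-administered bit, clear multicast bit
    return bytes(b)


def random_mac():
    """A different MAC on every connection attempt (the behaviour that drains the pool)."""
    return _as_local_unicast(os.urandom(6))


def stable_mac(client_id):
    """Assumed fix: derive the MAC from a persistent per-installation identifier."""
    return _as_local_unicast(hashlib.sha256(client_id.encode()).digest())


def simulate(pool_size, attempts, mac_for_attempt):
    """Run repeated connects; return the address per attempt and the leases consumed."""
    pool = LeasePool(pool_size)
    results = [pool.discover(mac_for_attempt()) for _ in range(attempts)]
    return results, len(pool.leases)


if __name__ == "__main__":
    print("random MAC:", simulate(5, 8, random_mac))
    print("stable MAC:", simulate(5, 8, lambda: stable_mac("constructed-client-id")))
```

With a five-address pool, the random-MAC client fails from the sixth connect onward, while the stable-MAC client holds a single lease across all eight.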


