sagvan
New Contributor III

FortiGate DHCP Reservations Missing for Company Machines (LAN)

I've reserved specific IP addresses for our company machines based on their MAC addresses in FortiGate's Network > Interfaces > LAN > DHCP > Advanced > Reservations. However, these reserved entries aren't showing up in the DHCP Monitor tool.

Key Points:

  • Reservations made for company machines (not smartphones)
  • Machines have connectivity from PC and Server via LAN
  • Reservations confirmed in LAN DHCP settings
  • PC reservation on LAN visible in DHCP Monitor
  • Smartphone reservation on Wi-Fi visible in DHCP Monitor

Why are reserved IPs for company machines not showing up in the FortiGate DHCP Monitor? Any suggestions for troubleshooting? Does it even matter when they have connectivity? What does it mean?

I appreciate any insights and assistance you can offer. Thank you in advance for your time and expertise!

Sincerely,

Sagvan Saleem
AEK
SuperUser

DHCP monitor shows only non-expired clients. Once lease time expires for a client it is not shown anymore even if it has reserved IP.

AEK
sagvan
New Contributor III

@AEK 
But some of the machines are up, and I can even ping them and access their web interfaces.
I am confused as DHCP monitor does not even show them as leased out.

Sagvan Saleem
AEK
SuperUser

I have the same and all DHCP clients are displayed correctly in DHCP monitor as shown below (FortiOS 6.2.15).

Which FortiOS do you have?

It is also possible that you have another DHCP server in your network. In that case FG will not show the clients that acquire IP from a DHCP server other than FG.

 

dhcp_mon.png

AEK
ede_pfau
SuperUser

1- these hosts use static IPs

or

2- these hosts obtain their IPs from a different DHCP server on the network

As DHCP uses broadcasts for detection you might find a (rogue/second) DHCP server by sniffing:

in CLI: "diag sniffer packet any 'port 67 or port 68' 6 0 a l" (lowercase "L")

 


Ede

"Kernel panic: Aiee, killing interrupt handler!"
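An added illustration of the second-DHCP-server check suggested in the post above (not part of the original thread and not Fortinet code): it parses DHCP server replies and lists every server identifier (option 54) that is not on an allow list. It assumes the UDP payloads on ports 67/68 have already been extracted from a capture; the addresses and the `build_reply` helper are constructed for the demo.

```python
import socket
import struct

MAGIC_COOKIE = b"\x63\x82\x53\x63"  # marks the start of the DHCP options
REPLY_TYPES = {2: "OFFER", 5: "ACK", 6: "NAK"}  # option 53 values a server sends

def parse_dhcp_reply(payload):
    """Return (type, server_id, offered_ip) for a DHCP server reply, else None."""
    if len(payload) < 240 or payload[0] != 2 or payload[236:240] != MAGIC_COOKIE:
        return None  # not a BOOTREPLY with DHCP options
    offered_ip = socket.inet_ntoa(payload[16:20])  # yiaddr field
    msg_type = server_id = None
    i = 240
    while i < len(payload) and payload[i] != 255:  # 255 = end option
        if payload[i] == 0:  # pad option has no length byte
            i += 1
            continue
        if i + 2 > len(payload) or i + 2 + payload[i + 1] > len(payload):
            break  # truncated option
        code, length = payload[i], payload[i + 1]
        value = payload[i + 2:i + 2 + length]
        if code == 53 and length == 1:
            msg_type = REPLY_TYPES.get(value[0])
        elif code == 54 and length == 4:  # server identifier
            server_id = socket.inet_ntoa(value)
        i += 2 + length
    if msg_type is None or server_id is None:
        return None
    return msg_type, server_id, offered_ip

def unexpected_servers(payloads, authorized):
    """Map each server identifier not in `authorized` to the replies it sent."""
    seen = {}
    for payload in payloads:
        reply = parse_dhcp_reply(payload)
        if reply and reply[1] not in authorized:
            seen.setdefault(reply[1], []).append((reply[0], reply[2]))
    return seen

def build_reply(msg_type, server_ip, offered_ip):
    """Build a minimal BOOTREPLY; used only to construct the sample input."""
    header = struct.pack("!BBBBIHH4s4s4s4s16s64s128s", 2, 1, 6, 0, 0x1234, 0, 0,
                         b"", socket.inet_aton(offered_ip), b"", b"", b"", b"", b"")
    options = bytes([53, 1, msg_type, 54, 4]) + socket.inet_aton(server_ip) + b"\xff"
    return header + MAGIC_COOKIE + options

# Constructed sample: assumed firewall at .1, a second server at .254, one client packet.
SAMPLE = [build_reply(2, "192.168.1.1", "192.168.1.20"),
          build_reply(2, "192.168.1.254", "192.168.1.77"), b"\x01" + bytes(300)]
print(unexpected_servers(SAMPLE, {"192.168.1.1"}))
```

An empty result means every reply seen came from an allowed server; any key in the result is a server worth tracing on the switch.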
sagvan
New Contributor III

@AEK @ede_pfau 

I am only using FG DHCP. We don't have a dedicated DHCP server.

Also, those machines are using static addresses, but I reserved them so no other device would (with low chance) get the address.

Sagvan Saleem
AEK

If the clients have static IP they will not appear in DHCP monitor even if they are reserved.

They will be displayed only if they are dynamic.

AEK
sagvan
New Contributor III

@ede_pfau @AEK 
Thank you.

I just tested it again, and I learned that even with reservation, static addresses are not shown on DHCP monitor.

 

God bless you!

Sagvan Saleem
ede_pfau
SuperUser

That's not a problem at all.

Just before a DHCP server offers an IP address lease, it sends out an ARP request to learn the MAC address (or just the existence) of a host with the offered IP address. If some host answers, the server offers the next available address. If not, all is good, and the address is offered.

 

So, in order to protect your statically assigned addresses, you don't need to do anything. The DHCP server will respect any existing address. CAVEAT: that is, as long as that host is online. Usually not a problem with servers, but might be with, for instance, printers.

Therefore, a best practice that I follow is to use the one-digit host addresses for static assignment, and to start the DHCP range at .20 (and not at .1 which ALWAYS is the firewall's port).

 


Ede

"Kernel panic: Aiee, killing interrupt handler!"