DHCP Relay trauma with PIX 7.0

Unanswered Question
Aug 21st, 2007


I'm having a big problem getting dhcp relay to work with PIX 7.

The setup:

2 x PIX 515s (7.0) with a VPN tunnel connecting PIX A and PIX B. PIX A has 5 interfaces and the VPN tunnel terminates on its inside interface. PIX B has only 2 interfaces and the VPN tunnel terminates on its outside interface.

The tunnel works fine in all respects but dhcp. PIX B has the client terminals attached to its inside interface. The config for PIX B is as follows:

dhcprelay server outside
dhcprelay enable inside
dhcprelay setroute inside
dhcprelay timeout 60

PIX A receives the request on its inside interface. The dhcp server sits on a lower security interface, and there is a static mapping of the relevant subnets between the inside and server interfaces.

An acl permits all traffic from the server interface (PIX A) back to the client subnet on PIX B.

Yet a packet trace of PIX B shows the dhcp request leaving but not returning.

A trace of PIX A shows the request coming in AND being responded to by the server on its server interface, but then the packet vanishes, i.e. no sign of it entering the tunnel back toward PIX B.

I'm finding this hard to analyse, as in terms of IP connectivity everything but dhcp works as it should do. Am I missing some dhcprelay config on PIX A?

Any ideas gratefully received. This problem has dragged on for weeks now.
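Since the trace on PIX A shows the server's reply arriving but never entering the tunnel, a useful check on that capture is to decode the BOOTP header and confirm where the reply must be addressed (RFC 2131: a relayed request is answered by unicast to giaddr on UDP port 67) and whether that address is covered by the tunnel's interesting-traffic networks. This Python decoder is an added example for that purpose, not code from the thread or from Cisco; the sample packet, addresses and network list are constructed placeholders.

```python
import struct
import ipaddress

BOOTP_FMT = "!BBBBIHH4s4s4s4s16s64s128s"  # 236-byte fixed header, RFC 2131 section 2

def build_bootp(op, xid, hops, giaddr, chaddr):
    """Build a BOOTP fixed header; ciaddr/yiaddr/siaddr stay zero as in a DHCPDISCOVER."""
    zero = b"\x00" * 4
    return struct.pack(BOOTP_FMT, op, 1, 6, hops, xid, 0, 0x8000,
                       zero, zero, zero, ipaddress.IPv4Address(giaddr).packed,
                       chaddr.ljust(16, b"\x00"), b"\x00" * 64, b"\x00" * 128)

def parse_bootp(pkt):
    """Decode the header fields a relay troubleshooter cares about."""
    (op, _htype, hlen, hops, xid, _secs, flags, _ci, _yi, _si, giaddr,
     chaddr, _sname, _file) = struct.unpack(BOOTP_FMT, pkt[:236])
    return {
        "op": "BOOTREQUEST" if op == 1 else "BOOTREPLY",
        "hops": hops,                      # incremented by each relay agent on the path
        "xid": xid,
        "broadcast": bool(flags & 0x8000),
        "giaddr": str(ipaddress.IPv4Address(giaddr)),
        "chaddr": chaddr[:hlen].hex(":"),
    }

def expected_reply_dst(request):
    """RFC 2131 section 4.1: a server answers a relayed request by unicast to giaddr, UDP 67.
    Returns None when giaddr is zero (unrelayed request; the server answers the client directly)."""
    giaddr = parse_bootp(request)["giaddr"]
    return None if giaddr == "0.0.0.0" else (giaddr, 67)

def reply_covered_by_tunnel(request, interesting_nets):
    """Would the server's reply to giaddr match the VPN's interesting-traffic networks?"""
    dst = expected_reply_dst(request)
    if dst is None:
        return False
    addr = ipaddress.IPv4Address(dst[0])
    return any(addr in ipaddress.IPv4Network(n) for n in interesting_nets)

if __name__ == "__main__":
    # Constructed sample: a DHCPDISCOVER as a relay agent would forward it (hops=1,
    # giaddr = address of the relay interface that received it). Placeholder values.
    relayed = build_bootp(1, 0x3903F326, 1, "10.20.30.1", bytes.fromhex("001122334455"))
    print(parse_bootp(relayed))
    print(expected_reply_dst(relayed))
    print(reply_covered_by_tunnel(relayed, ["10.20.30.0/24"]))
```

Feed it the 236 bytes following the UDP header of the captured reply and request: if giaddr is not inside the networks the crypto ACL protects, the reply has no reason to be encrypted toward PIX B.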



mike_perish Tue, 08/21/2007 - 07:33


We ran into this same issue about a year ago. I found part of an e-mail conversation with our SE but I wasn't able to find a bug number that referenced the problem. We ended up using a 2500 router to provide DHCP.

Even with using the relay agent options on the PIX, DHCP addresses aren't able to be served through the WLC to the wireless clients. I'll look to see if I can find a few more details or documentation on the problem.

Hope this Helps!


PDEdwards Tue, 08/21/2007 - 07:43


Thanks for your response. We're not using wireless but any further info you have on a bug would be gratefully received.



mike_perish Tue, 08/21/2007 - 07:53


Sorry, I assumed you were using a WLC. I know that the virtual interface on the WLC won't work with a 501 PIX to serve DHCP (even with relay setup properly). We watched as the PIX kept dropping the DHCP request packets from the WLC.



