mocah
join:2003-04-11 Slovenia
IOS 12.4(20) ZBF - DHCP server problems
Hi,
recently I have installed the new IOS 12.4(20) on a Cisco 1812. After the upgrade the DHCP server stopped working if the Zone Based Firewall is configured on the interfaces; if ZBF is not configured on the interfaces, the DHCP server works. Does anybody have a similar problem?

aryoba Premium,MVM
join:2002-08-22
There is probably something in the Zone-Based Firewall configuration that prevents the DHCP mechanism from working. Did you run packet tracer and troubleshoot further to find out which configuration part prevents the DHCP mechanism from working?

mr_dirt
join:2006-02-14 Denver, CO
reply to mocah
said by mocah: "Hi, after the upgrade the DHCP server stopped working if Zone Based Firewall is configured on interfaces"
Did the same firewall policy work prior to the upgrade?
12.4(20)T introduces a new firewall infrastructure, so there are probably a lot of corner cases that aren't fully tested. It looks like you found one.
Any chance you could post the policy-maps, class-maps, and zone-pair configuration between the zone where DHCP fails and the self zone?

mocah
join:2003-04-11 Slovenia
reply to mocah
I have used the same configuration for at least 6 months. The only way that I can use the DHCP server on the router is if I disable ZBF. Currently I can not access the router, but I will post the config tomorrow.

mocah
join:2003-04-11 Slovenia
reply to mocah
Here is the config:
I am going on vacation for 14 days, so I won't be able to reply.
Thank you and kind regards, M

mr_dirt
join:2006-02-14 Denver, CO
Thanks for posting your config. If anything, I suspect that 12.4(20)T fixed a problem that you were relying on being broken.
Unless I'm mistaken, your configuration makes no allowance for bootp/dhcp client requests to the router's dhcp server. In the past, I suspect that dhcp requests were following a code path that didn't call the firewall. With the changes to the FW (need to locate a doc that describes the changes), the FW gets better control over the various router-local capabilities, including, apparently, the DHCP interaction.
If you add inspection or pass for the dhcp traffic in one of the class-maps in your 'Vlan2Self-pmap', this should sort this out.

mocah
join:2003-04-11 Slovenia
I opened (with ACL) ports UDP 67 and 68 to and from the Self zone. Unfortunately clients still do not get an IP address from the server.
Any other way to allow DHCP traffic from the Self zone to the "private" one?

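What mr_dirt's suggestion (pass for DHCP in the zone-to-self policy) and mocah's UDP 67/68 ACL attempt look like written out, as an added example and not mocah's posted config. It assumes the LAN zone is named "private" with Vlan2 as its member interface, that the existing private-to-self zone-pair uses the policy-map Vlan2Self-pmap named in the thread, and it adds the self-to-private direction as well, because the ZBF pass action is one-directional.

```cisco
! Added example, not mocah's posted config. Assumptions: the LAN zone is named
! "private", Vlan2 is its member interface, and the existing zone-pair from
! "private" to "self" already uses policy-map Vlan2Self-pmap (name from the thread).
!
! DHCP uses UDP 67 (bootps, server side) and 68 (bootpc, client side); the client's
! DISCOVER/REQUEST comes from 0.0.0.0 to 255.255.255.255, so "any" is used on both ends.
ip access-list extended DHCP-acl
 permit udp any eq bootpc any eq bootps
 permit udp any eq bootps any eq bootpc
!
class-map type inspect match-all DHCP-cmap
 match access-group name DHCP-acl
!
! private -> self: add one class to the existing policy. The other classes stay as
! they are; class-default remains the last class evaluated.
policy-map type inspect Vlan2Self-pmap
 class type inspect DHCP-cmap
  pass
!
! "pass" does not create return-traffic state, so the router's OFFER/ACK toward the
! LAN needs its own pass in the self -> private direction. If a self -> private
! zone-pair already exists, add the class to its policy-map instead of this new one.
! class-default is set to pass here so other router-originated traffic to the LAN
! (routing hellos, syslog, pings from the router) keeps flowing; tighten as needed.
policy-map type inspect SelfVlan2-pmap
 class type inspect DHCP-cmap
  pass
 class class-default
  pass
!
zone-pair security private-to-self source private destination self
 service-policy type inspect Vlan2Self-pmap
zone-pair security self-to-private source self destination private
 service-policy type inspect SelfVlan2-pmap
```

To confirm the policy is actually matching, "show policy-map type inspect zone-pair private-to-self" shows per-class packet counters, so a DHCP request from a LAN client should increment the DHCP-cmap pass counter rather than the class-default drop counter.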
mr_dirt
join:2006-02-14 Denver, CO
Can you post your revised configuration, please?

mocah
join:2003-04-11 Slovenia
reply to mocah
I have the same problem on a Cisco 871. Because the config on the Cisco 871 is simpler, I will post that config:

mocah
join:2003-04-11 Slovenia
reply to mocah
I was testing the config over the weekend. Unfortunately I still have not found a solution for allowing DHCP traffic. The firewall is reporting the following:
Also I noticed that the ARP table is not showing clients with dynamic IP addresses, only static ones.
Thank you and kind regards, M

hoover87
join:2008-08-17 Anacortes, WA
You may want to try the latest 124-15.XZ code as it usually has more bug fixes than the mainline releases.
-- www.ketchumits.com

mr_dirt
join:2006-02-14 Denver, CO
said by hoover87: "You may want to try the latest 124-15.XZ code as it usually has more bug fixes than the mainline releases."
12.4(15)XZ was released before 12.4(20)T, at a time when the infrastructure under the (20)T FW was still in development. You'll have bigger problems than DHCP not working if you load (15)XZ (CSCsm15782).
Marko, sorry I haven't replied. I've had my hands full. Give me a little time.