Restricted IP address in multiple DHCP relay agent environment


Symptoms


Consider the following scenario:

  • DHCP NAP is enabled in the environment
  • Two HSRP routers are configured as DHCP relay agents (IP Helper-Address) for failover
  • Client connects to corporate network

In this scenario, clients get a restricted IP address instead of a full-access IP address.

Cause


This issue occurs because both DHCP relay agents respond to the DHCP requests instead of working as a failover pair.

  • The client sends a DHCP request, and both relay agents forward the request to the DHCP server
  • The DHCP server responds to the request with a restricted IP address
  • The client gets the response from one of the DHCP relay agents and then sends a request with SOH
  • The response from the second DHCP relay agent then arrives; the client assumes the restricted IP address and discards the responses from both relay agents that carry the full-access IP address

In the network trace, you will see:

16754  0.0000000 <Time><Date> 0.0.0.0             255.255.255.255  DHCP        DHCP:Request, MsgType = REQUEST, TransactionID = 0x401B504D
16784  0.0085968 <Time><Date> 192.168.100.3       DS-CLIENTDHCP    DHCP:Reply, MsgType = ACK, TransactionID = 0x401B504D
16793  0.0003589 <Time><Date> 0.0.0.0             255.255.255.255  DHCP        DHCP:Request, MsgType = REQUEST, TransactionID = 0x401B504D, SOH:Vendor = Microsoft, Version 2, Request
16804  0.0004382 <Time><Date> 192.168.100.2       DS-CLIENTDHCP    DHCP:Reply, MsgType = ACK, TransactionID = 0x401B504D  - The client gets the response from the second DHCP relay agent after it sends the request with SOH; the client assumes that IP address and discards the following acknowledgments.
16985  0.0201080 <Time><Date> 192.168.100.2       DS-CLIENTDHCP    DHCP:Reply, MsgType = ACK, TransactionID = 0x401B504D, SOH:Vendor = Microsoft, Version 2, Response
16994  0.0153142 <Time><Date> 192.168.100.3       DS-CLIENTDHCP    DHCP:Reply, MsgType = ACK, TransactionID = 0x401B504D, SOH:Vendor = Microsoft, Version 2, Response
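
The following check is an added example, not part of the original article: it scans a text export in the summary format shown above and reports transactions that were ACKed through more than one relay, plus any ACK without SOH that arrived after the client's SOH request. The function name and regular expression are assumptions; the sample lines are copied from the trace above with the inline annotation removed.

```python
import re
from collections import defaultdict

# Lines taken from the trace above (inline annotation and trailing period removed).
SAMPLE_TRACE = """\
16754  0.0000000 <Time><Date> 0.0.0.0             255.255.255.255  DHCP        DHCP:Request, MsgType = REQUEST, TransactionID = 0x401B504D
16784  0.0085968 <Time><Date> 192.168.100.3       DS-CLIENTDHCP    DHCP:Reply, MsgType = ACK, TransactionID = 0x401B504D
16793  0.0003589 <Time><Date> 0.0.0.0             255.255.255.255  DHCP        DHCP:Request, MsgType = REQUEST, TransactionID = 0x401B504D, SOH:Vendor = Microsoft, Version 2, Request
16804  0.0004382 <Time><Date> 192.168.100.2       DS-CLIENTDHCP    DHCP:Reply, MsgType = ACK, TransactionID = 0x401B504D
16985  0.0201080 <Time><Date> 192.168.100.2       DS-CLIENTDHCP    DHCP:Reply, MsgType = ACK, TransactionID = 0x401B504D, SOH:Vendor = Microsoft, Version 2, Response
16994  0.0153142 <Time><Date> 192.168.100.3       DS-CLIENTDHCP    DHCP:Reply, MsgType = ACK, TransactionID = 0x401B504D, SOH:Vendor = Microsoft, Version 2, Response
"""

# Assumed layout: frame number, time offset, optional <Time><Date>, source, ..., DHCP summary.
LINE_RE = re.compile(
    r"^\s*(?P<frame>\d+)\s+\S+\s+(?:<Time><Date>\s+)?(?P<src>\S+)\s+.*?"
    r"DHCP:(?:Request|Reply), MsgType = (?P<type>\w+), "
    r"TransactionID = (?P<xid>0x[0-9A-Fa-f]+)(?P<rest>.*)$"
)

def find_duplicate_relay_acks(trace_text):
    """Return {xid: {"relays": [...], "stale_acks": [...]}} for each
    transaction whose ACKs came from more than one relay address."""
    by_xid = defaultdict(list)
    for line in trace_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            has_soh = "SOH:" in m["rest"]
            by_xid[m["xid"]].append((int(m["frame"]), m["src"], m["type"], has_soh))

    findings = {}
    for xid, frames in by_xid.items():
        frames.sort()  # order by frame number
        acks = [f for f in frames if f[2] == "ACK"]
        relays = sorted({src for _, src, _, _ in acks})
        if len(relays) < 2:
            continue  # one relay answered: no duplicate forwarding
        soh_requests = [f[0] for f in frames if f[2] == "REQUEST" and f[3]]
        stale = []
        if soh_requests:
            # ACKs without SOH seen after the SOH request are late duplicates
            # of the first (restricted) answer.
            stale = [f[0] for f in acks if f[0] > soh_requests[0] and not f[3]]
        findings[xid] = {"relays": relays, "stale_acks": stale}
    return findings

if __name__ == "__main__":
    for xid, info in find_duplicate_relay_acks(SAMPLE_TRACE).items():
        print(xid, info)
```

On the trace above, the check flags frame 16804, the ACK the client accepts in place of the SOH responses.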

Resolution


Cisco has fixed the issue of duplicate DHCP forwarding in a later release of IOS. Basically IP helpers were not “HSRP aware” till this fix.

See Cisco documentation at http://www.cisco.com/en/US/docs/ios-xml/ios/ipapp/configuration/12-4t/iap-udp-vrg.html#GUID-45267FAA-2D78-40AB-A010-30F5289C6D88

Benefits of the UDP Forwarding Support for Virtual Router Groups Feature

Forwarding is limited to the active router in the VRG instead of all routers within the VRG. Prior to the implementation of this feature, the only VRG support was HSRP. Within a VRG that is formed by HSRP, the forwarding of UDP-based broadcast and multicast packets is done by all the routers within the VRG. This process can cause some DHCP servers to operate incorrectly. The UDP Forwarding Support for VRGs feature limits forwarding to the active router in the VRG.