How to fix FortiGate acting as DHCP server for multiple scopes not assigning lease for specific subnet

This article explains possible reasons why FortiGate is not assigning a DHCP lease to a machine for a specific subnet configured in a scope.

Scope

FortiGate.

Solution

Diagram:

DHCP Server config:

config system dhcp server
    edit 16
        set lease-time 86400
        set domain "redseamall.com"
        set default-gateway 192.168.100.10
        set netmask 255.255.255.0
        set interface "port1"
        config ip-range
            edit 1
                set start-ip 192.168.100.21
                set end-ip 192.168.100.245
            next
        end
        config options
            edit 1
                set code 150
                set type ip
                set ip "192.168.100.7"
            next
        end
        set dns-server1 172.18.150.1
        set dns-server2 8.8.4.4
        set dns-server3 8.8.8.8
    next
    edit 2
        set dns-service default
        set default-gateway 172.18.150.1
        set netmask 255.255.255.0
        set interface "port1"
    next
    edit 1
        set domain "redseamall.com"
        set default-gateway 172.18.120.1
        set netmask 255.255.255.0
        set interface "port1"
        config ip-range
            edit 1
                set start-ip 172.18.120.50
                set end-ip 172.18.120.200
            next
        end
        set dns-server1 172.18.150.1
        set dns-server2 8.8.4.4
        set dns-server3 8.8.8.8
    next
end

When an IP is requested for VLAN 1 (scope 172.18.120.0/24, the ‘edit 1’ entry), FortiGate assigns a lease to the machine, as the debug output below shows (DHCPDISCOVER, DHCPOFFER, DHCPREQUEST, DHCPACK).

DHCP_Server # diagnose debug application dhcps -1
Debug messages will be on for 30 minutes.

...
[note]DHCPDISCOVER from 00:75:6e:69:05:02 via 172.18.120.1(ethernet)
[debug]deled ip 172.18.120.50 mac 00:75:6e:69:05:02 in vd root
[debug]added ip 172.18.120.50 mac 00:75:6e:69:05:02 in vd root
[debug]packet length 305
[debug]op = 1 htype = 1 hlen = 6 hops = 1
[debug]xid = f8d2c223 secs = 0 flags = 0
[debug]ciaddr = 0.0.0.0
[debug]yiaddr = 0.0.0.0
[debug]siaddr = 0.0.0.0
[debug]giaddr = 172.18.120.1
[debug]chaddr = 00:75:6e:69:05:02
[debug]filename =
[debug]server_name =
[debug] host-name = "universe-esx05"
[debug] dhcp-message-type = 1
[debug] dhcp-parameter-request-list = 1,3,6,15,31,33,43,44,46,47,121,249,252
[debug] dhcp-class-identifier = "MSFT 5.0"
[debug] dhcp-client-identifier = 1:0:75:6e:69:5:2
[debug] option-82 = 1:7:76:6c:61:6e:31:32:35
[debug]
...
[note]DHCPOFFER on 172.18.120.50 to 00:75:6e:69:05:02 via 172.18.120.1(ethernet)
...
[debug]sending on port1(ethernet)
[debug]locate_network prhtype(1) pihtype(1)
[debug]find_lease(): packet contains preferred client IP, cip.s_addr is 172.18.120.50
[debug]find_lease(): leaving function with lease set
[debug]find_lease(): the lease's IP is 172.18.120.50
[note]DHCPREQUEST for 172.18.120.50 from 00:75:6e:69:05:02 via 172.18.120.1(ethernet)
[debug]DHCP client doesn't want DHCP server to perform A RR (FQDN-to-address) DNS updates.
[debug]deled ip 172.18.120.50 mac 00:75:6e:69:05:02 in vd root
[debug]added ip 172.18.120.50 mac 00:75:6e:69:05:02 in vd root
[debug]packet length 348
[debug]op = 1 htype = 1 hlen = 6 hops = 1
[debug]xid = f8d2c223 secs = 0 flags = 0
[debug]ciaddr = 0.0.0.0
[debug]yiaddr = 0.0.0.0
[debug]siaddr = 0.0.0.0
[debug]giaddr = 172.18.120.1
[debug]chaddr = 00:75:6e:69:05:02
[debug]filename =
[debug]server_name =
[debug] host-name = "universe-esx05"
[debug] dhcp-requested-address = 172.18.120.50
[debug] dhcp-message-type = 3
[debug] dhcp-server-identifier = 172.18.150.1
[debug] dhcp-parameter-request-list = 1,3,6,15,31,33,43,44,46,47,121,249,252
[debug] dhcp-class-identifier = "MSFT 5.0"
[debug] dhcp-client-identifier = 1:0:75:6e:69:5:2
[debug] option-81 = 0:0:0:75:6e:69:76:65:72:73:65:2d:65:73:78:30:35:2e:63:6f:6e:74:6f:73:6f:2e:63:6f:6d
[debug] option-82 = 1:7:76:6c:61:6e:31:32:35
[debug]
...
[note]DHCPACK on 172.18.120.50 to 00:75:6e:69:05:02 via 172.18.120.1(ethernet)
...

However, when an IP is requested for the DHCP scope under VLAN 16 (192.168.100.0/24, the ‘edit 16’ entry), the debug output shows the errors ‘leaving function WITHOUT a lease’ and ‘There is no requesting IP in subnet!’, and the client receives a DHCPNAK instead of a lease.

DHCP_Server # diagnose debug application dhcps -1
Debug messages will be on for 30 minutes.

DHCP_Server # diagnose debug enable

[debug]locate_network prhtype(1) pihtype(1)
[debug]find_lease(): packet contains preferred client IP, cip.s_addr is 192.168.100.21
[debug]search through all subnets to find an ip lease (192.168.100.21)
[debug]There is no requesting IP in subnet!
[note]DHCPREQUEST for 192.168.100.21 from 00:75:6e:69:05:02 via 192.168.100.10(ethernet)
[note]DHCPNAK on 192.168.100.21 to 00:75:6e:69:05:02 via 192.168.100.10(ethernet)
[debug]packet length 342
[debug]op = 1 htype = 1 hlen = 6 hops = 1
[debug]xid = e016ec2c secs = 0 flags = 0
[debug]ciaddr = 0.0.0.0
[debug]yiaddr = 0.0.0.0
[debug]siaddr = 0.0.0.0
[debug]giaddr = 192.168.100.10
[debug]chaddr = 00:75:6e:69:05:02
[debug]filename =
[debug]server_name =
[debug] host-name = "universe-esx05"
[debug] dhcp-requested-address = 192.168.100.21
[debug] dhcp-message-type = 3
[debug] dhcp-class-identifier = "MSFT 5.0"
[debug] dhcp-client-identifier = 1:0:75:6e:69:5:2
[debug] option-81 = 0:0:0:75:6e:69:76:65:72:73:65:2d:65:73:78:30:35:2e:63:6f:6e:74:6f:73:6f:2e:63:6f:6d
[debug] option-82 = 1:7:76:6c:61:6e:31:32:35
[debug]
...
[debug]packet length 277
[debug]op = 2 htype = 1 hlen = 6 hops = 1
[debug]xid = e016ec2c secs = 0 flags = 80
[debug]ciaddr = 0.0.0.0
[debug]yiaddr = 0.0.0.0
[debug]siaddr = 172.18.150.1
[debug]giaddr = 192.168.100.10
[debug]chaddr = 00:75:6e:69:05:02
[debug]filename =
[debug]server_name =
[debug]
...
[debug]locate_network prhtype(1) pihtype(1)
[debug]find_lease(): leaving function WITHOUT a lease
[note]DHCPDISCOVER from 00:75:6e:69:05:02 via 192.168.100.10(ethernet)
[debug]There is no requesting IP in subnet!
[debug]locate_network prhtype(1) pihtype(1)
[debug]find_lease(): leaving function WITHOUT a lease
[note]DHCPDISCOVER from 00:75:6e:69:05:02 via 192.168.100.10(ethernet)
[debug]There is no requesting IP in subnet!
[debug]locate_network prhtype(1) pihtype(1)
[debug]find_lease(): leaving function WITHOUT a lease
[note]DHCPDISCOVER from 00:75:6e:69:05:02 via 192.168.100.10(ethernet)
[debug]There is no requesting IP in subnet!
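To make the difference between the two captures above easier to see on a busy device, the following Python script summarises `diagnose debug application dhcps -1` output per relay address (the `via` address in the `[note]` lines) and flags relays whose clients never completed a lease. This is an added example, not Fortinet code; the sample debug text is a constructed excerpt modelled on the lines shown in this article, and the error-line counts are global because those `[debug]` lines carry no client or relay address.

```python
"""Triage FortiGate 'diagnose debug application dhcps -1' output.

Added example (not Fortinet code). Groups the [note] lines by relay address
and reports relays that sent a DHCPNAK or answered no DISCOVER with an OFFER.
"""
import re
from collections import defaultdict

# Constructed excerpt modelled on the debug output in the article (not a live capture).
SAMPLE_DEBUG = """\
[note]DHCPDISCOVER from 00:75:6e:69:05:02 via 172.18.120.1(ethernet)
[debug]xid = f8d2c223 secs = 0 flags = 0
[debug]giaddr = 172.18.120.1
[note]DHCPOFFER on 172.18.120.50 to 00:75:6e:69:05:02 via 172.18.120.1(ethernet)
[debug]find_lease(): packet contains preferred client IP, cip.s_addr is 172.18.120.50
[note]DHCPREQUEST for 172.18.120.50 from 00:75:6e:69:05:02 via 172.18.120.1(ethernet)
[note]DHCPACK on 172.18.120.50 to 00:75:6e:69:05:02 via 172.18.120.1(ethernet)
[debug]find_lease(): packet contains preferred client IP, cip.s_addr is 192.168.100.21
[debug]search through all subnets to find an ip lease (192.168.100.21)
[debug]There is no requesting IP in subnet!
[note]DHCPREQUEST for 192.168.100.21 from 00:75:6e:69:05:02 via 192.168.100.10(ethernet)
[note]DHCPNAK on 192.168.100.21 to 00:75:6e:69:05:02 via 192.168.100.10(ethernet)
[debug]find_lease(): leaving function WITHOUT a lease
[note]DHCPDISCOVER from 00:75:6e:69:05:02 via 192.168.100.10(ethernet)
[debug]There is no requesting IP in subnet!
"""

# [note] lines: "DHCPDISCOVER from <mac> via <relay>", "DHCPOFFER on <ip> to <mac> via <relay>",
# "DHCPREQUEST for <ip> from <mac> via <relay>", "DHCPACK/DHCPNAK on <ip> to <mac> via <relay>".
NOTE_RE = re.compile(
    r"^\[note\](?P<type>DHCP[A-Z]+)"
    r"(?: (?:on|for) (?P<ip>\d+\.\d+\.\d+\.\d+))?"
    r" (?:from|to) (?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})"
    r" via (?P<relay>\d+\.\d+\.\d+\.\d+)"
)
NO_SUBNET_MSG = "There is no requesting IP in subnet!"
NO_LEASE_MSG = "leaving function WITHOUT a lease"


def summarize(text):
    """Count DHCP message types per relay address seen in the [note] lines."""
    per_relay = defaultdict(lambda: defaultdict(int))
    for line in text.splitlines():
        m = NOTE_RE.match(line)
        if m:
            per_relay[m["relay"]][m["type"]] += 1
    return {relay: dict(counts) for relay, counts in per_relay.items()}


def find_failing_relays(text):
    """Relays whose clients never got a lease: a NAK was sent, or DISCOVERs
    were seen with no OFFER. These are the scopes worth checking first."""
    failing = []
    for relay, counts in sorted(summarize(text).items()):
        nak = counts.get("DHCPNAK", 0)
        discover = counts.get("DHCPDISCOVER", 0)
        offer = counts.get("DHCPOFFER", 0)
        if nak or (discover and not offer):
            failing.append(relay)
    return failing


def count_lookup_errors(text):
    """Count the two find_lease() error lines the article calls out."""
    lines = text.splitlines()
    return {
        "no_subnet": sum(NO_SUBNET_MSG in line for line in lines),
        "no_lease": sum(NO_LEASE_MSG in line for line in lines),
    }


if __name__ == "__main__":
    for relay, counts in sorted(summarize(SAMPLE_DEBUG).items()):
        print(f"{relay}: {counts}")
    print("failing relays:", find_failing_relays(SAMPLE_DEBUG))
    print("lookup errors:", count_lookup_errors(SAMPLE_DEBUG))
```

Paste a real capture into `SAMPLE_DEBUG` (or read it from a file) and the relay that appears in `find_failing_relays` tells you which scope's configuration to inspect next.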

This happens because an entry (ID 2) was created on port1 without an assigned IP range. Every subsequent entry (for example ID 3, 4, 5, ... or 16) will therefore fail to allocate an IP: FortiGate searches the scopes in order starting with ID 1 and assigns a lease as soon as it finds a match, but if it reaches an entry without a range before finding that match it stops the search and returns the error above.

The solution in this case is to remove the entry with ID 2 or to configure an IP range for it.
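The lookup rule described above can be checked offline before a client ever complains. The following Python script parses a `config system dhcp server` dump, orders the entries per interface by ID, and reports every entry without an `ip-range` together with the higher-ID scopes on the same interface that it shadows. This is an added example, not Fortinet code; the embedded configuration is an abbreviated copy of the one shown in this article (domain and DNS lines omitted), and the parser assumes the standard `config` / `edit` / `set` / `next` / `end` layout of the CLI output.

```python
"""Find 'config system dhcp server' entries with no ip-range, which stop the
lease lookup for every higher-ID scope on the same interface (see the article).
Added example, not Fortinet code."""
from collections import defaultdict

# Abbreviated copy of the article's configuration (domain and DNS lines omitted).
SAMPLE_CONFIG = """\
config system dhcp server
    edit 16
        set default-gateway 192.168.100.10
        set netmask 255.255.255.0
        set interface "port1"
        config ip-range
            edit 1
                set start-ip 192.168.100.21
                set end-ip 192.168.100.245
            next
        end
        config options
            edit 1
                set code 150
                set type ip
                set ip "192.168.100.7"
            next
        end
    next
    edit 2
        set default-gateway 172.18.150.1
        set netmask 255.255.255.0
        set interface "port1"
    next
    edit 1
        set default-gateway 172.18.120.1
        set netmask 255.255.255.0
        set interface "port1"
        config ip-range
            edit 1
                set start-ip 172.18.120.50
                set end-ip 172.18.120.200
            next
        end
    next
end
"""


def parse_dhcp_servers(cli_text):
    """Parse the dump into one dict per 'edit <id>' entry: id, interface, the other
    top-level 'set' values, and a list of ip-range dicts (start-ip / end-ip)."""
    servers, current, sub_entry, stack = [], None, None, []
    for raw in cli_text.splitlines():
        tokens = raw.split()
        if not tokens:
            continue
        word = tokens[0]
        if word == "config":                       # enter a (possibly nested) block
            stack.append(" ".join(tokens[1:]))
        elif word == "end":                        # leave it
            stack.pop()
        elif word == "edit":
            if stack[-1] == "system dhcp server":  # a new scope entry
                current = {"id": int(tokens[1]), "interface": None, "ranges": []}
                servers.append(current)
            elif stack[-1] == "ip-range":          # a range inside the current scope
                sub_entry = {}
                current["ranges"].append(sub_entry)
            else:                                  # e.g. 'config options': not needed here
                sub_entry = None
        elif word == "next":
            sub_entry = None
        elif word == "set":
            key, value = tokens[1], " ".join(tokens[2:]).strip('"')
            if stack[-1] == "system dhcp server":
                current[key] = value
            elif stack[-1] == "ip-range" and sub_entry is not None:
                sub_entry[key] = value
    return servers


def find_blocking_entries(servers):
    """Per interface, scopes are tried in ascending ID order and an entry with no
    ip-range ends the search, so report each such entry and the IDs it shadows."""
    by_iface = defaultdict(list)
    for s in servers:
        by_iface[s["interface"]].append(s)
    findings = []
    for iface, entries in sorted(by_iface.items()):
        entries.sort(key=lambda s: s["id"])
        for pos, s in enumerate(entries):
            if not s["ranges"]:
                findings.append({"interface": iface, "empty_id": s["id"],
                                 "blocked_ids": [e["id"] for e in entries[pos + 1:]]})
    return findings


if __name__ == "__main__":
    for f in find_blocking_entries(parse_dhcp_servers(SAMPLE_CONFIG)):
        print(f"{f['interface']}: entry {f['empty_id']} has no ip-range; "
              f"scopes {f['blocked_ids']} cannot hand out leases until it is fixed or removed")
```

Run against `show system dhcp server` output saved from the device; an empty result means every scope on each interface has a range and the ordering problem described in this article cannot occur.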