DHCP Relay and 2003 DHCP Server

I'm trying to consolidate my DHCP pools onto one 2003 server. Each
network is a Vlan. I setup a relay agent (called udp helper on the
3com switch) on our core. I've verified via ethereal that the server
receives the request from the relay with the correct relay agent
address, and that the DHCP server sends an ack with a valid address for
that network back to the relay agent. I've verified that the client
receives that ack via ethereal. Yet the client doesn't act like it
receives the ack and never configures itself. When I re-enable the
DHCP server that is physically in the vlan that I'm hoping to
replace, then all is well. Any input or direction would be
appreciated.

Andy

I did some more digging. When the client does a dhcp inform it gets a
reply from the server, as seen in the inform.pcap file (links to
follow). When the client goes to discover an address the server
recieves it and acks with an address that is not in the correct scope
(server.pcap) and the client never recieves the ack (renew.pcap). Can
anyone help me in figuring out why the server is handing out addresses
in the wrong scope? Through DHCP inform messages the server has the
client in the correct scope, but it offers an out of scope address.

Thanks for your time,
Andy

links:
http://argonath.exeter.k12.pa.us/~zi...es/inform.pcap
http://argonath.exeter.k12.pa.us/~zi...es/server.pcap
http://argonath.exeter.k12.pa.us/~zi...les/renew.pcap

It can do this if you have your Scopes in a Superscope. Superscopes are for
"multi-netting" and that is not what you are doing. VLANs are not multi-nets
even though they physically "appear" to be the same thing. You need the
Scopes to be separate independent distinct Scopes.

--
Phillip Windell [MCP, MVP, CCNA]
www.wandtv.com
-----------------------------------------------------
Understanding the ISA 2004 Access Rule Processing
http://www.isaserver.org/articles/IS...cessRules.html

Microsoft Internet Security & Acceleration Server: Guidance
http://www.microsoft.com/isaserver/t...dance/2004.asp
http://www.microsoft.com/isaserver/t...dance/2000.asp

Microsoft Internet Security & Acceleration Server: Partners
http://www.microsoft.com/isaserver/partners/default.asp
-----------------------------------------------------


<(E-Mail Removed)> wrote in message
news:(E-Mail Removed) oups.com...
> I did some more digging. When the client does a dhcp inform it gets a
> reply from the server, as seen in the inform.pcap file (links to
> follow). When the client goes to discover an address the server
> recieves it and acks with an address that is not in the correct scope
> (server.pcap) and the client never recieves the ack (renew.pcap). Can
> anyone help me in figuring out why the server is handing out addresses
> in the wrong scope? Through DHCP inform messages the server has the
> client in the correct scope, but it offers an out of scope address.
>
> Thanks for your time,
> Andy
>
> links:
> http://argonath.exeter.k12.pa.us/~zi...es/inform.pcap
> http://argonath.exeter.k12.pa.us/~zi...es/server.pcap
> http://argonath.exeter.k12.pa.us/~zi...les/renew.pcap
>

Thanks for replying. The scopes were in a superscope. I removed them
from the superscope and tried it again with the same results. I
removed the scope and re-added it with the same results.

I don't know,...you may have a design problem in the VLANs,...no way I can
say for sure,...but I can say in any case no matter what,..get rid of the
SuperScope.

--
Phillip Windell [MCP, MVP, CCNA]
www.wandtv.com
-----------------------------------------------------
Understanding the ISA 2004 Access Rule Processing
http://www.isaserver.org/articles/IS...cessRules.html

Microsoft Internet Security & Acceleration Server: Guidance
http://www.microsoft.com/isaserver/t...dance/2004.asp
http://www.microsoft.com/isaserver/t...dance/2000.asp

Microsoft Internet Security & Acceleration Server: Partners
http://www.microsoft.com/isaserver/partners/default.asp
-----------------------------------------------------



<(E-Mail Removed)> wrote in message
news:(E-Mail Removed) oups.com...
> Thanks for replying. The scopes were in a superscope. I removed them
> from the superscope and tried it again with the same results. I
> removed the scope and re-added it with the same results.
>

The superscope is gone. When I captured the traffic with ethereal,
which is shown in server.pcap linked above, I get dhcp request packets
with the correct gateway ip. Is there something else that should be
present in the request? I'll paste in the tcpdump output of the
server.pcap file showing the request and reply. The gateway is clearly
not included in that mask.
Thanks so much for you help.

13:27:07.695811 IP (tos 0x0, ttl 30, id 2003, offset 0, flags [none],
length: 328) 192.168.4.1.bootpc > 192.168.63.18.bootps: [udp sum ok]
BOOTP/DHCP, Request from 00:0e:35:68:bf:0c, length: 300, hops:1,
xid:0xaf6a8a61, secs:768, flags: [none] (0x0000)
Gateway IP: 192.168.4.1
Client Ethernet Address: 00:0e:35:68:bf:0c
Vendor-rfc1048:
DHCPISCOVER
NOAUTO:Y
CID:[ether]00:0e:35:68:bf:0c
RQ:192.168.5.124
HN:"orome"
VC:"MSFT 5.0"
PR:SM+DN+DG+NS+WNS+WNT+WSC+RD+SR+T249+VO
13:27:07.695906 IP (tos 0x0, ttl 128, id 14813, offset 0, flags [none],
length: 355, bad cksum 0 (->3b49)!) 192.168.63.18.bootps >
192.168.4.1.bootps: [udp sum ok] BOOTP/DHCP, Reply, length: 327,
xid:0xaf6a8a61, flags: [none] (0x0000)
Your IP: 192.168.50.14
Server IP: 192.168.63.18
Gateway IP: 192.168.4.1
Client Ethernet Address: 00:0e:35:68:bf:0c
Vendor-rfc1048:
DHCP:OFFER
SM:255.255.240.0
RN:14400
RB:25200
LT:28800
SID:192.168.63.18
DN:"academic.exeter.k12.pa.us^@"
DG:192.168.48.1
NS:192.168.63.17,192.168.63.12
WNS:192.168.63.17
WNT:h-node

Can someone look at this DHCP request and offer to see why the DHCP
server is handing out addresses in the wrong scope? Is the request
missing something or is it ok? Thanks in advance.

13:27:07.695811 IP (tos 0x0, ttl 30, id 2003, offset 0, flags [none],
length: 328) 192.168.4.1.bootpc > 192.168.63.18.bootps: [udp sum ok]
BOOTP/DHCP, Request from 00:0e:35:68:bf:0c, length: 300, hops:1,
xid:0xaf6a8a61, secs:768, flags: [none] (0x0000)
Gateway IP: 192.168.4.1
Client Ethernet Address: 00:0e:35:68:bf:0c
Vendor-rfc1048:
DHCPISCOVER
NOAUTO:Y
CID:[ether]00:0e:35:68:bf:0c
RQ:192.168.5.124
HN:"orome"
VC:"MSFT 5.0"
PR:SM+DN+DG+NS+WNS+WNT+WSC+RD+SR+T249+VO
13:27:07.695906 IP (tos 0x0, ttl 128, id 14813, offset 0, flags [none],

length: 355, bad cksum 0 (->3b49)!) 192.168.63.18.bootps >
192.168.4.1.bootps: [udp sum ok] BOOTP/DHCP, Reply, length: 327,
xid:0xaf6a8a61, flags: [none] (0x0000)
Your IP: 192.168.50.14
Server IP: 192.168.63.18
Gateway IP: 192.168.4.1
Client Ethernet Address: 00:0e:35:68:bf:0c
Vendor-rfc1048:
DHCP:OFFER
SM:255.255.240.0
RN:14400
RB:25200
LT:28800
SID:192.168.63.18
DN:"academic.exeter.k12.pa.us^@"
DG:192.168.48.1
NS:192.168.63.17,192.168.63.12
WNS:192.168.63.17
WNT:h-node

<(E-Mail Removed)> wrote in message
news:(E-Mail Removed) ups.com...
> Can someone look at this DHCP request and offer to see why the DHCP
> server is handing out addresses in the wrong scope? Is the request
> missing something or is it ok? Thanks in advance.

I don't see anything wrong with it,...but I'm not *that* big of a geek that
I chew on the contents of DHCP Queries for a snack,...so that might be
something wrong that I am not seeing. :-)
I also wouldn't know what all the IP#s go to or if they would be correct
unless I knew as much about the design of your LAN as you do.

I think you have configuration issues with the VLANs so that the replies
never get back the the Clients,...but then I would have to know as much
about your LAN's design as you do to really say for sure on that too.

--
Phillip Windell [MCP, MVP, CCNA]
www.wandtv.com
-----------------------------------------------------
Understanding the ISA 2004 Access Rule Processing
http://www.isaserver.org/articles/IS...cessRules.html

Microsoft Internet Security & Acceleration Server: Guidance
http://www.microsoft.com/isaserver/t...dance/2004.asp
http://www.microsoft.com/isaserver/t...dance/2000.asp

Microsoft Internet Security & Acceleration Server: Partners
http://www.microsoft.com/isaserver/partners/default.asp
-----------------------------------------------------

Thanks for looking at it, I really do appreciate it. Here's what I see
in that transaction (and of course I would never look at queries either
for fun).

Request:
-relayed by 192.168.4.1(ok)
-previous address of host 192.168.5.124(ok)
*This network has a mask of 255.255.252.0 so the ip is in that mask

Reply:
-to gateway 192.168.4.1 (ok)
-offered address 192.168.50.14(not in subnet)
-offered subnet 255.255.240.0(not correct)

The offered information is valid for the vlan that the server is
physically in, but not for the vlan that the client is in. This offer
does get to the client, verified by ethereal, but the client seems to
ignore it.

Is there more that needs to be in the request than the gateway address?
I'll check my vlans, but this is on a 3com core switch and there isn't
much to configure.

<(E-Mail Removed)> wrote in message
news:(E-Mail Removed) oups.com...
> The offered information is valid for the vlan that the server is
> physically in, but not for the vlan that the client is in. This offer
> does get to the client, verified by ethereal, but the client seems to
> ignore it.

That futher implies something wrong with the design of the VLANs of in the
way the LAN Router is configured to work with them. But again, without being
the guy who designed the VLANs I can't really say more than that. VLANs can
become a mess really fast if they are not carefully designed and
"kept-to-a-minimum",...you should preserve real physical segments (non-VLAN)
as much as possible and use VLANs to only supplement them.

--
Phillip Windell [MCP, MVP, CCNA]
www.wandtv.com
-----------------------------------------------------
Understanding the ISA 2004 Access Rule Processing
http://www.isaserver.org/articles/IS...cessRules.html

Microsoft Internet Security & Acceleration Server: Guidance
http://www.microsoft.com/isaserver/t...dance/2004.asp
http://www.microsoft.com/isaserver/t...dance/2000.asp

Microsoft Internet Security & Acceleration Server: Partners
http://www.microsoft.com/isaserver/partners/default.asp
-----------------------------------------------------