
Clients cannot obtain an IP because DHCP Request violates "local ACL"

Hi,

I'm using XG 17.5.9 MR-9 and configured

a) two Bridge to AP LAN wireless networks (172.20.0.x)

b) a guest WLAN (separate zone) (172.16.50.x). The DHCP server should deliver dynamic lease IPs in the range 172.16.50.100 - 172.16.50.200.


Both networks reference the same AP30. The "Bridge to AP LAN" accesses are working well, but not the WLAN in the separate zone, because the DHCP client requests are always dropped ("dropped by LOCAL_ACL" according to the packet capture).

I have worked through https://community.sophos.com/kb/en-us/125170, https://community.sophos.com/kb/en-us/123133 and https://community.sophos.com/kb/en-us/132814, but with no success so far.

What do I have to do so that the guest WLAN clients get their IPs via DHCP?

Many thanks in advance,

Christian



  • Hi  

    Please login to SSH Console access of the firewall and access the Advanced shell and capture tcpdump for any MAC address from the Guest zone.

    # tcpdump -i any | grep <MAC ID>
    Please also share DHCP server configuration

    Regards,

    Keyur
    Community Support Engineer | Sophos Support

  • Hi Keyur,

    Thank you very much for your quick answer. Please find the output as requested:


    SFVH_SO01_SFOS 17.5.9 MR-9# tcpdump -i any | grep 48:e2:44:6d:4c:3f
    tcpdump: Starting Packet Dump
    14:47:26.747292 vxlan3, IN:   B 48:e2:44:6d:4c:3f (oui Unknown) ethertype Unknown (0x0067), length 348:
    14:47:26.747292 vxlan3.103, IN: IP 0.0.0.0.bootpc > 255.255.255.255.bootps: BOOTP/DHCP, Request from 48:e2:44:6d:4c:3f (oui Unknown), length 300
    14:47:26.747292 GUESTCST11, IN: IP 0.0.0.0.bootpc > 255.255.255.255.bootps: BOOTP/DHCP, Request from 48:e2:44:6d:4c:3f (oui Unknown), length 300
    14:47:26.970161 vxlan3, IN:   B 48:e2:44:6d:4c:3f (oui Unknown) ethertype Unknown (0x0067), length 48:
    14:47:27.975043 vxlan3, IN:   B 48:e2:44:6d:4c:3f (oui Unknown) ethertype Unknown (0x0067), length 48:
    14:47:28.960173 vxlan3, IN:   B 48:e2:44:6d:4c:3f (oui Unknown) ethertype Unknown (0x0067), length 48:
    14:47:29.962756 vxlan3, IN:   B 48:e2:44:6d:4c:3f (oui Unknown) ethertype Unknown (0x0067), length 48:
    14:47:29.994452 vxlan3, IN:   M 48:e2:44:6d:4c:3f (oui Unknown) ethertype Unknown (0x0067), length 81:
    14:47:29.996121 vxlan3, IN:   M 48:e2:44:6d:4c:3f (oui Unknown) ethertype Unknown (0x0067), length 91:
    14:47:30.044619 vxlan3, IN:   B 48:e2:44:6d:4c:3f (oui Unknown) ethertype Unknown (0x0067), length 116:
    14:47:30.045899 vxlan3, IN:   B 48:e2:44:6d:4c:3f (oui Unknown) ethertype Unknown (0x0067), length 116:
    14:47:30.045917 vxlan3, IN:   B 48:e2:44:6d:4c:3f (oui Unknown) ethertype Unknown (0x0067), length 116:
    14:47:30.793863 vxlan3, IN:   B 48:e2:44:6d:4c:3f (oui Unknown) ethertype Unknown (0x0067), length 116:
    14:47:30.793893 vxlan3, IN:   B 48:e2:44:6d:4c:3f (oui Unknown) ethertype Unknown (0x0067), length 116:
    14:47:30.794620 vxlan3, IN:   B 48:e2:44:6d:4c:3f (oui Unknown) ethertype Unknown (0x0067), length 116:
    14:47:30.890361 vxlan3, IN:   B 48:e2:44:6d:4c:3f (oui Unknown) ethertype Unknown (0x0067), length 348:
    14:47:30.890361 vxlan3.103, IN: IP 0.0.0.0.bootpc > 255.255.255.255.bootps: BOOTP/DHCP, Request from 48:e2:44:6d:4c:3f (oui Unknown), length 300
    14:47:30.890361 GUESTCST11, IN: IP 0.0.0.0.bootpc > 255.255.255.255.bootps: BOOTP/DHCP, Request from 48:e2:44:6d:4c:3f (oui Unknown), length 300
    14:47:31.546480 vxlan3, IN:   B 48:e2:44:6d:4c:3f (oui Unknown) ethertype Unknown (0x0067), length 116:
    14:47:31.547215 vxlan3, IN:   B 48:e2:44:6d:4c:3f (oui Unknown) ethertype Unknown (0x0067), length 116:
    14:47:31.549917 vxlan3, IN:   B 48:e2:44:6d:4c:3f (oui Unknown) ethertype Unknown (0x0067), length 116:
    14:47:32.297853 vxlan3, IN:   B 48:e2:44:6d:4c:3f (oui Unknown) ethertype Unknown (0x0067), length 116:
    14:47:32.298593 vxlan3, IN:   B 48:e2:44:6d:4c:3f (oui Unknown) ethertype Unknown (0x0067), length 116:
    14:47:32.301160 vxlan3, IN:   B 48:e2:44:6d:4c:3f (oui Unknown) ethertype Unknown (0x0067), length 116:
    14:47:34.303426 vxlan3, IN:   B 48:e2:44:6d:4c:3f (oui Unknown) ethertype Unknown (0x0067), length 348:
    14:47:34.303426 vxlan3.103, IN: IP 0.0.0.0.bootpc > 255.255.255.255.bootps: BOOTP/DHCP, Request from 48:e2:44:6d:4c:3f (oui Unknown), length 300
    14:47:34.303426 GUESTCST11, IN: IP 0.0.0.0.bootpc > 255.255.255.255.bootps: BOOTP/DHCP, Request from 48:e2:44:6d:4c:3f (oui Unknown), length 300
    14:47:42.302872 vxlan3, IN:   B 48:e2:44:6d:4c:3f (oui Unknown) ethertype Unknown (0x0067), length 348:
    14:47:42.302872 vxlan3.103, IN: IP 0.0.0.0.bootpc > 255.255.255.255.bootps: BOOTP/DHCP, Request from 48:e2:44:6d:4c:3f (oui Unknown), length 300
    14:47:42.302872 GUESTCST11, IN: IP 0.0.0.0.bootpc > 255.255.255.255.bootps: BOOTP/DHCP, Request from 48:e2:44:6d:4c:3f (oui Unknown), length 300
    14:47:59.161138 vxlan3, IN:   B 48:e2:44:6d:4c:3f (oui Unknown) ethertype Unknown (0x0067), length 348:
    14:47:59.161138 vxlan3.103, IN: IP 0.0.0.0.bootpc > 255.255.255.255.bootps: BOOTP/DHCP, Request from 48:e2:44:6d:4c:3f (oui Unknown), length 300
    14:47:59.161138 GUESTCST11, IN: IP 0.0.0.0.bootpc > 255.255.255.255.bootps: BOOTP/DHCP, Request from 48:e2:44:6d:4c:3f (oui Unknown), length 300
    14:48:31.145165 vxlan3, IN:   B 48:e2:44:6d:4c:3f (oui Unknown) ethertype Unknown (0x0067), length 348:
    14:48:31.145165 vxlan3.103, IN: IP 0.0.0.0.bootpc > 255.255.255.255.bootps: BOOTP/DHCP, Request from 48:e2:44:6d:4c:3f (oui Unknown), length 300
    14:48:31.145165 GUESTCST11, IN: IP 0.0.0.0.bootpc > 255.255.255.255.bootps: BOOTP/DHCP, Request from 48:e2:44:6d:4c:3f (oui Unknown), length 300
    14:48:32.861656 vxlan3, IN:   B 48:e2:44:6d:4c:3f (oui Unknown) ethertype Unknown (0x0067), length 98:
    14:48:33.602805 vxlan3, IN:   B 48:e2:44:6d:4c:3f (oui Unknown) ethertype Unknown (0x0067), length 98:
    14:48:34.354014 vxlan3, IN:   B 48:e2:44:6d:4c:3f (oui Unknown) ethertype Unknown (0x0067), length 98:
    14:48:35.122426 vxlan3, IN:   B 48:e2:44:6d:4c:3f (oui Unknown) ethertype Unknown (0x0067), length 348:
    14:48:35.122426 vxlan3.103, IN: IP 0.0.0.0.bootpc > 255.255.255.255.bootps: BOOTP/DHCP, Request from 48:e2:44:6d:4c:3f (oui Unknown), length 300
    14:48:35.122426 GUESTCST11, IN: IP 0.0.0.0.bootpc > 255.255.255.255.bootps: BOOTP/DHCP, Request from 48:e2:44:6d:4c:3f (oui Unknown), length 300
    14:48:43.632007 vxlan3, IN:   B 48:e2:44:6d:4c:3f (oui Unknown) ethertype Unknown (0x0067), length 348:
    14:48:43.632007 vxlan3.103, IN: IP 0.0.0.0.bootpc > 255.255.255.255.bootps: BOOTP/DHCP, Request from 48:e2:44:6d:4c:3f (oui Unknown), length 300
    14:48:43.632007 GUESTCST11, IN: IP 0.0.0.0.bootpc > 255.255.255.255.bootps: BOOTP/DHCP, Request from 48:e2:44:6d:4c:3f (oui Unknown), length 300
    ^C20698 packets captured
    24397 packets received by filter
    0 packets dropped by kernel


    and the config of the corresponding DHCP server:


    Thanks in advance and regards,

    Christian

  • Hi  

    Thank you for providing a screenshot and logs.

    The configuration seems to be correct, and a request is coming to the XG through vxlan3.103 and is sent to the GUESTCST11 interface, but the response is not there. I would request you to contact technical support to investigate the issue further, as we need to check certain other parameters and logs. Please open a support case.

    Regards,

    Keyur
    Community Support Engineer | Sophos Support
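The diagnosis above (DHCP requests arrive on vxlan3.103 and GUESTCST11, but no reply is ever seen for that client) was read by eye from a long capture. The following script is an added example, not part of this thread and not a Sophos tool: it parses tcpdump summary lines in the format shown in the capture, counts BOOTP/DHCP requests and replies per interface, and flags interfaces where clients keep retrying without a single reply leaving the firewall. The first sample lines are copied from the capture posted above; the `LAN1` request/reply pair is constructed to show what a healthy exchange looks like. The regex assumes tcpdump's default summary wording ("Request from <mac>" / "Reply") and the `<iface>, <IN|OUT>:` prefix that SFOS prints.

```python
import re
from collections import defaultdict

# Matches the tcpdump summary lines SFOS prints for BOOTP/DHCP traffic:
# "<time> <iface>, <IN|OUT>: IP <src> > <dst>: BOOTP/DHCP, Request from <mac> ..."
# or "... BOOTP/DHCP, Reply, length N". Raw L2 frames (the vxlan3 lines) do not match.
DHCP_LINE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+)\s+(?P<iface>\S+),\s+(?P<dir>IN|OUT):\s+IP\s+"
    r"(?P<src>\S+)\s+>\s+(?P<dst>\S+):\s+BOOTP/DHCP,\s+(?P<kind>Request|Reply)"
    r"(?:\s+from\s+(?P<mac>[0-9a-f:]{17}))?"
)

# Constructed sample: the first lines are copied from the capture in the thread,
# the LAN1 lines are made up to show a working exchange (request followed by reply).
SAMPLE_CAPTURE = """\
14:47:26.747292 vxlan3, IN:   B 48:e2:44:6d:4c:3f (oui Unknown) ethertype Unknown (0x0067), length 348:
14:47:26.747292 vxlan3.103, IN: IP 0.0.0.0.bootpc > 255.255.255.255.bootps: BOOTP/DHCP, Request from 48:e2:44:6d:4c:3f (oui Unknown), length 300
14:47:26.747292 GUESTCST11, IN: IP 0.0.0.0.bootpc > 255.255.255.255.bootps: BOOTP/DHCP, Request from 48:e2:44:6d:4c:3f (oui Unknown), length 300
14:47:30.890361 vxlan3.103, IN: IP 0.0.0.0.bootpc > 255.255.255.255.bootps: BOOTP/DHCP, Request from 48:e2:44:6d:4c:3f (oui Unknown), length 300
14:47:30.890361 GUESTCST11, IN: IP 0.0.0.0.bootpc > 255.255.255.255.bootps: BOOTP/DHCP, Request from 48:e2:44:6d:4c:3f (oui Unknown), length 300
14:47:40.000000 LAN1, IN: IP 0.0.0.0.bootpc > 255.255.255.255.bootps: BOOTP/DHCP, Request from aa:bb:cc:dd:ee:01 (oui Unknown), length 300
14:47:40.001000 LAN1, OUT: IP 172.20.0.1.bootps > 172.20.0.50.bootpc: BOOTP/DHCP, Reply, length 300
"""


def parse_dhcp_events(capture_text):
    """Return one dict per BOOTP/DHCP line (ts, iface, dir, src, dst, kind, mac)."""
    events = []
    for line in capture_text.splitlines():
        m = DHCP_LINE.match(line.strip())
        if m:
            events.append(m.groupdict())
    return events


def summarize_by_interface(events):
    """Count requests and replies per interface and collect the client MACs that asked."""
    summary = defaultdict(lambda: {"requests": 0, "replies": 0, "clients": set()})
    for ev in events:
        entry = summary[ev["iface"]]
        if ev["kind"] == "Request":
            entry["requests"] += 1
            if ev["mac"]:
                entry["clients"].add(ev["mac"])
        else:
            entry["replies"] += 1
    return dict(summary)


def interfaces_without_replies(summary, min_requests=2):
    """Interfaces where clients retried at least min_requests times and no reply was ever seen."""
    return sorted(
        iface for iface, entry in summary.items()
        if entry["requests"] >= min_requests and entry["replies"] == 0
    )


def report(capture_text):
    """Print a per-interface table and return the list of silent interfaces."""
    summary = summarize_by_interface(parse_dhcp_events(capture_text))
    for iface, entry in sorted(summary.items()):
        print(f"{iface:12s} requests={entry['requests']:3d} replies={entry['replies']:3d} "
              f"clients={','.join(sorted(entry['clients'])) or '-'}")
    silent = interfaces_without_replies(summary)
    if silent:
        print("no DHCP reply seen on:", ", ".join(silent))
    return silent


if __name__ == "__main__":
    report(SAMPLE_CAPTURE)
```

To use it on a real capture, save the tcpdump output to a file and call `report(open(path).read())`. A request count that climbs on an interface while the reply count stays at zero is exactly the pattern in this thread; it tells you the DHCP server process never answered (or its answer was blocked before it left), which is the point to take to support together with the firewall's own drop log, rather than a problem on the client side.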