What is this?

This is basically where I write down stuff that I work with at my job as a GIS Technical Analyst (previously system administrator). I do it because it's practical for documentation purposes (although, I remove stuff that might be a security breach) and I hope it can be of use to someone out there. I frequently search the net for help myself, and this is my way of contributing.

Sunday, May 16, 2010

Windows XP and DHCP relay

An interesting issue occurred today. We have a new subnet (temporarily) set up on one of our Checkpoint Firewall legs.

The subnet contains an HP ProCurve 6600 router/switch that fronts another subnet serving a number of Windows XP / Windows 7 clients using DHCP. They all get their IP addresses from an internal DHCP server via DHCP relay (the VLAN has "ip helper-address 10.10.5.5" set).

The network setup is illustrated below:


client net (10.13.0.0/16)
   |
   |
[Procurve 6600 router]
 w/DHCP relay enabled
   |
   |
firewall net (10.14.0.0/16)
   |
   |
[Checkpoint firewall] ------ Internet (99.98.97.18/30)
   |
   |
Server net (10.10.0.0/16)
   |
   |
[DHCP Server 10.10.5.5]


The problem was as follows:
Windows XP clients (and, as it turned out, Windows Server 2003) on the client net were not able to obtain IP addresses. They worked fine with a static IP address, but issuing "ipconfig /release" followed by "ipconfig /renew" would simply time out and leave the client with a 169.x.x.x (APIPA) address. More interesting still, Windows 7 clients worked without a problem.

I tried all of the following:
- Opening all Checkpoint firewall ports between the client net and the server net
- Enabling a "permit ip any any" ACL on the 6600 router
- Verifying all routes and ports (especially UDP 67/68)

Finally I installed good old Microsoft Network Monitor on an XP client and ran a trace. The log showed:

{DHCP:0, UDP:2, IPv4:3} 0.0.0.0 255.255.255.255 DHCP DHCP:Request, MsgType = DISCOVER, TransactionID = 0xBC62C647

So far so good: the client sends a broadcast looking for a DHCP server.

{DHCP:0, UDP:2, IPv4:3} 99.98.97.18 10.13.4.97 DHCP DHCP:Reply, MsgType = OFFER, TransactionID = 0xBC62C647

We actually get a reply, but the source appears to be the Internet hide-behind (NAT) address of our firewall. The destination address is the one we requested. However, inside the packet the identity of the DHCP server is "ServerIP: 10.10.5.5". I'm not sure whether this is a security mechanism in XP, but after turning off NAT so that the source address matched the ServerIP identity, everything worked like a charm on both Windows XP and Windows 7 clients (see the log):

{DHCP:0, UDP:2, IPv4:1} 0.0.0.0 255.255.255.255 DHCP DHCP:Request, MsgType = DISCOVER, TransactionID = 0xC6A77CFC
{DHCP:0, UDP:2, IPv4:1} 10.10.5.5 255.255.255.255 DHCP DHCP:Reply, MsgType = OFFER, TransactionID = 0xC6A77CFC
{DHCP:0, UDP:2, IPv4:1} 10.10.5.5 255.255.255.255 DHCP DHCP:Reply, MsgType = ACK, TransactionID = 0xC6A77CFC
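The mismatch the trace exposed (an OFFER whose IP source is the firewall's NAT address while the server identity inside the packet is 10.10.5.5) is something you can check for in a capture without Network Monitor. The script below is an added example, not part of the original post or of any HP or Checkpoint tool: it builds a minimal BOOTP/DHCP reply as constructed sample data, decodes the header and option list, and compares the IP source address of the reply with the server identifier option (option 54) that the client later uses to address the server directly. The post's "ServerIP" field is assumed here to correspond to the DHCP server identity; the header siaddr field is reported alongside for reference. The two source addresses fed to the check reproduce the before/after situations in the post.

```python
import struct
from ipaddress import IPv4Address

# BOOTP/DHCP wire format constants (RFC 2131 / RFC 2132)
MAGIC_COOKIE = b"\x63\x82\x53\x63"
OPT_PAD, OPT_MSG_TYPE, OPT_SERVER_ID, OPT_END = 0, 53, 54, 255
MSG_TYPES = {1: "DISCOVER", 2: "OFFER", 3: "REQUEST", 4: "DECLINE",
             5: "ACK", 6: "NAK", 7: "RELEASE", 8: "INFORM"}
HEADER_FMT = "!BBBBIHH4s4s4s4s16s64s128s"   # 236-byte fixed header, then the magic cookie
HEADER_LEN = struct.calcsize(HEADER_FMT)


def build_dhcp_reply(msg_type, xid, yiaddr, siaddr, server_id):
    """Build a minimal BOOTP reply payload. Constructed sample data for this demo,
    not a real capture: only the fields the check below looks at are filled in."""
    header = struct.pack(
        HEADER_FMT,
        2, 1, 6, 0,                    # op=BOOTREPLY, htype=Ethernet, hlen=6, hops=0
        xid, 0, 0x8000,                # transaction id, secs, flags (broadcast bit set)
        b"\0" * 4,                     # ciaddr
        IPv4Address(yiaddr).packed,    # yiaddr: address offered to the client
        IPv4Address(siaddr).packed,    # siaddr: "server IP" in the fixed header
        b"\0" * 4,                     # giaddr (relay agent address, left empty here)
        b"\0" * 16, b"\0" * 64, b"\0" * 128)   # chaddr, sname, file
    options = (bytes([OPT_MSG_TYPE, 1, msg_type, OPT_SERVER_ID, 4])
               + IPv4Address(server_id).packed + bytes([OPT_END]))
    return header + MAGIC_COOKIE + options


def parse_dhcp(payload):
    """Decode the BOOTP header and the DHCP option list into a dict."""
    if len(payload) < HEADER_LEN + 4 or payload[HEADER_LEN:HEADER_LEN + 4] != MAGIC_COOKIE:
        raise ValueError("not a DHCP payload (missing magic cookie)")
    (op, _htype, _hlen, _hops, xid, _secs, _flags,
     _ciaddr, yiaddr, siaddr, giaddr, _chaddr, _sname, _file) = struct.unpack(
        HEADER_FMT, payload[:HEADER_LEN])
    options = {}
    i = HEADER_LEN + 4
    while i < len(payload):
        tag = payload[i]
        if tag == OPT_END:
            break
        if tag == OPT_PAD:            # single-byte padding, no length field
            i += 1
            continue
        length = payload[i + 1]
        options[tag] = payload[i + 2:i + 2 + length]
        i += 2 + length
    return {
        "op": op, "xid": xid,
        "yiaddr": str(IPv4Address(yiaddr)), "siaddr": str(IPv4Address(siaddr)),
        "giaddr": str(IPv4Address(giaddr)), "options": options,
    }


def check_reply(ip_src, payload):
    """Compare the IP source of a DHCP reply with the server identity carried inside it.
    Returns (ok, message); ok is False when a client might reject the reply."""
    pkt = parse_dhcp(payload)
    msg_type = MSG_TYPES.get(pkt["options"].get(OPT_MSG_TYPE, b"\0")[0], "?")
    sid = pkt["options"].get(OPT_SERVER_ID)
    if sid is None:
        return False, f"{msg_type}: no server identifier (option 54) present"
    sid = str(IPv4Address(sid))
    if sid != ip_src:
        return False, (f"{msg_type} xid=0x{pkt['xid']:08X}: IP source {ip_src} does not match "
                       f"server identifier {sid} (header siaddr {pkt['siaddr']})")
    return True, f"{msg_type} xid=0x{pkt['xid']:08X}: IP source {ip_src} matches server identifier"


if __name__ == "__main__":
    # Constructed reproduction of the OFFER from the post: offered 10.13.4.97, server 10.10.5.5.
    offer = build_dhcp_reply(2, 0xBC62C647, "10.13.4.97", "10.10.5.5", "10.10.5.5")
    for src in ("99.98.97.18", "10.10.5.5"):   # NAT'd source vs. the real server address
        ok, msg = check_reply(src, offer)
        print("OK " if ok else "BAD", msg)
```

Run against the two source addresses, the NAT'd reply is flagged and the direct one passes. On a live network the same check can be applied to the UDP payloads of port 67/68 traffic pulled from a capture, and a steady stream of mismatches after a firewall or NAT change is a quick way to spot this class of relay problem before clients fall back to 169.254.x.x addresses.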