[c-nsp] PixOS 7.0: (chained) dhcp relaying not working

[Matti Saarinen]

We have following, rather ugly setup. All PIXes are 516Es.


Net A -- (eth1/in) PIX-A (eth0/out) <---- VPN ----> ...

...  (out) PIX-B (in) --  dhcp servers



Short version:

Dhcp packets come from Net A. They are relayed through PIX-A in which
they are encapsulated in IPSec VPN. They are relayed to the outside
interface of PIX-B and from there to the dhcp servers. This works,
when PIX-B runs 6.3(3) but not when it runs 7.0.



Longer version (which hopefully has enough information):

On PIX-A: 

there are two VLANS on inside interface and there is dhcprelay enabled
on both. Dhcprelay server is defined on the outside interface of PIX-A
and the address is the address of the outside interface of PIX-B.

On PIX-A there is access list

access-list 101 permit udp host PIX-A/out eq bootps host PIX-B/out eq bootps 

and that access list is referenced on crypto-map that encapsulates the
packets inside IPSec.


On PIX-B:

there is dhcprelay server enabled on outside interface and on inside
interface are defined all the dhcp servers to which the dhcp packets
should be relayed.

There is again access list on PIX-B:

access-list 101 permit udp host PIX-B/out eq bootps host PIX-A/out eq bootps 


and a crypto map which references this access list.



This setup works when both devices run PixOS 6.3(3). When we upgraded
PIX-B to 7.0, dhcp relaying stopped working. All necessary security
associations were created on PIX-A. On PIX-B, there were no security
association related to dhcp.



Cheers,


-- 
- Matti -