PC obtains IP address slowly because multicast packets affect DHCP

Publication Date:  2012-09-12
Issue Description
Two downstream interfaces on the USG5320 had DHCP enabled: G0/0/1 was connected directly to a PC and G0/0/2 to a layer 2 switch. Both the directly connected PC and the PCs behind the layer 2 switch obtained an IP address slowly, or failed to obtain one at all. Usually a PC had to request an address two or more times before it was assigned one.
Alarm Information
Null
Handling Process
1. Checked the DHCP configuration and found no problem.

2. Repeated the test with a different PC; it still obtained an IP address slowly.

3. Checked the CPU usage of the USG and found no problem. Captured packets on the PC and found that the USG usually replied only after the PC had sent 3 or 4 DHCP DISCOVER packets.

4. Checked the USG port connected to the layer 2 switch and found a large number of multicast packets on it. Cleared the counters and found that the multicast counter increased rapidly. The result is as follows:
GigabitEthernet0/0/2 current firewall zone : trust
Last 5 minutes input rate 3464649  bytes/sec, 6273  packets/sec
Last 5 minutes output rate 1926950  bytes/sec, 2052  packets/sec
Input: 1768177463 packets, 2241678285 bytes
918086 broadcasts, 1309931573 multicasts
32363568 errors, 0 runts, 32363494 giants, 1 FCS
             72 length error, 1 code error, 0 align errors
Output: 521626117 packets,  1741018106 bytes
            169183 broadcasts, 0 multicasts

Checked the interface connected directly to the PC. The result is as follows:
GigabitEthernet0/0/1 current firewall zone : trust
Output queue : (Urgent queue : Size/Length/Discards)  0/50/0
Output queue : (Protocol queue : Size/Length/Discards) 0/1000/0
Output queue : (FIFO queuing : Size/Length/Discards)  0/75/0
    Last 5 minutes input rate 17403  bytes/sec, 25  packets/sec
Last 5 minutes output rate 2011  bytes/sec, 17  packets/sec
    Input: 9992 packets, 6398651 bytes
           233 broadcasts, 249 multicasts
           0 errors, 0 runts, 0 giants, 0 FCS
           0 length error, 0 code error, 0 align errors
    Output:7313 packets,  845994 bytes
           45 broadcasts, 0 multicasts

The counts are much lower and increase much more slowly. Checked the log and found many attack packets. The log is as follows:
2012-05-15 10:42:30 USG-5310-ShengGongSiJiaShuYuan %%01SEC/4/ATCKDF(l): AttackType: IP spoof attack; Receive IfIndex: GigabitEthernet0/0/2.6 ; from 192.168.201.100 ; to 224.0.0.251 ; begin time: 2012/5/15 10:42:1; end time: 2012/5/15 10:42:25; total packets: 4;
2012-05-15 10:44:00 USG-5310-ShengGongSiJiaShuYuan %%01SEC/4/ATCKDF(l): AttackType: IP spoof attack; Receive IfIndex: GigabitEthernet0/0/2.6 ; from 169.254.170.77 169.254.22.175 ; to 224.0.0.252 224.0.0.251 169.254.255.255 ; begin time: 2012/5/15 10:43:34; end time: 2012/5/15 10:43:58; total packets: 14;

Checked the device configuration: no multicast application is configured.
Shut down G0/0/2, and the PC connected directly to the USG then obtained an IP address quickly. This shows that the problem is caused by the multicast packets arriving on G0/0/2.

5. The abnormal multicast traffic on G0/0/2 affected not only DHCP on that interface but also DHCP on the other interface.
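The counter comparison in steps 4 and 5 can be automated. The following Python parser is an added example, not part of the original case: it reads the interface counter output in the format quoted above, computes the multicast share of received traffic per interface, and flags a likely storm source; the share and packets-per-second thresholds are assumptions, not values from the case.

```python
import re

# Constructed sample: the two counter blocks quoted in this case, trimmed to
# the lines the parser needs (the numbers are the page's own values).
SAMPLE = """GigabitEthernet0/0/2 current firewall zone : trust
Last 5 minutes input rate 3464649  bytes/sec, 6273  packets/sec
Input: 1768177463 packets, 2241678285 bytes
918086 broadcasts, 1309931573 multicasts
GigabitEthernet0/0/1 current firewall zone : trust
    Last 5 minutes input rate 17403  bytes/sec, 25  packets/sec
    Input: 9992 packets, 6398651 bytes
           233 broadcasts, 249 multicasts
    Output:7313 packets,  845994 bytes
           45 broadcasts, 0 multicasts
"""

def parse_interfaces(text):
    """Parse USG interface counter output into {ifname: {counter: value}}."""
    stats, cur, section = {}, {}, None
    for line in text.splitlines():
        m = re.match(r"\s*(\S+) current firewall zone", line)
        if m:  # a new interface block starts here
            cur, section = stats.setdefault(m.group(1), {}), None
            continue
        m = re.search(r"input rate \d+\s+bytes/sec, (\d+)\s+packets/sec", line)
        if m:
            cur["input_pps"] = int(m.group(1))
        m = re.match(r"\s*(Input|Output):\s*(\d+) packets", line)
        if m:  # the broadcast/multicast line that follows belongs to this direction
            section = m.group(1).lower()
            cur[section + "_packets"] = int(m.group(2))
        m = re.search(r"(\d+) broadcasts, (\d+) multicasts", line)
        if m and section:
            cur[section + "_broadcasts"] = int(m.group(1))
            cur[section + "_multicasts"] = int(m.group(2))
    return stats

def multicast_share(s):
    """Fraction of received frames that were multicast (0.0 if none received)."""
    return s["input_multicasts"] / s["input_packets"] if s.get("input_packets") else 0.0

def is_multicast_storm(s, min_share=0.5, min_pps=1000):
    """Heuristic (thresholds are assumptions): most received traffic is multicast
    and the 5-minute input rate is high, as on G0/0/2 in this case."""
    return multicast_share(s) >= min_share and s.get("input_pps", 0) >= min_pps

def suspect_interfaces(text):
    """Interfaces whose counters look like a multicast storm source."""
    return [n for n, s in parse_interfaces(text).items() if is_multicast_storm(s)]
```

Cumulative counters only show the share since the last clear; to catch a burst in progress, diff two snapshots taken a few seconds apart as the case did after clearing the counters.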
Root Cause
1. Configuration problem.
2. PC problem.
3. Other.
Suggestions
Null

END