DHCP was enabled on two downstream interfaces of a USG5320: G0/0/1 connected directly to a PC and G0/0/2 connected to a layer 2 switch. Both the directly connected PC and the PC behind the layer 2 switch obtained an IP address slowly, or even failed to obtain one. Usually a PC had to request an IP address two or more times before it got one.
1. Checked the DHCP configuration and found no problem.
2. Changed to another PC for the test; it still obtained an IP address slowly.
3. Checked the CPU usage of the USG and found no problem. Captured packets on the PC and found that the USG usually replied to the PC's request only after the PC had sent 3 or 4 DHCP DISCOVER packets.
4. Checked the USG port connected to the layer 2 switch: there were lots of multicast packets on this port. Cleared the counters and found that the number of multicast packets increased quickly. The result is as follows:
GigabitEthernet0/0/2 current firewall zone : trust
Last 5 minutes input rate 3464649 bytes/sec, 6273 packets/sec
Last 5 minutes output rate 1926950 bytes/sec, 2052 packets/sec
Input: 1768177463 packets, 2241678285 bytes
918086 broadcasts, 1309931573 multicasts
32363568 errors, 0 runts, 32363494 giants, 1 FCS
72 length error, 1 code error, 0 align errors
Output: 521626117 packets, 1741018106 bytes
169183 broadcasts, 0 multicasts
Checked the interface connected directly to the PC. The result is as follows:
GigabitEthernet0/0/1 current firewall zone : trust
Output queue : (Urgent queue : Size/Length/Discards) 0/50/0
Output queue : (Protocol queue : Size/Length/Discards) 0/1000/0
Output queue : (FIFO queuing : Size/Length/Discards) 0/75/0
Last 5 minutes input rate 17403 bytes/sec, 25 packets/sec
Last 5 minutes output rate 2011 bytes/sec, 17 packets/sec
Input: 9992 packets, 6398651 bytes
233 broadcasts, 249 multicasts
0 errors, 0 runts, 0 giants, 0 FCS
0 length error, 0 code error, 0 align errors
Output:7313 packets, 845994 bytes
45 broadcasts, 0 multicasts
The count is much lower and increases much more slowly. Checked the log and found lots of attack packets. The log is as follows:
2012-05-15 10:42:30 USG-5310-XXX %%01SEC/4/ATCKDF(l): AttackType: IP spoof attack; Receive IfIndex: GigabitEthernet0/0/2.6 ; from 192.168.201.100 ; to 22.214.171.124 ; begin time: 2012/5/15 10:42:1; end time: 2012/5/15 10:42:25; total packets: 4;
2012-05-15 10:44:00 USG-5310-XXX %%01SEC/4/ATCKDF(l): AttackType: IP spoof attack; Receive IfIndex: GigabitEthernet0/0/2.6 ; from X.X.170.77 X.X.22.175 ; to 126.96.36.199 188.8.131.52 X.X.255.255 ; begin time: 2012/5/15 10:43:34; end time: 2012/5/15 10:43:58; total packets: 14;
Checked the device configuration: there was no multicast application.
Shut down G0/0/2, and the PC connected directly to the USG could obtain an IP address quickly. This shows that the problem was caused by the multicast packets on G0/0/2.
5. The abnormal multicast packets on G0/0/2 affected not only DHCP on that interface itself but also DHCP on the other interface.
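As an added illustration of the counter comparison in step 4 (example code, not part of the original case), the following Python parses interface counter output in the format quoted above (the sample is constructed from the figures shown) and flags interfaces whose input traffic is dominated by multicast. The 50% share and 10000-packet thresholds are assumptions, not values from the case.

```python
import re

# Constructed sample: the two interface counter blocks quoted in the case above.
SAMPLE = """\
GigabitEthernet0/0/2 current firewall zone : trust
Input: 1768177463 packets, 2241678285 bytes
918086 broadcasts, 1309931573 multicasts
32363568 errors, 0 runts, 32363494 giants, 1 FCS
Output: 521626117 packets, 1741018106 bytes
169183 broadcasts, 0 multicasts
GigabitEthernet0/0/1 current firewall zone : trust
Input: 9992 packets, 6398651 bytes
233 broadcasts, 249 multicasts
0 errors, 0 runts, 0 giants, 0 FCS
Output:7313 packets, 845994 bytes
45 broadcasts, 0 multicasts
"""

def parse_interfaces(text):
    """Parse counter output into {interface: counters}, tracking Input/Output sections."""
    ifaces, cur, side = {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        m = re.match(r"^(\S+) current firewall zone", line)
        if m:                                   # start of a new interface block
            cur, side = ifaces.setdefault(m.group(1), {}), None
            continue
        if cur is None:
            continue
        m = re.match(r"^(Input|Output):\s*(\d+) packets", line)
        if m:                                   # following broadcast/multicast line belongs to this side
            side = "in" if m.group(1) == "Input" else "out"
            cur[side + "_pkts"] = int(m.group(2))
        m = re.match(r"^(\d+) broadcasts, (\d+) multicasts", line)
        if m and side:
            cur[side + "_bcast"], cur[side + "_mcast"] = int(m.group(1)), int(m.group(2))
        m = re.match(r"^(\d+) errors, \d+ runts, (\d+) giants", line)
        if m:
            cur["errors"], cur["giants"] = int(m.group(1)), int(m.group(2))
    return ifaces

def flag_multicast_flood(ifaces, mcast_share=0.5, min_pkts=10000):
    """Return {interface: input multicast share} for interfaces above the assumed
    threshold; ports with very few packets are skipped to avoid noise."""
    flagged = {}
    for name, c in ifaces.items():
        total = c.get("in_pkts", 0)
        if total >= min_pkts and c.get("in_mcast", 0) / total >= mcast_share:
            flagged[name] = round(c["in_mcast"] / total, 3)
    return flagged
```

On the sample above only GigabitEthernet0/0/2 is flagged, with roughly 74% of its input packets being multicast, while the quiet GigabitEthernet0/0/1 is left alone.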
1. Configuration problem.
2. PC problem.