Hi Matthew,

I had a roadwarrior test with the fixed version and we were able to see that the original build of the client really gets a new lease for every connection attempt, whereas the fixed version gets its previous lease as registered with the DHCP server. 100% success! Thanks a lot for the quick resolution.

Uwe

________________________________________
From: Matthew Grooms [[email protected]]
Sent: Tuesday, August 10, 2010 07:13
To: Weber, Uwe
Cc: [email protected]
Subject: Re: AW: [vpn-help] Again: no response vom DHCP server (Fortigate 80C 4.0 MR1)

On 8/5/2010 4:32 AM, Weber, Uwe wrote:
> Hi Uwe,
>
> This sounds like a different problem from the DHCP over IPsec related
> issue that was reported previously. It pertains to the client not using
> a consistent MAC address for the DHCP discover. Since each connection is
> processed as a different machine, the gateway hands out a new DHCP
> address for each Shrew connection attempt which eventually exhausts the
> DHCP pool. My guess is that the Fortigate client wasn't affected by this
> because it retained the MAC value previously sent and gets handed an
> address which is still reserved. The easiest solution will be for the
> client to offer the same MAC address each time so it doesn't cause this
> problem. I haven't gotten around to this yet, but it shouldn't be too
> difficult to add. I'll keep you posted.
>
> -Matthew
>
> --
> Matthew, you exactly hit the nail: In the meantime, I found out that
> the FGT really ran out of DHCP leases and wasn't able to hand out more
> leases to the Shrew clients (which are always the same) but seem to come
> with a different MAC and so request a new IP from IPSEC-DHCP instead
> of reclaiming the previous lease. Forticlient always comes with the same
> MAC as you said, and subsequently gets the old lease. My workaround so
> far is that I have set the lease time to one hour, which prevents the
> DHCP pool from getting exhausted. So far this worked for me :) But if
> there is not a specific reason for the Shrew client software to use a
> different MAC for each connection attempt, and if you can change this
> behavior, you should do it, because logically seen it would be clear to
> me that a connection (or a virtual IPSEC interface) always uses the
> same MAC. As far as I have seen it, every IPSEC client does use one and
> the same MAC address (which is even configurable in some cases iirc) for
> every connection because the MAC logically belongs to the interface and
> not to the connection imho.
>
> Regards
> Uwe

Hi Uwe,

Please test this build. It should hand out the same IP address to the client each time ...

http://www.shrew.net/download/vpn/vpn-client-2.1.6-dhcpfix-1.exe

... if you can provide feedback quickly enough, I will roll the change into 2.1.6 for the release.

-Matthew
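
The failure mode discussed in this thread, as an added example that is not part of the original messages or of the Shrew Soft client: a toy lease table keyed by client MAC, showing how a new MAC per connection attempt exhausts the pool, how a stable MAC reclaims the previous lease, and how the one-hour lease workaround behaves. The pool size, addresses, MAC values and connection interval are constructed for illustration.

```python
class LeasePool:
    """Toy DHCP lease table keyed by client MAC (not a real DHCP server)."""

    def __init__(self, size, lease_secs):
        self.free = ["10.0.0.%d" % i for i in range(1, size + 1)]  # constructed pool
        self.lease_secs = lease_secs
        self.leases = {}  # mac -> (ip, expiry time in seconds)

    def request(self, mac, now):
        # Return expired leases to the pool before serving the request.
        for m, (ip, expiry) in list(self.leases.items()):
            if expiry <= now:
                del self.leases[m]
                self.free.append(ip)
        if mac in self.leases:        # known MAC: hand back the previous lease
            ip = self.leases[mac][0]
        elif self.free:               # unknown MAC: consume a new address
            ip = self.free.pop(0)
        else:
            return None               # pool exhausted: client gets no response
        self.leases[mac] = (ip, now + self.lease_secs)
        return ip


def simulate(stable_mac, connections, interval, pool_size, lease_secs):
    """Return the address (or None) handed out on each connection attempt."""
    pool = LeasePool(pool_size, lease_secs)
    results = []
    for n in range(connections):
        # Constructed MACs: one fixed value, or a fresh value per attempt.
        mac = "02:00:00:00:00:01" if stable_mac else "02:00:00:00:01:%02x" % n
        results.append(pool.request(mac, n * interval))
    return results


if __name__ == "__main__":
    week, hour = 7 * 24 * 3600, 3600
    print("new MAC each time :", simulate(False, 20, 600, 10, week).count(None), "failures")
    print("stable MAC        :", set(simulate(True, 20, 600, 10, week)))
    print("new MAC, 1h lease :", simulate(False, 20, 600, 10, hour).count(None), "failures")
```

With these constructed numbers the short lease only helps because at most six leases are live at once; a faster reconnect rate or a smaller pool would exhaust it again, which is why a stable MAC is the actual fix.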
