[Kea-users] Kea DHCPv6 does not respond to relay-forward packets from FortiGate

Mark Blackford mblackford at agn.tech
Thu Jul 24 15:13:31 UTC 2025


Hello Ugur,

Two suggestions:

  1.  I include the IPv6 Address in interfaces:

"Dhcp6": {
    "interfaces-config": {
        "interfaces": [ "ens224/fc00:d2c0:10:170::23" ]
    },

  2.  I turn up many more loggers to see everything when testing in LAB. Specifically – turn up the packets to see if you are getting the packet to Kea.

"loggers": [
      {
        "name": "kea-dhcp6",
        "severity": "DEBUG",
        "debuglevel": 99,
        "output_options": [
          {
            "output": "/var/log/kea/dhcp6.log",
            "maxver": 10
          }
        ]
      },
      {
        "name": "kea-dhcp6.lease-query-hooks",
        "severity": "DEBUG",
        "debuglevel": 99,
        "output_options": [
          {
            "output": "/var/log/kea/dhcp6-blq.log",
            "maxver": 10
          }
        ]
      },
      {
        "name": "kea-dhcp6.dhcpsrv",
        "severity": "DEBUG",
        "debuglevel": 99,
        "output_options": [
          {
            "output": "/var/log/kea/dhcp6-dhcpsrv.log",
            "maxver": 10
          }
        ]
      },
      {
        "name": "kea-dhcp6.leases",
        "severity": "DEBUG",
        "debuglevel": 99,
        "output_options": [
          {
            "output": "/var/log/kea/dhcp6-leases.log",
            "maxver": 10
          }
        ]
      },
      {
        "name": "kea-dhcp6.packets",
        "severity": "DEBUG",
        "debuglevel": 99,
        "output_options": [
          {
            "output": "/var/log/kea/isc-dhcp6-like-logging.log",
            "maxver": 10
          }
        ]
      }
    ]



From: Kea-users <kea-users-bounces at lists.isc.org> on behalf of Ugur Ucar <ugur.ucar at live.de>
Date: Wednesday, July 23, 2025 at 7:46 PM
To: kea-users at lists.isc.org <kea-users at lists.isc.org>
Subject: [Kea-users] Kea DHCPv6 does not respond to relay-forward packets from FortiGate

Hello everyone,

I'm currently trying to get Kea DHCPv6 to work with a FortiGate (model 900D) as a DHCPv6 relay agent. Unfortunately, although Kea receives the relay-forward packets (confirmed via tcpdump), it does not respond at all — and worse, it doesn't even log any processing activity or errors.

I run Kea in debug mode with `debuglevel 99`, and I see no indication that Kea is handling the packets. The system has no firewall active, and the relay-forward messages appear correct.

Details:

- OS: Ubuntu 24.04
- Kea version: 2.5.6
- IP6: fd10::1/64
- IP6 GW: fd10::256
- Relay: FortiGate 900D
- Relay link-address: `fd20::254`
- Interface-ID: `00000044` (binary format)
- Kea is listening on interface `ens33`
- No IPv6 forwarding enabled (`net.ipv6.conf.all.forwarding = 0`)
- Firewall is inactive (`ufw status` and `ip6tables -L` confirm)

I’ve tried several variations with `interface-id` in the config, including the escaped binary version. Nothing results in Kea processing or responding to the packets.

Here’s the **relevant Kea configuration**:

```json
{
  "Dhcp6": {
    "interfaces-config": {
      "interfaces": [ "ens33" ]
    },
    "lease-database": {
      "type": "memfile",
      "persist": true,
      "name": "/var/lib/kea/dhcp6.leases",
      "lfc-interval": 3600
    },
    "loggers": [
      {
        "name": "kea-dhcp6",
        "output_options": [
          {
            "output": "stdout"
          }
        ],
        "severity": "DEBUG",
        "debuglevel": 99
      }
    ],
    "shared-networks": [
      {
        "name": "shared1",
        "relay": {
          "ip-addresses": [ "fd20::254" ]
        },
        "subnet6": [
          {
            "id": 1,
            "subnet": "fd20::/64",
            "interface-id": "\u0000\u0000\u0000D",
            "pools": [
              {
                "pool": "fd20::10 - fd20::ffff"
              }
            ],
            "option-data": [
              {
                "name": "dns-servers",
                "code": 23,
                "space": "dhcp6",
                "data": "fd10::1"
              },
              {
                "name": "domain-search",
                "code": 24,
                "space": "dhcp6",
                "data": "domain.com"
              }
            ]
          }
        ]
      }
    ]
  }
}
```

Here’s a short tcpdump excerpt, confirming Kea receives the relay-forward packet:

23:23:32.316253 IP6 _gateway.dhcpv6-server > dhcp04.dhcpv6-server:
dhcp6 relay-fwd (linkaddr=fd20::254 peeraddr=fe80::b450:e39e:1239:30d
  (relay-message (dhcp6 solicit (xid=87f8d9 ... )))
  (interface-ID 00000044...))

At this point, I’m not sure if the issue is:
- A misconfiguration in my Kea config (e.g., interface-id encoding)?
- An incompatibility with FortiGate relay packets?
- A limitation or bug in Kea?

I’d really appreciate any insights or suggestions on what to try next.

Thanks in advance!

Best regards,
Ugur
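
An added example, not part of either message and not ISC or list-member code: a Python triage script that decodes a Relay-forward message (RFC 8415 layout) and compares it with the settings this thread discusses. The names `parse_relay_forward`, `triage` and `config`, the peer address, the option-less Solicit body and the entry `ens33/fd10::1` (Mark's `interface/address` form applied to the original poster's values) are assumptions; the script compares bytes only and does not model how Kea itself parses `interface-id`.

```python
import ipaddress
import struct
RELAY_FORW, OPT_RELAY_MSG, OPT_INTERFACE_ID = 12, 9, 18  # RFC 8415 type / option codes
def parse_relay_forward(data: bytes) -> dict:
    """Decode the fixed header and top-level options of a Relay-forward."""
    if len(data) < 34 or data[0] != RELAY_FORW:
        raise ValueError("not a DHCPv6 Relay-forward message")
    msg = {"link_address": ipaddress.IPv6Address(data[2:18]),
           "peer_address": ipaddress.IPv6Address(data[18:34]), "options": {}}
    pos = 34
    while pos < len(data):
        if pos + 4 > len(data):
            raise ValueError("truncated option header")
        code, length = struct.unpack_from("!HH", data, pos)
        pos += 4
        if pos + length > len(data):
            raise ValueError(f"option {code} overruns the packet")
        msg["options"][code] = data[pos:pos + length]
        pos += length
    return msg

def triage(msg: dict, dst: str, dhcp6: dict) -> dict:
    """Compare one relayed packet with the Dhcp6 settings discussed in the thread."""
    unicast = {ipaddress.ip_address(e.split("/", 1)[1])
               for e in dhcp6["interfaces-config"]["interfaces"] if "/" in e}
    subnets = [s for n in dhcp6.get("shared-networks", []) for s in n["subnet6"]]
    wire_id = msg["options"].get(OPT_INTERFACE_ID, b"")
    return {
        "unicast_dst_configured": ipaddress.ip_address(dst) in unicast,
        "link_address_in_subnet": any(
            msg["link_address"] in ipaddress.ip_network(s["subnet"]) for s in subnets),
        "interface_id_bytes_equal": any(
            s.get("interface-id", "").encode() == wire_id for s in subnets),
        "inner_msg_type": (msg["options"].get(OPT_RELAY_MSG) or b"\x00")[0],
    }

# Constructed sample: link-address, xid and interface-id are the thread's values;
# the peer address and the option-less Solicit body are made up for the example.
SAMPLE = (bytes([RELAY_FORW, 0])
          + ipaddress.IPv6Address("fd20::254").packed + ipaddress.IPv6Address("fe80::1").packed
          + struct.pack("!HH", OPT_RELAY_MSG, 4) + bytes.fromhex("0187f8d9")
          + struct.pack("!HH", OPT_INTERFACE_ID, 4) + bytes.fromhex("00000044"))

def config(interfaces: list) -> dict:  # hypothetical helper: only the keys triage() reads
    subnet = {"subnet": "fd20::/64", "interface-id": "\u0000\u0000\u0000D"}
    return {"interfaces-config": {"interfaces": interfaces},
            "shared-networks": [{"subnet6": [subnet]}]}
AS_POSTED = triage(parse_relay_forward(SAMPLE), "fd10::1", config(["ens33"]))
WITH_UNICAST = triage(parse_relay_forward(SAMPLE), "fd10::1", config(["ens33/fd10::1"]))
```

Against the configuration as posted, the only check that comes back false is `unicast_dst_configured`; the link-address and the interface-id bytes both line up with the `subnet6` entry.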
