DHCP Relay over Routing-Based IPsec in SFOS 18.0.1 not working

DHCP Relay should not need a Firewall rule. 

I remember, that DHCP Relay is not supported for VTI, but i am not 100% sure. Read something about this. 

Do you have multiple DHCP Relays configured on this Appliance? If you delete all except one, is it working? 

Did you tick the option "relay on IPsec"? Please disable this option and try again. 

DHCP Relay should not need a Firewall rule. 

I remember, that DHCP Relay is not supported for VTI, but i am not 100% sure. Read something about this. 

Do you have multiple DHCP Relays configured on this Appliance? If you delete all except one, is it working? 

Did you tick the option "relay on IPsec"? Please disable this option and try again. 

I have only one DHCP relay and I have tried both with activated "relay over IPsec" and without.

If DHCP relay is not supported over routing-based IPsec that would be a major deficiency.

Depends on the setup. 

You could easily switch to RED Site to Site and use this setup for DHCP Relay until this is supported. 

Another question would be, which routing do you use, PBR or static? 

Static. Works much more reliably than SD-WAN.
Especially if there is only one line and one IPsec and only a handful of networks.
RED works with SSL VPN not IPsec.
The routing-based VPN is far too efficient in that any change in routings do not need a restart of the VPN, while both policy-based IPsec and RED need a restart after any change.

RED should interact like VTI from this perspective. As you do not have any routing information at all. You have a VTI (RED) and thats it. Routing will be take place in the routing stack, so no restart should be needed to propagate new networks etc. 

Policy based is correct, thats the old fashion way (Remote / Local network). 

It depends on the performance and the bandwidth of both appliances. Most likely you cannot hit the hardware limitation with a RED tunnel. 

To get back to this issue. XG has a Flood prevention for DHCP Relay to avoid problems with "too many relays". It will try to reach the DHCP Server several times, if no reply comes back, it stops and drop the DHCP requests for this DHCP server. 

So the question is, do you see any DHCP Relay requests on the VTI outbound? if you use the tcpdump on the xfrm interface? 

Do you see any traffic on the other End? 

Both with TCPDUMP and Packet Capture I can see only the incoming packets on port 68 UDP on the LAN port. No outgoing traffic. The packets are blocked by the firewall witn an "ACL exeption"

Does your setup work with a RED Interface or not? Same configuration only switching the XFRM with a RED Interface? 

Cannot so easily test as the device is now productive. Have for the moment used a local DHCP server.