It's a really weird problem I've got.
Sometimes, out of nothing, the WAN side of the SRX (ge-0/0/0) drops the IP that it gets from the modem and won't bind any IP address. I have to restart the modem a couple of times until the SRX gets an IP address, but sometimes it won't work for hours, even days!!
But whenever I connect my laptop directly to the modem, I get an IP address in a SECOND!!
Also I can't delete the command: when I type delete in edit mode, it won't find anything after I type set.
serdar@SRX210# delete set
^ syntax error
Not working either... why?
Here is some of the configuration for DHCP:
set interfaces ge-0/0/0 description UPC-INTERNET
set interfaces ge-0/0/0 unit 0 family inet dhcp lease-time infinite
set interfaces ge-0/0/0 unit 0 family inet dhcp retransmission-attempt 6
set interfaces ge-0/0/0 unit 0 family inet dhcp retransmission-interval 20
set interfaces ge-0/0/1 speed 1g
set interfaces ge-0/0/1 mtu 9014
set interfaces ge-0/0/1 unit 0 family inet address 192.168.1.1/24
set security zones security-zone UNTRUST interfaces ge-0/0/0.0 host-inbound-traffic system-services dhcp
set security zones security-zone UNTRUST interfaces ge-0/0/0.0 host-inbound-traffic system-services bootp
set security zones security-zone UNTRUST interfaces ge-0/0/0.0 host-inbound-traffic system-services dns
set security zones security-zone UNTRUST interfaces ge-0/0/0.0 host-inbound-traffic system-services ike
serdar@SRX210> show system services dhcp client
Logical Interface name    ge-0/0/0.0
Hardware address          78:19:f7:d9:74:40
Client status             init
Address obtained          0.0.0.0
Update server             disabled
serdar@SRX210> show system services dhcp global
Global settings:
    BOOTP lease length  infinite
DHCP lease times:
    Default lease time  1 day
    Minimum lease time  1 minute
    Maximum lease time  infinite
DHCP options:
    Name: name-server, Value: [ 18.104.22.168, 22.214.171.124 ]
serdar@SRX210> show system services dhcp statistics
Packets dropped:
    Total  664
Messages received:
    BOOTREQUEST   0
    DHCPDECLINE   0
    DHCPDISCOVER  0
    DHCPINFORM    0
    DHCPRELEASE   0
    DHCPREQUEST   0
Messages sent:
    BOOTREPLY  0
    DHCPOFFER  0
    DHCPACK    0
    DHCPNAK    0
serdar@SRX210> show system software
Information for junos:
Comment:
JUNOS Software Release [12.1R1.9]
A really weird thing has occurred now:
When setting the modem to bridge mode, the SRX won't get any DHCP lease...
When setting the modem to router mode, it gets a 192.168.1.100/24 address....
Really a pain in the @ss.
SRX not getting DHCP might be for many reasons.
1. I have seen DHCP servers sending the DHCP OFFER with the Unicast flag set, and this is against the RFC, so the SRX will not accept the offer. The DHCP offer has to be broadcast.
2. I would suggest you upgrade to the latest 11.4 Junos code or 12.1X44-D35 (JTAC recommended) and test the DHCP settings.
3. You cannot add a set command after delete. Delete is used to delete a specific configuration line;
set is used to configure a new configuration line.
[Please Mark My Solution Accepted if it Helped, Kudos are Appreciated Too] .....
1. I will look into the DHCP offer packets of the modem.
2. I will also try to update, but where can I find the update?
3. How am I supposed to delete the command? It's really weird. I'm in edit mode and can't delete any 'set' lines..
run show configuration | display set # this shows all the set commands, but I can't delete them somehow.
1. SRX upgrade procedures:
2. How to delete configuration:
show configuration | display set
will list all configuration with set at the start of each line.
Replace set with delete and it will delete that line:
show configuration | display set
set system host-name testing
set system time-zone GMT
set system authentication-order password
set system authentication-order tacplus
set system ports console log-out-on-disconnect
set system ports auxiliary disable
Replace set with delete:
delete system host-name testing
delete system time-zone GMT
delete system authentication-order password
delete system authentication-order tacplus
delete system ports console log-out-on-disconnect
delete system ports auxiliary disable
This should help you with deleting configuration.
Thanks & Regards,
1. I don't have the right access to download from the web... :(((
2. Haha, thanks... I got so messed up... I didn't think of it... lol....
I tried several firmware versions, and all have the same problem.... they can't get a WAN IP assigned from my modem. I also checked the packets, and it's not unicast but broadcast.
What's left? I even tried changing the modem, and I got the same problem again.
Thanks for the update.
If your PC is able to get an IP address, then sometimes the ISP saves the MAC address of the PC bound to the assigned IP address.
If that is the case, then the ISP has to flush the MAC address of your machine so that the SRX can get the IP address.
Or note down your PC's MAC address, configure that MAC address on the SRX ge-0/0/0 interface, try to renew DHCP and verify whether it works:
set interfaces ge-0/0/0 mac PCmac
and renew the DHCP process using the following command:
request system services dhcp renew
Then share the following output:
show system services dhcp client statistics
It has the MAC address of the firewall, because it was working and suddenly at 2-3 AM it stopped. The only bindings were with my PC and the firewall. It's normal that those CMTS DHCP servers learn a minimum of 2 MAC addresses, so I don't think that's the problem.
Thanks for the update. As you still have 1 more week for the ISP to get back to you, I would suggest the following, as mentioned earlier:
Note down your PC's MAC address, configure that MAC address on the SRX ge-0/0/0 interface, try to renew DHCP and verify whether it works.
Please Mark My Solution Accepted if it Helped, Kudos are Appreciated Too
I would suggest you run this command. If you set the lease to infinite, then the IP address is not flushed when the ISP changes it. You should allow the system to use the DHCP lease set by the ISP. Your situation is very strange. Would this happen to be a COX modem?
delete interfaces ge-0/0/0 unit 0 family inet dhcp lease-time
I added the lease-time after it had already stopped working....
I have also contacted my ISP about this problem; I hope they will contact me within 1 week, and after that I will update this topic again.
Thanks for your help, guys.
Do you have screens enabled, specifically IP_Spoofing? If yes, try disabling that specific one and test.
Try >clear system services dhcp binding ? and clear the address associated with the MAC,
then >request system services dhcp renew
Take a look at this article;
How to verify whether the DHCP packets are being detected as spoofed packets:
I also noticed this: can you ensure that the update server is enabled?
1. There is nothing enabled for ip_spoofing.
2. Even after I got a WAN IP on my laptop, I tried cloning the MAC on the interface and then requesting a WAN IP on the SRX from the DHCP server that I read in the Windows ipconfig output:
serdar@SRX210# run show system services dhcp client statistics
Packets dropped:
    Total  0
Messages received:
    DHCPOFFER  0
    DHCPACK    0
    DHCPNAK    0
Messages sent:
    DHCPDECLINE   0
    DHCPDISCOVER  66
    DHCPREQUEST   0
    DHCPINFORM    0
    DHCPRELEASE   0
    DHCPRENEW     0
    DHCPREBIND    0
serdar@SRX210# run show system services dhcp client
Logical Interface name    ge-0/0/0.0
Hardware address          xxxxxxx #### LaptopMAC
Client status             init
Server address            10.15.136.1
Address obtained          0.0.0.0
Update server             enabled
From the statistics, we can only see DHCP Discover packets sent from the SRX but no DHCP reply from the ISP router.
I think you need to talk to the ISP and verify whether they are receiving the DHCP Discover sent by the SRX and why they are not replying with a DHCP Offer.
It's really a frustrating problem, because it worked in the beginning, and all of a sudden it won't get any address.
How can I see what kind of DHCP Discover the interface is sending?
Is it possible to duplicate the packets to another interface, like a SPAN port on the SRX?
I tried it with this... but no success...
The situation is weird. It seems like the installation has become corrupted, especially the DHCP infrastructure. I have a few recommendations to try.
BTW any relevant info in the messages log file?
>show system storage (verify enough free disk space)
>request system storage cleanup dry-run (see files that can be deleted to free up more disk space)
>request system storage cleanup
>show system services dhcp binding
>show system services dhcp conflict
>clear system services dhcp conflict
>show system services dhcp client
>show system connections (see if listening|established for dhcp ports 67 & 68)
>show system process
If no resolution, enable debugging:
#set system services dhcp traceoptions file dhcp-fail
#set system services dhcp traceoptions file files 3 size 2m
#set system services dhcp traceoptions flag all
1- If you have the option, reset the modem. Follow the same procedure, like powering it off for 1 minute. You can also try this: plug the cable into the PC and get an IP address; then, instead of using DHCP, delete dhcp from the ge-0/0/0 interface, set family inet with the IP address that the PC got, plug the cable into the SRX, and test that.
2- Use a different port, if you have one free. Say, for example, you have a port fe-0/0/6: plug the cable into that port and, from the top of the hierarchy, use the following command:
user@srx# replace pattern ge-0/0/0 with fe-0/0/0
where ge-0/0/0 is the existing interface being used for DHCP and fe-0/0/0 is the new interface you will test with. Commit confirmed will apply the new configuration temporarily for 10 minutes. If it works and you wish to keep it, enter commit before the 10 minutes expire.
3- Reinstall the Junos OS but add these 3 options: "force reboot no-copy". Do not use the switch "unlink"!
BTW, do you have a firewall filter applied recently that could be blocking DHCP traffic? Can you post a sanitized output of your SRX configuration?
I think I found the problem..... it's inside the Discover packet of the firewall; please compare it with my laptop's Discover packet.
I got a response to this packet:
On the SRX: >show chassis mac-address and compare it to see if the SRX is sending the same address.
run show interfaces ge-0/0/0 extensive | match address
Current address: 78:19:f7:d9:74:40, Hardware address: 78:19:f7:d9:74:40
Address spoofing: 0
This will show any MAC address conflicts. Seems okay, just that the Juniper is not getting an IP address.
>show arp (verify that the remote ISP is communicating properly with the SRX)
>clear arp
BTW, what results did you get from my previous suggestions?
1. System storage cleanup etc.: tried so many times...
2. Every service works great etc., as far as I can see....
---> warning: dhcp-service subsystem not running - not needed by configuration.
Also, replacing ge-0/0/0 with fe-0/0/5 didn't work:
serdar@SRX210# replace pattern ge-0/0/0 with fe-0/0/5
error: target statement 'fe-0/0/5' already exists
[edit interfaces]
'ge-0/0/0'
could not rename to 'fe-0/0/5'
So I want to delete it before replacing, but it won't...
serdar@SRX210# delete interfaces fe-0/0/5
serdar@SRX210# commit
[edit security zones security-zone UNTRUST]
'interfaces fe-0/0/5.0'
Interface fe-0/0/5.0 must be configured under interfaces
error: configuration check-out failed
But I did configure fe-0/0/5 the same as ge-0/0/0,
but no result.
4. I already installed 11.4 and 12.1 a couple of times, and also downgraded to 10.x.
5. ARP doesn't show the modem or any address of the ISP; it shows only LAN network connections.
But I see the interface LED blinking, and I'm sure I get a lot of ARP requests on my firewall through the modem.
6. The chassis MAC address is correct...
I also checked the RFC; it defines that you only need to send option 53, DHCP Discover. Everything else MAY be sent and is not a MUST, so I know definitely that the ISP has to change something.
TTL is 1 in the DHCP Discover !!!!!!
Need to change it... have changed it to 64....
root@SRX% vi /etc/rc.custom   # cat doesn't work
#!/sbin/sh
sysctl -w net.inet.ip.mcast_ttl=64
root@SRX% chmod 777 /cf/etc/rc.custom
Excellent work. I never even thought about that at all!! I followed up on your work and found out this is a problem not new to you, one that manifests itself in specific situations, and it seems with specific vendors and ISPs.
As you correctly observed, the SRX as a DHCP client sends the DHCP Discover packet with a TTL of 1, whereas a PC (and maybe other vendors) sends the DHCP Discover packet with TTL=128. The modem from the ISP decrements the TTL to 0, hence the packet is dropped and never gets sent to the ISP. (I bet you could see it if you looked in the logs on the modem. It seems also to be a problem with COMCAST modems.) Why it stopped working is anyone's guess, but my thought is that an update pushed to the modem caused the problem, since it was working before and it seems the SRX has always sent the DHCP Discover with TTL=1. The real fix is that the ISP should ensure that their modems do not drop DHCP Discover packets with TTL=1. That brings up how some modems work by cloning the client MAC address.
The other solution is that Juniper could update the code so the SRX sends the DHCP Discover with TTL=3 (that should be a sufficient number of hops for a firewall, or any value greater than 1).
The next solution is what you have done, which is to manually change the TTL.
SOLUTION:
Manually change the TTL value that the SRX uses on its DHCP requests from the shell.
>start shell
% su root
root@% sysctl -w net.inet.ip.mcast_ttl=64
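Checking raw DHCP packets for the two conditions raised in this thread (a Discover leaving the client with IP TTL 1, as found above, and an Offer returned by unicast instead of broadcast, as mentioned earlier) can be done from a capture rather than by eye. The following is an added Python example, not code from the original thread or from Juniper. The packets it inspects are constructed in-line: the client MAC and server address are the ones quoted in the thread, the offered client address 10.15.136.50 is made up, and the `build_packet`, `parse_dhcp` and `diagnose` names are this example's own. In practice you would feed `diagnose()` the raw IPv4 bytes of a frame captured on the modem side.

```python
"""Inspect raw IPv4/UDP/DHCP packets for the two failure modes discussed above:
a client DISCOVER/REQUEST leaving with IP TTL 1 (dropped by any hop that
decrements TTL before forwarding) and a server OFFER sent by unicast rather
than to the broadcast address. All sample packets are constructed here."""
import struct

DHCP_MAGIC = b"\x63\x82\x53\x63"            # RFC 2131 magic cookie before the options
MSG_TYPES = {1: "DISCOVER", 2: "OFFER", 3: "REQUEST", 5: "ACK", 6: "NAK"}
BROADCAST = "255.255.255.255"


def _ip(addr):
    return bytes(int(o) for o in addr.split("."))


def build_packet(msg_type, ttl, client_mac, src="0.0.0.0", dst=BROADCAST,
                 sport=68, dport=67, yiaddr="0.0.0.0", bcast_flag=True):
    """Constructed sample packet (IPv4 + UDP + BOOTP/DHCP); checksums are left at 0."""
    op = 1 if msg_type in (1, 3) else 2          # BOOTREQUEST from client, BOOTREPLY from server
    flags = 0x8000 if bcast_flag else 0          # BOOTP "broadcast" bit
    bootp = struct.pack("!BBBBIHH4s4s4s4s16s64s128s",
                        op, 1, 6, 0, 0x3903F326, 0, flags,   # xid is a constructed value
                        _ip("0.0.0.0"), _ip(yiaddr), _ip("0.0.0.0"), _ip("0.0.0.0"),
                        client_mac.ljust(16, b"\0"), b"\0" * 64, b"\0" * 128)
    options = DHCP_MAGIC + bytes([53, 1, msg_type, 255])   # option 53 = message type, 255 = end
    payload = bootp + options
    udp = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, ttl, 17, 0,
                     _ip(src), _ip(dst))
    return ip + udp


def parse_dhcp(packet):
    """Pull out the IP/UDP/BOOTP fields that matter for the diagnosis."""
    ihl = (packet[0] & 0x0F) * 4
    if packet[9] != 17:
        raise ValueError("not a UDP packet")
    src = ".".join(str(b) for b in packet[12:16])
    dst = ".".join(str(b) for b in packet[16:20])
    udp = packet[ihl:]
    sport, dport = struct.unpack("!HH", udp[:4])
    bootp = udp[8:]
    op, hlen = bootp[0], bootp[2]
    flags = struct.unpack("!H", bootp[10:12])[0]
    yiaddr = ".".join(str(b) for b in bootp[16:20])
    chaddr = ":".join(f"{b:02x}" for b in bootp[28:28 + hlen])
    opts = bootp[236:]                          # options follow the 236-byte fixed header
    if opts[:4] != DHCP_MAGIC:
        raise ValueError("missing DHCP magic cookie")
    i, options = 4, {}
    while i < len(opts) and opts[i] != 255:     # walk TLV options until the end marker
        if opts[i] == 0:                        # pad byte
            i += 1
            continue
        code, length = opts[i], opts[i + 1]
        options[code] = opts[i + 2:i + 2 + length]
        i += 2 + length
    msg_type = options[53][0] if 53 in options else None
    return {"ttl": packet[8], "src": src, "dst": dst, "sport": sport, "dport": dport,
            "op": op, "broadcast_flag": bool(flags & 0x8000), "yiaddr": yiaddr,
            "chaddr": chaddr, "msg_type": MSG_TYPES.get(msg_type, msg_type)}


def diagnose(packet):
    """Return (parsed fields, list of findings) for one raw DHCP packet."""
    info = parse_dhcp(packet)
    findings = []
    if info["msg_type"] in ("DISCOVER", "REQUEST") and info["ttl"] <= 1:
        findings.append("client-ttl-1: dropped by any hop that decrements TTL before forwarding")
    if info["msg_type"] == "OFFER" and info["dst"] != BROADCAST:
        findings.append("offer-unicast: OFFER sent to %s instead of broadcast" % info["dst"])
    return info, findings


if __name__ == "__main__":
    srx_mac = bytes.fromhex("7819f7d97440")    # the SRX hardware address quoted in the thread
    samples = {
        "SRX discover (TTL 1)": build_packet(1, 1, srx_mac),
        "laptop discover (TTL 128)": build_packet(1, 128, bytes.fromhex("001122334455")),
        "unicast offer": build_packet(2, 64, srx_mac, src="10.15.136.1", dst="10.15.136.50",
                                      sport=67, dport=68, yiaddr="10.15.136.50", bcast_flag=False),
    }
    for name, pkt in samples.items():
        info, findings = diagnose(pkt)
        print(f"{name}: type={info['msg_type']} ttl={info['ttl']} dst={info['dst']} "
              f"chaddr={info['chaddr']} findings={findings or 'none'}")
```

The TTL check is on the IP header, not the BOOTP `hops` field, which is what the thread's observation is about; the same parser also exposes the BOOTP broadcast flag and the offered `yiaddr`, so it can be pointed at the Offer side of the exchange when the modem does answer.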
Well, I did it through a shell...
When you only edit the sysctl, it will forget it at the next reboot...
If you need to do it permanently, also after a firmware update I think, you have to do it as it says in your link...
Now I have to work out another problem: port forwarding doesn't work 🙂
I will leave it until tomorrow; now I'm really tired enough....
Have to watch the WC NED-ARG.
A year later, but exactly the same issue: SRX not getting an address from a FritzBox (backup ADSL connection).
Model: srx220h2
JUNOS Software Release [12.1X44-D35.5]
Changing the TTL fixed it...
Thank you !!!
I'm very happy that it also helped you 🙂
Also please note:
There are UPC/Ziggo modems like Thomson/Ubee etc. where this will NOT work.
In my case it worked only with a Cisco 3825 (something like that).
I appreciate that this is a very old post; however, I have just joined the world of Juniper and have bought an SRX210 to use as my home internet router so I can remote-access it for studying/practice, but I can't for the life of me get the WAN interface to obtain a DHCP address from my Virgin Media modem.
I have managed to change the TTL to 64, but when I try to apply the permanent fix I get a blank screen with just loads of ~ on it; this is after submitting the command:
I would be very grateful if you could help me work out what I am doing wrong.
As with Peter, my /etc/rc.custom file gets wiped out during a device reboot. I am not trying to solve the DHCP IP address issue; instead I am turning off SSLv3 and TLS 1.0. This is needed to pass a PCI scan. I can run my script manually, but I need to run it after a system boot to update a configuration file.
I have tried crontab as well as putting it in /etc/rc.custom. Neither works. I just need the script to run when the system starts up.
We are running 12.3X48-D36 on an SRX 210HE2.
Thanks in advance.