SRX


Ask questions and share experiences about the SRX Series, vSRX, and cSRX.
  • 1.  SRX300 DHCP Client issue

    Posted 06-26-2018 06:43

    Dear Experts,

     

    I'm struggling with DHCP client setup on an SRX300 (JunOS 15.1X49-D130.6). Any help will be appreciated.

    I have 2 ISPs, connected to ge-0/0/0 and ge-0/0/1, and I'm not able to obtain an IP address from their networks with my brand new SRX. Everything works as expected with other devices if I place them as DHCP clients instead of the SRX (Mikrotik and Huawei AR3), and if I plug ge-0/0/1 into my internal network switch, it will obtain an IP address.

    I've tried various configurations, including https://www.juniper.net/documentation/en_US/junos/topics/example/security-device-dhcp-client-configuring.html . There are no suspicious messages in the log and I'm really puzzled about what is wrong.

    What is the minimal working DHCP client configuration for this version?

     

    My configuration is:

    root@srx300> show configuration interfaces ge-0/0/1
    description External2;
    speed 100m;
    link-mode full-duplex;
    mac c4:6e:1f:xx:xx:xx;
    gigether-options {
        no-auto-negotiation;
    }
    unit 0 {
        family inet {
            dhcp-client {
                lease-time 86400;
                retransmission-attempt 6;
                retransmission-interval 5;
                update-server;
                vendor-id ether;
                force-discover;
                options {
                    no-hostname;
                }
            }
        }
    }

     

    This is show interface:

    root@srx300> show interfaces ge-0/0/1
    Physical interface: ge-0/0/1, Enabled, Physical link is Up
    Interface index: 138, SNMP ifIndex: 512
    Description: External2
    Link-level type: Ethernet, MTU: 1514, LAN-PHY mode, Link-mode: Full-duplex, Speed: 100mbps, BPDU Error: None, MAC-REWRITE Error: None,
    Loopback: Disabled, Source filtering: Disabled, Flow control: Disabled, Auto-negotiation: Disabled, Remote fault: Online
    Device flags : Present Running
    Interface flags: SNMP-Traps Internal: 0x0
    Link flags : None
    CoS queues : 8 supported, 8 maximum usable queues
    Current address: c4:6e:1f:xx:xx:xx, Hardware address: d8:b1:22:xx:xx:xx
    Last flapped : 2018-06-26 15:06:31 EEST (01:30:03 ago)
    Input rate : 6536 bps (12 pps)
    Output rate : 0 bps (0 pps)
    Active alarms : None
    Active defects : None
    Interface transmit statistics: Disabled

    Logical interface ge-0/0/1.0 (Index 75) (SNMP ifIndex 520)
    Flags: Up SNMP-Traps 0x0 Encapsulation: ENET2
    Input packets : 245351
    Output packets: 39
    Security: Zone: untrust
    Allowed host-inbound traffic : dhcp
    Protocol inet, MTU: 1500
    Flags: Sendbcast-pkt-to-re

     

    security-zone untrust {
        ge-0/0/1.0 {
            host-inbound-traffic {
                system-services {
                    dhcp;
                }
            }
        }
    }

     

    Kind regards,

    D



  • 2.  RE: SRX300 DHCP Client issue

    Posted 06-26-2018 10:47

    Just found https://forums.juniper.net/t5/SRX-Services-Gateway/SRX300-legacy-DHCP-vs-JDHCP-client-identifier/td-p/312455 .

    Probably this is the problem, the format of the client-identifier (from the PCAP it seems that my SRX never got a DHCPOFFER):

    dhcp-client client-identifier

    Are there any updates on this topic? Is it a known issue, or am I lucky to be from the very limited set of affected customers?

     



  • 3.  RE: SRX300 DHCP Client issue

     
    Posted 06-26-2018 10:59
    To make sure the issue is same, can you share the below output?

    root@srx> monitor traffic interface ge-0/0/1 no-resolve matching udp


  • 4.  RE: SRX300 DHCP Client issue

    Posted 06-27-2018 03:18

    Here is the output of monitoring:

     

    root@srx300> monitor traffic interface ge-0/0/1 no-resolve matching udp
    verbose output suppressed, use <detail> or <extensive> for full protocol decode
    Address resolution is OFF.
    Listening on ge-0/0/1, capture size 96 bytes

    13:17:49.972502 Out IP truncated-ip - 227 bytes missing! 0.0.0.0.68 > 255.255.255.255.67: BOOTP/DHCP, Request [|bootp]
    13:17:50.566062 In IP 85.11.142.1.67 > 255.255.255.255.68: BOOTP/DHCP, Reply, length 300
    13:17:50.906842 In IP 85.11.142.1.67 > 255.255.255.255.68: BOOTP/DHCP, Reply, length 300
    13:17:51.618186 In IP 85.11.142.1.67 > 255.255.255.255.68: BOOTP/DHCP, Reply, length 300
    13:17:53.967700 In IP 85.11.142.1.67 > 255.255.255.255.68: BOOTP/DHCP, Reply, length 300
    13:17:54.150080 In IP 85.11.142.1.67 > 255.255.255.255.68: BOOTP/DHCP, Reply, length 300
    13:17:54.775443 In IP 85.11.142.1.67 > 255.255.255.255.68: BOOTP/DHCP, Reply, length 300
    13:17:54.788166 In IP 85.11.142.1.67 > 255.255.255.255.68: BOOTP/DHCP, Reply, length 300
    13:17:56.731943 In IP 85.11.142.1.67 > 255.255.255.255.68: BOOTP/DHCP, Reply, length 300
    13:17:57.973722 Out IP truncated-ip - 227 bytes missing! 0.0.0.0.68 > 255.255.255.255.67: BOOTP/DHCP, Request [|bootp]
    13:17:58.078341 In IP 85.11.142.1.67 > 255.255.255.255.68: BOOTP/DHCP, Reply, length 300
    13:18:06.148443 In IP 85.11.142.1.67 > 255.255.255.255.68: BOOTP/DHCP, Reply, length 300
    13:18:06.237035 In IP 85.11.142.1.67 > 255.255.255.255.68: BOOTP/DHCP, Reply, length 300
    13:18:08.003315 In IP 85.11.142.1.67 > 255.255.255.255.68: BOOTP/DHCP, Reply, length 300
    13:18:09.147342 In IP 85.11.142.1.67 > 255.255.255.255.68: BOOTP/DHCP, Reply, length 300
    13:18:10.690920 In IP 85.11.142.1.67 > 255.255.255.255.68: BOOTP/DHCP, Reply, length 300
    13:18:10.824397 In IP 85.11.142.1.67 > 255.255.255.255.68: BOOTP/DHCP, Reply, length 300
    13:18:11.424669 In IP 85.11.142.1.67 > 255.255.255.255.68: BOOTP/DHCP, Reply, length 300
    13:18:12.718007 In IP 85.11.142.1.67 > 255.255.255.255.68: BOOTP/DHCP, Reply, length 300
    13:18:13.975075 Out IP truncated-ip - 227 bytes missing! 0.0.0.0.68 > 255.255.255.255.67: BOOTP/DHCP, Request [|bootp]
    13:18:14.762646 In IP 85.11.142.1.67 > 255.255.255.255.68: BOOTP/DHCP, Reply, length 300
    13:18:21.204740 In IP 85.11.142.1.67 > 255.255.255.255.68: BOOTP/DHCP, Reply, length 300
    13:18:22.775247 In IP 85.11.142.1.67 > 255.255.255.255.68: BOOTP/DHCP, Reply, length 300
    13:18:28.035983 In IP 85.11.142.1.67 > 255.255.255.255.68: BOOTP/DHCP, Reply, length 300
    13:18:29.252263 In IP 85.11.142.1.67 > 255.255.255.255.68: BOOTP/DHCP, Reply, length 300
    ^C
    470 packets received by filter
    0 packets dropped by kernel



  • 5.  RE: SRX300 DHCP Client issue

     
    Posted 06-27-2018 04:21
    From this output we can see you are getting some DHCP reply. On the other link you posted the server was completely ignoring the DHCP request sent from SRX. This could be a different issue.

    Can you remove the options below from your config and test?

    lease-time 86400;
    retransmission-attempt 6;
    retransmission-interval 5;
    update-server;
    vendor-id ether;
    force-discover;
    options {
        no-hostname;
    }

    If you still see the same behavior, please share the output below to understand what DHCP reply we receive from the server.

    root@srx300> monitor traffic interface ge-0/0/1 no-resolve matching udp extensive


  • 6.  RE: SRX300 DHCP Client issue

    Posted 06-27-2018 05:35

    Interface configuration:

     

    root@srx300> show configuration interfaces ge-0/0/1
    description External2;
    speed 100m;
    link-mode full-duplex;
    mac c4:6e:1f:57:ba:4a;
    gigether-options {
        no-auto-negotiation;
    }
    unit 0 {
        family inet {
            dhcp-client;
        }
    }

     

    This is the result:

    (request with Hostname Option 12, length 6: "srx300").

     

    As you wrote, the DHCP server is not replying to the requests; at the same time it is sending valid ACKs to the other clients (90:f6:52:c0:63:5d) ...

     

    15:21:41.472260 Out
    Juniper PCAP Flags [Ext], PCAP Extension(s) total length 16
    Device Media Type Extension TLV #3, length 1, value: Ethernet (1)
    Logical Interface Encapsulation Extension TLV #6, length 1, value: Ethernet (14)
    Device Interface Index Extension TLV #1, length 2, value: 35328
    Logical Interface Index Extension TLV #4, length 4, value: 75
    -----original packet-----
    c4:6e:1f:57:ba:4a > ff:ff:ff:ff:ff:ff, ethertype IPv4 (0x0800), length 301: (tos 0x0, ttl 64, id 30479, offset 0, flags [none], proto: UDP (17), length: 287) 0.0.0.0.68 > 255.255.255.255.67: [udp sum ok] BOOTP/DHCP, Request from c4:6e:1f:57:ba:4a, length 259, xid 0x67cb140, Flags [Broadcast] (0x8000)
    Client-Ethernet-Address c4:6e:1f:57:ba:4a
    Vendor-rfc1048 Extensions
    Magic Cookie 0x63825363
    DHCP-Message Option 53, length 1: Discover
    Lease-Time Option 51, length 4: 86400
    Hostname Option 12, length 6: "srx300"
    15:21:42.636540 In
    Juniper PCAP Flags [Ext, no-L2, In], PCAP Extension(s) total length 16
    Device Media Type Extension TLV #3, length 1, value: Ethernet (1)
    Logical Interface Encapsulation Extension TLV #6, length 1, value: Ethernet (14)
    Device Interface Index Extension TLV #1, length 2, value: 35328
    Logical Interface Index Extension TLV #4, length 4, value: 75
    -----original packet-----
    PFE proto 2 (ipv4): (tos 0x0, ttl 16, id 0, offset 0, flags [none], proto: UDP (17), length: 328) 85.11.142.1.67 > 255.255.255.255.68: [udp sum ok] BOOTP/DHCP, Reply, length 300, xid 0x599b5271, Flags [Broadcast] (0x8000)
    Client-IP 85.11.142.99
    Your-IP 85.11.142.99
    Server-IP 85.11.142.1
    Client-Ethernet-Address 90:f6:52:c0:63:5d
    Vendor-rfc1048 Extensions
    Magic Cookie 0x63825363
    DHCP-Message Option 53, length 1: ACK
    Server-ID Option 54, length 4: 85.11.142.1
    Lease-Time Option 51, length 4: 600
    Subnet-Mask Option 1, length 4: 255.255.255.0
    Default-Gateway Option 3, length 4: 85.11.142.1
    Domain-Name-Server Option 6, length 4: 8.8.8.8
    15:21:46.548897 In
    Juniper PCAP Flags [Ext, no-L2, In], PCAP Extension(s) total length 16
    Device Media Type Extension TLV #3, length 1, value: Ethernet (1)
    Logical Interface Encapsulation Extension TLV #6, length 1, value: Ethernet (14)
    Device Interface Index Extension TLV #1, length 2, value: 35328
    Logical Interface Index Extension TLV #4, length 4, value: 75
    -----original packet-----
    PFE proto 2 (ipv4): (tos 0x0, ttl 16, id 0, offset 0, flags [none], proto: UDP (17), length: 328) 85.11.142.1.67 > 255.255.255.255.68: [udp sum ok] BOOTP/DHCP, Reply, length 300, xid 0x12cb543, Flags [Broadcast] (0x8000)
    Client-IP 85.11.142.138
    Your-IP 85.11.142.138
    Server-IP 85.11.142.1
    Client-Ethernet-Address b0:48:7a:b5:15:59
    Vendor-rfc1048 Extensions
    Magic Cookie 0x63825363
    DHCP-Message Option 53, length 1: ACK
    Server-ID Option 54, length 4: 85.11.142.1
    Lease-Time Option 51, length 4: 600
    Subnet-Mask Option 1, length 4: 255.255.255.0
    Default-Gateway Option 3, length 4: 85.11.142.1
    Domain-Name-Server Option 6, length 4: 8.8.8.8
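
Added example, not part of the original posts: a small Python parser for the extensive capture text in post 6 that checks whether any inbound reply carries the SRX's own MAC (chaddr) together with a transaction ID (xid) the SRX actually sent. The capture is abridged from that post, and the function names are illustrative.

```python
import re

# Abridged from the capture in post 6 (Juniper PCAP extension lines and most options omitted).
CAPTURE = """\
15:21:41.472260 Out
0.0.0.0.68 > 255.255.255.255.67: BOOTP/DHCP, Request from c4:6e:1f:57:ba:4a, length 259, xid 0x67cb140
Client-Ethernet-Address c4:6e:1f:57:ba:4a
DHCP-Message Option 53, length 1: Discover
15:21:42.636540 In
85.11.142.1.67 > 255.255.255.255.68: BOOTP/DHCP, Reply, length 300, xid 0x599b5271
Your-IP 85.11.142.99
Client-Ethernet-Address 90:f6:52:c0:63:5d
DHCP-Message Option 53, length 1: ACK
15:21:46.548897 In
85.11.142.1.67 > 255.255.255.255.68: BOOTP/DHCP, Reply, length 300, xid 0x12cb543
Your-IP 85.11.142.138
Client-Ethernet-Address b0:48:7a:b5:15:59
DHCP-Message Option 53, length 1: ACK
"""

HEADER = re.compile(r"^(\d\d:\d\d:\d\d\.\d+) (In|Out)$")
FIELDS = {
    "xid": re.compile(r"\bxid (0x[0-9a-f]+)"),
    "chaddr": re.compile(r"Client-Ethernet-Address ([0-9a-f:]{17})"),
    "msg": re.compile(r"DHCP-Message Option 53, length 1: (\w+)"),
    "yiaddr": re.compile(r"Your-IP (\S+)"),
}

def parse(text):
    """Split tcpdump-style extensive output into one dict per packet."""
    packets = []
    for line in map(str.strip, text.splitlines()):
        m = HEADER.match(line)
        if m:  # a timestamp/direction line starts a new packet
            packets.append({"time": m.group(1), "dir": m.group(2)})
        elif packets:
            for key, rx in FIELDS.items():
                m = rx.search(line)
                if m:
                    packets[-1].setdefault(key, m.group(1))
    return packets

def split_replies(packets, client_mac):
    """Return (replies answering our transactions, replies meant for other clients)."""
    sent = {p["xid"] for p in packets if p["dir"] == "Out" and p.get("chaddr") == client_mac and "xid" in p}
    inbound = [p for p in packets if p["dir"] == "In"]
    mine = [p for p in inbound if p.get("chaddr") == client_mac and p.get("xid") in sent]
    return mine, [p for p in inbound if p not in mine]
```

Run against the post's capture with the SRX MAC `c4:6e:1f:57:ba:4a`, the first list is empty and both ACKs land in the second: every reply seen on ge-0/0/1 belongs to another client's transaction.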



  • 7.  RE: SRX300 DHCP Client issue

    Posted 07-09-2018 13:51

    Update:

    Issue was fixed:

    - ISP1 had to restart local equipment

    - ISP2 (most probably) changed something, everything was back to normal 30 min after my service call.

    Probably I have to have a 3rd ISP to avoid such situations :)