SRX


Ask questions and share experiences about the SRX Series, vSRX, and cSRX.
  • 1.  SRX chassis cluster - DHCP server does not work

    Posted 01-15-2020 06:38

    Hello,

     

    I configured DHCP server on a chassis cluster (SRX340) but it doesn't work. Here's my configuration:

     

     

    root@SRX1# show system services dhcp-local-server 
    group office {
        interface reth0.10;
    }
    address-assignment {
        pool office {
            family inet {
                network 192.168.4.0/24;
                range range1 {
                    low 192.168.4.20;
                    high 192.168.4.253;
                }
                dhcp-attributes {
                    name-server {
                        192.168.4.1;
                    }
                    router {
                        192.168.4.1;
                    }
                    propagate-settings reth0.10;
                }
            }
        }
    }

    root@SRX1# show security zones security-zone trust
    interfaces {
        reth0.10 {
            host-inbound-traffic {
                system-services {
                    ping;
                    ssh;
                    traceroute;
                    dhcp;
                }
            }
        }
        st0.1;
        st0.2;
    }

    root@SRX1# show interfaces reth0
    vlan-tagging;
    redundant-ether-options {
        redundancy-group 1;
        minimum-links 1;
        lacp {
            passive;
            periodic fast;
        }
    }
    unit 10 {
        vlan-id 10;
        family inet {
            address X.X.X.X/24;
            address 192.168.4.1/24;
        }
    }
    unit 666 {
        vlan-id 666;
        family inet {
            address 10.10.10.1/24;
        }
    }

     

    I configured traceoptions to see the traffic:

     

    root@SRX1# show security flow traceoptions 
    file dhcp1.log;
    flag all;
    packet-filter pf1 {
        destination-port 68;
    }
    packet-filter pf2 {
        destination-port 67;
    }
    
    Jan 15 15:24:05 15:24:05.089933:CID-2:RT:<0.0.0.0/68->255.255.255.255/67;17,0x0> matched filter pf2:
    Jan 15 15:24:05 15:24:05.089933:CID-2:RT:packet [328] ipid = 15780, @0x5ee7d324
    Jan 15 15:24:05 15:24:05.089933:CID-2:RT:---- flow_process_pkt: (thd 2): flow_ctxt type 15, common flag 0x0, mbuf 0x5ee7d100, rtbl_idx = 0
    Jan 15 15:24:05 15:24:05.089933:CID-2:RT: flow process pak fast ifl 71 in_ifp reth0.10
    Jan 15 15:24:05 15:24:05.089933:CID-2:RT:pkt info: 0.0.0.0(68) -> 255.255.255.255(67), 17, flags (0x1000)
    Jan 15 15:24:05 15:24:05.089933:CID-2:RT:Received pkt on non-active link of reth/vsd (reth0.10/1)
    Jan 15 15:24:05 15:24:05.089933:CID-2:RT:flow_proc_rc: -1.
    Jan 15 15:24:05 15:24:05.089933:CID-2:RT: ----- flow_process_pkt rc 0x7 (fp rc -1)

    Jan 15 15:24:05 15:24:05.089059:CID-1:RT:<0.0.0.0/68->255.255.255.255/67;17,0x0> matched filter pf2:
    Jan 15 15:24:05 15:24:05.089059:CID-1:RT:packet [328] ipid = 15780, @0x5ebeda24
    Jan 15 15:24:05 15:24:05.089059:CID-1:RT:---- flow_process_pkt: (thd 2): flow_ctxt type 15, common flag 0x0, mbuf 0x5ebed800, rtbl_idx = 0
    Jan 15 15:24:05 15:24:05.089059:CID-1:RT: flow process pak fast ifl 71 in_ifp reth0.10
    Jan 15 15:24:05 15:24:05.089059:CID-1:RT: find flow: table 0x53f2ac0, hash 42465(0xffff), sa 0.0.0.0, da 255.255.255.255, sp 68, dp 67, proto 17, tok 7, conn-tag 0x00000000
    Jan 15 15:24:05 15:24:05.089059:CID-1:RT:check self-traffic on reth0.10, in_tunnel 0x0
    Jan 15 15:24:05 15:24:05.089059:CID-1:RT:retcode: 0xc02
    Jan 15 15:24:05 15:24:05.089059:CID-1:RT:pak_for_self : proto 17, dst port 67, action 0x2
    Jan 15 15:24:05 15:24:05.089059:CID-1:RT:insert usp tag for apps
    Jan 15 15:24:05 15:24:05.089059:CID-1:RT:  flow bypass session.
    Jan 15 15:24:05 15:24:05.089059:CID-1:RT: ----- flow_process_pkt rc 0x0 (fp rc 0)
    Jan 15 15:25:30 15:25:30.635069:CID-1:RT:<0.0.0.0/68->255.255.255.255/67;17,0x0> matched filter pf2:
    Jan 15 15:25:30 15:25:30.635069:CID-1:RT:packet [328] ipid = 15783, @0x5ebf0d24
    Jan 15 15:25:30 15:25:30.635069:CID-1:RT:---- flow_process_pkt: (thd 2): flow_ctxt type 15, common flag 0x0, mbuf 0x5ebf0b00, rtbl_idx = 0
    Jan 15 15:25:30 15:25:30.635069:CID-1:RT: flow process pak fast ifl 71 in_ifp reth0.10
    Jan 15 15:25:30 15:25:30.635069:CID-1:RT: find flow: table 0x53f2ac0, hash 42465(0xffff), sa 0.0.0.0, da 255.255.255.255, sp 68, dp 67, proto 17, tok 7, conn-tag 0x00000000
    Jan 15 15:25:30 15:25:30.635069:CID-1:RT:check self-traffic on reth0.10, in_tunnel 0x0
    Jan 15 15:25:30 15:25:30.635069:CID-1:RT:retcode: 0xc02
    Jan 15 15:25:30 15:25:30.635069:CID-1:RT:pak_for_self : proto 17, dst port 67, action 0x2
    Jan 15 15:25:30 15:25:30.635069:CID-1:RT:insert usp tag for apps
    Jan 15 15:25:30 15:25:30.635069:CID-1:RT:  flow bypass session.
    Jan 15 15:25:30 15:25:30.635069:CID-1:RT: ----- flow_process_pkt rc 0x0 (fp rc 0)

    Jan 15 15:25:31 15:25:31.930980:CID-1:RT:<0.0.0.0/68->255.255.255.255/67;17,0x0> matched filter pf2:
    Jan 15 15:25:31 15:25:31.930980:CID-1:RT:packet [328] ipid = 15784, @0x5ec003a4
    Jan 15 15:25:31 15:25:31.930980:CID-1:RT:---- flow_process_pkt: (thd 3): flow_ctxt type 15, common flag 0x0, mbuf 0x5ec00180, rtbl_idx = 0
    Jan 15 15:25:31 15:25:31.930980:CID-1:RT: flow process pak fast ifl 71 in_ifp reth0.10
    Jan 15 15:25:31 15:25:31.930980:CID-1:RT: find flow: table 0x53f2ac0, hash 42465(0xffff), sa 0.0.0.0, da 255.255.255.255, sp 68, dp 67, proto 17, tok 7, conn-tag 0x00000000

     

    Clearly, there is some DHCP traffic coming to the SRX, but it doesn't return to the end client. I checked tcpdump on the client's side and there are only DHCP requests, but no answer.



  • 2.  RE: SRX chassis cluster - DHCP server does not work

    Posted 01-16-2020 01:00

    Anyone, please? 



  • 3.  RE: SRX chassis cluster - DHCP server does not work

    Posted 01-16-2020 03:52

    I see some dropped DHCP packets:

     

    root@SRX1# run show dhcp server statistics    
    Packets dropped:
        Total                      193
        No available addresses     193
    
    Offer Delay:
        DELAYED                    0
        INPROGRESS                 0
        TOTAL                      0
    
    Messages received:
        BOOTREQUEST                193
        DHCPDECLINE                0
        DHCPDISCOVER               193
        DHCPINFORM                 0
        DHCPRELEASE                0
        DHCPREQUEST                0
        DHCPLEASEQUERY             0
        DHCPBULKLEASEQUERY         0
    
    Messages sent:
        BOOTREPLY                  0
        DHCPOFFER                  0
        DHCPACK                    0
        DHCPNAK                    0        
        DHCPFORCERENEW             0        
        DHCPLEASEUNASSIGNED        0        
        DHCPLEASEUNKNOWN           0        
        DHCPLEASEACTIVE            0        
        DHCPLEASEQUERYDONE         0


     

     

     

    Jan 16 13:31:25.695834 jdhcpd_propagate_setting_to_pool_if_needed: Can't get interface by interface name reth0.10

     



  • 4.  RE: SRX chassis cluster - DHCP server does not work

    Posted 01-16-2020 05:01

    Hello,

    Please remove this line from your config:

     

                   propagate-settings reth0.10;

     

    This is for scenarios when you have a DHCP client on the untrust interface and you want your trust zone clients to have the same DNS/WINS etc. settings.

    HTH

    Thx

    Alex



  • 5.  RE: SRX chassis cluster - DHCP server does not work
    Best Answer

    Posted 01-16-2020 06:28

    Your DHCP pool will only be matched for your primary IP address on the interface. In this case I suspect your X.X.X.X/24 is the primary address... and you don't have a DHCP pool for this prefix.

     

    Try configuring 192.168.4.1/24 as the primary address on reth0.10:

    set interfaces reth0.10 family inet address 192.168.4.1/24 primary

    Let us know if this solves your issue.
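The symptom in post 3 and the pool-matching rule from the answer above can be checked together. This Python sketch is an added example, not part of any post and not Juniper code: it reads the counters quoted in post 3, then models pool selection as the answer describes it. The address 172.16.4.1/24 is a constructed stand-in for the redacted X.X.X.X/24, and falling back to the numerically lowest address when none is marked `primary` is an assumption about the Junos default.

```python
import ipaddress
import re

# Counters copied from the "show dhcp server statistics" output in post 3.
STATS = """\
Packets dropped:
    Total                      193
    No available addresses     193
Messages received:
    DHCPDISCOVER               193
Messages sent:
    DHCPOFFER                  0
"""

def parse_counters(text):
    """Return {counter name: int} for every indented 'name   value' line."""
    pattern = r"^[ \t]+(\S.*?)[ \t]{2,}(\d+)[ \t]*$"
    return {m.group(1): int(m.group(2)) for m in re.finditer(pattern, text, re.M)}

def pool_starved(c):
    """True when every DISCOVER was dropped for lack of an address and no OFFER was sent."""
    return (c.get("DHCPDISCOVER", 0) > 0 and c.get("DHCPOFFER", 0) == 0
            and c.get("No available addresses", 0) >= c["DHCPDISCOVER"])

def primary_address(addresses):
    """addresses: list of (cidr, is_primary). An explicit 'primary' wins;
    otherwise assume the numerically lowest address is primary."""
    ifaces = [(ipaddress.ip_interface(a), p) for a, p in addresses]
    flagged = [i for i, p in ifaces if p]
    return flagged[0] if flagged else min((i for i, _ in ifaces), key=lambda i: int(i.ip))

def matching_pool(addresses, pools):
    """Name of the pool whose network contains the primary address, else None."""
    ip = primary_address(addresses).ip
    for name, net in pools.items():
        if ip in ipaddress.ip_network(net):
            return name
    return None

POOLS = {"office": "192.168.4.0/24"}
# 172.16.4.1/24 is a constructed stand-in for the redacted X.X.X.X/24.
BEFORE = [("172.16.4.1/24", False), ("192.168.4.1/24", False)]
AFTER = [("172.16.4.1/24", False), ("192.168.4.1/24", True)]

if __name__ == "__main__":
    print("starved:", pool_starved(parse_counters(STATS)))
    print("before :", matching_pool(BEFORE, POOLS))
    print("after  :", matching_pool(AFTER, POOLS))
```
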



  • 6.  RE: SRX chassis cluster - DHCP server does not work

    Posted 01-17-2020 00:32

    Thank you for all your replies. Both were helpful.

     

    The "primary" parameter on IP address resolved the issue.