
SRX345 - DHCP not relaying over a policy-based IPSEC VPN

  • 1.  SRX345 - DHCP not relaying over a policy-based IPSEC VPN

    Posted 12-15-2020 18:39
    Edited by Simon Barr 12-16-2020 02:53

    I have an SRX345 at a remote site, connected back to the main network over an IPsec tunnel (route-based, using st0.0 — the title is wrong, see the note below). The tunnel is up and traffic passes through it, but DHCP is not being relayed. Several older SRX units at other sites work with the equivalent configuration written in the legacy DHCP syntax; this unit uses the newer JDHCP syntax (forwarding-options dhcp-relay), so I suspect I am missing something specific to that.

    Note: the title is wrong and I cannot edit it — this is a route-based VPN (st0.0 tunnel interface), NOT a policy-based one. I was tired and mistyped.

    root@srx345> show dhcp relay statistics
    Packets dropped:
    Total 34
    Interface not configured 34

    Messages received:
    BOOTREQUEST 9
    DHCPDECLINE 0
    DHCPDISCOVER 9
    DHCPINFORM 0
    DHCPRELEASE 0
    DHCPREQUEST 0
    DHCPLEASEACTIVE 0
    DHCPLEASEUNASSIGNED 0
    DHCPLEASEUNKNOWN 0
    DHCPLEASEQUERYDONE 0

    Messages sent:
    BOOTREPLY 0
    DHCPOFFER 0
    DHCPACK 0
    DHCPNAK 0
    DHCPFORCERENEW 0
    DHCPLEASEQUERY 0
    DHCPBULKLEASEQUERY 0


    Partial config below:

    /* Tunnel -> local LAN direction (st0.0 sits in zone VPN, irb.2 in zone Corp).
       Permits any source, destination and application. Only session-close is
       logged, so a session that is created but never torn down cleanly leaves
       no trace; add "session-init" while troubleshooting.
       NOTE(review): an any/any permit from the tunnel into the LAN is wider than
       least privilege requires -- the CorpWholeNet address-book entry defined in
       the VPN zone is not used here; scope the policy once DHCP relay works. */
    from-zone VPN to-zone Corp {
    policy VPN_To_Corp {
    match {
    source-address any;
    destination-address any;
    application any;
    }
    then {
    permit;
    log {
    session-close;
    }
    }
    }
    }
    /* Local LAN -> tunnel direction. Mirror image of VPN_To_Corp: any/any permit,
       session-close logging only. This policy also has "count" enabled while the
       reverse one does not -- harmless, but worth making the two consistent so
       "show security policies ... detail" can be compared in both directions.
       NOTE(review): as with the reverse policy, narrow source/destination to the
       local and remote prefixes once the relay problem is solved. */
    from-zone Corp to-zone VPN {
    policy Corp_To_VPN {
    match {
    source-address any;
    destination-address any;
    application any;
    }
    then {
    permit;
    log {
    session-close;
    }
    count;
    }
    }
    }
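    /* Zone definitions for the route-based tunnel (st0.0) and the local LAN (irb.2).
       The closing brace of "zones" was missing from the pasted config; it is
       restored here so the stanza does not swallow the top-level "interfaces"
       stanza that follows it when loaded.
       NOTE(review): both zones -- and again each interface inside them -- allow
       every host-inbound system service and routing protocol ("all", and
       "any-service" on Corp, which Junos documents as opening the entire port
       range). Every management service on the box (ssh, web, netconf, ...) is
       therefore reachable from the tunnel and from the LAN. Because "all"
       already includes dhcp and ping, host-inbound-traffic is not what stops
       the relay: the statistics above show the DISCOVERs reaching the relay
       process. Once the relay issue is fixed, narrow this to the services that
       are actually needed. */
    zones {
    security-zone VPN {
    description "Tunneled traffic between sites";
    /* Defined but not referenced by the two policies shown, which match "any". */
    address-book {
    address CorpWholeNet 10.0.0.0/8;
    }
    host-inbound-traffic {
    system-services {
    all;
    }
    protocols {
    all;
    }
    }
    interfaces {
    /* The per-interface setting duplicates the zone-level one above. */
    st0.0 {
    host-inbound-traffic {
    system-services {
    all;
    }
    protocols {
    all;
    }
    }
    }
    }
    }
    security-zone Corp {
    address-book {
    address Corp 10.xxx.xxx.0/23;
    }
    host-inbound-traffic {
    system-services {
    any-service;
    }
    protocols {
    all;
    }
    }
    interfaces {
    /* irb.2 is the DHCP-relay client-facing interface (see forwarding-options). */
    irb.2 {
    host-inbound-traffic {
    system-services {
    all;
    }
    protocols {
    all;
    }
    }
    }
    }
    }
    }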
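    /* Two-member LACP bundle (ge-0/0/10, ge-0/0/11 -> ae1) carrying VLAN "vlan2"
       as a tagged trunk. The L3 side of that VLAN is irb.2, which is also the
       interface the DHCP relay group listens on. st0.0 is the route-based IPsec
       tunnel interface (zone VPN) that the default route points at.
       Fix versus the pasted text: "st0" appeared nested inside "irb unit 2"
       because two closing braces were missing after the irb address -- st0 is a
       separate interface and must be a sibling of irb, as written here. */
    interfaces {
    ge-0/0/10 {
    gigether-options {
    802.3ad ae1;
    }
    }
    ge-0/0/11 {
    gigether-options {
    802.3ad ae1;
    }
    }
    ae1 {
    aggregated-ether-options {
    lacp {
    active;
    }
    }
    unit 0 {
    family ethernet-switching {
    interface-mode trunk;
    vlan {
    members [ vlan2 ];
    }
    }
    }
    }
    irb {
    unit 2 {
    family inet {
    address 10.xxx.xxx.254/23;
    }
    }
    }
    /* Unnumbered tunnel interface: family inet is enabled with no address.
       NOTE(review): with "source-ip-change" on the relay group, check which
       source address relayed DHCP packets leaving via st0.0 actually carry. */
    st0 {
    unit 0 {
    family inet;
    family inet6;
    }
    }
    }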
    /* JDHCP relay: DHCP requests received on irb.2 are forwarded to 10.0.0.1,
       which is reached through st0.0 via the default route. "source-ip-change"
       presumably makes the relay source its packets from the egress interface
       rather than the giaddr (Junos documentation -- confirm).
       NOTE(review): the statistics above show 9 DHCPDISCOVERs received, nothing
       sent, and the only drop reason counted is "Interface not configured" --
       the relay process sees the packets but does not match them to this group.
       Verify which interface jdhcpd attributes the packets to (compare the
       vlan2 -> irb.2 binding and "show dhcp relay statistics" per interface),
       and make sure no legacy "system services dhcp" configuration is still
       present, since the legacy and JDHCP stacks cannot run side by side. */
    forwarding-options {
    dhcp-relay {
    server-group {
    dhcp-server {
    10.0.0.1;
    }
    }
    group relay1 {
    active-server-group dhcp-server;
    source-ip-change;
    interface irb.2;
    }
    }
    }
    /* Static routing only. The (redacted) /32 host route is presumably the IPsec
       peer's public address via the ISP next hop -- it must exist outside the
       tunnel so IKE/ESP do not get pulled into st0.0 by the default route below.
       The default route sends everything else, including the relayed DHCP
       traffic to 10.0.0.1, through the tunnel. */
    routing-options {
    static {
    route xxx.xxx.xxx.xxx/32 next-hop xxx.xxx.xxx.xxx;
    route 0.0.0.0/0 next-hop st0.0;
    }
    }
    /* Layer 2: the box runs in switching mode so ae1/irb.2 behave as a switch
       with a routed VLAN interface. RSTP is enabled on every switching port.
       NOTE(review): "interface all" means any host-facing port will accept
       BPDUs; whether edge ports are protected (bpdu-block / edge) is not visible
       in this excerpt -- confirm before relying on the topology. */
    protocols {
    l2-learning {
    global-mode switching;
    }
    rstp {
    interface all;
    }
    }
    vlans {
    vlan2 {
    description Corp;
    vlan-id 35;
    l3-interface irb.2;
    }