SRX


  • 1.  srx cluster no dhcp lease on reth sub interfaces

    Posted 11-17-2020 06:44
    Hello all,

    I'm new to juniper and trying to test srx320 in HA cluster mode.


    I'm stuck at the stage where, after setting up the cluster on the SRX320, I'm not able to get the DHCP server to provide an IP lease on the reth1 sub-interfaces reth1.10, reth1.20 and reth1.30. I've searched quite a few forums on the Juniper sites and matched the config, but I'm still unsuccessful. For test purposes the DHCP client is connected to the node 0 physical interface ge-0/0/5, which is set as family ethernet-switching with vlan members 20.

    I'd appreciate your support in troubleshooting this.

    Please see config below,

    services {

            ssh {

                root-login allow;

                connection-limit 5;

            }                               

            netconf {                       

                ssh;                       

            }

            dhcp-local-server {

                group DATA {

                    interface reth1.20;

                }

            }

            web-management {

                https {

                    system-generated-certificate;

                    interface all;

                }

    chassis {

        cluster {

            control-link-recovery;

            reth-count 2;

            heartbeat-interval 2000;

            redundancy-group 0 {

                node 0 priority 200;

                node 1 priority 100;

            }

            redundancy-group 1 {

                node 0 priority 200;

                node 1 priority 100;

            }

        }                           

    zones {

            security-zone trust {

                host-inbound-traffic {

                    system-services {

                        all;

                        dhcp;

                    }

                    protocols {

                        all;

                    }

                }

                interfaces {

                    irb.0;

                    reth1.10 {

                        host-inbound-traffic {

                            system-services {

                                ping;

                                ssh;

                                traceroute;

                                dhcp;

                            }

                        }

                    }

                    reth1.20 {

                        host-inbound-traffic {

                            system-services {

                                ping;

                                ssh;

                                traceroute;

                                dhcp;

                            }

                        }                   

                    }

                    reth1.30 {

                        host-inbound-traffic {

                            system-services {

                                dhcp;

                                ping;

                                ssh;

                                traceroute;

                            }

    }

    interfaces {

        ge-0/0/2 {

            description FABRIC;

        }

        ge-0/0/3 {

            gigether-options {

                redundant-parent reth0;

            }

        }

        ge-0/0/4 {

            gigether-options {

                redundant-parent reth1;

            }

        }

        ge-0/0/5 {

            unit 0 {

                family ethernet-switching {

                    vlan {

                        members 20;

                    }

                }

            }

        }               

    reth1 {

            vlan-tagging;

            redundant-ether-options {

                redundancy-group 1;

            }

            unit 10 {

                vlan-id 10;

                family inet {

                    address 192.168.1.1/24;

                }

            }

            unit 20 {

                vlan-id 20;

                family inet {

                    address 172.16.16.1/24 {

                        primary;

                    }

                }

            }

            unit 30 {

                vlan-id 30;

                family inet {

                    address 172.16.17.1/24;

                }

    access {

        address-assignment {

            pool DATA {

                family inet {

                    network 172.16.16.0/24;

                    range r1 {

                        low 172.16.16.20;

                        high 172.16.16.250;

                    }

                    dhcp-attributes {

                        name-server {

                            8.8.8.8;

                        }

                        router {

                            172.16.16.1;

                        }           



  • 2.  RE: srx cluster no dhcp lease on reth sub interfaces

    Posted 11-17-2020 16:25
    Edited by bdale 11-18-2020 17:38
    Hi there,

    Your configuration looks good - if you put a device in VLAN 20 with a static IP address in the correct range, are you able to ping the gateway on reth1.20? (172.16.16.1)

    Also, can you provide the output of the following commands:

    show version
    show chassis cluster status
    show interfaces reth1.20

    ------------------------------
    Cheers,

    Ben Dale
    JNCIE-SEC #63
    JNCIP-SP
    JNCIP-ENT
    JNCIP-DC
    ------------------------------



  • 3.  RE: srx cluster no dhcp lease on reth sub interfaces

    Posted 11-18-2020 02:37
    Hi Ben,

    Thanks for your response.

    I've set a manual IP of 172.16.16.2/24 on the client and tried to ping the default gateway on reth1.20 (172.16.16.1), with no success.

    please see below requested,

    root@srx320-poe-02> show version
    node0:
    --------------------------------------------------------------------------
    Hostname: srx320-poe-01
    Model: srx320-poe
    Junos: 19.4R2.6
    JUNOS Software Release [19.4R2.6]

    node1:
    --------------------------------------------------------------------------
    Hostname: srx320-poe-02
    Model: srx320-poe
    Junos: 19.4R2.6
    JUNOS Software Release [19.4R2.6]

    ---------------------------------------------------------

    root@srx320-poe-02> show chassis cluster status
    Monitor Failure codes:
    CS Cold Sync monitoring FL Fabric Connection monitoring
    GR GRES monitoring HW Hardware monitoring
    IF Interface monitoring IP IP monitoring
    LB Loopback monitoring MB Mbuf monitoring
    NH Nexthop monitoring NP NPC monitoring
    SP SPU monitoring SM Schedule monitoring
    CF Config Sync monitoring RE Relinquish monitoring
    IS IRQ storm

    Cluster ID: 1
    Node Priority Status Preempt Manual Monitor-failures

    Redundancy group: 0 , Failover count: 1
    node0 200 secondary no no None
    node1 100 primary no no None

    Redundancy group: 1 , Failover count: 1
    node0 200 secondary no no None
    node1 100 primary no no None
    -------------------------------------------------------

    root@srx320-poe-02> show interfaces reth1.20
    Logical interface reth1.20 (Index 72) (SNMP ifIndex 575)
    Flags: Up SNMP-Traps 0x0 VLAN-Tag [ 0x8100.20 ] Encapsulation: ENET2
    Statistics Packets pps Bytes bps
    Bundle:
    Input : 0 0 0 0
    Output: 0 0 0 0
    Adaptive Statistics:
    Adaptive Adjusts: 0
    Adaptive Scans : 0
    Adaptive Updates: 0
    Security: Zone: trust
    Allowed host-inbound traffic : bfd bgp dvmrp igmp ldp msdp nhrp ospf pgm pim rip
    router-discovery rsvp sap vrrp dhcp ping ssh traceroute
    Protocol inet, MTU: 1500
    Max nh cache: 100000, New hold nh limit: 100000, Curr nh cnt: 0, Curr new hold cnt: 0,
    NH drop cnt: 0
    Flags: Sendbcast-pkt-to-re
    Addresses, Flags: Primary Is-Preferred Is-Primary
    Destination: 172.16.16/24, Local: 172.16.16.1, Broadcast: 172.16.16.255



  • 4.  RE: srx cluster no dhcp lease on reth sub interfaces

    Posted 11-18-2020 17:38
    Okay, I see your issue now:

    In your output, the SRX chassis cluster has failed over to node1; however, based on the configuration above, you don't have the interfaces on the second node configured, so traffic from VLAN 20 won't be able to reach the gateway address (and therefore the DHCP listener).

    First, let's fix up the fabric interfaces (make sure ge-0/0/1 and ge-0/0/2 on both nodes are connected together)

    set interfaces fab0 fabric-options member-interfaces ge-0/0/2
    set interfaces fab1 fabric-options member-interfaces ge-3/0/2

    Now, we'll increase the reth-count to match the number of physical interfaces on the unit

    set chassis cluster reth-count 8

    Now change the redundancy-group to port mapping so that the reth, redundancy group and interface numbers all line up (you'll thank me later):

    delete redundancy-group 1

    set redundancy-group 3 node 0 priority 200
    set redundancy-group 3 node 1 priority 100

    set redundancy-group 4 node 0 priority 200
    set redundancy-group 4 node 1 priority 100

    set interfaces ge-0/0/3 gigether-options redundant-parent reth3
    set interfaces ge-0/0/4 gigether-options redundant-parent reth4

    Now add the bit that was missing originally - you need to configure the interfaces on node1 to be part of the redundancy groups as well - node1 is referenced as FPC 3:

    set interfaces ge-3/0/3 gigether-options redundant-parent reth3
    set interfaces ge-3/0/4 gigether-options redundant-parent reth4

    Now we'll rename reth1 to reth4 and update the security-zone mappings:

    rename interface reth1 to reth4
    set interfaces reth4 redundant-ether-options redundancy-group 4

    delete security zones security-zone trust interface reth1.10
    delete security zones security-zone trust interface reth1.20
    delete security zones security-zone trust interface reth1.30

    delete security zones security-zone trust interface reth4.10
    delete security zones security-zone trust interface reth4.20
    delete security zones security-zone trust interface reth4.30

    We'll also set up reth3, even though it doesn't appear to be used in your config right now:

    set interfaces reth3 redundant-ether-options redundancy-group 3

    Now let's fix the redundancy groups so that if a reth member fails, the L3 fails across nodes

    set chassis cluster redundancy-group 3 interface-monitor ge-0/0/3 weight 255
    set chassis cluster redundancy-group 3 interface-monitor ge-3/0/3 weight 255
    set chassis cluster redundancy-group 4 interface-monitor ge-0/0/4 weight 255
    set chassis cluster redundancy-group 4 interface-monitor ge-3/0/4 weight 255
    Now you should be good to go.  If you want more detail about the above, check out the Chassis Cluster configuration guide:

    https://www.juniper.net/documentation/en_US/junos/topics/topic-map/security-chassis-cluster-verification.html

    ------------------------------
    Cheers,

    Ben Dale
    JNCIE-SEC #63
    JNCIP-SP
    JNCIP-ENT
    JNCIP-DC
    ------------------------------



  • 5.  RE: srx cluster no dhcp lease on reth sub interfaces

    Posted 11-22-2020 01:07
    Hi Ben,

    Posting my reply again, as I replied to your reply 3 days ago with a picture of the topology; however, it has not been posted yet, not sure why.

    Anyways. 

    Thanks again for your detailed correction of the configuration, and thanks for the correct mapping of the ports on the firewall to the RGs and reth interfaces :) that really clears up the confusion.

    So after applying the above corrections, I'm now able to ping from a laptop (connected to an EX switch > SRX reth4) on VLAN 20 with a static IP to its default gateway 172.16.16.1 and to the internet (8.8.8.8). However, the DHCP server on the SRX is still not leasing IPs. But now I see, when I run the command below, that packets are being dropped.

    root@srx320-poe-01# run show dhcp server statistics
    Packets dropped:
    Total 1
    dhcp-service total 1

    Offer Delay:
    DELAYED 0
    INPROGRESS 0
    TOTAL 0

    Messages received:
    BOOTREQUEST 0
    DHCPDECLINE 0
    DHCPDISCOVER 0
    DHCPINFORM 0
    DHCPRELEASE 0
    DHCPREQUEST 0
    DHCPLEASEQUERY 0
    DHCPBULKLEASEQUERY 0
    DHCPACTIVELEASEQUERY 0

    Messages sent:
    BOOTREPLY 0
    DHCPOFFER 0
    DHCPACK 0
    DHCPNAK 0
    DHCPFORCERENEW 0
    DHCPLEASEUNASSIGNED 0
    DHCPLEASEUNKNOWN 0
    DHCPLEASEACTIVE 0
    DHCPLEASEQUERYDONE 0

    {primary:node0}[edit]
    root@srx320-poe-01#

    I don't think a DHCP relay on the switch should be needed, but I've still put the DHCP relay settings on the switch to test whether it helps with the DHCP lease; it doesn't.


    root@SW02# run show configuration forwarding-options
    storm-control-profiles default {
    all;
    }
    dhcp-relay {
    server-group {
    SRX-Cluster {
    172.16.16.1;
    }
    }
    active-server-group SRX-Cluster;
    group DATA {
    interface ge-0/0/47.0;
    }
    }


    This is the topology: laptop (VLAN 20) > EX SW02 > primary SRX reth4

    Could you please assist further with correcting the DHCP issue? I've also allowed dhcp on reth4.20 in the trust zone:

    root@srx320-poe-01# show security zones security-zone trust
    host-inbound-traffic {
    system-services {
    all;
    dhcp;
    }
    protocols {
    all;
    }
    }
    interfaces {
    irb.0;
    reth4.10;
    reth4.20 {
    host-inbound-traffic {
    system-services {
    ping;
    ssh;
    traceroute;
    dhcp;
    all;
    }
    protocols {
    all;
    }
    }
    }
    reth4.30;
    }

    Many thanks for your support.
    Regards
    Zeeshan