SRX


Ask questions and share experiences about the SRX Series, vSRX, and cSRX.
  • 1.  SRX 300 - DHCP subsystem not running

    Posted 08-22-2016 22:16

    I can't seem to get DHCP to work on the new SRX 300.

     

    The error I get is “dhcp subsystem not running”…

     

    I gather there are two ways of doing it: the old SRX100 method and a new one (see below).

     

    Is there a trick to this ?

     

     

    The old way was just:

     

    Services{

    ….

    dhcp {

                pool 192.168.15.0/24 {

                    address-range low 192.168.15.50 high 192.168.15.150;

                    default-lease-time 3600;

                    name-server {

                        8.8.8.8;

                    }

                    router {

                        192.168.15.1;

                    }

                }

            }

    }

     

     

     

    I tried the new way:

     

    Services {

    ….

    dhcp-local-server {

                    group Data-Vlan-DHCP {

                    interface irb.1;

                    interface vlan.1;

                    }

            }

     

    ……

     

    access {

                    address-assignment {

                                    pool DHCP_Data_Network {

                                                    family inet {

                                                                    network 192.168.15.0/24;

                                                                    range 192_168_15_0 {

                                                                                    low 192.168.15.50;

                                                                                    high 192.168.15.150;

                                                                    }

                                                                    dhcp-attributes {

                                                                                    name-server {

                                                                                                    8.8.8.8;

                                                                                    }

                                                                                    router {

                                                                                                    192.168.15.1;

                                                                                    }

                                                                    }

                                                    }

                                    }

                    }

    }

     

     

     

     

    Neither worked.

    See my config below:

     

     

     

    ## Last commit: 2016-08-09 04:03:12 GMT+10 by root
    version 15.1X49-D50.3;
    ## System stanza: host identity, root login, DNS, management services, local logging, config archival, licensing and NTP.
    system {
    host-name Laser-SRX300;
    time-zone GMT+10;
    root-authentication {
    ## The password hash was masked by the poster; keep it masked whenever a config is shared publicly.
    encrypted-password "???????????????????"; ## SECRET-DATA
    }
    name-server {
    8.8.8.8;
    }
    name-resolution {
    no-resolve-on-input;
    }
    services {
    ssh;
    ## NOTE(review): telnet carries logins in cleartext; ssh is already enabled on the line above.
    telnet;
    ## NOTE(review): xnm-clear-text is the unencrypted variant of the Junos XML management service; keep it only if something depends on it.
    xnm-clear-text;
    web-management {
    ## NOTE(review): plain-HTTP J-Web is bound to every interface. The zones stanza of this config allows
    ## system-services all on the Internet zone as well, so management may be reachable from outside — confirm and restrict.
    http {
    interface all;
    }
    https {
    system-generated-certificate;
    interface all;
    }
    session {
    idle-timeout 60;
    }
    }
    ## DHCP server ("new" jdhcp style). The group lists both irb.1 and vlan.1; the vlans stanza of this config
    ## binds VLAN 1 to irb.1 only, and both units are given 192.168.15.1/24 under interfaces.
    ## NOTE(review): the group names no pool; presumably the server picks DHCP_Data_Network by matching the
    ## interface address against the pool's network — confirm.
    dhcp-local-server {
    group Data-Vlan-DHCP {
    interface irb.1;
    interface vlan.1;
    }
    }
    }
    ## Logging goes to local files and logged-in users only; no remote syslog host is listed in this stanza.
    syslog {
    archive size 100k files 3;
    user * {
    any emergency;
    }
    file messages {
    any critical;
    authorization info;
    }
    file interactive-commands {
    interactive-commands error;
    }
    }
    max-configurations-on-flash 5;
    max-configuration-rollbacks 5;
    ## transfer-on-commit is set, but no archive-sites destination appears in this stanza.
    archival {
    configuration {
    transfer-on-commit;
    }
    }
    license {
    autoupdate {
    url https://ae1.juniper.net/junos/key_retrieval;
    }
    }
    ntp {
    server 0.oceania.pool.ntp.org;
    }
    }
    security {
    ## ALG settings: the SIP ALG is disabled and the IKE/ESP NAT ALG is enabled.
    alg {
    sip disable;
    ike-esp-nat {
    enable;
    }
    }
    ## Sets the TCP MSS value to 1400 for all TCP sessions.
    flow {
    tcp-mss {
    all-tcp {
    mss 1400;
    }
    }
    }
    ## Screen profile (ping-of-death, source-route option, teardrop, SYN-flood thresholds, land).
    ## NOTE(review): a screen only takes effect once a security zone references it; none of the zones in this
    ## config carries a screen statement, so untrust-screen does not appear to be applied — confirm.
    screen {
    ids-option untrust-screen {
    icmp {
    ping-death;
    }
    ip {
    source-route-option;
    tear-drop;
    }
    tcp {
    syn-flood {
    alarm-threshold 1024;
    attack-threshold 200;
    source-threshold 1024;
    destination-threshold 2048;
    timeout 20;
    }
    land;
    }
    }
    }
    nat {
    ## Source NAT: traffic from zone DataNetwork to zone Internet, any source and destination, is translated
    ## to the egress interface address. DataNetwork is the only from-zone listed; VoiceNetwork and
    ## SIPconnection have no source NAT rule in this config.
    source {
    rule-set nat_to_internet {
    from zone DataNetwork;
    to zone Internet;
    rule nat_to_data_net_rule {
    match {
    source-address 0.0.0.0/0;
    destination-address 0.0.0.0/0;
    }
    then {
    source-nat {
    interface;
    }
    }
    }
    }
    }
    destination {
    ## Destination NAT pools, one per forwarded port: 6180-6188 go to 192.168.15.151, 9630-9632 to 192.168.15.200.
    ## Both hosts sit outside the DHCP range (.50-.150) defined under access, so they are presumably statically addressed.
    ## NOTE(review): each pool names a single host but is written with a /24 mask; a /32 host address is the
    ## usual form for a one-host pool — confirm this is intended.
    pool port_fwd_6180 {
    address 192.168.15.151/24 port 6180;
    }
    pool port_fwd_6181 {
    address 192.168.15.151/24 port 6181;
    }
    pool port_fwd_6182 {
    address 192.168.15.151/24 port 6182;
    }
    pool port_fwd_6183 {
    address 192.168.15.151/24 port 6183;
    }
    pool port_fwd_6184 {
    address 192.168.15.151/24 port 6184;
    }
    pool port_fwd_6185 {
    address 192.168.15.151/24 port 6185;
    }
    pool port_fwd_6186 {
    address 192.168.15.151/24 port 6186;
    }
    pool port_fwd_6187 {
    address 192.168.15.151/24 port 6187;
    }
    pool port_fwd_6188 {
    address 192.168.15.151/24 port 6188;
    }
    pool port_fwd_9630 {
    address 192.168.15.200/24 port 9630;
    }
    pool port_fwd_9631 {
    address 192.168.15.200/24 port 9631;
    }
    pool port_fwd_9632 {
    address 192.168.15.200/24 port 9632;
    }
    ## Destination NAT rule-set for traffic arriving from zone Internet. Each rule matches one destination port
    ## on any destination address (0.0.0.0/0) and hands the packet to the pool of the same name.
    ## NOTE(review): no rule restricts the source address, and the Internet-to-inside policies in this config
    ## permit any application, so every forwarded port is open to any sender that can reach the outside
    ## interface. Restrict by source or tighten the policy where the service allows it.
    rule-set dst-nat {
    from zone Internet;
    rule port_fwd_6180 {
    match {
    destination-address 0.0.0.0/0;
    destination-port 6180;
    }
    then {
    destination-nat {
    pool {
    port_fwd_6180;
    }
    }
    }
    }
    rule port_fwd_6181 {
    match {
    destination-address 0.0.0.0/0;
    destination-port 6181;
    }
    then {
    destination-nat {
    pool {
    port_fwd_6181;
    }
    }
    }
    }
    rule port_fwd_6182 {
    match {
    destination-address 0.0.0.0/0;
    destination-port 6182;
    }
    then {
    destination-nat {
    pool {
    port_fwd_6182;
    }
    }
    }
    }
    rule port_fwd_6183 {
    match {
    destination-address 0.0.0.0/0;
    destination-port 6183;
    }
    then {
    destination-nat {
    pool {
    port_fwd_6183;
    }
    }
    }
    }
    rule port_fwd_6184 {
    match {
    destination-address 0.0.0.0/0;
    destination-port 6184;
    }
    then {
    destination-nat {
    pool {
    port_fwd_6184;
    }
    }
    }
    }
    rule port_fwd_6185 {
    match {
    destination-address 0.0.0.0/0;
    destination-port 6185;
    }
    then {
    destination-nat {
    pool {
    port_fwd_6185;
    }
    }
    }
    }
    rule port_fwd_6186 {
    match {
    destination-address 0.0.0.0/0;
    destination-port 6186;
    }
    then {
    destination-nat {
    pool {
    port_fwd_6186;
    }
    }
    }
    }
    rule port_fwd_6187 {
    match {
    destination-address 0.0.0.0/0;
    destination-port 6187;
    }
    then {
    destination-nat {
    pool {
    port_fwd_6187;
    }
    }
    }
    }
    rule port_fwd_6188 {
    match {
    destination-address 0.0.0.0/0;
    destination-port 6188;
    }
    then {
    destination-nat {
    pool {
    port_fwd_6188;
    }
    }
    }
    }
    rule port_fwd_9630 {
    match {
    destination-address 0.0.0.0/0;
    destination-port 9630;
    }
    then {
    destination-nat {
    pool {
    port_fwd_9630;
    }
    }
    }
    }
    rule port_fwd_9631 {
    match {
    destination-address 0.0.0.0/0;
    destination-port 9631;
    }
    then {
    destination-nat {
    pool {
    port_fwd_9631;
    }
    }
    }
    }
    rule port_fwd_9632 {
    match {
    destination-address 0.0.0.0/0;
    destination-port 9632;
    }
    then {
    destination-nat {
    pool {
    port_fwd_9632;
    }
    }
    }
    }
    }
    }
    }
    ## Security policies. Every zone pair below uses the same match (any source, any destination, any application)
    ## with action permit, so as posted the zones do not filter traffic between one another.
    ## No policy has a log action, so permitted sessions are not logged by policy.
    policies {
    from-zone DataNetwork to-zone DataNetwork {
    policy data2data {
    description "Allows traffic within Data zone";
    match {
    source-address any;
    destination-address any;
    application any;
    }
    then {
    permit;
    }
    }
    }
    from-zone DataNetwork to-zone VoiceNetwork {
    policy data2voice {
    description "Allows traffic between Data and Voice zones";
    match {
    source-address any;
    destination-address any;
    application any;
    }
    then {
    permit;
    }
    }
    }
    from-zone DataNetwork to-zone Internet {
    policy data2www {
    description "Allows traffic between Data and Internet zones";
    match {
    source-address any;
    destination-address any;
    application any;
    }
    then {
    permit;
    }
    }
    }
    from-zone VoiceNetwork to-zone Internet {
    policy voice2www {
    description "Allows traffic between Voice and Internet zones";
    match {
    source-address any;
    destination-address any;
    application any;
    }
    then {
    permit;
    }
    }
    }
    from-zone VoiceNetwork to-zone DataNetwork {
    policy voice2data {
    description "Allows traffic between Voice and Data zones";
    match {
    source-address any;
    destination-address any;
    application any;
    }
    then {
    permit;
    }
    }
    }
    from-zone SIPconnection to-zone SIPconnection {
    policy sip2sip {
    description "Allows traffic between sip zones";
    match {
    source-address any;
    destination-address any;
    application any;
    }
    then {
    permit;
    }
    }
    }
    from-zone SIPconnection to-zone DataNetwork {
    policy sip2data {
    description "Allows traffic between SIP and Data zones";
    match {
    source-address any;
    destination-address any;
    application any;
    }
    then {
    permit;
    }
    }
    }
    from-zone SIPconnection to-zone VoiceNetwork {
    policy sip2voice {
    description "Allows traffic between SIP and Voice zones";
    match {
    source-address any;
    destination-address any;
    application any;
    }
    then {
    permit;
    }
    }
    }
    from-zone DataNetwork to-zone SIPconnection {
    policy data2sip {
    description "Allows traffic between Data and SIP zones";
    match {
    source-address any;
    destination-address any;
    application any;
    }
    then {
    permit;
    }
    }
    }
    from-zone VoiceNetwork to-zone SIPconnection {
    policy voice2sip {
    description "Allows traffic between Voice and SIP zones";
    match {
    source-address any;
    destination-address any;
    application any;
    }
    then {
    permit;
    }
    }
    }
    ## NOTE(review): inbound from the Internet zone with any/any/any permit. Policy lookup uses the
    ## post-destination-NAT address, so this can be narrowed to the forwarded hosts in this config
    ## (192.168.15.151 and 192.168.15.200) and the applications actually forwarded.
    from-zone Internet to-zone DataNetwork {
    policy www2data {
    description "Allows traffic between Internet and Data zones";
    match {
    source-address any;
    destination-address any;
    application any;
    }
    then {
    permit;
    }
    }
    }
    ## NOTE(review): same any/any/any permit from the Internet zone into the voice zone; no destination NAT
    ## pool in this config points at the voice subnet, so confirm this policy is needed at all.
    from-zone Internet to-zone VoiceNetwork {
    policy www2voice {
    description "Allows traffic between Internet and Voice zones";
    match {
    source-address any;
    destination-address any;
    application any;
    }
    then {
    permit;
    }
    }
    }
    }
    ## Security zones and the device-bound (host-inbound) traffic each member interface accepts.
    ## NOTE(review): no zone carries a screen statement, so the untrust-screen profile defined under
    ## security screen does not appear to be applied anywhere in this config — confirm.
    ## NOTE(review): pp0.0, the next hop of the default route in this config, is not a member of any zone;
    ## an interface normally has to belong to a security zone before traffic is processed on it — confirm.
    zones {
    security-zone DataNetwork {
    description "Data vlan";
    interfaces {
    ## Only irb.1 is a zone member; vlan.1, also named in the DHCP server group, is in no zone.
    irb.1 {
    host-inbound-traffic {
    system-services {
    all;
    }
    protocols {
    all;
    }
    }
    }
    }
    }
    security-zone VoiceNetwork {
    description "Voice vlan";
    interfaces {
    irb.20 {
    host-inbound-traffic {
    system-services {
    all;
    }
    }
    }
    }
    }
    security-zone SIPconnection {
    description "SIP Connection";
    interfaces {
    irb.30 {
    host-inbound-traffic {
    system-services {
    all;
    }
    }
    }
    }
    }
    security-zone Internet {
    description "Telstra NBN Connection";
    interfaces {
    ## NOTE(review): system-services all on the outside interface accepts every service enabled under
    ## system services, which in this config includes telnet, xnm-clear-text and HTTP/HTTPS web management
    ## on all interfaces. List only the services that must answer on this side.
    ge-0/0/0.0 {
    host-inbound-traffic {
    system-services {
    all;
    }
    }
    }
    }
    }
    }
    }
    ## Physical ports, the irb and vlan layer-3 interfaces, and the PPPoE client interface.
    interfaces {
    ## WAN port: unit 0 only carries PPPoE encapsulation; the IP address is negotiated on pp0.0 below.
    ge-0/0/0 {
    description "Telstra NBN Internet";
    unit 0 {
    encapsulation ppp-over-ether;
    }
    }
    ge-0/0/1 {
    description "SIP Port";
    unit 0 {
    family ethernet-switching {
    interface-mode access;
    vlan {
    members SIP-VLAN;
    }
    native-vlan-id default;
    }
    }
    }
    ge-0/0/2 {
    description "Voice Port";
    unit 0 {
    family ethernet-switching {
    interface-mode access;
    vlan {
    members Voice-VLAN;
    }
    native-vlan-id default;
    }
    }
    }
    ge-0/0/3 {
    description "Data Port";
    unit 0 {
    family ethernet-switching {
    interface-mode access;
    vlan {
    members default;
    }
    native-vlan-id default;
    }
    }
    }
    ge-0/0/4 {
    description "Data Port";
    unit 0 {
    family ethernet-switching {
    interface-mode access;
    vlan {
    members default;
    }
    native-vlan-id default;
    }
    }
    }
    ## NOTE(review): members all puts every configured VLAN (data, voice and SIP) on this trunk; list only
    ## the VLANs the attached device needs if the zones are meant to stay separated.
    ge-0/0/5 {
    description "Trunk Port";
    unit 0 {
    family ethernet-switching {
    interface-mode trunk;
    vlan {
    members all;
    }
    }
    }
    }
    ## Layer-3 interfaces that the vlans stanza of this config references (l3-interface irb.1 / irb.20 / irb.30).
    irb {
    unit 1 {
    description Data;
    family inet {
    address 192.168.15.1/24;
    }
    }
    unit 20 {
    description Voice;
    family inet {
    address 172.16.1.1/24;
    }
    }
    ## Described as "Voice", but the vlans stanza binds irb.30 to SIP-VLAN.
    unit 30 {
    description Voice;
    family inet {
    address 192.168.20.1/24;
    }
    }
    }
    ## NOTE(review): the vlan units repeat the irb addresses exactly, and no VLAN in this config uses a vlan.N
    ## l3-interface. This looks like a leftover of the older SRX100-style layout and is a likely candidate
    ## for removal (a reply in the thread suggests dropping vlan.1 from DHCP) — confirm.
    vlan {
    unit 1 {
    description Data;
    family inet {
    address 192.168.15.1/24;
    }
    }
    unit 20 {
    description Voice;
    family inet {
    address 172.16.1.1/24;
    }
    }
    unit 30 {
    description Voice;
    family inet {
    address 192.168.20.1/24;
    }
    }
    }
    ## PPPoE client over ge-0/0/0.0 with a negotiated address. No PPP authentication settings are shown
    ## under this unit; they may have been removed before posting.
    pp0 {
    unit 0 {
    pppoe-options {
    underlying-interface ge-0/0/0.0;
    idle-timeout 0;
    auto-reconnect 20;
    client;
    }
    family inet {
    negotiate-address;
    }
    }
    }
    }
    ## Static routes: the default route leaves via the PPPoE interface, and the listed public prefixes are
    ## sent to 192.168.20.2, which lies in the irb.30 subnet (192.168.20.1/24).
    ## NOTE(review): pp0.0 is not a member of any security zone in this config — confirm that is intended.
    routing-options {
    static {
    route 0.0.0.0/0 next-hop pp0.0; ## Internet - Telstra NBN interface
    route 203.52.0.0/16 next-hop 192.168.20.2;
    route 203.41.188.96/28 next-hop 192.168.20.2;
    route 203.42.70.224/28 next-hop 192.168.20.2;
    route 144.140.208.16/29 next-hop 192.168.20.2;
    route 144.140.162.40/29 next-hop 192.168.20.2;
    route 144.140.208.32/28 next-hop 192.168.20.2;
    route 144.140.162.48/28 next-hop 192.168.20.2;
    route 144.140.208.80/28 next-hop 192.168.20.2;
    route 144.140.162.80/28 next-hop 192.168.20.2;
    ## The next five /28 routes and the two /27 routes for 203.52.x.x fall inside 203.52.0.0/16 above with the same next hop.
    route 203.52.1.160/28 next-hop 192.168.20.2;
    route 203.52.0.160/28 next-hop 192.168.20.2;
    route 203.52.3.160/28 next-hop 192.168.20.2;
    route 203.44.43.160/28 next-hop 192.168.20.2;
    route 203.52.2.160/28 next-hop 192.168.20.2;
    route 203.44.44.160/28 next-hop 192.168.20.2;
    route 203.44.42.0/27 next-hop 192.168.20.2;
    route 203.44.42.224/27 next-hop 192.168.20.2;
    }
    }
    ## Sets the layer-2 learning global mode to switching.
    ## NOTE(review): a change of global-mode normally needs a reboot to take effect — confirm the device was
    ## rebooted after this was committed.
    protocols {
    l2-learning {
    global-mode switching;
    }
    }
    ## VLAN definitions. Each VLAN is bound to an irb unit as its layer-3 interface; none uses a vlan.N unit.
    vlans {
    SIP-VLAN {
    ## Description repeats "Voice Network" although this is the SIP VLAN (id 30).
    description "Voice Network";
    vlan-id 30;
    l3-interface irb.30;
    }
    Voice-VLAN {
    description "Voice Network";
    vlan-id 20;
    l3-interface irb.20;
    }
    default {
    description "Data Network";
    vlan-id 1;
    l3-interface irb.1;
    }
    }
    ## Address pool for the DHCP local server: 192.168.15.50-150 out of 192.168.15.0/24, with the gateway
    ## set to the irb.1 address (192.168.15.1) and 8.8.8.8 as DNS server.
    ## NOTE(review): nothing under system services dhcp-local-server in this config references this pool by
    ## name; presumably it is selected because its network matches the serving interface's address — confirm.
    access {
    address-assignment {
    pool DHCP_Data_Network {
    family inet {
    network 192.168.15.0/24;
    range 192_168_15_0 {
    low 192.168.15.50;
    high 192.168.15.150;
    }
    dhcp-attributes {
    name-server {
    8.8.8.8;
    }
    router {
    192.168.15.1;
    }
    }
    }
    }
    }
    }




  • 2.  RE: SRX 300 - DHCP subsystem not running

     
    Posted 08-22-2016 22:52

    Hello,

     

    Can you post the complete error message?

    Which command you are attempting to run when the error message appears?

    I am assuming that there is no issue with committing the configuration.

     

    Regards,

     

    Rushi



  • 3.  RE: SRX 300 - DHCP subsystem not running

     
    Posted 08-23-2016 01:09

    Hi, 

     

    The error possibly indicates that the DHCP daemon is not running.

    Maybe you could try restarting it:

    restart dhcp-service gracefully

    or "restart dhcp gracefully".

    Cheers,
    Ashvin

     



  • 4.  RE: SRX 300 - DHCP subsystem not running

     
    Posted 08-23-2016 02:55

    AFAIK, on 15.1 we don't have the old dhcp; it's the new jdhcp, and your configuration is also for the new jdhcp model.

     

    Can you run the command below to confirm whether JDHCP is running?

     

    root# run show system processes extensive | match dhcp
    1281 root 1 96 0 50280K 12060K select 19:38 0.00% jdhcpd

     

    And if you see jdhcp running, please use "restart dhcp-service" to refresh the process.



  • 5.  RE: SRX 300 - DHCP subsystem not running

     
    Posted 08-23-2016 02:58

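    You may also remove vlan.1 from the DHCP configuration: the posted config binds the data VLAN to irb.1 (l3-interface irb.1), so vlan.1 looks redundant there.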



  • 6.  RE: SRX 300 - DHCP subsystem not running

    Posted 09-22-2016 01:48

    I couldn't get my SRX300 to pull an address on ge0/0/0 out of the box. I found it worked after upgrading to a newer Junos 15.1 version than the one it shipped with. In my case 15.1X49-D60.7 got DHCP working without other intervention.

     

    To be honest, the SRX300 is not a great out-of-the-box experience. The default setup seems a bit whimsical and the fact that it doesn't actually have functional DHCP and is configured in transparent mode out-of-the-box is unhelpful.

     



  • 7.  RE: SRX 300 - DHCP subsystem not running

    Posted 11-15-2016 04:54

    Hi,

     

    I am also using 15.1X49-D60.7 but still can't get a dhcp address.

    our configuration is SRX320 in a chassis cluster, and we are trying to get a dhcp allocation on a reth interface

     

    this is our config:

    set interfaces reth2 redundant-ether-options redundancy-group 2

    set interfaces reth2 unit 0 family inet dhcp-client

     

     

    ## NOTE(review): a DHCP client on this interface needs the dhcp system-service allowed inbound; "all" also
    ## accepts every other service enabled on the device from the untrust side. Prefer listing only what is needed.
    set security zones security-zone untrust interfaces reth2.0 host-inbound-traffic system-services all

     

    when trying to restart dhcp-services we get the following error:

     

    restart dhcp-service gracefully
    error: Junos Dynamic Host Configuration Protocol process is not running
    error: Junos Dynamic Host Configuration Protocol process was not restarted

     

    Any help will be highly appreciated 🙂



  • 8.  RE: SRX 300 - DHCP subsystem not running

    Posted 04-25-2017 03:44

    Hi all,

     

    any update on this one ?

    I am facing the same issue ?

    Can't get an IP address for the reth interface with an SRX300 running 15.1X49-D70.3.

     

    Thanks.

     

    Cheers, Christoph.