Security


Ask questions and share experiences with Juniper Connected Security. Discuss Advanced Threat Protection, SecIntel, Secure Analytics, Secure Connect, Security Director, and all things related to Juniper security technologies.

SRX Receives DHCP-Discover, But Client Doesn't Get DHCP-Offer... How?


    Posted 03-18-2022 05:42
    Hi all,

    So I am trying to get an IP address for my MistAP through my DHCP server, which is my SRX router. I have my MistAP in a security zone and also VLAN ID 99 (native VLAN). The problem is that I cannot get my MistAP to obtain an IP address. I have done packet captures on the irb.99 interface of my SRX and on ge-0/0/47 of my EX2300, which is where my MistAP is getting power from (PoE). Here is my config for a more in-depth review:
    SRX

    services {
        ssh;
        xnm-clear-text;
        dhcp-local-server {
            group MistAP {
                overrides {
                    /* SRX - DHCP-Client-not-accepting-unicast-DHCP-offer */
                    no-unicast-replies;
                }
                interface irb.99;
            }
    {...}

    security {
        zones {
            security-zone DMZ {
                address-book {
                    address MistAP-Net 10.10.99.0/29;
                }
                host-inbound-traffic {
                    system-services {
                        all;
                    }
                    protocols {
                        all;
                    }
                }
                interfaces {
                    irb.99 {
                        host-inbound-traffic {
                            system-services {
                                all;
                            }
                            protocols {
                                all;
                            }
                        }
                    }
                }
            }
        }
    }


    interfaces {
        irb {
            unit 99 {
                family inet {
                    address 10.10.99.1/29;
                }
            }
        }
    }

    access {
        address-assignment {
            pool MistAP {
                family inet {
                    network 10.10.99.0/29;
                    range APs {
                        low 10.10.99.2;
                        high 10.10.99.4;
                    }
                    dhcp-attributes {
                        server-identifier 10.10.99.1;
                        name-server {
                            10.10.100.21;
                            203.22.124.73;
                        }
                        router {
                            10.10.99.1;
                        }
                    }
                }
            }
        }
    }



    vlans {
        Mist-APs {
            vlan-id 99;
            l3-interface irb.99;
        }
    }

    Trunk Interfaces

    EX2300 - INTERFACES

    ge-0/0/0 {
        native-vlan-id 99;
        unit 0 {
            family ethernet-switching {
                interface-mode trunk;
                vlan {
                    members [ MistAP ];
                }
                storm-control default;
            }
        }
    }
    /* CONNECTED TO MISTAP */
    ge-0/0/47 {
        native-vlan-id 99;
        unit 0 {
            family ethernet-switching {
                interface-mode trunk;
                vlan {
                    members [ MistAP ];
                }
                storm-control default;
            }
        }
    }



    SRX - INTERFACES

    ge-0/0/5 {
        native-vlan-id 99;
        unit 0 {
            family ethernet-switching {
                interface-mode trunk;
                vlan {
                    members [ Mist-APs ];
                }
            }
        }
    }


    When I went to check, I could reach the 10.10.99.1 gateway. Also, here are the packet captures I got from ge-0/0/47 on my EX2300 and from the SRX irb.99 interface:

    EX2300 CAPTURE:

    EX2300 - Packet Capture on ge-0/0/47 - MistAP-Juniper AP34 Directly Connected + PoE

    11:52:21.525968  In
            Juniper PCAP Flags [Ext, no-L2, In], PCAP Extension(s) total length 28
              Device Media Type Extension TLV #3, length 1, value: Ethernet (1)
              Logical Interface Encapsulation Extension TLV #6, length 1, value: Ethernet (14)
              Device Interface Index Extension TLV #1, length 2, value: 695
              Logical Interface Index Extension TLV #4, length 4, value: 545
              Logical Unit Number Extension TLV #5, length 4, value: 99
              IRB Information Extension TLV #9, length 4, value: Logical Interface Index: 545
            -----original packet-----
            PFE proto 2 (ipv4): (tos 0x0, ttl 255, id 0, offset 0, flags [none], proto: UDP (17), length: 396) 0.0.0.0.bootpc > 255.255.255.255.bootps: [udp sum ok] BOOTP/DHCP, Request from ac:23:16:85:cb:b6, length 300, xid 0x26e83697, Flags [none] (0x0000)
              Client-Ethernet-Address ac:23:16:85:cb:b6
              Vendor-rfc1048 Extensions
                Magic Cookie 0x63825363
                DHCP-Message Option 53, length 1: Discover
                Client-ID Option 61, length 7: ether ac:23:16:85:cb:b6
                MSZ Option 57, length 2: 576
                Parameter-Request Option 55, length 9:
                  Subnet-Mask, Default-Gateway, Domain-Name-Server, Hostname
                  Domain-Name, BR, NTP, Vendor-Option
                  Option 180
                Vendor-Class Option 60, length 12: "Mist AP43-WW"

    --- DIDN'T RECEIVE (DHCP-Message: Offer) frame from SRX [DHCP Server] ---



    SRX CAPTURE:

    SRX [DHCP Server] - tcpdump -vvvns 9600 -c 20 -i irb.99 (Packet Capture)

    11:52:22.539668  In
            Juniper PCAP Flags [Ext, no-L2, In], PCAP Extension(s) total length 28
              Device Media Type Extension TLV #3, length 1, value: Ethernet (1)
              Logical Interface Encapsulation Extension TLV #6, length 1, value: Ethernet (14)
              Device Interface Index Extension TLV #1, length 2, value: 33536
              Logical Interface Index Extension TLV #4, length 4, value: 81
              Logical Unit Number Extension TLV #5, length 4, value: 99
              IRB Information Extension TLV #9, length 4, value: Logical Interface Index: 81
            -----original packet-----
            IP (tos 0x0, ttl  64, id 0, offset 0, flags [none], proto: UDP (17), length: 328) 0.0.0.0.68 > 255.255.255.255.67: [udp sum ok] BOOTP/DHCP, Request from ac:23:16:85:cb:b6, length 300, xid 0x26e83697, Flags [none] (0x0000)
              Client-Ethernet-Address ac:23:16:85:cb:b6 (MAC ADDRESS OF MISTAP)
              Vendor-rfc1048 Extensions
                Magic Cookie 0x63825363
                DHCP-Message Option 53, length 1: Discover
                Client-ID Option 61, length 7: ether ac:23:16:85:cb:b6
                MSZ Option 57, length 2: 576
                Parameter-Request Option 55, length 9:
                  Subnet-Mask, Default-Gateway, Domain-Name-Server, Hostname
                  Domain-Name, BR, NTP, Vendor-Option
                  Option 180
                Vendor-Class Option 60, length 12: "Mist AP43-WW"
                END Option 255, length 0
                PAD Option 0, length 0, occurs 18
    11:52:22.540182 Out
            Juniper PCAP Flags [Ext], PCAP Extension(s) total length 34
              Device Media Type Extension TLV #3, length 1, value: Ethernet (1)
              Logical Interface Encapsulation Extension TLV #6, length 1, value: Ethernet (14)
              Device Interface Index Extension TLV #1, length 2, value: 33536
              Logical Interface Index Extension TLV #4, length 4, value: 81
              Logical Unit Number Extension TLV #5, length 4, value: 99
              IRB Information Extension TLV #9, length 4, value: Logical Interface Index: 81
              L2 Output Logical Interface Index Extension TLV #11, length 4, value: 75
            -----original packet-----
            IP (tos 0x0, ttl  64, id 7877, offset 0, flags [none], proto: UDP (17), length: 307) 10.10.99.1.67 > 255.255.255.255.68: [udp sum ok] BOOTP/DHCP, Reply, length 279, xid 0x26e83697, Flags [none] (0x0000)
              Your-IP 10.10.99.3
              Client-Ethernet-Address ac:23:16:85:cb:b6
              Vendor-rfc1048 Extensions
                Magic Cookie 0x63825363
                DHCP-Message Option 53, length 1: Offer
                Lease-Time Option 51, length 4: 86400
                Subnet-Mask Option 1, length 4: 255.255.255.248
                Server-ID Option 54, length 4: 10.10.99.1
                Default-Gateway Option 3, length 4: 10.10.99.1
                Domain-Name-Server Option 6, length 8: 10.10.100.21
                END Option 255, length 0
                PAD Option 0, length 0


    Also, if I do #show dhcp server bindings, it says this:

    10.10.99.3    48    ac:23:16:85:cb:b6    71987    SELECTING    irb.99

    My SRX can get the DHCP Discover frames from the Mist Access Point; however, the Offer is not being received by the EX2300 switch... How is that possible? They are on the same VLAN, and native VLAN 99 is on all trunks from the Access Point to the router. The network 10.10.99.0/29 on irb.99 is in the same security zone, and host-inbound-traffic is set to all for system-services and protocols!

    Strangely, if I reboot the Access Point a couple of times, at first it looks like the MistAP has gotten an IP, but then after a couple of seconds it flashes yellow 3 times, which indicates no IP address assigned.

    I am out of ideas about what the problem could be... I would appreciate it if someone could help me troubleshoot this issue :)



    ------------------------------
    Nick Cuervo Vanin
    ------------------------------
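The two captures above share one transaction: a Discover with xid 0x26e83697 from ac:23:16:85:cb:b6 and an Offer for 10.10.99.3 with Flags [none] that the server nevertheless broadcasts to 255.255.255.255 (the effect of the no-unicast-replies override). The following is an added example, not code from the post or from Juniper: a small Python DHCP parser that correlates Discover/Offer pairs by xid so that a capture can be checked mechanically for clients that never receive an Offer, and applies the RFC 2131 section 4.1 reply-addressing rule. The force_broadcast flag models the no-unicast-replies override and is an assumption about its semantics; the sample packets are constructed from the values in the captures, plus a second Discover with placeholder xid and MAC that gets no Offer.

```python
import struct
from ipaddress import IPv4Address

MAGIC_COOKIE = b"\x63\x82\x53\x63"   # RFC 2131 option-field magic cookie (0x63825363)
BROADCAST_FLAG = 0x8000               # high bit of the BOOTP 'flags' field
MSG_TYPES = {1: "Discover", 2: "Offer", 3: "Request", 5: "Ack", 6: "Nak"}


def _ip(s):
    return IPv4Address(s).packed


def build_dhcp(op, xid, chaddr, options, flags=0, ciaddr="0.0.0.0",
               yiaddr="0.0.0.0", giaddr="0.0.0.0"):
    """Build a minimal BOOTP/DHCP message: 236-byte fixed header, cookie, TLV options, END."""
    mac = bytes.fromhex(chaddr.replace(":", ""))
    header = struct.pack("!BBBBIHH4s4s4s4s16s64s128s",
                         op, 1, 6, 0, xid, 0, flags,
                         _ip(ciaddr), _ip(yiaddr), _ip("0.0.0.0"), _ip(giaddr),
                         mac.ljust(16, b"\0"), b"\0" * 64, b"\0" * 128)
    body = b"".join(bytes([code, len(val)]) + val for code, val in options)
    return header + MAGIC_COOKIE + body + b"\xff"


def parse_dhcp(data):
    """Extract the fields a troubleshooter cares about: op, xid, flags, addresses, message type."""
    (op, _htype, hlen, _hops, xid, _secs, flags, ciaddr, yiaddr, _siaddr, giaddr,
     chaddr) = struct.unpack("!BBBBIHH4s4s4s4s16s", data[:44])
    if data[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP message (magic cookie missing)")
    options, i = {}, 240
    while i < len(data) and data[i] != 255:   # 255 = END
        if data[i] == 0:                      # 0 = PAD, has no length byte
            i += 1
            continue
        code, length = data[i], data[i + 1]
        options[code] = data[i + 2:i + 2 + length]
        i += 2 + length
    msg_type = MSG_TYPES.get(options.get(53, b"\0")[0], "Unknown")
    return {
        "op": op, "xid": xid, "flags": flags,
        "ciaddr": str(IPv4Address(ciaddr)), "yiaddr": str(IPv4Address(yiaddr)),
        "giaddr": str(IPv4Address(giaddr)),
        "chaddr": ":".join(f"{b:02x}" for b in chaddr[:hlen]),
        "msg_type": msg_type, "options": options,
    }


def reply_destination(offer, force_broadcast=False):
    """Where a server sends OFFER/ACK per RFC 2131 section 4.1.
    force_broadcast models an override like Junos no-unicast-replies (assumed semantics)."""
    if offer["giaddr"] != "0.0.0.0":
        return (offer["giaddr"], 67)              # relayed request: reply to the relay agent
    if offer["ciaddr"] != "0.0.0.0":
        return (offer["ciaddr"], 68)              # client already has an address
    if offer["flags"] & BROADCAST_FLAG or force_broadcast:
        return ("255.255.255.255", 68)            # client asked for (or server forces) broadcast
    return (offer["yiaddr"], 68)                  # unicast to the not-yet-configured client


def unanswered_discovers(packets):
    """Correlate by xid; return (xid, chaddr) of every Discover that has no matching Offer."""
    seen = {}
    for msg in map(parse_dhcp, packets):
        seen.setdefault(msg["xid"], {})[msg["msg_type"]] = msg
    return sorted((xid, m["Discover"]["chaddr"]) for xid, m in seen.items()
                  if "Discover" in m and "Offer" not in m)


# Constructed sample packets built from the values visible in the captures above.
AP_MAC = "ac:23:16:85:cb:b6"
XID = 0x26e83697
DISCOVER = build_dhcp(1, XID, AP_MAC, [
    (53, b"\x01"), (61, b"\x01" + bytes.fromhex(AP_MAC.replace(":", ""))),
    (60, b"Mist AP43-WW"), (55, bytes([1, 3, 6, 12, 15, 28, 42, 43, 180]))])
OFFER = build_dhcp(2, XID, AP_MAC, [
    (53, b"\x02"), (51, struct.pack("!I", 86400)), (1, _ip("255.255.255.248")),
    (54, _ip("10.10.99.1")), (3, _ip("10.10.99.1")), (6, _ip("10.10.100.21"))],
    yiaddr="10.10.99.3")
# Placeholder second client (constructed xid and MAC) whose Discover is never answered.
ORPHAN = build_dhcp(1, 0x11111111, "00:11:22:33:44:55", [(53, b"\x01")])

if __name__ == "__main__":
    offer = parse_dhcp(OFFER)
    print("RFC 2131 unicast target:", reply_destination(offer))
    print("with no-unicast-replies:", reply_destination(offer, force_broadcast=True))
    print("Discovers without an Offer:", unanswered_discovers([DISCOVER, OFFER, ORPHAN]))
```

Run against a real capture, the correlation step is the useful part: if the server-side capture shows every xid answered but the switch-side capture lists the same xids as unanswered, the Offer is being lost between the two capture points rather than never generated, which narrows the search to the L2 path and the egress interface the server chose.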