SRX


Ask questions and share experiences about the SRX Series, vSRX, and cSRX.

IPsec VPN DHCP relay

  • 1.  IPsec VPN DHCP relay

    This message was posted by a user wishing to remain anonymous
    Posted 09-24-2024 10:31

    Hello everyone,

    I'm encountering a problem with my Juniper SRX320 setup configured with VRRP. Here's an overview of my configuration and the issue I'm facing:

    Setup:

    Devices:

    SRX1 (Primary): No 4G module, located at Site A.

    SRX2 (Backup): Equipped with a 4G module, located at Site B.

    Functionality:

    SRX1: Acts as the DHCP server for multiple networks. This setup works perfectly under normal conditions.

    SRX2: Serves as a backup default gateway in case of a fiber outage or similar issues at Site A.

    VRRP Configuration:

    VRRP is set up between SRX1 and SRX2, allowing SRX2 to take over as the default route when SRX1 becomes unavailable.

    Problem Scenario:

    When there is a disruption between Site A and Site B, SRX2 successfully takes over as the default gateway. However, in this failover state:

    Issue: Clients lose access to the DHCP server (SRX1) and only have internet connectivity until their DHCP lease expires.

    Attempted Solution: I set up a DHCP relay on SRX2 that points to the DHCP server SRX1 over a VPN tunnel. The VPN tunnel itself functions correctly, as I can ping all networks routed through it.

    Detailed Issue:

    Behavior:

    DHCP Discover: SRX2 successfully relays DHCPDISCOVER messages to SRX1.

    DHCP Offer: SRX1 never sends back DHCPOFFER messages over the VPN tunnel, even though I've created a static route pointing back to SRX2.

    Observations:

    Without the static route, DHCPOFFER messages are sent out through the default route.

    With a static route towards another accessible network, DHCPOFFER messages are sent out on all other interfaces except the VPN tunnel.

    Configurations:

    SRX1:

    vpn-tunnel st0.10 192.168.102.1/30
    
    # Access Pool
    pool 2204 {
        family inet {
            network 172.16.3.0/24;
            range 2204 {
                low 172.16.3.1;
                high 172.16.3.254;
            }
            dhcp-attributes {
                maximum-lease-time 172800;
                server-identifier 172.16.3.2;
                name-server {
                    8.8.8.8;
                    1.1.1.1;
                }
                router {
                    172.16.3.1;
                }
            }
            excluded-range 2204 {
                low 172.16.3.1;
                high 172.16.3.63;
            }
        }
    }
    
    # Security Policies
    from-zone vpn-zone to-zone vpn-zone {
        policy ALLOW-DHCP {
            match {
                source-address any;
                destination-address any;
                application any;
            }
            then {
                permit;
                log {
                    session-init;
                    session-close;
                }
            }
        }
    }
    
    # Security Zone vpn-zone
    host-inbound-traffic {
        system-services {
            any-service;
        }
    }
    interfaces {
        st0.10 {
            host-inbound-traffic {
                system-services {
                    any-service;
                }
            }
        }
    }
    
    # System Services DHCP Local Server
    pool-match-order {
        ip-address-first;
    }
    route-suppression {
        access-internal;
    }
    group default-group {
        ....
        interface st0.10;
    }
    
    requested-ip-interface-match;
    
    # Static Route
    route 172.16.0.3/32 next-hop 192.168.102.2;

    SRX2:

    # Security Policies from-zone DHCP_CLIENT_ZONE to-zone vpn-zone
    policy ALLOW-DHCP {
        match {
            source-address any;
            destination-address any;
            application [ junos-dhcp-relay junos-dhcp-server junos-dhcp-client junos-ping ];
        }
        then {
            permit;
        }
    }
    
    # Security Policies from-zone vpn-zone to-zone vpn-zone
    policy ALLOW-DHCP {
        match {
            source-address any;
            destination-address any;
            application [ junos-dhcp-relay junos-dhcp-server junos-dhcp-client junos-ping ];
        }
        then {
            permit;
        }
    }
    
    # Security Policies from-zone vpn-zone to-zone DHCP_CLIENT_ZONE
    policy ALLOW-DHCP {
        match {
            source-address any;
            destination-address any;
            application [ junos-dhcp-relay junos-dhcp-server junos-dhcp-client junos-ping ];
        }
        then {
            permit;
        }
    }
    
    # Security Zone vpn-zone
    host-inbound-traffic {
        system-services {
            ping;
            traceroute;
            dhcp;
        }
    }
    interfaces {
        st0.10;
    }
    
    # Security Zone DHCP_CLIENT_ZONE
    host-inbound-traffic {
        system-services {
            ping;
            dhcp;
        }
        protocols {
            vrrp;
        }
    }
    interfaces {
        ge-0/0/0.2204;
    }
    
    # Forwarding Options
    dhcp-relay {
        forward-snooped-clients all-interfaces;
        overrides {
            trust-option-82;
            delete-binding-on-renegotiation;
        }
        server-group {
            DHCP-SERVERS {
                192.168.102.1;
            }
        }
        group DHCP-RELAY {
            active-server-group DHCP-SERVERS;
            source-ip-change;
            interface ge-0/0/0.2204;
        }
    }

    What I've Tried:

    1. Firewall Rules: Initially set to allow all traffic to ensure functionality.

    2. Static Routes: Created a static route on SRX1 pointing back to SRX2, but DHCPOFFER messages are still not sent over the VPN tunnel.

    3. Without Static Route: DHCPOFFER messages are sent through the default route, but not through the VPN tunnel.

    Current Issue:

    Despite the VPN tunnel functioning correctly (I can ping all networks routed through the tunnel), SRX1 does not send DHCPOFFER messages back over the tunnel when relayed from SRX2. It seems the DHCPOFFER messages are not attempting to route through the VPN tunnel, even with the static route in place.

    Questions:

    1. Why aren't DHCPOFFER messages being routed back through the VPN tunnel despite the static route?

    2. What configurations might I be missing to ensure DHCP offers are correctly relayed back to clients via the VPN tunnel?

    3. Are there any specific settings or policies on Juniper SRX devices that could prevent DHCP relay from functioning as expected over a VPN tunnel?

    Additional Information:

    VPN Tunnel Configuration:

    SRX1: st0.10 with IP 192.168.102.1/30

    SRX2: st0.10 with IP 192.168.102.2/30

    DHCP Pool on SRX1: 172.16.3.0/24 with excluded range 172.16.3.1-172.16.3.63

    I appreciate any insights or suggestions to resolve this DHCP relay issue during failover scenarios. Thank you!


    Captures from dhcp client, relay and server:
    Client

    	6c:62:fe:81:df:a1 > Broadcast, ethertype 802.1Q (0x8100), length 333: vlan 2204, p 0, ethertype IPv4, (tos 0x0, ttl  64, id 20595, offset 0, flags [none], proto: UDP (17), length: 315) 0.0.0.0.bootpc > 255.255.255.255.bootps: [udp sum ok] BOOTP/DHCP, Request from 6c:62:fe:81:df:a1, length 287, xid 0x41ff40ab, Flags [Broadcast] (0x8000)
    	  Client-Ethernet-Address 6c:62:fe:81:df:a1
    	  Vendor-rfc1048 Extensions
    	    Magic Cookie 0x63825363
    	    Parameter-Request Option 55, length 14:
    	      Default-Gateway, Lease-Time, Subnet-Mask, Domain-Name
    	      Domain-Name-Server, TFTP, BF, Option 120
    	      Netbios-Name-Server, Vendor-Option, Option 150, Hostname
    	      LOG, NTP
    	    Requested-IP Option 50, length 4: 172.16.3.117
    	    DHCP-Message Option 53, length 1: Request
    	    Hostname Option 12, length 12: "HW4824030108"
    	    Lease-Time Option 51, length 4: 86400
    Reverse lookup was interrupted (check DNS reachability).

    SRX2

    PFE proto 2 (ipv4): (tos 0x0, ttl  64, id 20595, offset 0, flags [none], proto: UDP (17), length: 315) 0.0.0.0.bootpc > 255.255.255.255.bootps: [udp sum ok] BOOTP/DHCP, Request from 6c:62:fe:81:df:a1, length 287, xid 0x41ff40ab, Flags [Broadcast] (0x8000)
    	  Client-Ethernet-Address 6c:62:fe:81:df:a1
    	  Vendor-rfc1048 Extensions
    	    Magic Cookie 0x63825363
    	    Parameter-Request Option 55, length 14:
    	      Default-Gateway, Lease-Time, Subnet-Mask, Domain-Name
    	      Domain-Name-Server, TFTP, BF, Option 120
    	      Netbios-Name-Server, Vendor-Option, Option 150, Hostname
    	      LOG, NTP
    	    Requested-IP Option 50, length 4: 172.16.3.117
    	    DHCP-Message Option 53, length 1: Request
    	    Hostname Option 12, length 12: "HW4824030108"
    	    Lease-Time Option 51, length 4: 86400

    SRX1

    	PFE proto 2 (ipv4): (tos 0x0, ttl  64, id 5696, offset 0, flags [none], proto: UDP (17), length: 315) 192.168.102.2.bootps > 192.168.102.1.bootps: [udp sum ok] BOOTP/DHCP, Request from 6c:62:fe:81:df:a1, length 287, hops 1, xid 0x41ff40ab, Flags [Broadcast] (0x8000)
    	  Gateway-IP 172.16.3.3
    	  Client-Ethernet-Address 6c:62:fe:81:df:a1
    	  Vendor-rfc1048 Extensions
    	    Magic Cookie 0x63825363
    	    Parameter-Request Option 55, length 14:
    	      Default-Gateway, Lease-Time, Subnet-Mask, Domain-Name
    	      Domain-Name-Server, TFTP, BF, Option 120
    	      Netbios-Name-Server, Vendor-Option, Option 150, Hostname
    	      LOG, NTP
    	    Requested-IP Option 50, length 4: 172.16.3.117
    	    DHCP-Message Option 53, length 1: Request
    	    Hostname Option 12, length 12: "HW4824030108"
    	    Lease-Time Option 51, length 4: 86400

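The captures above show the relayed DISCOVER arriving at SRX1 with IP source 192.168.102.2 but `Gateway-IP 172.16.3.3`, which is the detail that decides where the DHCPOFFER goes. The following is an added worked example, not code from the post or from Junos: it serialises the BOOTP/DHCP messages a relay agent and a server exchange, applies the RFC 1542 relay rules and the RFC 2131 reply-addressing rules, and then does a longest-prefix lookup for the OFFER's destination. Addresses are the ones in the posted captures; the pool table, the lease handed out (172.16.3.117, the client's requested address) and the routing table are constructed for the demo, and the `src_addr` parameter only models the source address seen in the capture, not any Junos knob.

```python
"""Relay/server exchange behind the captures above, as an added worked example.

Not code from the post or from Junos. It builds the BOOTP/DHCP messages a relay
agent and a server exchange and applies the RFC 1542 relay rules and the RFC 2131
reply-addressing rules, so the return path of the DHCPOFFER can be reasoned about
from the wire format. Pool, lease and routing table are constructed for the demo.
"""
import ipaddress
import struct

MAGIC = b"\x63\x82\x53\x63"          # options-field magic cookie
BOOTREQUEST, BOOTREPLY = 1, 2
DISCOVER, OFFER = 1, 2               # option 53 message types
BROADCAST = 0x8000                   # RFC 2131 'B' flag, set in the posted captures
HDR = "!BBBBIHH4s4s4s4s16s64s128s"   # op htype hlen hops xid secs flags ciaddr yiaddr siaddr giaddr chaddr sname file

def ip4(s):
    return ipaddress.IPv4Address(s).packed

def build(op, hops, xid, flags, ciaddr, yiaddr, giaddr, chaddr, msg_type, opts=()):
    """Serialise a minimal DHCP message: 236-byte fixed header, cookie, option 53, options, end."""
    hdr = struct.pack(HDR, op, 1, 6, hops, xid, 0, flags, ip4(ciaddr), ip4(yiaddr),
                      b"\0" * 4, ip4(giaddr), chaddr.ljust(16, b"\0"), b"\0" * 64, b"\0" * 128)
    body = bytes([53, 1, msg_type]) + b"".join(bytes([c, len(v)]) + v for c, v in opts)
    return hdr + MAGIC + body + b"\xff"

def parse(pkt):
    """Decode the fields the relay and the server decide on."""
    f = struct.unpack(HDR, pkt[:236])
    if pkt[236:240] != MAGIC:
        raise ValueError("not a DHCP message")
    opts, i = {}, 240
    while i < len(pkt) and pkt[i] != 0xFF:
        if pkt[i] == 0:                       # pad option
            i += 1
            continue
        code, ln = pkt[i], pkt[i + 1]
        opts[code] = pkt[i + 2:i + 2 + ln]
        i += 2 + ln
    return {"op": f[0], "hops": f[3], "xid": f[4], "flags": f[6],
            "ciaddr": str(ipaddress.IPv4Address(f[7])), "yiaddr": str(ipaddress.IPv4Address(f[8])),
            "giaddr": str(ipaddress.IPv4Address(f[10])), "chaddr": f[11][:f[2]],
            "msg_type": opts[53][0], "opts": opts}

def relay(pkt, lan_if_addr, src_addr, server_addr):
    """Relay agent (RFC 1542 4.1.1): set giaddr to the address of the interface the
    request arrived on if it is still zero, increment hops, unicast to the server.
    src_addr is the IP source the relay puts on the forwarded datagram; the capture in
    the post shows it as the tunnel address 192.168.102.2 while giaddr is the LAN address
    172.16.3.3, and it is giaddr, not src_addr, that the server answers to."""
    m = parse(pkt)
    if m["hops"] >= 16:                       # RFC 1542: configurable threshold, 16 at most
        return None
    giaddr = m["giaddr"] if m["giaddr"] != "0.0.0.0" else lan_if_addr
    fwd = build(BOOTREQUEST, m["hops"] + 1, m["xid"], m["flags"], m["ciaddr"], "0.0.0.0",
                giaddr, m["chaddr"], m["msg_type"], [(c, v) for c, v in m["opts"].items() if c != 53])
    return {"src": src_addr, "dst": server_addr, "dport": 67, "pkt": fwd}

def reply_destination(req, yiaddr):
    """RFC 2131 4.1: giaddr set -> unicast to giaddr port 67 (the relay), whatever the IP
    source of the relayed request was; else ciaddr; else broadcast if B is set; else yiaddr."""
    if req["giaddr"] != "0.0.0.0":
        return req["giaddr"], 67
    if req["ciaddr"] != "0.0.0.0":
        return req["ciaddr"], 68
    if req["flags"] & BROADCAST:
        return "255.255.255.255", 68
    return yiaddr, 68

def server(pkt, rx_if_addr, pools, leases):
    """Server: pick the subnet from giaddr (RFC 2131 4.3.1), or from the address of the
    receiving interface when giaddr is zero; refuse a lease outside that subnet; build
    the OFFER and compute where it has to be sent. Option 54 is set to rx_if_addr here
    (constructed; the post's pool uses 172.16.3.2 as server-identifier)."""
    req = parse(pkt)
    selector = ipaddress.IPv4Address(req["giaddr"] if req["giaddr"] != "0.0.0.0" else rx_if_addr)
    pool = next((p for p in pools if selector in p), None)
    if pool is None:
        return {"error": "no pool contains subnet selector %s" % selector}
    yiaddr = leases[pool]
    if ipaddress.IPv4Address(yiaddr) not in pool:
        return {"error": "lease %s is outside %s" % (yiaddr, pool)}
    offer = build(BOOTREPLY, 0, req["xid"], req["flags"], "0.0.0.0", yiaddr, req["giaddr"],
                  req["chaddr"], OFFER, [(54, ip4(rx_if_addr)), (1, pool.netmask.packed)])
    dst, dport = reply_destination(req, yiaddr)
    return {"pool": str(pool), "yiaddr": yiaddr, "dst": dst, "dport": dport, "pkt": offer}

def route_lookup(rib, dst):
    """Longest-prefix match over a constructed RIB {IPv4Network: egress interface}."""
    d = ipaddress.IPv4Address(dst)
    best = max((p for p in rib if d in p), key=lambda p: p.prefixlen, default=None)
    return rib[best] if best is not None else None

def walkthrough(with_host_route=True):
    """Client DISCOVER -> SRX2 relay -> SRX1 server -> OFFER, with the post's addresses."""
    disc = build(BOOTREQUEST, 0, 0x41FF40AB, BROADCAST, "0.0.0.0", "0.0.0.0", "0.0.0.0",
                 bytes.fromhex("6c62fe81dfa1"), DISCOVER, [(12, b"HW4824030108")])
    fwd = relay(disc, lan_if_addr="172.16.3.3", src_addr="192.168.102.2", server_addr="192.168.102.1")
    pool = ipaddress.ip_network("172.16.3.0/24")
    ans = server(fwd["pkt"], "192.168.102.1", [pool], {pool: "172.16.3.117"})  # lease: constructed
    rib = {ipaddress.ip_network("0.0.0.0/0"): "ge-0/0/6.2030",      # constructed default route
           ipaddress.ip_network("192.168.102.0/30"): "st0.10"}       # the tunnel /30
    if with_host_route:
        rib[ipaddress.ip_network("172.16.3.3/32")] = "st0.10"       # the static route from the thread
    relayed = parse(fwd["pkt"])
    return {"relayed_from": fwd["src"], "giaddr": relayed["giaddr"], "hops": relayed["hops"],
            "yiaddr": ans["yiaddr"], "offer_to": ans["dst"], "offer_port": ans["dport"],
            "offer_egress": route_lookup(rib, ans["dst"])}

if __name__ == "__main__":
    for host_route in (True, False):
        print("with /32 route:" if host_route else "without /32 route:", walkthrough(host_route))
```

The point the walkthrough makes concrete: the OFFER is addressed to giaddr (172.16.3.3, port 67), never to the 192.168.102.2 source of the relayed packet, so the route that has to point into the tunnel on SRX1 is the one for the relay's giaddr; with no such route the lookup falls through to the default. The same `server()` function also shows the subnet-selection side: a request with giaddr zero is matched against the receiving interface's address, and st0.10's /30 contains no pool.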

  • 2.  RE: IPsec VPN DHCP relay

    This message was posted by a user wishing to remain anonymous
    Posted 09-24-2024 15:36

    This route is also present in the SRX1 config.

    route 172.16.3.3/32 next-hop 192.168.102.2



  • 3.  RE: IPsec VPN DHCP relay

    Posted 09-25-2024 12:21

    I would suggest you use monitor security flow to set up a flow trace on SRX1 for DHCP traffic so you can see what happens with the DHCPOFFER packet that goes missing. That may yield some clues.



    ------------------------------
    Nikolay Semov
    ------------------------------



  • 4.  RE: IPsec VPN DHCP relay

    This message was posted by a user wishing to remain anonymous
    Posted 09-26-2024 08:53

    I have set up a flow trace, but I can't see anything wrong. Maybe someone else can have a look.

    Relay (SRX2) 172.16.2.3

    DHCP-Server (SRX1) 192.168.102.1 

    vpn interface st0.10 

    Sep 26 13:14:10 13:14:10.572772:CID-0:RT:(flow_first_create_session) usp_tagged set session as mng session
    Sep 26 13:14:10 13:14:10.572772:CID-0:RT:First path alloc and instl pending session, natp=0xb63c540, id=257698098024
    Sep 26 13:14:10 13:14:10.572772:CID-0:RT:  flow_first_in_dst_nat: in <.local..0>, out <st0.10> dst_adr 172.16.2.3, sp 67, dp 67
    Sep 26 13:14:10 13:14:10.572772:CID-0:RT:  chose interface .local..0 as incoming nat if.
    Sep 26 13:14:10 13:14:10.572772:CID-0:RT:flow_first_rule_dst_xlate: packet 192.168.102.1->172.16.2.3 nsp2 0.0.0.0->172.16.2.3.
    Sep 26 13:14:10 13:14:10.572772:CID-0:RT:[JSF] Do ingress interest check. regd ingress plugins(2)
    Sep 26 13:14:10 13:14:10.572772:CID-0:RT:flag 0x9
    Sep 26 13:14:10 13:14:10.572772:CID-0:RT:[JSF][0]plugins(0x0) enabled for session = 257698098024  implicit mask(0x0), service request(0x0)
    Sep 26 13:14:10 13:14:10.572772:CID-0:RT:-jsf : no plugin ingress interested for session 257698098024
    Sep 26 13:14:10 13:14:10.572772:CID-0:RT:flow_first_routing: vr_id 0, call flow_route_lookup(): src_ip 192.168.102.1, x_dst_ip 172.16.2.3, in ifp .local..0, out ifp st0.10 sp 67, dp 67, ip_proto 17, tos 0
    Sep 26 13:14:10 13:14:10.572772:CID-0:RT:flow_first_routing: Doing DESTINATION addr route-lookup
    Sep 26 13:14:10 13:14:10.572772:CID-0:RT:flow_ipv4_rt_lkup success 172.16.2.3, iifl 0x0, oifl 0x5f
    Sep 26 13:14:10 13:14:10.572772:CID-0:RT:flow_first_routing: setting out_vrf_id in lpak to 0, grp 0
    Sep 26 13:14:10 13:14:10.572772:CID-0:RT:Checking in-ifp from .local..0 to st0.10 for src: 192.168.102.1 in vr_id:0
    Sep 26 13:14:10 13:14:10.572772:CID-0:RT:  routed (x_dst_ip 172.16.2.3) from junos-host (.local..0 in 0) to st0.10, Next-hop: 172.16.2.3
    Sep 26 13:14:10 13:14:10.572772:CID-0:RT:Policy lkup: vsys 0 zone(2:junos-host) -> zone(16:vpn-zone) scope:0
     src vrf (0) dsv vrf (0) scope:0
    Sep 26 13:14:10 13:14:10.572772:CID-0:RT:             192.168.102.1/67 -> 172.16.2.3/67 proto 17
    Sep 26 13:14:10 13:14:10.572772:CID-0:RT:policy_flow_search_internal::2084 policy_posid -1 potential_match_num 0
    
    Sep 26 13:14:10 13:14:10.572772:CID-0:RT:policy_flow_search_internal::2093 policy_posid -1 potential_match_num 0
    
    Sep 26 13:14:10 13:14:10.572772:CID-0:RT:policy_flow_search_internal::2169 policy_posid -1 potential_match_num 0
    
    Sep 26 13:14:10 13:14:10.572772:CID-0:RT:flow_first_policy_search: policy search from zone junos-host-> zone vpn-zone (0x0,0x430043,0x43), result: 0x8cdfb38, pending: 0?, is_http_cached = 0
    Sep 26 13:14:10 13:14:10.572772:CID-0:RT:flow_first_policy_search: dynapp_none_policy: TRUE, uc_none_policy: TRUE, is_final: 0x0, is_explicit: 0x0, policy_meta_data: 0x0
    Sep 26 13:14:10 13:14:10.572772:CID-0:RT:  app 28, timeout 60s, curr ageout 60s
    Sep 26 13:14:10 13:14:10.572772:CID-0:RT:  permitted by policy self-traffic-policy(1)
    Sep 26 13:14:10 13:14:10.572772:CID-0:RT:  packet passed, Permitted by policy.
    Sep 26 13:14:10 13:14:10.572772:CID-0:RT:flow_first_policy_search:policy explicit matched or jdpi final matched, set session with dynamic_appid 0
    Sep 26 13:14:10 13:14:10.572772:CID-0:RT:flow_first_policy_search: Policy final match
    Sep 26 13:14:10 13:14:10.572772:CID-0:RT:  flow_conn_track_ent_lookup: zone connection track 0x10
    Sep 26 13:14:10 13:14:10.572772:CID-0:RT:flow_first_src_xlate:  nat_src_xlated: False, nat_src_xlate_failed: False
    Sep 26 13:14:10 13:14:10.572772:CID-0:RT:flow_first_src_xlate:  incoming src port is : 67.
    Sep 26 13:14:10 13:14:10.572772:CID-0:RT:flow_first_src_xlate: src nat returns status: 0, rule/pool id: 0/0, pst_nat: False, nat_eim: False.
    Sep 26 13:14:10 13:14:10.572772:CID-0:RT:  dip id = 0/0, 192.168.102.1/67->192.168.102.1/67 protocol 0
    Sep 26 13:14:10 13:14:10.572772:CID-0:RT:flow_first_get_out_ifp: tunnel out 0x9f15de0, tun id 67109030, tun if ge-0/0/6.2030, tun bind if st0.10
    Sep 26 13:14:10 13:14:10.572772:CID-0:RT:  choose interface ge-0/0/6.2030(P2P) as outgoing phy if
    Sep 26 13:14:10 13:14:10.572772:CID-0:RT:is_loop_pak: No loop: on ifp: st0.10, addr: 172.16.2.3, rtt_idx:0
    Sep 26 13:14:10 13:14:10.572772:CID-0:RT:[JSF]Normal interest check. regd plugins 48, enabled impl mask 0x0
    Sep 26 13:14:10 13:14:10.572772:CID-0:RT:flag 0x9
    Sep 26 13:14:10 13:14:10.572772:CID-0:RT:get NULL sess plugin info 0xb63c540
    Sep 26 13:14:10 13:14:10.572772:CID-0:RT:msvcs_session_id_is_explicit_proxy_session::7091 swg svc info not found
    
    Sep 26 13:14:10 13:14:10.572772:CID-0:RT:msvcs_session_id_is_explicit_proxy_session::7094 natp not found for session 257698098024 type 0
    
    Sep 26 13:14:10 13:14:10.572772:CID-0:RT:get NULL sess plugin info 0xb63c540
    Sep 26 13:14:10 13:14:10.572772:CID-0:RT:msvcs_session_id_is_explicit_proxy_session::7091 swg svc info not found
    
    Sep 26 13:14:10 13:14:10.572772:CID-0:RT:msvcs_session_id_is_explicit_proxy_session::7094 natp not found for session 257698098024 type 0
    
    Sep 26 13:14:10 13:14:10.572772:CID-0:RT:msvcs_session_id_is_explicit_proxy_session::7091 swg svc info not found
    
    Sep 26 13:14:10 13:14:10.572772:CID-0:RT:msvcs_session_id_is_explicit_proxy_session::7094 natp not found for session 257698098024 type 0
    
    Sep 26 13:14:10 13:14:10.572772:CID-0:RT:msvcs_session_id_is_explicit_proxy_session::7091 swg svc info not found
    
    Sep 26 13:14:10 13:14:10.572772:CID-0:RT:msvcs_session_id_is_explicit_proxy_session::7094 natp not found for session 257698098024 type 0
    
    Sep 26 13:14:10 13:14:10.572772:CID-0:RT:msvcs_session_id_is_explicit_proxy_session::7091 swg svc info not found
    
    Sep 26 13:14:10 13:14:10.572772:CID-0:RT:msvcs_session_id_is_explicit_proxy_session::7094 natp not found for session 257698098024 type 0
    
    Sep 26 13:14:10 13:14:10.572772:CID-0:RT:msvcs_session_id_is_explicit_proxy_session::7091 swg svc info not found
    
    Sep 26 13:14:10 13:14:10.572772:CID-0:RT:msvcs_session_id_is_explicit_proxy_session::7094 natp not found for session 257698098024 type 0
    
    Sep 26 13:14:10 13:14:10.572772:CID-0:RT:get NULL sess plugin info 0xb63c540
    Sep 26 13:14:10 13:14:10.572772:CID-0:RT:msvcs_session_id_is_explicit_proxy_session::7091 swg svc info not found
    
    Sep 26 13:14:10 13:14:10.572772:CID-0:RT:msvcs_session_id_is_explicit_proxy_session::7094 natp not found for session 257698098024 type 0
    
    Sep 26 13:14:10 13:14:10.572772:CID-0:RT:msvcs_session_id_is_explicit_proxy_session::7091 swg svc info not found
    
    Sep 26 13:14:10 13:14:10.572772:CID-0:RT:msvcs_session_id_is_explicit_proxy_session::7094 natp not found for session 257698098024 type 2
    
    Sep 26 13:14:10 13:14:10.572772:CID-0:RT:get NULL sess plugin info 0xb63c540
    Sep 26 13:14:10 13:14:10.572772:CID-0:RT:msvcs_session_id_is_explicit_proxy_session::7091 swg svc info not found
    
    Sep 26 13:14:10 13:14:10.572772:CID-0:RT:msvcs_session_id_is_explicit_proxy_session::7094 natp not found for session 257698098024 type 2
    
    Sep 26 13:14:10 13:14:10.572772:CID-0:RT:msvcs_session_id_is_explicit_proxy_session::7091 swg svc info not found
    
    Sep 26 13:14:10 13:14:10.572772:CID-0:RT:msvcs_session_id_is_explicit_proxy_session::7094 natp not found for session 257698098024 type 0
    
    Sep 26 13:14:10 13:14:10.572772:CID-0:RT:msvcs_session_id_is_explicit_proxy_session::7091 swg svc info not found
    
    Sep 26 13:14:10 13:14:10.572772:CID-0:RT:msvcs_session_id_is_explicit_proxy_session::7094 natp not found for session 257698098024 type 2
    
    Sep 26 13:14:10 13:14:10.572772:CID-0:RT:msvcs_session_id_is_explicit_proxy_session::7091 swg svc info not found
    
    Sep 26 13:14:10 13:14:10.572772:CID-0:RT:msvcs_session_id_is_explicit_proxy_session::7094 natp not found for session 257698098024 type 1
    
    Sep 26 13:14:10 13:14:10.572772:CID-0:RT:get NULL sess plugin info 0xb63c540
    Sep 26 13:14:10 13:14:10.572772:CID-0:RT:get NULL sess plugin info 0xb63c540
    Sep 26 13:14:10 13:14:10.572772:CID-0:RT:+++++++++++jsf_test_plugin_data_evh: 3
    Sep 26 13:14:10 13:14:10.572772:CID-0:RT:get NULL sess plugin info 0xb63c540
    Sep 26 13:14:10 13:14:10.572772:CID-0:RT:get NULL sess plugin info 0xb63c540
    Sep 26 13:14:10 13:14:10.572772:CID-0:RT:msvcs_session_id_is_explicit_proxy_session::7091 swg svc info not found
    
    Sep 26 13:14:10 13:14:10.572772:CID-0:RT:msvcs_session_id_is_explicit_proxy_session::7094 natp not found for session 257698098024 type 1
    
    Sep 26 13:14:10 13:14:10.572772:CID-0:RT:get NULL sess plugin info 0xb63c540
    Sep 26 13:14:10 13:14:10.572772:CID-0:RT:get NULL sess plugin info 0xb63c540
    Sep 26 13:14:10 13:14:10.572772:CID-0:RT:msvcs_session_id_is_explicit_proxy_session::7091 swg svc info not found
    
    Sep 26 13:14:10 13:14:10.572772:CID-0:RT:msvcs_session_id_is_explicit_proxy_session::7094 natp not found for session 257698098024 type 1
    
    Sep 26 13:14:10 13:14:10.572772:CID-0:RT:msvcs_session_id_is_explicit_proxy_session::7091 swg svc info not found
    
    Sep 26 13:14:10 13:14:10.572772:CID-0:RT:msvcs_session_id_is_explicit_proxy_session::7094 natp not found for session 257698098024 type 2
    
    Sep 26 13:14:10 13:14:10.572772:CID-0:RT:[JSF]Plugins(0x0, count 0) enabled for session = 257698098024, impli mask(0x0), post_nat cnt 0 svc req(0x0)
    Sep 26 13:14:10 13:14:10.572772:CID-0:RT:-jsf : no plugin interested for session 257698098024, free sess plugin info
    Sep 26 13:14:10 13:14:10.572772:CID-0:RT:jsf pre int check result 0 0 0 0
    Sep 26 13:14:10 13:14:10.572772:CID-0:RT:  service lookup identified service 28.
    Sep 26 13:14:10 13:14:10.572772:CID-0:RT:  flow_first_final_check: in <.local..0>, out <ge-0/0/6.2030>
    Sep 26 13:14:10 13:14:10.572772:CID-0:RT:In flow_first_complete_session
    Sep 26 13:14:10 13:14:10.572772:CID-0:RT:flow_first_complete_session, pak_ptr: 0x2088b10, nsp: 0xb63c540, in_tunnel: 0x0
    Sep 26 13:14:10 13:14:10.572772:CID-0:RT:before copy: nsp vec_list 0x0, nsp2 vec_list 0x0
    Sep 26 13:14:10 13:14:10.572772:CID-0:RT:after copy: nsp vec_list 0x0, nsp2 vec_list 0x0
    Sep 26 13:14:10 13:14:10.572772:CID-0:RT:construct v4 vector for nsp2 and nsp
    Sep 26 13:14:10 13:14:10.572772:CID-0:RT:  existing vector list 0x0-0x6859b078.
    Sep 26 13:14:10 13:14:10.572772:CID-0:RT:vector index for nsp2: 0
    Sep 26 13:14:10 13:14:10.572772:CID-0:RT:  existing vector list 0x0-0x6859b078.
    Sep 26 13:14:10 13:14:10.572772:CID-0:RT:vector index for nsp: 0
    Sep 26 13:14:10 13:14:10.572772:CID-0:RT:  Session (id:257698098024) created for first pak 0
    Sep 26 13:14:10 13:14:10.572772:CID-0:RT:first pak processing successful
    Sep 26 13:14:10 13:14:10.572772:CID-0:RT:  flow_first_install_session======> 0xb63c540
    Sep 26 13:14:10 13:14:10.572772:CID-0:RT: nsp 0xb63c540, nsp2 0xb63c5e0, local_pak 0x2088b10
    Sep 26 13:14:10 13:14:10.572772:CID-0:RT:  make_nsp_ready_no_resolve()
    Sep 26 13:14:10 13:14:10.572772:CID-0:RT:flow_ipv4_rt_lkup success 192.168.102.1, iifl 0x0, oifl 0x0
    Sep 26 13:14:10 13:14:10.572772:CID-0:RT:  route lookup: dest-ip 192.168.102.1 orig ifp .local..0 output_ifp .local..0  orig-zone 2 out-zone 2 need_clear_fto 0 vsd 0, route_flag: 0x8
    Sep 26 13:14:10 13:14:10.572772:CID-0:RT:  route to 192.168.102.1
    Sep 26 13:14:10 13:14:10.572772:CID-0:RT:no need update ha
    Sep 26 13:14:10 13:14:10.572772:CID-0:RT:  flow_conn_track_ent_create: connection track on zone 2 not enabled
    Sep 26 13:14:10 13:14:10.572772:CID-0:RT:first path session installation succeeded
    Sep 26 13:14:10 13:14:10.572772:CID-0:RT:  flow got session.
    Sep 26 13:14:10 13:14:10.572772:CID-0:RT: flow fast tcp/udp session id 257698098024
    Sep 26 13:14:10 13:14:10.572772:CID-0:RT: vector bits 0x0 vector 0x6859b078 for session 257698098024
    Sep 26 13:14:10 13:14:10.572772:CID-0:RT:mbuf 0x61039280, exit nh 0x940010
    Sep 26 13:14:10 13:14:10.572772:CID-0:RT:flow_process_pkt_exception: Freeing lpak 0x2088b10 associated with mbuf 0x61039280
    Sep 26 13:14:10 13:14:10.572772:CID-0:RT: ---- flow_process_pkt rc 0x0 (fp rc 0)
    Sep 26 13:14:14 13:14:14.599303:CID-0:RT:
    Sep 26 13:14:14 13:14:14.599303:CID-0:RT:~~~FLOW <172.16.2.3/67->192.168.102.1/67;17,0x0> matched filter DHCP-MONITORING(0) in root-logical-system for iif st0.10 of root-logical-system:
    Sep 26 13:14:14 13:14:14.599303:CID-0:RT:   packet [315] ipid = 1894, @0x5e5c3d48
    Sep 26 13:14:14 13:14:14.599303:CID-0:RT:---- flow_process_pkt: (thd 1): flow_ctxt type 1, common flag 0x0, mbuf 0x5e5c3b00, rtbl_idx = 0
    Sep 26 13:14:14 13:14:14.599303:CID-0:RT:flow_process_pkt: COS val at start: fc: 0, dp: 0
    
    Sep 26 13:14:14 13:14:14.599303:CID-0:RT:flow process pak, mbuf 0x5e5c3b00, ifl 95, ctxt_type 1 inq type 6
    Sep 26 13:14:14 13:14:14.599303:CID-0:RT: in_ifp <vpn-zone:st0.10>
    Sep 26 13:14:14 13:14:14.599303:CID-0:RT:flow_process_pkt_exception: setting rtt in lpak to 0x20e3280
    Sep 26 13:14:14 13:14:14.599303:CID-0:RT:flow_process_pkt_exception: setting in_vrf_id in lpak to 0, grp 0
    Sep 26 13:14:14 13:14:14.599303:CID-0:RT:host inq check inq_type 0x6
    Sep 26 13:14:14 13:14:14.599303:CID-0:RT:pkt out of tunnel.Proceed normally
    Sep 26 13:14:14 13:14:14.599303:CID-0:RT:  st0.10:172.16.2.3/67->192.168.102.1/67, udp
    Sep 26 13:14:14 13:14:14.599303:CID-0:RT: find flow: table 0x6efc350, hash 7491(0xffff), sa 172.16.2.3, da 192.168.102.1, sp 67, dp 67, proto 17, tok 16, conn-tag 0x00000000, vrf-grp-id 0 , conn_tag_type: 0
    Sep 26 13:14:14 13:14:14.599303:CID-0:RT:Found: session id 257698098024. sess tok 16
    Sep 26 13:14:14 13:14:14.599303:CID-0:RT:  flow got session (id 257698098024).
    Sep 26 13:14:14 13:14:14.599303:CID-0:RT:  flow session id 257698098024
    Sep 26 13:14:14 13:14:14.599303:CID-0:RT:  refreshing session
    Sep 26 13:14:14 13:14:14.599303:CID-0:RT: vector bits 0x0 vector 0x6859b078 for session 257698098024
    Sep 26 13:14:14 13:14:14.599303:CID-0:RT:flow_insert_usp_tag insert usp tag for apps, rtt_id =0 usp_tag_ptr =0x5e5c3bac, mbuf=0x5e5c3b00
    
    Sep 26 13:14:14 13:14:14.599303:CID-0:RT:mbuf 0x5e5c3b00, exit nh 0xfffb0006
    Sep 26 13:14:14 13:14:14.599303:CID-0:RT:flow_process_pkt_exception: Freeing lpak 0x2088cf0 associated with mbuf 0x5e5c3b00
    Sep 26 13:14:14 13:14:14.599303:CID-0:RT: ---- flow_process_pkt rc 0x0 (fp rc 0)
    Sep 26 13:14:14 13:14:14.602969:CID-0:RT:
    Sep 26 13:14:14 13:14:14.602969:CID-0:RT:~~~FLOW <192.168.102.1/67->172.16.2.3/67;17,0x0> matched filter DHCP-MONITORING(0) in root-logical-system for iif .local..0 of root-logical-system:
    Sep 26 13:14:14 13:14:14.602969:CID-0:RT:   packet [279] ipid = 43616, @0x610259c1
    Sep 26 13:14:14 13:14:14.602969:CID-0:RT:---- flow_process_pkt: (thd 1): flow_ctxt type 0, common flag 0x0, mbuf 0x61025780, rtbl_idx = 0
    Sep 26 13:14:14 13:14:14.602969:CID-0:RT:flow_process_pkt: COS val at start: fc: 3, dp: 0
    
    Sep 26 13:14:14 13:14:14.602969:CID-0:RT:flow process pak, mbuf 0x61025780, ifl 0, ctxt_type 0 inq type 5
    Sep 26 13:14:14 13:14:14.602969:CID-0:RT: in_ifp <junos-host:.local..0>
    Sep 26 13:14:14 13:14:14.602969:CID-0:RT:flow_process_pkt_exception: setting rtt in lpak to 0x20e3280
    Sep 26 13:14:14 13:14:14.602969:CID-0:RT:flow_process_pkt_exception: setting in_vrf_id in lpak to 0, grp 0
    Sep 26 13:14:14 13:14:14.602969:CID-0:RT:host inq check inq_type 0x5
    Sep 26 13:14:14 13:14:14.602969:CID-0:RT:flow_populate_lpak_from_usptag: usptag magic 0x9110114, vr-id 0, usp_tag=0x6102586c, mbuf=0x61025780
    Sep 26 13:14:14 13:14:14.602969:CID-0:RT:Using out_ifp from pfe_tag with index 95
    Sep 26 13:14:14 13:14:14.602969:CID-0:RT: ipv4 from host, pfe tag vr id set 0
    Sep 26 13:14:14 13:14:14.602969:CID-0:RT:Using vr id from pfe_tag with value= 0
    Sep 26 13:14:14 13:14:14.602969:CID-0:RT:Changing lpak->in_ifp from:.local..0 -> to:.local..0
    Sep 26 13:14:14 13:14:14.602969:CID-0:RT:
    Sep 26 13:14:14 13:14:14.602969:CID-0:RT:~~~FLOW <192.168.102.1/67->172.16.2.3/67;17,0x0> matched filter DHCP-MONITORING(0) in root-logical-system for iif .local..0 of root-logical-system:
    Sep 26 13:14:14 13:14:14.602969:CID-0:RT:   packet [279] ipid = 43616, @0x610259c1
    Sep 26 13:14:14 13:14:14.602969:CID-0:RT:Over-riding lpak->vsys with 0
    Sep 26 13:14:14 13:14:14.602969:CID-0:RT:Doing IPSec traffic-selector match for [Proto:17] 192.168.102.1/67 -> 172.16.2.3/67
    
    Sep 26 13:14:14 13:14:14.602969:CID-0:RT: Did not find traffic-selector enabled nsp_tunnel for  st0-ifp st0.10. Finding non-traffic-selector nsp_tunnel
    Sep 26 13:14:14 13:14:14.602969:CID-0:RT: Found non-NHTB IPSec nsp_tunnel for ifp st0.10
    Sep 26 13:14:14 13:14:14.602969:CID-0:RT: Found IPSec nsp_tunnel 0x9f15de0 for bind-ifp st0.10
    Sep 26 13:14:14 13:14:14.602969:CID-0:RT:Using out-tunnel 0x9f15de0
    Sep 26 13:14:14 13:14:14.602969:CID-0:RT: find flow: table 0x6efc350, hash 43088(0xffff), sa 192.168.102.1, da 172.16.2.3, sp 67, dp 67, proto 17, tok 2, conn-tag 0x00000000, vrf-grp-id 0 , conn_tag_type: 0
    Sep 26 13:14:14 13:14:14.602969:CID-0:RT:  flow got session.
    Sep 26 13:14:14 13:14:14.602969:CID-0:RT: flow fast tcp/udp session id 257698098024
    Sep 26 13:14:14 13:14:14.602969:CID-0:RT: vector bits 0x0 vector 0x6859b078 for session 257698098024
    Sep 26 13:14:14 13:14:14.602969:CID-0:RT:mbuf 0x61025780, exit nh 0x940010
    Sep 26 13:14:14 13:14:14.602969:CID-0:RT:flow_process_pkt_exception: Freeing lpak 0x2088b10 associated with mbuf 0x61025780
    Sep 26 13:14:14 13:14:14.602969:CID-0:RT: ---- flow_process_pkt rc 0x0 (fp rc 0)




  • 5.  RE: IPsec VPN DHCP relay

    Posted 09-26-2024 12:51

    The trace pointed out something I missed before. You're relaying DHCP to 192.168.102.1 and you've bound the dhcp-group to st0.10, but you also have "requested-ip-interface-match" configured, which directs the DHCP server to ensure the addresses it issues are in the same subnet as the interface (st0.10), which is 192.168.102.0/30. Try relaying DHCP to 172.16.3.2 instead of 192.168.102.1 (you'll need a static route for 172.16.3.2 on SRX2, just like the 172.16.3.3 route on SRX1).

    Or maybe try removing that requested-ip-interface-match option (though I'd rather not remove that if it can be avoided at all).



    ------------------------------
    Nikolay Semov
    ------------------------------



  • 6.  RE: IPsec VPN DHCP relay

    This message was posted by a user wishing to remain anonymous
    Posted 09-27-2024 10:39

    Thanks for the input, Nikolay! I tried what you suggested, but without success. Using "show dhcp server statistics" I can see that "Messages Sent: DHCPOFFER" is increasing, and "show dhcp server binding brief" shows that the DHCP server has selected an IP for the client.

    I've attached the flow trace from the new attempt, where you can see that "ge-0/0/6.2030" is mentioned a few times, since this is the physical interface of the VPN tunnel. Could this be a clue?

    SRX1 

    • 172.16.3.2 DHCP Server
    • st0.10 VPN interface
    • ge-0/0/6.2030 Public facing interface
    • ge-0/0/7.2203 Directly attached interface of the 172.16.3.0/24 network

    SRX2 

    • 172.17.3.3 DHCP Relay

    DHCPDISCOVER message captured on SRX1:

    	PFE proto 2 (ipv4): (tos 0x0, ttl  64, id 8293, offset 0, flags [none], proto: UDP (17), length: 293) 172.16.2.3.bootps > 172.16.2.2.bootps: [udp sum ok] BOOTP/DHCP, Request from 00:cc:34:b5:02:7e, length 265, hops 1, xid 0x19d30e97, Flags [Broadcast] (0x8000)
    	  Gateway-IP 172.16.2.3
    	  Client-Ethernet-Address 00:cc:34:b5:02:7e
    	  Vendor-rfc1048 Extensions
    	    Magic Cookie 0x63825363
    	    DHCP-Message Option 53, length 1: Discover
    	    Hostname Option 12, length 12: "HW3621150011"
    	    Lease-Time Option 51, length 4: 86400

    Show dhcp server binding brief on SRX1

    IP address        Session Id  Hardware address   Expires     State      Interface
    172.16.2.201      2512        00:cc:34:b5:02:7e  172714      SELECTING  st0.10

    Flowtrace on SRX1

    Sep 27 08:46:30 08:46:30.849154:CID-0:RT:  Session (id:81604437305) created for first pak 0
    Sep 27 08:46:30 08:46:30.849154:CID-0:RT:first pak processing successful
    Sep 27 08:46:30 08:46:30.849154:CID-0:RT:  flow_first_install_session======> 0xb55db80
    Sep 27 08:46:30 08:46:30.849154:CID-0:RT: nsp 0xb55db80, nsp2 0xb55dc20, local_pak 0x2088cf0
    Sep 27 08:46:30 08:46:30.849154:CID-0:RT:flow_proc_loop_back:In loopback session processing
    Sep 27 08:46:30 08:46:30.849154:CID-0:RT:duplicate_local_pak: duplicated pak has zone: Unknown, ifp: none, vsys: root-logical-system, 172.16.2.3->172.16.2.2, lports   430043, tlen 293
    Sep 27 08:46:30 08:46:30.849154:CID-0:RT:flow_xlate_pak
    Sep 27 08:46:30 08:46:30.849154:CID-0:RT: flow_xlate_udp_pak skip xlate .
    Sep 27 08:46:30 08:46:30.849154:CID-0:RT:  post addr xlation: 172.16.2.3->172.16.2.2.
    Sep 27 08:46:30 08:46:30.849154:CID-0:RT:proc_loopback_common: Found loop if ge-0/0/7.2203
    Sep 27 08:46:30 08:46:30.849154:CID-0:RT:check self-traffic on ge-0/0/7.2203, in_tunnel 0x9f15de0 dp 67
    Sep 27 08:46:30 08:46:30.849154:CID-0:RT:retcode: 0xc02
    Sep 27 08:46:30 08:46:30.849154:CID-0:RT:pak_for_self : proto 17, dst port 67, action Allow, by not creating session
    Sep 27 08:46:30 08:46:30.849154:CID-0:RT:flow_first_install_session: Loopback session processing aborted
    Sep 27 08:46:30 08:46:30.849154:CID-0:RT:msvcs_session_id_is_explicit_proxy_session::7091 swg svc info not found
    
    Sep 27 08:46:30 08:46:30.849154:CID-0:RT:msvcs_session_id_is_explicit_proxy_session::7094 natp not found for session 81604437305 type 2
    
    Sep 27 08:46:30 08:46:30.849154:CID-0:RT:msvcs_session_id_is_explicit_proxy_session::7091 swg svc info not found
    
    Sep 27 08:46:30 08:46:30.849154:CID-0:RT:msvcs_session_id_is_explicit_proxy_session::7094 natp not found for session 81604437305 type 1
    
    Sep 27 08:46:30 08:46:30.849154:CID-0:RT:msvcs_session_id_is_explicit_proxy_session::7091 swg svc info not found
    
    Sep 27 08:46:30 08:46:30.849154:CID-0:RT:msvcs_session_id_is_explicit_proxy_session::7094 natp not found for session 81604437305 type 0
    
    Sep 27 08:46:30 08:46:30.849154:CID-0:RT:get NULL sess plugin info 0xb55db80
    Sep 27 08:46:30 08:46:30.849154:CID-0:RT:get NULL sess plugin info 0xb55db80
    Sep 27 08:46:30 08:46:30.849154:CID-0:RT:get NULL sess plugin info 0xb55db80
    Sep 27 08:46:30 08:46:30.849154:CID-0:RT:get NULL sess plugin info 0xb55db80
    Sep 27 08:46:30 08:46:30.849154:CID-0:RT:get NULL sess plugin info 0xb55db80
    Sep 27 08:46:30 08:46:30.849154:CID-0:RT:flow_insert_usp_tag insert usp tag for apps, rtt_id =0 usp_tag_ptr =0x5df382ac, mbuf=0x5df38200
    
    Sep 27 08:46:30 08:46:30.849154:CID-0:RT:  flow bypass session.
    Sep 27 08:46:30 08:46:30.849154:CID-0:RT:flow_process_pkt_exception: Freeing lpak 0x2088cf0 associated with mbuf 0x5df38200
    Sep 27 08:46:30 08:46:30.849154:CID-0:RT: ---- flow_process_pkt rc 0x0 (fp rc 0)
    Sep 27 08:46:30 08:46:30.852088:CID-0:RT:
    Sep 27 08:46:30 08:46:30.852088:CID-0:RT:~~~FLOW <172.16.2.2/67->172.16.2.3/67;17,0x0> matched filter DHCP-MONITORING(0) in root-logical-system for iif .local..0 of root-logical-system:
    Sep 27 08:46:30 08:46:30.852088:CID-0:RT:   packet [307] ipid = 2835, @0x61043fc1
    Sep 27 08:46:30 08:46:30.852088:CID-0:RT:---- flow_process_pkt: (thd 1): flow_ctxt type 0, common flag 0x0, mbuf 0x61043d80, rtbl_idx = 0
    Sep 27 08:46:30 08:46:30.852088:CID-0:RT:flow_process_pkt: COS val at start: fc: 3, dp: 0
    
    Sep 27 08:46:30 08:46:30.852088:CID-0:RT:flow process pak, mbuf 0x61043d80, ifl 0, ctxt_type 0 inq type 5
    Sep 27 08:46:30 08:46:30.852088:CID-0:RT: in_ifp <junos-host:.local..0>
    Sep 27 08:46:30 08:46:30.852088:CID-0:RT:flow_process_pkt_exception: setting rtt in lpak to 0x20e3280
    Sep 27 08:46:30 08:46:30.852088:CID-0:RT:flow_process_pkt_exception: setting in_vrf_id in lpak to 0, grp 0
    Sep 27 08:46:30 08:46:30.852088:CID-0:RT:host inq check inq_type 0x5
    Sep 27 08:46:30 08:46:30.852088:CID-0:RT:flow_populate_lpak_from_usptag: usptag magic 0x9110114, vr-id 0, usp_tag=0x61043e6c, mbuf=0x61043d80
    Sep 27 08:46:30 08:46:30.852088:CID-0:RT:Using out_ifp from pfe_tag with index 95
    Sep 27 08:46:30 08:46:30.852088:CID-0:RT: ipv4 from host, pfe tag vr id set 0
    Sep 27 08:46:30 08:46:30.852088:CID-0:RT:Using vr id from pfe_tag with value= 0
    Sep 27 08:46:30 08:46:30.852088:CID-0:RT:Changing lpak->in_ifp from:.local..0 -> to:.local..0
    Sep 27 08:46:30 08:46:30.852088:CID-0:RT:
    Sep 27 08:46:30 08:46:30.852088:CID-0:RT:~~~FLOW <172.16.2.2/67->172.16.2.3/67;17,0x0> matched filter DHCP-MONITORING(0) in root-logical-system for iif .local..0 of root-logical-system:
    Sep 27 08:46:30 08:46:30.852088:CID-0:RT:   packet [307] ipid = 2835, @0x61043fc1
    Sep 27 08:46:30 08:46:30.852088:CID-0:RT:Over-riding lpak->vsys with 0
    Sep 27 08:46:30 08:46:30.852088:CID-0:RT:Doing IPSec traffic-selector match for [Proto:17] 172.16.2.2/67 -> 172.16.2.3/67
    
    Sep 27 08:46:30 08:46:30.852088:CID-0:RT: Did not find traffic-selector enabled nsp_tunnel for  st0-ifp st0.10. Finding non-traffic-selector nsp_tunnel
    Sep 27 08:46:30 08:46:30.852088:CID-0:RT: Found non-NHTB IPSec nsp_tunnel for ifp st0.10
    Sep 27 08:46:30 08:46:30.852088:CID-0:RT: Found IPSec nsp_tunnel 0x9f15de0 for bind-ifp st0.10
    Sep 27 08:46:30 08:46:30.852088:CID-0:RT:Using out-tunnel 0x9f15de0
    Sep 27 08:46:30 08:46:30.852088:CID-0:RT: find flow: table 0x6efc350, hash 27962(0xffff), sa 172.16.2.2, da 172.16.2.3, sp 67, dp 67, proto 17, tok 2, conn-tag 0x00000000, vrf-grp-id 0 , conn_tag_type: 0
    Sep 27 08:46:30 08:46:30.852088:CID-0:RT:  flow_first_create_session
    Sep 27 08:46:30 08:46:30.852088:CID-0:RT:Save init hash spu id 0 to nsp and nsp2!
    Sep 27 08:46:30 08:46:30.852088:CID-0:RT:(flow_first_create_session) usp_tagged set session as mng session
    Sep 27 08:46:30 08:46:30.852088:CID-0:RT:First path alloc and instl pending session, natp=0xa2f3d40, id=103079240264
    Sep 27 08:46:30 08:46:30.852088:CID-0:RT:  flow_first_in_dst_nat: in <.local..0>, out <st0.10> dst_adr 172.16.2.3, sp 67, dp 67
    Sep 27 08:46:30 08:46:30.852088:CID-0:RT:  chose interface .local..0 as incoming nat if.
    Sep 27 08:46:30 08:46:30.852088:CID-0:RT:flow_first_rule_dst_xlate: packet 172.16.2.2->172.16.2.3 nsp2 0.0.0.0->172.16.2.3.
    Sep 27 08:46:30 08:46:30.852088:CID-0:RT:[JSF] Do ingress interest check. regd ingress plugins(2)
    Sep 27 08:46:30 08:46:30.852088:CID-0:RT:flag 0x9
    Sep 27 08:46:30 08:46:30.852088:CID-0:RT:[JSF][0]plugins(0x0) enabled for session = 103079240264  implicit mask(0x0), service request(0x0)
    Sep 27 08:46:30 08:46:30.852088:CID-0:RT:-jsf : no plugin ingress interested for session 103079240264
    Sep 27 08:46:30 08:46:30.852088:CID-0:RT:flow_first_routing: vr_id 0, call flow_route_lookup(): src_ip 172.16.2.2, x_dst_ip 172.16.2.3, in ifp .local..0, out ifp st0.10 sp 67, dp 67, ip_proto 17, tos 0
    Sep 27 08:46:30 08:46:30.852088:CID-0:RT:flow_first_routing: Doing DESTINATION addr route-lookup
    Sep 27 08:46:30 08:46:30.852088:CID-0:RT:flow_ipv4_rt_lkup success 172.16.2.3, iifl 0x0, oifl 0x5f
    Sep 27 08:46:30 08:46:30.852088:CID-0:RT:flow_first_routing: setting out_vrf_id in lpak to 0, grp 0
    Sep 27 08:46:30 08:46:30.852088:CID-0:RT:Checking in-ifp from .local..0 to ge-0/0/7.2203 for src: 172.16.2.2 in vr_id:0
    Sep 27 08:46:30 08:46:30.852088:CID-0:RT:  routed (x_dst_ip 172.16.2.3) from junos-host (.local..0 in 0) to st0.10, Next-hop: 172.16.2.3
    Sep 27 08:46:30 08:46:30.852088:CID-0:RT:Policy lkup: vsys 0 zone(2:junos-host) -> zone(16:vpn-zone) scope:0
     src vrf (0) dsv vrf (0) scope:0
    Sep 27 08:46:30 08:46:30.852088:CID-0:RT:             172.16.2.2/67 -> 172.16.2.3/67 proto 17
    Sep 27 08:46:30 08:46:30.852088:CID-0:RT:policy_flow_search_internal::2084 policy_posid -1 potential_match_num 0
    
    Sep 27 08:46:30 08:46:30.852088:CID-0:RT:policy_flow_search_internal::2093 policy_posid -1 potential_match_num 0
    
    Sep 27 08:46:30 08:46:30.852088:CID-0:RT:policy_flow_search_internal::2169 policy_posid -1 potential_match_num 0
    
    Sep 27 08:46:30 08:46:30.852088:CID-0:RT:flow_first_policy_search: policy search from zone junos-host-> zone vpn-zone (0x0,0x430043,0x43), result: 0x8cdfb38, pending: 0?, is_http_cached = 0
    Sep 27 08:46:30 08:46:30.852088:CID-0:RT:flow_first_policy_search: dynapp_none_policy: TRUE, uc_none_policy: TRUE, is_final: 0x0, is_explicit: 0x0, policy_meta_data: 0x0
    Sep 27 08:46:30 08:46:30.852088:CID-0:RT:  app 28, timeout 60s, curr ageout 60s
    Sep 27 08:46:30 08:46:30.852088:CID-0:RT:  permitted by policy self-traffic-policy(1)
    Sep 27 08:46:30 08:46:30.852088:CID-0:RT:  packet passed, Permitted by policy.
    Sep 27 08:46:30 08:46:30.852088:CID-0:RT:flow_first_policy_search:policy explicit matched or jdpi final matched, set session with dynamic_appid 0
    Sep 27 08:46:30 08:46:30.852088:CID-0:RT:flow_first_policy_search: Policy final match
    Sep 27 08:46:30 08:46:30.852088:CID-0:RT:  flow_conn_track_ent_lookup: zone connection track 0x10
    Sep 27 08:46:30 08:46:30.852088:CID-0:RT:flow_first_src_xlate:  nat_src_xlated: False, nat_src_xlate_failed: False
    Sep 27 08:46:30 08:46:30.852088:CID-0:RT:flow_first_src_xlate:  incoming src port is : 67.
    Sep 27 08:46:30 08:46:30.852088:CID-0:RT:flow_first_src_xlate: src nat returns status: 0, rule/pool id: 0/0, pst_nat: False, nat_eim: False.
    Sep 27 08:46:30 08:46:30.852088:CID-0:RT:  dip id = 0/0, 172.16.2.2/67->172.16.2.2/67 protocol 0
    Sep 27 08:46:30 08:46:30.852088:CID-0:RT:flow_first_get_out_ifp: tunnel out 0x9f15de0, tun id 67109030, tun if ge-0/0/6.2030, tun bind if st0.10
    Sep 27 08:46:30 08:46:30.852088:CID-0:RT:  choose interface ge-0/0/6.2030(P2P) as outgoing phy if
    Sep 27 08:46:30 08:46:30.852088:CID-0:RT:is_loop_pak: No loop: on ifp: st0.10, addr: 172.16.2.3, rtt_idx:0
    Sep 27 08:46:30 08:46:30.852088:CID-0:RT:[JSF]Normal interest check. regd plugins 48, enabled impl mask 0x0
    Sep 27 08:46:30 08:46:30.852088:CID-0:RT:flag 0x9
    Sep 27 08:46:30 08:46:30.852088:CID-0:RT:get NULL sess plugin info 0xa2f3d40
    Sep 27 08:46:30 08:46:30.852088:CID-0:RT:msvcs_session_id_is_explicit_proxy_session::7091 swg svc info not found
    
    Sep 27 08:46:30 08:46:30.852088:CID-0:RT:msvcs_session_id_is_explicit_proxy_session::7094 natp not found for session 103079240264 type 0
    
    Sep 27 08:46:30 08:46:30.852088:CID-0:RT:get NULL sess plugin info 0xa2f3d40
    Sep 27 08:46:30 08:46:30.852088:CID-0:RT:msvcs_session_id_is_explicit_proxy_session::7091 swg svc info not found
    
    Sep 27 08:46:30 08:46:30.852088:CID-0:RT:msvcs_session_id_is_explicit_proxy_session::7094 natp not found for session 103079240264 type 0
    
    Sep 27 08:46:30 08:46:30.852088:CID-0:RT:msvcs_session_id_is_explicit_proxy_session::7091 swg svc info not found
    
    Sep 27 08:46:30 08:46:30.852088:CID-0:RT:msvcs_session_id_is_explicit_proxy_session::7094 natp not found for session 103079240264 type 0
    
    Sep 27 08:46:30 08:46:30.852088:CID-0:RT:msvcs_session_id_is_explicit_proxy_session::7091 swg svc info not found
    
    Sep 27 08:46:30 08:46:30.852088:CID-0:RT:msvcs_session_id_is_explicit_proxy_session::7094 natp not found for session 103079240264 type 0
    
    Sep 27 08:46:30 08:46:30.852088:CID-0:RT:msvcs_session_id_is_explicit_proxy_session::7091 swg svc info not found
    
    Sep 27 08:46:30 08:46:30.852088:CID-0:RT:msvcs_session_id_is_explicit_proxy_session::7094 natp not found for session 103079240264 type 0
    
    Sep 27 08:46:30 08:46:30.852088:CID-0:RT:msvcs_session_id_is_explicit_proxy_session::7091 swg svc info not found
    
    Sep 27 08:46:30 08:46:30.852088:CID-0:RT:msvcs_session_id_is_explicit_proxy_session::7094 natp not found for session 103079240264 type 0
    
    Sep 27 08:46:30 08:46:30.852088:CID-0:RT:get NULL sess plugin info 0xa2f3d40
    Sep 27 08:46:30 08:46:30.852088:CID-0:RT:msvcs_session_id_is_explicit_proxy_session::7091 swg svc info not found
    
    Sep 27 08:46:30 08:46:30.852088:CID-0:RT:msvcs_session_id_is_explicit_proxy_session::7094 natp not found for session 103079240264 type 0
    
    Sep 27 08:46:30 08:46:30.852088:CID-0:RT:msvcs_session_id_is_explicit_proxy_session::7091 swg svc info not found
    
    Sep 27 08:46:30 08:46:30.852088:CID-0:RT:msvcs_session_id_is_explicit_proxy_session::7094 natp not found for session 103079240264 type 2
    
    Sep 27 08:46:30 08:46:30.852088:CID-0:RT:get NULL sess plugin info 0xa2f3d40
    Sep 27 08:46:30 08:46:30.852088:CID-0:RT:msvcs_session_id_is_explicit_proxy_session::7091 swg svc info not found
    
    Sep 27 08:46:30 08:46:30.852088:CID-0:RT:msvcs_session_id_is_explicit_proxy_session::7094 natp not found for session 103079240264 type 2
    
    Sep 27 08:46:30 08:46:30.852088:CID-0:RT:msvcs_session_id_is_explicit_proxy_session::7091 swg svc info not found
    
    Sep 27 08:46:30 08:46:30.852088:CID-0:RT:msvcs_session_id_is_explicit_proxy_session::7094 natp not found for session 103079240264 type 0
    
    Sep 27 08:46:30 08:46:30.852088:CID-0:RT:msvcs_session_id_is_explicit_proxy_session::7091 swg svc info not found
    
    Sep 27 08:46:30 08:46:30.852088:CID-0:RT:msvcs_session_id_is_explicit_proxy_session::7094 natp not found for session 103079240264 type 2
    
    Sep 27 08:46:30 08:46:30.852088:CID-0:RT:msvcs_session_id_is_explicit_proxy_session::7091 swg svc info not found
    
    Sep 27 08:46:30 08:46:30.852088:CID-0:RT:msvcs_session_id_is_explicit_proxy_session::7094 natp not found for session 103079240264 type 1
    
    Sep 27 08:46:30 08:46:30.852088:CID-0:RT:get NULL sess plugin info 0xa2f3d40
    Sep 27 08:46:30 08:46:30.852088:CID-0:RT:get NULL sess plugin info 0xa2f3d40
    Sep 27 08:46:30 08:46:30.852088:CID-0:RT:+++++++++++jsf_test_plugin_data_evh: 3
    Sep 27 08:46:30 08:46:30.852088:CID-0:RT:get NULL sess plugin info 0xa2f3d40
    Sep 27 08:46:30 08:46:30.852088:CID-0:RT:get NULL sess plugin info 0xa2f3d40
    Sep 27 08:46:30 08:46:30.852088:CID-0:RT:msvcs_session_id_is_explicit_proxy_session::7091 swg svc info not found
    
    Sep 27 08:46:30 08:46:30.852088:CID-0:RT:msvcs_session_id_is_explicit_proxy_session::7094 natp not found for session 103079240264 type 1
    
    Sep 27 08:46:30 08:46:30.852088:CID-0:RT:get NULL sess plugin info 0xa2f3d40
    Sep 27 08:46:30 08:46:30.852088:CID-0:RT:get NULL sess plugin info 0xa2f3d40
    Sep 27 08:46:30 08:46:30.852088:CID-0:RT:msvcs_session_id_is_explicit_proxy_session::7091 swg svc info not found
    
    Sep 27 08:46:30 08:46:30.852088:CID-0:RT:msvcs_session_id_is_explicit_proxy_session::7094 natp not found for session 103079240264 type 1
    
    Sep 27 08:46:30 08:46:30.852088:CID-0:RT:msvcs_session_id_is_explicit_proxy_session::7091 swg svc info not found
    
    Sep 27 08:46:30 08:46:30.852088:CID-0:RT:msvcs_session_id_is_explicit_proxy_session::7094 natp not found for session 103079240264 type 2
    
    Sep 27 08:46:30 08:46:30.852088:CID-0:RT:[JSF]Plugins(0x0, count 0) enabled for session = 103079240264, impli mask(0x0), post_nat cnt 0 svc req(0x0)
    Sep 27 08:46:30 08:46:30.852088:CID-0:RT:-jsf : no plugin interested for session 103079240264, free sess plugin info
    Sep 27 08:46:30 08:46:30.852088:CID-0:RT:jsf pre int check result 0 0 0 0
    Sep 27 08:46:30 08:46:30.852088:CID-0:RT:  service lookup identified service 28.
    Sep 27 08:46:30 08:46:30.852088:CID-0:RT:  flow_first_final_check: in <.local..0>, out <ge-0/0/6.2030>
    Sep 27 08:46:30 08:46:30.852088:CID-0:RT:In flow_first_complete_session
    Sep 27 08:46:30 08:46:30.852088:CID-0:RT:flow_first_complete_session, pak_ptr: 0x2088b10, nsp: 0xa2f3d40, in_tunnel: 0x0
    Sep 27 08:46:30 08:46:30.852088:CID-0:RT:before copy: nsp vec_list 0x0, nsp2 vec_list 0x0
    Sep 27 08:46:30 08:46:30.852088:CID-0:RT:after copy: nsp vec_list 0x0, nsp2 vec_list 0x0
    Sep 27 08:46:30 08:46:30.852088:CID-0:RT:construct v4 vector for nsp2 and nsp
    Sep 27 08:46:30 08:46:30.852088:CID-0:RT:  existing vector list 0x0-0x6859b078.
    Sep 27 08:46:30 08:46:30.852088:CID-0:RT:vector index for nsp2: 0
    Sep 27 08:46:30 08:46:30.852088:CID-0:RT:  existing vector list 0x0-0x6859b078.
    Sep 27 08:46:30 08:46:30.852088:CID-0:RT:vector index for nsp: 0
    Sep 27 08:46:30 08:46:30.852088:CID-0:RT:  Session (id:103079240264) created for first pak 0
    Sep 27 08:46:30 08:46:30.852088:CID-0:RT:first pak processing successful
    Sep 27 08:46:30 08:46:30.852088:CID-0:RT:  flow_first_install_session======> 0xa2f3d40
    Sep 27 08:46:30 08:46:30.852088:CID-0:RT: nsp 0xa2f3d40, nsp2 0xa2f3de0, local_pak 0x2088b10
    Sep 27 08:46:30 08:46:30.852088:CID-0:RT:  make_nsp_ready_no_resolve()
    Sep 27 08:46:30 08:46:30.852088:CID-0:RT:flow_ipv4_rt_lkup success 172.16.2.2, iifl 0x0, oifl 0x0
    Sep 27 08:46:30 08:46:30.852088:CID-0:RT:  route lookup: dest-ip 172.16.2.2 orig ifp .local..0 output_ifp .local..0  orig-zone 2 out-zone 2 need_clear_fto 0 vsd 0, route_flag: 0x8
    Sep 27 08:46:30 08:46:30.852088:CID-0:RT:  route to 172.16.2.2
    Sep 27 08:46:30 08:46:30.852088:CID-0:RT:Duplicate session (81604437305) is not VALID/PENDING. Install new one
    Sep 27 08:46:30 08:46:30.852088:CID-0:RT:no need update ha
    Sep 27 08:46:30 08:46:30.852088:CID-0:RT:  flow_conn_track_ent_create: connection track on zone 2 not enabled
    Sep 27 08:46:30 08:46:30.852088:CID-0:RT:first path session installation succeeded
    Sep 27 08:46:30 08:46:30.852088:CID-0:RT:  flow got session.
    Sep 27 08:46:30 08:46:30.852088:CID-0:RT: flow fast tcp/udp session id 103079240264
    Sep 27 08:46:30 08:46:30.852088:CID-0:RT: vector bits 0x0 vector 0x6859b078 for session 103079240264
    Sep 27 08:46:30 08:46:30.852088:CID-0:RT:mbuf 0x61043d80, exit nh 0x940010
    Sep 27 08:46:30 08:46:30.852088:CID-0:RT:flow_process_pkt_exception: Freeing lpak 0x2088b10 associated with mbuf 0x61043d80
    Sep 27 08:46:30 08:46:30.852088:CID-0:RT: ---- flow_process_pkt rc 0x0 (fp rc 0)
    Sep 27 08:46:31 08:46:31.847655:CID-0:RT:jsf sess close notify
    Sep 27 08:46:31 08:46:31.847655:CID-0:RT:flow_ipv4_del_flow: sess 154618835726, in hash 32
    Sep 27 08:46:31 08:46:31.847655:CID-0:RT:flow_ipv4_del_flow: sess 154618835726, in hash 32
    Sep 27 08:46:31 08:46:31.847655:CID-0:RT:jsf sess close notify
    Sep 27 08:46:31 08:46:31.847655:CID-0:RT:flow_ipv4_del_flow: sess 81604437305, in hash 32
    Sep 27 08:46:33 08:46:33.849441:CID-0:RT:jsf sess close notify
    Sep 27 08:46:33 08:46:33.849441:CID-0:RT:flow_ipv4_del_flow: sess 261993012045, in hash 32
    Sep 27 08:46:33 08:46:33.849441:CID-0:RT:flow_ipv4_del_flow: sess 261993012045, in hash 32
    Sep 27 08:46:33 08:46:33.849441:CID-0:RT:jsf sess close notify
    Sep 27 08:46:33 08:46:33.849441:CID-0:RT:flow_ipv4_del_flow: sess 111669171862, in hash 32
    Sep 27 08:46:33 08:46:33.849441:CID-0:RT:flow_ipv4_del_flow: sess 111669171862, in hash 32
    Sep 27 08:46:34 08:46:34.868766:CID-0:RT:
    Sep 27 08:46:34 08:46:34.868766:CID-0:RT:~~~FLOW <172.16.2.3/67->172.16.2.2/67;17,0x0> matched filter DHCP-MONITORING(0) in root-logical-system for iif st0.10 of root-logical-system:
    Sep 27 08:46:34 08:46:34.868766:CID-0:RT:   packet [293] ipid = 57743, @0x5df45048
    Sep 27 08:46:34 08:46:34.868766:CID-0:RT:---- flow_process_pkt: (thd 1): flow_ctxt type 1, common flag 0x0, mbuf 0x5df44e00, rtbl_idx = 0
    Sep 27 08:46:34 08:46:34.868766:CID-0:RT:flow_process_pkt: COS val at start: fc: 0, dp: 0
    
    Sep 27 08:46:34 08:46:34.868766:CID-0:RT:flow process pak, mbuf 0x5df44e00, ifl 95, ctxt_type 1 inq type 6
    Sep 27 08:46:34 08:46:34.868766:CID-0:RT: in_ifp <vpn-zone:st0.10>
    Sep 27 08:46:34 08:46:34.868766:CID-0:RT:pkt out of tunnel.Proceed normally
    Sep 27 08:46:34 08:46:34.868766:CID-0:RT:  st0.10:172.16.2.3/67->172.16.2.2/67, udp
    Sep 27 08:46:34 08:46:34.868766:CID-0:RT: find flow: table 0x6efc350, hash 38344(0xffff), sa 172.16.2.3, da 172.16.2.2, sp 67, dp 67, proto 17, tok 16, conn-tag 0x00000000, vrf-grp-id 0 , conn_tag_type: 0
    Sep 27 08:46:34 08:46:34.868766:CID-0:RT:Found: session id 103079240264. sess tok 16
    Sep 27 08:46:34 08:46:34.868766:CID-0:RT:  flow got session (id 103079240264).
    Sep 27 08:46:34 08:46:34.868766:CID-0:RT:  flow session id 103079240264
    Sep 27 08:46:34 08:46:34.868766:CID-0:RT:  refreshing session
    Sep 27 08:46:34 08:46:34.868766:CID-0:RT: vector bits 0x0 vector 0x6859b078 for session 103079240264
    Sep 27 08:46:34 08:46:34.868766:CID-0:RT:flow_insert_usp_tag insert usp tag for apps, rtt_id =0 usp_tag_ptr =0x5df44eac, mbuf=0x5df44e00
    
    Sep 27 08:46:34 08:46:34.868766:CID-0:RT:mbuf 0x5df44e00, exit nh 0xfffb0006
    Sep 27 08:46:34 08:46:34.868766:CID-0:RT:flow_process_pkt_exception: Freeing lpak 0x2088cf0 associated with mbuf 0x5df44e00
    Sep 27 08:46:34 08:46:34.868766:CID-0:RT: ---- flow_process_pkt rc 0x0 (fp rc 0)
    Sep 27 08:46:34 08:46:34.870494:CID-0:RT:
    Sep 27 08:46:34 08:46:34.870494:CID-0:RT:~~~FLOW <172.16.2.2/67->172.16.2.3/67;17,0x0> matched filter DHCP-MONITORING(0) in root-logical-system for iif .local..0 of root-logical-system:
    Sep 27 08:46:34 08:46:34.870494:CID-0:RT:   packet [307] ipid = 2932, @0x61039dc1
    Sep 27 08:46:34 08:46:34.870494:CID-0:RT:---- flow_process_pkt: (thd 1): flow_ctxt type 0, common flag 0x0, mbuf 0x61039b80, rtbl_idx = 0
    Sep 27 08:46:34 08:46:34.870494:CID-0:RT:flow_process_pkt: COS val at start: fc: 3, dp: 0
    
    Sep 27 08:46:34 08:46:34.870494:CID-0:RT:flow process pak, mbuf 0x61039b80, ifl 0, ctxt_type 0 inq type 5
    Sep 27 08:46:34 08:46:34.870494:CID-0:RT: in_ifp <junos-host:.local..0>
    Sep 27 08:46:34 08:46:34.870494:CID-0:RT:flow_process_pkt_exception: setting rtt in lpak to 0x20e3280
    Sep 27 08:46:34 08:46:34.870494:CID-0:RT:flow_process_pkt_exception: setting in_vrf_id in lpak to 0, grp 0
    Sep 27 08:46:34 08:46:34.870494:CID-0:RT:host inq check inq_type 0x5
    Sep 27 08:46:34 08:46:34.870494:CID-0:RT:flow_populate_lpak_from_usptag: usptag magic 0x9110114, vr-id 0, usp_tag=0x61039c6c, mbuf=0x61039b80
    Sep 27 08:46:34 08:46:34.870494:CID-0:RT:Using out_ifp from pfe_tag with index 95
    Sep 27 08:46:34 08:46:34.870494:CID-0:RT: ipv4 from host, pfe tag vr id set 0
    Sep 27 08:46:34 08:46:34.870494:CID-0:RT:Using vr id from pfe_tag with value= 0
    Sep 27 08:46:34 08:46:34.870494:CID-0:RT:Changing lpak->in_ifp from:.local..0 -> to:.local..0
    Sep 27 08:46:34 08:46:34.870494:CID-0:RT:
    Sep 27 08:46:34 08:46:34.870494:CID-0:RT:~~~FLOW <172.16.2.2/67->172.16.2.3/67;17,0x0> matched filter DHCP-MONITORING(0) in root-logical-system for iif .local..0 of root-logical-system:
    Sep 27 08:46:34 08:46:34.870494:CID-0:RT:   packet [307] ipid = 2932, @0x61039dc1
    Sep 27 08:46:34 08:46:34.870494:CID-0:RT:Over-riding lpak->vsys with 0
    Sep 27 08:46:34 08:46:34.870494:CID-0:RT:Doing IPSec traffic-selector match for [Proto:17] 172.16.2.2/67 -> 172.16.2.3/67
    
    Sep 27 08:46:34 08:46:34.870494:CID-0:RT: Did not find traffic-selector enabled nsp_tunnel for  st0-ifp st0.10. Finding non-traffic-selector nsp_tunnel
    Sep 27 08:46:34 08:46:34.870494:CID-0:RT: Found non-NHTB IPSec nsp_tunnel for ifp st0.10
    Sep 27 08:46:34 08:46:34.870494:CID-0:RT: Found IPSec nsp_tunnel 0x9f15de0 for bind-ifp st0.10
    Sep 27 08:46:34 08:46:34.870494:CID-0:RT:Using out-tunnel 0x9f15de0
    Sep 27 08:46:34 08:46:34.870494:CID-0:RT: find flow: table 0x6efc350, hash 27962(0xffff), sa 172.16.2.2, da 172.16.2.3, sp 67, dp 67, proto 17, tok 2, conn-tag 0x00000000, vrf-grp-id 0 , conn_tag_type: 0
    Sep 27 08:46:34 08:46:34.870494:CID-0:RT:  flow got session.
    Sep 27 08:46:34 08:46:34.870494:CID-0:RT: flow fast tcp/udp session id 103079240264
    Sep 27 08:46:34 08:46:34.870494:CID-0:RT: vector bits 0x0 vector 0x6859b078 for session 103079240264
    Sep 27 08:46:34 08:46:34.870494:CID-0:RT:mbuf 0x61039b80, exit nh 0x940010
    Sep 27 08:46:34 08:46:34.870494:CID-0:RT:flow_process_pkt_exception: Freeing lpak 0x2088b10 associated with mbuf 0x61039b80
    Sep 27 08:46:34 08:46:34.870494:CID-0:RT: ---- flow_process_pkt rc 0x0 (fp rc 0)




  • 7.  RE: Ipsec VPN DHCP relay

    Posted 09-27-2024 12:46

    I don't see anything obviously wrong in the flow trace. Do capture the DHCP messages on both SRX1 and SRX2, though.

    I'm also getting confused because you write 172.16.3.x but all the output from the traces and stuff says 172.16.2.x so I don't know if there's just a typo or you have multiple networks, etc., or you've reconfigured something.



    ------------------------------
    Nikolay Semov
    ------------------------------



  • 8.  RE: Ipsec VPN DHCP relay

    Posted 09-30-2024 02:43

    Sorry for the confusion, Nikolay. I did indeed test with another network to see if the DHCP pool was somehow misconfigured. I have several networks configured with 172.16.x.2 (SRX1) and 172.16.x.3 (SRX2).

    Capture from SRX2:

    Juniper PCAP Flags [Ext, no-L2, In], PCAP Extension(s) total length 22
    	  Device Media Type Extension TLV #3, length 1, value: Ethernet (1)
    	  Logical Interface Encapsulation Extension TLV #6, length 1, value: Ethernet (14)
    	  Device Interface Index Extension TLV #1, length 2, value: 35328
    	  Logical Interface Index Extension TLV #4, length 4, value: 78
    	  Logical Unit Number Extension TLV #5, length 4, value: 2203
    	-----original packet-----
    	PFE proto 2 (ipv4): (tos 0x0, ttl  64, id 37268, offset 0, flags [none], proto: UDP (17), length: 293) 0.0.0.0.bootpc > 255.255.255.255.bootps: [udp sum ok] BOOTP/DHCP, Request from 00:cc:34:b5:02:7e, length 265, xid 0x7868d566, Flags [Broadcast] (0x8000)
    	  Client-Ethernet-Address 00:cc:34:b5:02:7e
    	  Vendor-rfc1048 Extensions
    	    Magic Cookie 0x63825363
    	    DHCP-Message Option 53, length 1: Discover
    	    Hostname Option 12, length 12: "HW3621150011"
    	    Lease-Time Option 51, length 4: 86400

    Capture from SRX1:

    	Juniper PCAP Flags [Ext, no-L2, In], PCAP Extension(s) total length 22
    	  Device Media Type Extension TLV #3, length 1, value: Secure-Tunnel (63)
    	  Logical Interface Encapsulation Extension TLV #6, length 1, value: Secure Tunnel (69)
    	  Device Interface Index Extension TLV #1, length 2, value: 34304
    	  Logical Interface Index Extension TLV #4, length 4, value: 95
    	  Logical Unit Number Extension TLV #5, length 4, value: 10
    	-----original packet-----
    	PFE proto 2 (ipv4): (tos 0x0, ttl  64, id 38538, offset 0, flags [none], proto: UDP (17), length: 293) 172.16.2.3.bootps > 172.16.2.2.bootps: [udp sum ok] BOOTP/DHCP, Request from 00:cc:34:b5:02:7e, length 265, hops 1, xid 0x7868d566, Flags [Broadcast] (0x8000)
    	  Gateway-IP 172.16.2.3
    	  Client-Ethernet-Address 00:cc:34:b5:02:7e
    	  Vendor-rfc1048 Extensions
    	    Magic Cookie 0x63825363
    	    DHCP-Message Option 53, length 1: Discover
    	    Hostname Option 12, length 12: "HW3621150011"
    	    Lease-Time Option 51, length 4: 86400


    ------------------------------
    ESPEN AA
    ------------------------------



  • 9.  RE: Ipsec VPN DHCP relay

    Posted 10-02-2024 22:37

    I'm stumped. Not sure where the DHCP OFFER packets are going. Your traffic monitor filter doesn't include an interface, does it?



    ------------------------------
    Nikolay Semov
    ------------------------------



  • 10.  RE: Ipsec VPN DHCP relay

    Posted 10-07-2024 02:41

    No, only matching destination address 172.16.3.3. I don't know what else to try.



    ------------------------------
    ESPEN AA
    ------------------------------



  • 11.  RE: Ipsec VPN DHCP relay

    Posted 10-07-2024 03:22

    Here is an example where I changed the static route "172.16.2.3 next-hop 192.168.102.2" to "172.168.2.3 next-hop <ISP DEFAULT GW>" to check if the offer is sent if a different route is in place, which it indeed was. I highly doubt it, but could there be any limitations to DHCP messages being sent over the VPN tunnel?

    SRX2 (DHCP Relay)

    	PFE proto 2 (ipv4): (tos 0x0, ttl  64, id 37173, offset 0, flags [none], proto: UDP (17), length: 293) 0.0.0.0.bootpc > 255.255.255.255.bootps: [udp sum ok] BOOTP/DHCP, Request from 00:cc:34:b5:02:7e, length 265, xid 0x5a8c0d2b, Flags [Broadcast] (0x8000)
    	  Client-Ethernet-Address 00:cc:34:b5:02:7e
    	  Vendor-rfc1048 Extensions
    	    Magic Cookie 0x63825363
    	    DHCP-Message Option 53, length 1: Discover
    	    Hostname Option 12, length 12: "HW3621150011"
    	    Lease-Time Option 51, length 4: 86400

    SRX1 (DHCP SERVER VPN INTERFACE)

    PFE proto 2 (ipv4): (tos 0x0, ttl  64, id 21376, offset 0, flags [none], proto: UDP (17), length: 293) 172.16.2.3.bootps > 172.16.2.2.bootps: [udp sum ok] BOOTP/DHCP, Request from 00:cc:34:b5:02:7e, length 265, hops 1, xid 0x4ec64aab, Flags [Broadcast] (0x8000)
    	  Gateway-IP 172.16.2.3
    	  Client-Ethernet-Address 00:cc:34:b5:02:7e
    	  Vendor-rfc1048 Extensions
    	    Magic Cookie 0x63825363
    	    DHCP-Message Option 53, length 1: Discover
    	    Hostname Option 12, length 12: "HW3621150011"
    	    Lease-Time Option 51, length 4: 86400

    SRX1 (DHCP SERVER PUBLIC FACING INTERFACE)

    	60:c7:8d:41:84:86 > 00:00:5e:00:01:0e, ethertype 802.1Q (0x8100), length 325: vlan 2, p 6, ethertype IPv4, (tos 0x0, ttl  64, id 42922, offset 0, flags [none], proto: UDP (17), length: 307) 172.16.2.2.bootps > 172.16.2.3.bootps: [udp sum ok] BOOTP/DHCP, Reply, length 279, xid 0x4ec64aab, Flags [Broadcast] (0x8000)
    	  Your-IP 172.16.2.121
    	  Gateway-IP 172.16.2.3
    	  Client-Ethernet-Address 00:cc:34:b5:02:7e
    	  Vendor-rfc1048 Extensions
    	    Magic Cookie 0x63825363
    	    DHCP-Message Option 53, length 1: Offer
    	    Lease-Time Option 51, length 4: 172800
    	    Subnet-Mask Option 1, length 4: 255.255.255.0
    	    Server-ID Option 54, length 4: 172.16.2.2
    	    Default-Gateway Option 3, length 4: 172.16.2.1
    	    Domain-Name-Server Option 6, length 8: dns.google,one.one.one.one


    ------------------------------
    ESPEN AA
    ------------------------------
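    Added example, not code from this thread or from Juniper: a small Python parser for the capture format quoted in the posts above ("monitor traffic ... detail" output). It correlates relayed DISCOVERs and OFFERs by xid across capture points, checks that each OFFER is unicast to the relay's Gateway-IP (giaddr), reports which capture point saw the OFFER (i.e. which route for giaddr won), and lists relayed DISCOVERs that got no OFFER at all. The capture-point names and the trimmed sample lines are taken from this thread; the tunnel_point value is an assumption for the check.

```python
"""Correlate relayed DHCP DISCOVER/OFFER pairs across SRX capture points."""
import re
from dataclasses import dataclass

# Field patterns in the tcpdump-style BOOTP decode an SRX prints (IPv4 only).
HDR_RE = re.compile(
    r"(?P<src>\d+(?:\.\d+){3})\.bootp[sc] > (?P<dst>\d+(?:\.\d+){3})\.bootp[sc]:"
    r".*?BOOTP/DHCP, (?P<kind>Request|Reply).*?xid (?P<xid>0x[0-9a-fA-F]+)"
)
HOPS_RE = re.compile(r"\bhops (\d+)")
GIADDR_RE = re.compile(r"Gateway-IP (\d+(?:\.\d+){3})")
MSGTYPE_RE = re.compile(r"DHCP-Message Option 53, length 1: (\w+)")


@dataclass
class DhcpMsg:
    seen_on: str            # capture point, e.g. "SRX1 st0.10"
    src: str
    dst: str
    xid: str
    msg_type: str = ""      # Discover, Offer, ...
    giaddr: str = "0.0.0.0"
    hops: int = 0           # > 0 means a relay forwarded this packet


def parse_capture(seen_on: str, text: str) -> list[DhcpMsg]:
    """Parse one capture: each header line is followed by indented option lines."""
    msgs, cur = [], None
    for line in text.splitlines():
        m = HDR_RE.search(line)
        if m:
            cur = DhcpMsg(seen_on, m["src"], m["dst"], m["xid"].lower())
            h = HOPS_RE.search(line)
            if h:
                cur.hops = int(h.group(1))
            msgs.append(cur)
            continue
        if cur is None:
            continue
        if g := GIADDR_RE.search(line):
            cur.giaddr = g.group(1)
        if t := MSGTYPE_RE.search(line):
            cur.msg_type = t.group(1)
    return msgs


def parse_all(captures: dict[str, str]) -> list[DhcpMsg]:
    return [m for name, text in captures.items() for m in parse_capture(name, text)]


def correlate(msgs: list[DhcpMsg], tunnel_point: str) -> list[dict]:
    """One finding per OFFER: does it answer a relayed DISCOVER with the same xid,
    is it addressed to that DISCOVER's giaddr, and was it seen on the tunnel?"""
    relayed = {m.xid: m for m in msgs if m.msg_type == "Discover" and m.hops > 0}
    findings = []
    for offer in (m for m in msgs if m.msg_type == "Offer"):
        disc = relayed.get(offer.xid)
        findings.append({
            "xid": offer.xid,
            "offer_seen_on": offer.seen_on,
            "matched_discover": disc is not None,
            # RFC 2131: with giaddr set, the server unicasts the reply to giaddr:67,
            # so the route for giaddr decides the egress interface.
            "reply_to_giaddr": disc is not None and offer.dst == disc.giaddr,
            "left_via_tunnel": offer.seen_on == tunnel_point,
        })
    return findings


def unanswered(msgs: list[DhcpMsg]) -> list[str]:
    """xids of relayed DISCOVERs for which no OFFER was captured anywhere."""
    offers = {m.xid for m in msgs if m.msg_type == "Offer"}
    return [m.xid for m in msgs
            if m.msg_type == "Discover" and m.hops > 0 and m.xid not in offers]


# Sample input: capture lines quoted in this thread, trimmed to the fields used.
CAPTURES = {
    "SRX1 st0.10 (earlier attempt)": """
PFE proto 2 (ipv4): (proto: UDP (17), length: 293) 172.16.2.3.bootps > 172.16.2.2.bootps: [udp sum ok] BOOTP/DHCP, Request from 00:cc:34:b5:02:7e, length 265, hops 1, xid 0x7868d566, Flags [Broadcast] (0x8000)
  Gateway-IP 172.16.2.3
    DHCP-Message Option 53, length 1: Discover
""",
    "SRX2 client side": """
PFE proto 2 (ipv4): (proto: UDP (17), length: 293) 0.0.0.0.bootpc > 255.255.255.255.bootps: [udp sum ok] BOOTP/DHCP, Request from 00:cc:34:b5:02:7e, length 265, xid 0x5a8c0d2b, Flags [Broadcast] (0x8000)
    DHCP-Message Option 53, length 1: Discover
""",
    "SRX1 st0.10": """
PFE proto 2 (ipv4): (proto: UDP (17), length: 293) 172.16.2.3.bootps > 172.16.2.2.bootps: [udp sum ok] BOOTP/DHCP, Request from 00:cc:34:b5:02:7e, length 265, hops 1, xid 0x4ec64aab, Flags [Broadcast] (0x8000)
  Gateway-IP 172.16.2.3
    DHCP-Message Option 53, length 1: Discover
""",
    "SRX1 ge-0/0/6.2030": """
vlan 2, p 6, ethertype IPv4, (proto: UDP (17), length: 307) 172.16.2.2.bootps > 172.16.2.3.bootps: [udp sum ok] BOOTP/DHCP, Reply, length 279, xid 0x4ec64aab, Flags [Broadcast] (0x8000)
  Your-IP 172.16.2.121
  Gateway-IP 172.16.2.3
    DHCP-Message Option 53, length 1: Offer
""",
}

if __name__ == "__main__":
    msgs = parse_all(CAPTURES)
    for f in correlate(msgs, tunnel_point="SRX1 st0.10"):  # assumed tunnel capture point
        print(f)
    print("relayed DISCOVERs with no OFFER:", unanswered(msgs))
```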



  • 12.  RE: Ipsec VPN DHCP relay

    Posted 10-07-2024 15:56

    Please show routing table and forwarding table entries for 172.16.2.3 (after fixing the route, of course).



    ------------------------------
    Nikolay Semov
    ------------------------------



  • 13.  RE: Ipsec VPN DHCP relay

    Posted 10-08-2024 03:01

    Here is the routing table and the forwarding table. I also added a simple topology for better understanding. In the ping example attached I have administratively shut down all interfaces on SRX2, except the VPN interface.

    SRX1 - DHCP Server - 172.16.2.2 & 192.168.102.1
    SRX2 - DHCP Relay  - 172.16.2.3 & 192.168.102.2 
    SW1 - L2 switch
    SW2 - switch acting as DHCP Client
    
    Route 1 - R1 - via ge-0/0/0.2203, is manually shut down between SW1 & SW2 for testing purposes.
    Route 2 - R2 - via st0.10
    Route 3 - R3 - IF facing dhcp client
    
            R2      R2
      SRX1 --- VPN --- SRX2
        |               |
        |               |
        |               |
        |R1           R3|
        |               |
        |               |
        |    R1         |
       SW1------X      SW2

    Routing table

    172.16.2.0/24      *[Direct/0] 5d 05:45:45
                        >  via ge-0/0/7.2203
    172.16.2.3/32      *[Static/5] 00:01:25
                        >  via st0.10

    Forwarding table

    Destination        Type RtRef Next hop           Type Index    NhRef Netif
    172.16.2.3/32      user     0                    ucst     1512     3 st0.10

    Ping example

    PING 172.16.2.3 (172.16.2.3): 56 data bytes
    64 bytes from 172.16.2.3: icmp_seq=0 ttl=64 time=30.615 ms


    ------------------------------
    ESAA
    ------------------------------