SRX


Ask questions and share experiences about the SRX Series, vSRX, and cSRX.
  • 1.  IPv6 on SRX1500 not working

    Posted 20 days ago

    Hi,

    I'm testing IPv6 and I find that the DHCPv6 client is stuck at Selecting. What am I doing wrong? Does it work for 1 interface with both inet and inet6 families?

    I configured dhcpv6-client on my WAN interface, then added system service dhcpv6 to the WAN interface in security-zone untrust's host-inbound-traffic. Same behavior if rapid-commit and update-router-advertisement are not configured.

    set interfaces xe-0/0/19 description WAN
    set interfaces xe-0/0/19 unit 0 family inet dhcp update-server
    set interfaces xe-0/0/19 unit 0 family inet6 dhcpv6-client client-type stateful
    set interfaces xe-0/0/19 unit 0 family inet6 dhcpv6-client client-ia-type ia-pd
    set interfaces xe-0/0/19 unit 0 family inet6 dhcpv6-client rapid-commit
    set interfaces xe-0/0/19 unit 0 family inet6 dhcpv6-client client-identifier duid-type duid-ll
    set interfaces xe-0/0/19 unit 0 family inet6 dhcpv6-client req-option dns-server
    set interfaces xe-0/0/19 unit 0 family inet6 dhcpv6-client retransmission-attempt 9
    set interfaces xe-0/0/19 unit 0 family inet6 dhcpv6-client update-router-advertisement interface xe-0/0/19.0
    set interfaces xe-0/0/19 unit 0 family inet6 dhcpv6-client update-server
    
    set security zones security-zone untrust interfaces xe-0/0/19.0 host-inbound-traffic system-services dhcp
    set security zones security-zone untrust interfaces xe-0/0/19.0 host-inbound-traffic system-services ping
    set security zones security-zone untrust interfaces xe-0/0/19.0 host-inbound-traffic system-services ntp
    set security zones security-zone untrust interfaces xe-0/0/19.0 host-inbound-traffic system-services dhcpv6
    

    I tried to produce a capture but the file was not created. I have the following configuration but even though it commits, no file is created after I renew the DHCPv6 lease.

    set forwarding-options packet-capture file filename mypcap
    set forwarding-options packet-capture file files 2
    set forwarding-options packet-capture file size 2m
    set forwarding-options packet-capture maximum-capture-size 1500
    
    set firewall family inet6 filter DHCPv6 term 1 from source-port 546
    set firewall family inet6 filter DHCPv6 term 1 from source-port 547
    set firewall family inet6 filter DHCPv6 term 1 from destination-port 546
    set firewall family inet6 filter DHCPv6 term 1 from destination-port 547
    set firewall family inet6 filter DHCPv6 term 1 then sample
    set firewall family inet6 filter DHCPv6 term 1 then accept
    set firewall family inet6 filter DHCPv6 term allow-all-else then accept
    
    set interfaces xe-0/0/19 unit 0 family inet6 filter input DHCPv6
    set interfaces xe-0/0/19 unit 0 family inet6 filter output DHCPv6

    Finally I just used monitor traffic to perform the capture, and it appears the DHCPv6 server from my ISP responds but the binding is never set to Bound. The transaction just repeats.

    > monitor traffic interface xe-0/0/19 matching "ip6" size 9999
    
    16:34:09.559416 Out IP6 fe80::xxxx:xxxx:xxxx:xxxx > ff02::1:2: HBH ICMP6, multicast listener report max resp delay: 0 addr: ff02::1:2, length 24
    16:34:09.564079 Out IP6 fe80::xxxx:xxxx:xxxx:xxxx > ff05::1:3: HBH ICMP6, multicast listener report max resp delay: 0 addr: ff05::1:3, length 24
    16:34:09.566460 Out IP6 fe80::xxxx:xxxx:xxxx:xxxx.dhcpv6-client > ff02::1:2.dhcpv6-server: dhcp6 solicit
    16:34:11.423360 Out IP6 fe80::xxxx:xxxx:xxxx:xxxx > ff02::1:2: HBH ICMP6, multicast listener report max resp delay: 0 addr: ff02::1:2, length 24
    16:34:11.568321 Out IP6 fe80::xxxx:xxxx:xxxx:xxxx.dhcpv6-client > ff02::1:2.dhcpv6-server: dhcp6 solicit
    16:34:15.569682 Out IP6 fe80::xxxx:xxxx:xxxx:xxxx.dhcpv6-client > ff02::1:2.dhcpv6-server: dhcp6 solicit
    16:34:19.333639 Out IP6 fe80::xxxx:xxxx:xxxx:xxxx > ff05::1:3: HBH ICMP6, multicast listener report max resp delay: 0 addr: ff05::1:3, length 24
    16:34:21.645516  In IP6 fe80::yyyy:yyyy:yyyy:yyyy.dhcpv6-server > fe80::xxxx:xxxx:xxxx:xxxx.dhcpv6-client: dhcp6 reply
    

    Thanks!



  • 2.  RE: IPv6 on SRX1500 not working

    Posted 20 days ago
    1. Put a device behind the srx.
    2. Ignore ipv6 on the srx for a while.
    3. Yes set it to be ready however.
    4. On the device behind the srx start using ipv6 filters.
    5. Slowly get the ipv6 services flowing.
    6. Exercise traffic.

    Better know which prefixes your isp provides.



    ------------------------------
    Adrian Aguinaga
    B.S.C.M. I.T.T. Tech
    (Construction Management)
    A.A.S. I.T.T. Tech
    (Drafting & Design)
    ------------------------------



  • 3.  RE: IPv6 on SRX1500 not working

    Posted 20 days ago

    Are you suggesting I need to have a system with a routable IPv6 address before my WAN interface will accept the acknowledge from the DHCPv6 server? Or how to trigger a packet capture? I just asked the SRX to renew the lease on the WAN interface.




  • 4.  RE: IPv6 on SRX1500 not working

    Posted 20 days ago

    If you do not select to have an already set router factory set, like an asus wifi router, then you can choose to use filtering on the srx to filter all the popular ipv6 prefixes. Also, I'd start with ge-0 or fe-, but not xe-. ge- for sure.



    ------------------------------
    Adrian Aguinaga
    B.S.C.M. I.T.T. Tech
    (Construction Management)
    A.A.S. I.T.T. Tech
    (Drafting & Design)
    ------------------------------



  • 5.  RE: IPv6 on SRX1500 not working

    Posted 20 days ago

    I made some insignificant changes (client duid to llt instead of ll), left the configuration as is for a couple of hours and when I checked just now saw a Bound state. That's not what I expect. Does it take that long to get an IPv6 reply? During this period I created a tcpdump in the shell with -X to display hex/ASCII payload and sent it to my ISP's support mailbox. They have not answered my email but will most likely say it's fine and working.

    The tcpdump response had the embedded message "No prefixes have been assigned." I could tell the DHCPv6 server is a Juniper device due to the response also including the MAC address from the DHCPv6 server.

    Unfortunately I didn't know DHCP/DHCPv6 events are not normally logged but have enabled them through setting system processes dhcp-service log session....




  • 6.  RE: IPv6 on SRX1500 not working

    Posted 20 days ago

    If I include client-ia-type ia-na (which according to my ISP is not supported for prefix delegation--meaning I would get a /128 but I won't be able to receive a /56), the IP/prefix column does show a 2001..../128 value but its state remains in Selecting as well. The /56 request remains "::/0".
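
Added example, not part of the original posts: a small Python decoder that lists which IA_NA addresses and IA_PD prefixes a DHCPv6 message actually carries, plus every status code, which is what is needed to read the "No prefixes have been assigned." text from post 5 and the /128-without-/56 result from post 6 out of a capture. Option layouts follow RFC 8415; the sample Reply is constructed (documentation prefix 2001:db8::/32, and the NoPrefixAvail status code paired with that message text is an assumption).

```python
import ipaddress
import struct
# Option and status codes from RFC 8415.
IA_NA, IAADDR, STATUS_CODE, IA_PD, IAPREFIX = 3, 5, 13, 25, 26
STATUS = {0: "Success", 1: "UnspecFail", 2: "NoAddrsAvail", 6: "NoPrefixAvail"}

def options(buf):
    """Yield (code, data) per TLV option; stop at the first truncated one."""
    off = 0
    while off + 4 <= len(buf):
        code, length = struct.unpack_from("!HH", buf, off)
        data = buf[off + 4:off + 4 + length]
        if len(data) < length:
            return
        yield code, data
        off += 4 + length

def status(scope, data):
    code = struct.unpack_from("!H", data)[0]
    return scope, STATUS.get(code, str(code)), data[2:].decode("utf-8", "replace")

def summarize(msg):
    """List what a DHCPv6 message grants per IA, plus every status code."""
    out = {"type": msg[0], "ia_na": [], "ia_pd": [], "status": []}
    for code, data in options(msg[4:]):  # skip msg-type and transaction id
        if code == STATUS_CODE and len(data) >= 2:
            out["status"].append(status("msg", data))
        elif code in (IA_NA, IA_PD) and len(data) >= 12:
            scope = "ia_na" if code == IA_NA else "ia_pd"
            for sub, sd in options(data[12:]):  # skip IAID, T1, T2
                if sub == IAADDR and len(sd) >= 24:
                    out[scope].append(f"{ipaddress.IPv6Address(sd[:16])}/128")
                elif sub == IAPREFIX and len(sd) >= 25:
                    out[scope].append(f"{ipaddress.IPv6Address(sd[9:25])}/{sd[8]}")
                elif sub == STATUS_CODE and len(sd) >= 2:
                    out["status"].append(status(scope, sd))
    return out

def opt(code, data):
    return struct.pack("!HH", code, len(data)) + data

# Constructed Reply (type 7): IA_NA holds an address, IA_PD holds only a status.
hdr = struct.pack("!III", 1, 0, 0)  # IAID, T1, T2
addr = ipaddress.IPv6Address("2001:db8::1").packed + struct.pack("!II", 3600, 7200)
SAMPLE = (bytes([7, 0xAA, 0xBB, 0xCC])
          + opt(IA_NA, hdr + opt(IAADDR, addr))
          + opt(IA_PD, hdr + opt(STATUS_CODE, b"\x00\x06No prefixes have been assigned.")))
if __name__ == "__main__":
    print(summarize(SAMPLE))
```

To use it on real traffic, pass the UDP payload of a packet from port 547 (for example, the bytes shown by `tcpdump -X`) to `summarize()`; an empty `ia_pd` list alongside an `ia_pd` status entry means the server answered without delegating a prefix.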