Hi All
A late update to share my findings regarding
this issue.
The firewall filter applied to the LAN VLAN unit was missing a final catch-all term:
term default {
then accept;
}
Junos firewall filters end with an implicit discard, so without this term every packet that did not match the source-address term - including DHCP DISCOVER/REQUEST frames, which are sent from 0.0.0.0 - was silently dropped on the LAN unit, and the DHCP server never saw them.
For completeness, please find the full working (tested) config below:
- 2 routing instances of type forwarding, one per ISP.
- Each instance has a default route via its own ISP.
- 2 probes (rpm and ip-monitoring) that re-route via the surviving ISP if one ISP fails.
- Interface monitoring for redundancy-group failover.
- Port-channel (LACP) on the LAN side.
- Source NAT (PAT) using the egress interface address.
Note: the public addresses in the config (1.1.1.x, 2.2.2.x, 3.3.3.3, 4.4.4.4, 12.0.0.x) are placeholders for real ISP addresses; if you copy this, replace them rather than reusing addresses that belong to other operators.
Cheers!
-------------------------------------------------------
## Last changed: 2023-08-01 08:48:20 GMT
/* 12.1X47 is an old Junos branch; confirm it still receives security fixes before reusing this config - TODO verify support status */
version 12.1X47-D20.7;
/* Node-specific settings for the chassis cluster: distinct host-names and out-of-band fxp0 management addresses per node */
groups {
node0 {
system {
host-name WE-TEST_core-0;
}
interfaces {
fxp0 {
unit 0 {
family inet {
address 172.31.255.253/30;
}
}
}
}
}
node1 {
system {
host-name WE-TEST_core-1;
}
interfaces {
fxp0 {
unit 0 {
family inet {
address 172.31.255.254/30;
}
}
}
}
}
}
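/* Global system settings: management services, local accounts, DHCP server bindings and logging */
system {
host-name WE-TEST_core;
domain-name example.com;
time-zone GMT;
/* Both password hashes below are MD5-crypt ($1$) and have been posted in a public thread: treat them as compromised and set fresh passwords (plain-text-password) before reusing this config */
root-authentication {
encrypted-password "$1$e0lLanRx$/HLzR00Y6FWlgi8l9D10p/"; ## SECRET-DATA
}
name-server {
208.67.222.222;
208.67.220.220;
}
login {
user user001 {
uid 2001;
class super-user;
authentication {
encrypted-password "$1$fbgM6jsV$o3UMchWv7gE7rdI9QCKor0"; ## SECRET-DATA
}
}
}
services {
/* SSHv1 removed: it is cryptographically broken, and the ISP-facing interfaces accept host-inbound ssh in this config */
ssh {
protocol-version v2;
}
/* telnet removed: clear-text logins; use ssh (v2) instead */
netconf {
ssh {
port 830;
}
}
/* DHCP server bound to the two LAN VLAN units; leases come from the access address-assignment pools of the same name */
dhcp-local-server {
group WW-Floor-7 {
interface reth2.2007;
}
group WW-Floor-8 {
interface reth2.2008;
}
}
}
syslog {
archive size 100k files 3;
user * {
any emergency;
}
/* Local files only; consider adding a remote syslog host so login/authorization events survive a compromise of the box */
file messages {
any warning;
authorization info;
}
file interactive-commands {
interactive-commands error;
}
}
max-configurations-on-flash 5;
max-configuration-rollbacks 5;
license {
autoupdate {
}
}
/* Debug tracing left over from the DHCP troubleshooting ("flag all"); delete or deactivate it in production */
processes {
dhcp-service {
traceoptions {
file JDHCPDEBUG size 20m files 5;
flag all;
}
}
}
}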
/* Two-node chassis cluster: RG0 owns the routing engine, RG1/RG3 follow the ISP reth links, RG2 follows the LAN LAG */
chassis {
aggregated-devices {
ethernet {
device-count 2;
}
}
cluster {
reth-count 4;
redundancy-group 0 {
node 0 priority 100;
node 1 priority 1;
}
/* RG1 (reth1 / ISP1): weight 255 means a single monitored link going down fails the group over; preempt returns it to node0 once the link recovers */
redundancy-group 1 {
node 0 priority 100;
node 1 priority 1;
preempt;
gratuitous-arp-count 4;
interface-monitor {
ge-0/0/6 weight 255;
ge-9/0/6 weight 255;
}
}
/* RG2 (reth2 / LAN LAG): weight 128 per member, so both LAG members on a node must be down before the group fails over */
redundancy-group 2 {
node 0 priority 100;
node 1 priority 1;
preempt;
gratuitous-arp-count 4;
interface-monitor {
ge-0/0/8 weight 128;
ge-9/0/8 weight 128;
ge-0/0/9 weight 128;
ge-9/0/9 weight 128;
}
}
/* RG3 (reth3 / ISP2): same single-link failover behaviour as RG1 */
redundancy-group 3 {
node 0 priority 100;
node 1 priority 1;
preempt;
gratuitous-arp-count 4;
interface-monitor {
ge-0/0/7 weight 255;
ge-9/0/7 weight 255;
}
}
}
}
/* Data-plane interfaces: ge-0/0/x are on node0, ge-9/0/x on node1; each pair is bundled into a reth */
interfaces {
/* ge-0/0/5 and ge-9/0/5 carry per-node addresses in 12.0.0.0/24 and are placed in zone example; their role is not explained in the thread - confirm they are still needed */
ge-0/0/5 {
unit 0 {
family inet {
address 12.0.0.100/24;
}
}
}
ge-0/0/6 {
gigether-options {
redundant-parent reth1;
}
}
ge-0/0/7 {
gigether-options {
redundant-parent reth3;
}
}
ge-0/0/8 {
gigether-options {
redundant-parent reth2;
}
}
ge-0/0/9 {
gigether-options {
redundant-parent reth2;
}
}
ge-9/0/5 {
unit 0 {
family inet {
address 12.0.0.101/24;
}
}
}
ge-9/0/6 {
gigether-options {
redundant-parent reth1;
}
}
ge-9/0/7 {
gigether-options {
redundant-parent reth3;
}
}
ge-9/0/8 {
gigether-options {
redundant-parent reth2;
}
}
ge-9/0/9 {
gigether-options {
redundant-parent reth2;
}
}
/* Cluster fabric links, two members per node */
fab0 {
fabric-options {
member-interfaces {
ge-0/0/2;
ge-0/0/3;
}
}
}
fab1 {
fabric-options {
member-interfaces {
ge-9/0/2;
ge-9/0/3;
}
}
}
/* ISP1 uplink; 1.1.1.1/30 is a placeholder for the real ISP-assigned address */
reth1 {
description ISP1;
redundant-ether-options {
redundancy-group 1;
}
unit 0 {
description ISP1;
family inet {
address 1.1.1.1/30;
}
}
}
/* LAN-side LACP bundle towards the distribution switch. NOTE(review): with vlan-tagging, "mtu 1500" leaves an inet MTU of 1482 (visible in the show interfaces output further down the thread); set mtu 1518 if clients expect a 1500-byte IP MTU */
reth2 {
description Distro-switch;
vlan-tagging;
mtu 1500;
redundant-ether-options {
redundancy-group 2;
minimum-links 1;
lacp {
active;
periodic slow;
}
}
/* Floor 7: input filter steers LAN traffic into RI_ISP_ONE (filter-based forwarding) */
unit 2007 {
description WW-Floor-7;
vlan-id 2007;
family inet {
filter {
input F_F_ISP_ONE_U2007;
}
address 10.0.7.1/24;
}
}
/* Floor 8: same pattern, steered into RI_ISP_TWO */
unit 2008 {
description WW-Floor-8;
vlan-id 2008;
family inet {
filter {
input F_F_ISP_TWO_U2008;
}
address 10.0.8.1/24;
}
}
}
/* ISP2 uplink; 2.2.2.1/30 is a placeholder for the real ISP-assigned address */
reth3 {
description ISP2;
redundant-ether-options {
redundancy-group 3;
}
unit 0 {
description ISP2;
family inet {
address 2.2.2.1/30;
}
}
}
/* vlan.0 is not referenced anywhere else in this config and can be deleted */
vlan {
unit 0;
}
}
routing-options {
/* Copy the directly-connected (interface) routes from inet.0 into both forwarding instances, so each instance can resolve its ISP next-hop and reach the local LAN subnets */
interface-routes {
rib-group inet RO_IR_RG_I_ISP_Specific;
}
/* Host routes pin each RPM probe target to its own ISP link, so the probe really tests that link and cannot succeed via the other one. inet.0 deliberately has no default route */
static {
route 3.3.3.3/32 next-hop 1.1.1.2;
route 4.4.4.4/32 next-hop 2.2.2.2;
}
rib-groups {
RO_IR_RG_I_ISP_Specific {
import-rib [ inet.0 RI_ISP_ONE.inet.0 RI_ISP_TWO.inet.0 ];
}
}
}
/* NOTE(review): "interface all" also runs LLDP on the ISP-facing reth1/reth3 members, advertising hostname and platform details to the upstream provider; restrict it to the LAN-side ports if that is not intended */
protocols {
lldp {
interface all;
}
}
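/* Security configuration: flow tracing (debug), source NAT, inter-zone policies and zone host-inbound services */
security {
/* Flow tracing left on from the DHCP troubleshooting; it costs CPU and disk on a production box - deactivate or delete when done */
flow {
traceoptions {
file DHCPTRACE size 20m files 5;
flag basic-datapath;
flag packet-drops;
packet-filter R1 {
source-port 68;
}
packet-filter R2 {
source-port 67;
}
}
}
nat {
source {
/* These two pools are not referenced by any rule below (both rules use interface NAT); remove them or use them deliberately */
pool voip-reth1 {
address {
1.1.1.1/32;
}
}
pool voip-reth3 {
address {
2.2.2.1/32;
}
}
/* Each LAN unit is PAT'ed behind whichever ISP interface its routing instance currently exits, so NAT stays consistent across an ip-monitoring failover */
rule-set S_N_S_RS_ISP_ONE {
from interface reth2.2007;
to interface [ reth1.0 reth3.0 ];
rule U2007 {
match {
source-address 10.0.7.0/24;
destination-address 0.0.0.0/0;
}
then {
source-nat {
interface;
}
}
}
}
rule-set S_N_S_RS_ISP_TWO {
from interface reth2.2008;
to interface [ reth1.0 reth3.0 ];
rule U2008 {
match {
source-address 10.0.8.0/24;
destination-address 0.0.0.0/0;
}
then {
source-nat {
interface;
}
}
}
}
}
}
/* Policies: the previous internet->example allow-all has been removed. Return traffic for LAN-initiated sessions is matched by the stateful session table and needs no policy, so anything the internet initiates towards the LAN now hits the default deny */
policies {
/* Only needed if traffic entering one ISP link is meant to exit the other (inet.0 has no default route, so only the probe targets are reachable this way); delete it if that is not intended */
from-zone internet to-zone internet {
policy allow-all {
match {
source-address any;
destination-address any;
application any;
}
then {
permit;
}
}
}
/* LAN to internet: unrestricted outbound, NATed by the rule-sets above */
from-zone example to-zone internet {
policy allow-all {
match {
source-address any;
destination-address any;
application any;
}
then {
permit;
}
}
}
/* Intra-LAN (floor 7 <-> floor 8) traffic is open */
from-zone example to-zone example {
policy allow-all {
match {
source-address any;
destination-address any;
application any;
}
then {
permit;
}
}
}
}
zones {
/* LAN zone: the RE must accept dhcp on the VLAN units for the DHCP server to work; "all" is broader than needed but these interfaces face the internal LAN */
security-zone example {
host-inbound-traffic {
system-services {
all;
}
protocols {
all;
}
}
interfaces {
reth2.2007 {
host-inbound-traffic {
system-services {
all;
}
}
}
reth2.2008 {
host-inbound-traffic {
system-services {
all;
}
}
}
ge-0/0/5.0;
ge-9/0/5.0;
}
}
/* Internet zone: previously "system-services all / protocols all", which exposed ssh, telnet, netconf, http(s), snmp etc. on the ISP links. Only ping (diagnostics) and rpm are kept; no routing protocol runs on these links, so none is accepted. NOTE(review): rpm is retained in case the platform needs it for probe replies - verify the probes still succeed after this change */
security-zone internet {
host-inbound-traffic {
system-services {
ping;
rpm;
}
}
interfaces {
reth1.0;
reth3.0;
}
}
}
}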
firewall {
/* Not applied to any interface in this config (the VLAN units use the F_F_* filters); either attach it or delete it */
filter DHCP {
term 1 {
from {
destination-port [ 67 68 ];
}
then accept;
}
}
/* Filter-based forwarding for floor 7: LAN-sourced traffic is steered into RI_ISP_ONE */
filter F_F_ISP_ONE_U2007 {
term TM2007 {
from {
source-address {
10.0.7.0/24;
}
}
then {
routing-instance RI_ISP_ONE;
}
}
/* Junos filters end with an implicit discard. Without this term, packets not sourced from 10.0.7.0/24 - notably DHCP DISCOVER/REQUEST sent from 0.0.0.0 - were dropped, which is what broke the DHCP server. Accepted packets are looked up in inet.0, which has no default route, so a spoofed source cannot reach the internet via this path */
term default {
then accept;
}
}
/* Same pattern for floor 8, steered into RI_ISP_TWO */
filter F_F_ISP_TWO_U2008 {
term TM2008 {
from {
source-address {
10.0.8.0/24;
}
}
then {
routing-instance RI_ISP_TWO;
}
}
term default {
then accept;
}
}
}
/* DHCP address pools consumed by system services dhcp-local-server; .1-.9 of each subnet are left out of the range for the gateway and static hosts */
access {
address-assignment {
pool WW-Floor-7 {
family inet {
network 10.0.7.0/24;
range range1 {
low 10.0.7.10;
high 10.0.7.254;
}
dhcp-attributes {
maximum-lease-time 3600;
domain-name example.com;
/* External resolvers handed to clients; they are reached through the per-floor ISP instance */
name-server {
208.67.222.222;
208.67.220.220;
}
router {
10.0.7.1;
}
}
}
}
pool WW-Floor-8 {
family inet {
network 10.0.8.0/24;
range range1 {
low 10.0.8.10;
high 10.0.8.254;
}
dhcp-attributes {
maximum-lease-time 3600;
domain-name example.com;
name-server {
208.67.222.222;
208.67.220.220;
}
router {
10.0.8.1;
}
}
}
}
}
}
/* One forwarding instance per ISP, each with its own default route; ip-monitoring rewrites that default to the other ISP's next-hop when the probe fails */
routing-instances {
RI_ISP_ONE {
instance-type forwarding;
routing-options {
static {
route 0.0.0.0/0 next-hop 1.1.1.2;
}
}
}
RI_ISP_TWO {
instance-type forwarding;
routing-options {
static {
route 0.0.0.0/0 next-hop 2.2.2.2;
}
}
}
}
services {
/* ICMP probes to the per-ISP targets (pinned to each link by the /32 static routes in routing-options); 5 probes at 1 s interval, failing on 3 successive or 3 total losses */
rpm {
probe S_R_P_ISP_ONE {
test test_echo_ping {
probe-type icmp-ping;
target address 3.3.3.3;
probe-count 5;
probe-interval 1;
test-interval 1;
thresholds {
successive-loss 3;
total-loss 3;
}
destination-interface reth1.0;
}
}
probe S_R_P_ISP_TWO {
test test_echo_ping2 {
probe-type icmp-ping;
target address 4.4.4.4;
probe-count 5;
probe-interval 1;
test-interval 1;
thresholds {
successive-loss 3;
total-loss 3;
}
destination-interface reth3.0;
}
}
}
/* When an ISP's probe fails, the default route of that ISP's instance is replaced by the other ISP's next-hop; the next-hop is resolvable because interface routes are imported into both instances. If both probes fail at once, both instances point at each other's dead link - expected, nothing to fail over to */
ip-monitoring {
policy S_IM_POL_ISP_ONE {
match {
rpm-probe S_R_P_ISP_ONE;
}
then {
preferred-route {
routing-instances RI_ISP_ONE {
route 0.0.0.0/0 {
next-hop 2.2.2.2;
}
}
}
}
}
policy S_IM_POL_ISP_TWO {
match {
rpm-probe S_R_P_ISP_TWO;
}
then {
preferred-route {
routing-instances RI_ISP_TWO {
route 0.0.0.0/0 {
next-hop 1.1.1.2;
}
}
}
}
}
}
}
-------------------------------------------------------
------------------------------
FRED ELLENA
------------------------------
Original Message:
Sent: 07-04-2023 08:25
From: FRED ELLENA
Subject: No more DHCP offer on my downlink interface
Hi!
I have a DHCP server configured on an SRX500
and it does not send any offer when receiving a request
anymore.
In fact it does not send any data out the downlink interface
(reth2.2007, counter at 0 for Output on reth2 and reth2.2007).
It receives data on this interface though.
I did a packet capture and the requests are properly sent by the clients
(the input counter on the SRX interface increases as well).
I am wondering what could be the cause for this behavior
(I am thinking about some policy prohibiting output
but I cannot find it currently).
I paste the config and the `show interfaces` output below for reference:
-------------------------------------------------------
## Last commit: 2023-07-04 09:24:55 GMT by root
version 12.1X47-D20.7;
/* Original (broken) config as posted: node-specific host-names and fxp0 management addresses, identical to the final version */
groups {
node0 {
system {
host-name WE-TEST_core-0;
}
interfaces {
fxp0 {
unit 0 {
family inet {
address 172.31.255.253/30;
}
}
}
}
}
node1 {
system {
host-name WE-TEST_core-1;
}
interfaces {
fxp0 {
unit 0 {
family inet {
address 172.31.255.254/30;
}
}
}
}
}
}
system {
host-name WE-TEST_core;
domain-name example.com;
time-zone GMT;
/* MD5-crypt hashes, now public in this thread - rotate both passwords before reusing any of this */
root-authentication {
encrypted-password "$1$e0lLanRx$/HLzR00Y6FWlgi8l9D10p/"; ## SECRET-DATA
}
name-server {
208.67.222.222;
208.67.220.220;
}
login {
user user001 {
uid 2001;
class super-user;
authentication {
encrypted-password "$1$fbgM6jsV$o3UMchWv7gE7rdI9QCKor0"; ## SECRET-DATA
}
}
}
services {
/* SSHv1 and telnet are enabled here, and the internet zone below accepts all system-services: both are reachable from the ISP links. Use "protocol-version v2" and drop telnet */
ssh {
protocol-version [ v2 v1 ];
}
telnet;
netconf {
ssh {
port 830;
}
}
/* Only floor 7 is served in this version; the DHCP server itself is correctly bound, the failure is in the input filter on reth2.2007 */
dhcp-local-server {
group WW-Floor-7 {
interface reth2.2007;
}
}
}
syslog {
archive size 100k files 3;
user * {
any emergency;
}
file messages {
any warning;
authorization info;
}
file interactive-commands {
interactive-commands error;
}
}
max-configurations-on-flash 5;
max-configuration-rollbacks 5;
license {
autoupdate {
}
}
/* Debug tracing for the DHCP daemon; useful for this investigation, not for production */
processes {
dhcp-service {
traceoptions {
file JDHCPDEBUG size 20m files 5;
flag all;
}
}
}
}
/* Cluster redundancy groups; unchanged between this and the final config */
chassis {
aggregated-devices {
ethernet {
device-count 2;
}
}
cluster {
reth-count 4;
redundancy-group 0 {
node 0 priority 100;
node 1 priority 1;
}
redundancy-group 1 {
node 0 priority 100;
node 1 priority 1;
preempt;
gratuitous-arp-count 4;
interface-monitor {
ge-0/0/6 weight 255;
ge-9/0/6 weight 255;
}
}
redundancy-group 2 {
node 0 priority 100;
node 1 priority 1;
preempt;
gratuitous-arp-count 4;
interface-monitor {
ge-0/0/8 weight 128;
ge-9/0/8 weight 128;
ge-0/0/9 weight 128;
ge-9/0/9 weight 128;
}
}
redundancy-group 3 {
node 0 priority 100;
node 1 priority 1;
preempt;
gratuitous-arp-count 4;
interface-monitor {
ge-0/0/7 weight 255;
ge-9/0/7 weight 255;
}
}
}
}
interfaces {
ge-0/0/5 {
unit 0 {
family inet {
address 12.0.0.100/24;
}
}
}
ge-0/0/6 {
gigether-options {
redundant-parent reth1;
}
}
ge-0/0/7 {
gigether-options {
redundant-parent reth3;
}
}
ge-0/0/8 {
gigether-options {
redundant-parent reth2;
}
}
ge-0/0/9 {
gigether-options {
redundant-parent reth2;
}
}
ge-9/0/5 {
unit 0 {
family inet {
address 12.0.0.101/24;
}
}
}
ge-9/0/6 {
gigether-options {
redundant-parent reth1;
}
}
ge-9/0/7 {
gigether-options {
redundant-parent reth3;
}
}
ge-9/0/8 {
gigether-options {
redundant-parent reth2;
}
}
ge-9/0/9 {
gigether-options {
redundant-parent reth2;
}
}
fab0 {
fabric-options {
member-interfaces {
ge-0/0/2;
ge-0/0/3;
}
}
}
fab1 {
fabric-options {
member-interfaces {
ge-9/0/2;
ge-9/0/3;
}
}
}
reth1 {
description ISP1;
redundant-ether-options {
redundancy-group 1;
}
unit 0 {
description ISP1;
family inet {
address 1.1.1.1/30;
}
}
}
reth2 {
description Distro-switch;
vlan-tagging;
mtu 1500;
redundant-ether-options {
redundancy-group 2;
minimum-links 1;
lacp {
active;
periodic slow;
}
}
/* The input filter FW_FL_RIB_ISPONE_U2007 has a single term matching source 10.0.7.0/24 and no catch-all, so DHCP DISCOVER/REQUEST from 0.0.0.0 hits the implicit discard here - this is why the unit receives packets but never sends an OFFER */
unit 2007 {
description WW-Floor-7;
vlan-id 2007;
family inet {
filter {
input FW_FL_RIB_ISPONE_U2007;
}
address 10.0.7.1/24;
}
}
}
reth3 {
description ISP2;
redundant-ether-options {
redundancy-group 3;
}
unit 0 {
description ISP2;
family inet {
address 2.2.2.1/30;
}
}
}
vlan {
unit 0;
}
}
/* Interface routes are shared with both forwarding instances; unlike the final config there are no host routes for probe targets yet, so the probes below test the directly connected ISP gateways instead */
routing-options {
interface-routes {
rib-group inet ISP_Specific;
}
rib-groups {
ISP_Specific {
import-rib [ inet.0 ISP_ONE.inet.0 ISP_TWO.inet.0 ];
}
}
}
/* LLDP on every port, including the ISP-facing ones */
protocols {
lldp {
interface all;
}
}
security {
/* Flow tracing scoped to DHCP ports (67/68) for this investigation */
flow {
traceoptions {
file DHCPTRACE size 20m files 5;
flag basic-datapath;
flag packet-drops;
packet-filter R1 {
source-port 68;
}
packet-filter R2 {
source-port 67;
}
}
}
nat {
source {
pool voip-reth1 {
address {
1.1.1.1/32;
}
}
pool voip-reth3 {
address {
2.2.2.1/32;
}
}
/* Pool-based NAT with persistent-nat "permit any-remote-host": any external host may send to a mapped port, and the internet->example allow-all policy below would deliver it to the LAN host. Acceptable for VoIP if intended, but it is an inbound path to note */
rule-set to-internet-reth1 {
from zone example;
to interface reth1.0;
rule voip-reth1 {
match {
source-address 10.0.7.0/24;
destination-address 0.0.0.0/0;
}
then {
source-nat {
pool {
voip-reth1;
persistent-nat {
permit any-remote-host;
}
}
}
}
}
}
rule-set to-internet-reth3 {
from zone example;
to interface reth3.0;
rule voip-reth3 {
match {
source-address 10.0.7.0/24;
destination-address 0.0.0.0/0;
}
then {
source-nat {
pool {
voip-reth3;
persistent-nat {
permit any-remote-host;
}
}
}
}
}
}
}
}
/* All four zone pairs are allow-all, including internet->example; none of these policies is what blocks DHCP (DHCP to the RE is host-inbound traffic, not policy traffic) */
policies {
from-zone internet to-zone internet {
policy allow-all {
match {
source-address any;
destination-address any;
application any;
}
then {
permit;
}
}
}
from-zone example to-zone internet {
policy allow-all {
match {
source-address any;
destination-address any;
application any;
}
then {
permit;
}
}
}
from-zone example to-zone example {
policy allow-all {
match {
source-address any;
destination-address any;
application any;
}
then {
permit;
}
}
}
from-zone internet to-zone example {
policy allow-all {
match {
source-address any;
destination-address any;
application any;
}
then {
permit;
}
}
}
}
zones {
security-zone example {
host-inbound-traffic {
system-services {
all;
}
protocols {
all;
}
}
interfaces {
/* "all" already includes dhcp, rpm and ping; the explicit entries are redundant. Host-inbound is not the problem here - the show interfaces output confirms bootp/dhcp are allowed */
reth2.2007 {
host-inbound-traffic {
system-services {
all;
dhcp;
rpm;
ping;
}
protocols {
all;
}
}
}
ge-0/0/5.0;
ge-9/0/5.0;
}
}
/* Internet zone accepts every system service (ssh, telnet, snmp, http, ...) and every protocol on the ISP links; "all" makes the individual entries redundant and should be narrowed */
security-zone internet {
host-inbound-traffic {
system-services {
ike;
ping;
ssh;
snmp;
telnet;
all;
rpm;
}
protocols {
all;
}
}
interfaces {
reth1.0;
reth3.0;
}
}
}
}
firewall {
/* Defined but not applied to any interface */
filter DHCP {
term 1 {
from {
destination-port [ 67 68 ];
}
then accept;
}
}
/* Defined but not applied to any interface */
filter all_in {
term 2 {
from {
protocol icmp;
}
then accept;
}
}
/* ROOT CAUSE: the only term matches source 10.0.7.0/24; everything else - DHCP DISCOVER/REQUEST from 0.0.0.0 included - falls into the implicit discard at the end of the filter. The fix in the follow-up is a trailing "term default { then accept; }" */
filter FW_FL_RIB_ISPONE_U2007 {
term TM2007 {
from {
source-address {
10.0.7.0/24;
}
}
then {
routing-instance ISP_ONE;
}
}
}
}
/* Floor 7 DHCP pool; matches the dhcp-local-server group of the same name */
access {
address-assignment {
pool WW-Floor-7 {
family inet {
network 10.0.7.0/24;
range range1 {
low 10.0.7.10;
high 10.0.7.254;
}
dhcp-attributes {
maximum-lease-time 3600;
domain-name example.com;
name-server {
208.67.222.222;
208.67.220.220;
}
router {
10.0.7.1;
}
}
}
}
}
}
/* Per-ISP forwarding instances with their own default routes */
routing-instances {
ISP_ONE {
instance-type forwarding;
routing-options {
static {
route 0.0.0.0/0 next-hop 1.1.1.2;
}
}
}
ISP_TWO {
instance-type forwarding;
routing-options {
static {
route 0.0.0.0/0 next-hop 2.2.2.2;
}
}
}
}
services {
/* Probes target the directly connected ISP gateways, so they only detect a dead link/gateway, not an upstream outage; the final config moves the targets further out (3.3.3.3 / 4.4.4.4) and uses faster timers */
rpm {
probe Probe-Server {
test testsvr {
target address 1.1.1.2;
probe-count 10;
probe-interval 5;
test-interval 10;
thresholds {
successive-loss 10;
total-loss 5;
}
destination-interface reth1.0;
next-hop 1.1.1.2;
}
}
probe Probe-Server1 {
test testsvr {
target address 2.2.2.2;
probe-count 10;
probe-interval 5;
test-interval 10;
thresholds {
successive-loss 10;
total-loss 5;
}
destination-interface reth3.0;
next-hop 2.2.2.2;
}
}
}
/* On probe failure, swap the failed instance's default route to the other ISP's gateway */
ip-monitoring {
policy Server-Tracking {
match {
rpm-probe Probe-Server;
}
then {
preferred-route {
routing-instances ISP_ONE {
route 0.0.0.0/0 {
next-hop 2.2.2.2;
}
}
}
}
}
policy Server-Tracking1 {
match {
rpm-probe Probe-Server1;
}
then {
preferred-route {
routing-instances ISP_TWO {
route 0.0.0.0/0 {
next-hop 1.1.1.2;
}
}
}
}
}
}
}
-------------------------------------------------------
user001@WE-TEST_core# run show interfaces reth2.2007
Logical interface reth2.2007 (Index 103) (SNMP ifIndex 571)
Description: WW-Floor-7
Flags: SNMP-Traps 0x0 VLAN-Tag [ 0x8100.2007 ] Encapsulation: ENET2
Statistics Packets pps Bytes bps
Bundle:
Input : 2001833 0 159714711 528
Output: 0 0 0 0
Security: Zone: example
Allowed host-inbound traffic : bootp bfd bgp dns dvmrp igmp ldp msdp nhrp ospf pgm pim rip router-discovery rsvp sap vrrp dhcp finger ftp tftp ident-reset http https ike
netconf ping reverse-telnet reverse-ssh rlogin rpm rsh snmp snmp-trap ssh telnet traceroute xnm-clear-text xnm-ssl lsping ntp sip r2cp
Protocol inet, MTU: 1482
Flags: Sendbcast-pkt-to-re
Addresses, Flags: Is-Preferred Is-Primary
Destination: 10.0.7/24, Local: 10.0.7.1, Broadcast: 10.0.7.255
-------------------------------------------------------
Please do not hesitate to tell me if you need more info.
Thanks in advance for any insight!
------------------------------
FRED ELLENA
------------------------------