Junos OS

Ask questions and share experiences about Junos OS.

SRX 220 DHCP issue Single vlan

  • 1.  SRX 220 DHCP issue Single vlan

    Posted 09-06-2015 17:35

    I'm new to Juniper firewalls and I'm having an issue, but I'm not sure if I'm missing any settings in the config or if the unit is defective.

    This is what I'm trying to accomplish on the physical interfaces of the unit:

    Port 0: Service from Comcast

    Port 1: A wireless access point, non-Juniper. It's actually a Netgear R6300 configured to run as an AP

    Port 2: Connected to a switch with 8+ devices: computers, game console(s), etc.

    Port 3: Connected to a file server

    I want the whole network to be on the 10.10.10.0 subnet. I think it's a simple setup. At least it used to be while I had it set up on a Netgear SRX5308, but that unit died and I replaced it with an SRX220H.

    The issue I'm having is that DHCP is not working properly. If I connect a computer directly to any of the ports on the SRX220 it does get its IP settings correctly, but if I connect the switch with additional devices or the access point, none of the devices connected to the switch or access point receive IPs.

    I would really appreciate any help.

    This is my current configuration:

    version 11.4R7.5;
    system {
        host-name srx220;
        time-zone America/Los_Angeles;
        authentication-order password;
        root-authentication {
            encrypted-password "password"; ## SECRET-DATA
        }
        name-server {
            208.67.222.222;
            208.67.220.220;
        }
        login {
            user chesco {
                full-name Chesco;
                uid 100;
                class super-user;
                authentication {
                    encrypted-password "password"; ## SECRET-DATA
                }
            }
        }
        services {
            ssh;
            telnet;
            xnm-clear-text;
            web-management {
                https {
                    system-generated-certificate;
                }
            }
            dhcp {
                router {
                    10.10.10.1;
                }
                pool 10.10.10.0/24 {
                    address-range low 10.10.10.2 high 10.10.10.250;
                    default-lease-time 3600;
                    name-server {
                        8.8.8.8;
                    }
                    router {
                        10.10.10.1;
                    }
                }
                propagate-settings ge-0/0/0.0;
            }
        }
        syslog {
            archive size 100k files 3;
            user * {
                any emergency;
            }
            file messages {
                any critical;
                authorization info;
            }
            file interactive-commands {
                interactive-commands error;
            }
            file ids {
                any any;
                match RT_IDS;
                archive world-readable;
                structured-data;
            }
        }
        max-configurations-on-flash 5;
        max-configuration-rollbacks 5;
        license {
            autoupdate {
                url https://ae1.juniper.net/junos/key_retrieval;
            }
        }
    }
    interfaces {
        ge-0/0/0 {
            unit 0 {
                family inet {
                    dhcp;
                }
            }
        }
        ge-0/0/1 {
            unit 0 {
                family ethernet-switching {
                    vlan {
                        members vlan-trust;
                    }
                }
            }
        }
        ge-0/0/2 {
            unit 0 {
                family ethernet-switching {
                    vlan {
                        members vlan-trust;
                    }
                }
            }
        }
        ge-0/0/3 {
            unit 0 {
                family ethernet-switching {
                    vlan {
                        members vlan-trust;
                    }
                }
            }
        }
        ge-0/0/4 {
            unit 0 {
                family ethernet-switching {
                    vlan {
                        members vlan-trust;
                    }
                }
            }
        }
        ge-0/0/5 {
            unit 0 {
                family ethernet-switching {
                    vlan {
                        members vlan-trust;
                    }
                }
            }
        }
        ge-0/0/6 {
            unit 0 {
                family ethernet-switching {
                    vlan {
                        members vlan-trust;
                    }
                }
            }
        }
        ge-0/0/7 {
            unit 0 {
                family ethernet-switching {
                    vlan {
                        members vlan-trust;
                    }
                }
            }
        }
        vlan {
            unit 0 {
                family inet {
                    address 10.10.10.1/24;
                }
            }
        }
    }
    protocols {
        stp;
    }
    security {
        log {
            mode event;
        }
        screen {
            ids-option untrust-screen {
                icmp {
                    ping-death;
                }
                ip {
                    source-route-option;
                    tear-drop;
                }
                tcp {
                    syn-flood {
                        alarm-threshold 1024;
                        attack-threshold 200;
                        source-threshold 1024;
                        destination-threshold 2048;
                        timeout 20;
                    }
                    land;
                }
            }
        }
        nat {
            source {
                rule-set trust-to-untrust {
                    from zone trust;
                    to zone untrust;
                    rule source-nat-rule {
                        match {
                            source-address 0.0.0.0/0;
                        }
                        then {
                            source-nat {
                                interface;
                            }
                        }
                    }
                }
            }
        }
        policies {
            from-zone trust to-zone untrust {
                policy trust-to-untrust {
                    match {
                        source-address any;
                        destination-address any;
                        application any;
                    }
                    then {
                        permit;
                        log {
                            session-init;
                            session-close;
                        }
                    }
                }
            }
            from-zone untrust to-zone trust {
            }
        }
        zones {
            security-zone trust {
                
                host-inbound-traffic {
                    system-services {
                        all;
                    }
                    protocols {
                        all;
                    }
                }
                interfaces {
                    vlan.0;
                }
            }
            security-zone untrust {
                screen untrust-screen;
                host-inbound-traffic {
                    system-services {
                        https;
                        ssh;
                    }
                }
                interfaces {
                    ge-0/0/0.0 {
                        host-inbound-traffic {
                            system-services {
                                dhcp;
                                tftp;
                                https;
                                ssh;
                            }
                        }
                    }
                }
            }
            
        }
    }
    vlans {
        vlan-trust {
            vlan-id 3;
            l3-interface vlan.0;
        }
    }

    As I mentioned before, I'm new at this; any pointers are appreciated.
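    An added note on the posted configuration, from the editor rather than from anyone in the thread, and unrelated to the DHCP symptom: the config enables `telnet` and `xnm-clear-text` (both cleartext management protocols), allows `ssh` and `https` inbound on the untrust zone and on ge-0/0/0.0 (the Comcast-facing interface), and allows `all` system-services and protocols inbound on trust. The fragment below is an example of trimming that to what this LAN uses; it is not the poster's config. It keeps `dhcp` inbound on trust, which the DHCP server bound to vlan.0 needs in order to receive client requests; the other services listed for trust (ping, ssh, https) are an assumption about what the LAN needs.

```junos
## Added hardening example; not part of the original post. Adjust to what your LAN needs.
delete system services telnet
delete system services xnm-clear-text
## Management only from the LAN side: drop ssh/https from the untrust zone and its interface
delete security zones security-zone untrust host-inbound-traffic system-services ssh
delete security zones security-zone untrust host-inbound-traffic system-services https
delete security zones security-zone untrust interfaces ge-0/0/0.0 host-inbound-traffic system-services ssh
delete security zones security-zone untrust interfaces ge-0/0/0.0 host-inbound-traffic system-services https
## Trust zone: list what the LAN needs instead of "all". dhcp must stay, or the
## server on vlan.0 never sees the DISCOVERs. (ping/ssh/https: assumed LAN needs)
delete security zones security-zone trust host-inbound-traffic
set security zones security-zone trust host-inbound-traffic system-services dhcp
set security zones security-zone trust host-inbound-traffic system-services ping
set security zones security-zone trust host-inbound-traffic system-services ssh
set security zones security-zone trust host-inbound-traffic system-services https
commit
```

    Run `show security zones trust` after the commit to confirm `dhcp` is still in the inbound list; if it is not, the symptom in this thread (DISCOVERs never answered) would appear for every client, not only the ones behind the switch and AP.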



  • 2.  RE: SRX 220 DHCP issue Single vlan

     
    Posted 09-07-2015 00:12

    Hi chesco9,

    Your config looks fine. Could you please add the config below in addition to the propagate-settings config already specified? "update-server" is used to propagate TCP/IP settings learned from an external DHCP server to the DHCP server running on the switch, router, or device.

    set interfaces ge-0/0/0 unit 0 family inet dhcp update-server

    commit

    If the issue persists, please share the output of "show system services dhcp statistics".



  • 3.  RE: SRX 220 DHCP issue Single vlan

    Posted 09-07-2015 08:47

    Hello rsuraj,

    Thank you for responding. I went ahead and did what you suggested, but it didn't work. I was able to connect a PC directly to the SRX220 and I got an IP, but when I connected the wireless AP to port 2 none of the devices received addresses. I logged into the J-Web interface and it showed only one lease in the DHCP client list. These are the DHCP stats you asked me to share with you:

    chesco@srx220> edit
    Entering configuration mode
    
    [edit]
    chesco@srx220# ... unit 0 family inet dhcp update-server
    
    [edit]
    chesco@srx220# commit
    commit complete
    
    [edit]
    chesco@srx220# exit
    Exiting configuration mode
    
    chesco@srx220> show system services dhcp statistics
    Packets dropped:
        Total                      0
    
    Messages received:
        BOOTREQUEST                0
        DHCPDECLINE                0
        DHCPDISCOVER               3
        DHCPINFORM                 0
        DHCPRELEASE                0
        DHCPREQUEST                8
    
    Messages sent:
        BOOTREPLY                  0
        DHCPOFFER                  3
        DHCPACK                    3
        DHCPNAK                    0
    
    chesco@srx220> show system services dhcp statistics
    Packets dropped:
        Total                      0
    
    Messages received:
        BOOTREQUEST                0
        DHCPDECLINE                0
        DHCPDISCOVER               7
        DHCPINFORM                 0
        DHCPRELEASE                0
        DHCPREQUEST                11
    
    Messages sent:
        BOOTREPLY                  0
        DHCPOFFER                  7
        DHCPACK                    3
        DHCPNAK                    0
    
    chesco@srx220> show system services dhcp statistics
    Packets dropped:
        Total                      0
    
    Messages received:
        BOOTREQUEST                0
        DHCPDECLINE                0
        DHCPDISCOVER               9
        DHCPINFORM                 0
        DHCPRELEASE                0
        DHCPREQUEST                11
    
    Messages sent:
        BOOTREPLY                  0
        DHCPOFFER                  9
        DHCPACK                    3
        DHCPNAK                    0
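    The three snapshots above are cumulative counters, so the useful view is the growth between two of them. The script below is an added example (not from the thread) that parses this `show system services dhcp statistics` output, takes the delta between the first and third snapshots (transcribed from the post above), and reports which step of the Discover/Offer/Request/Ack exchange is not completing. The interpretation rules in `dora_findings` are the editor's, not Juniper's.

```python
"""Compare two snapshots of `show system services dhcp statistics` and say
which step of the DHCP Discover/Offer/Request/Ack exchange is not completing.

Added example, not from the thread. The two snapshots are transcribed from
the first and third outputs chesco posted above.
"""
import re
from typing import Dict, List

Stats = Dict[str, Dict[str, int]]

SNAPSHOT_BEFORE = """\
Packets dropped:
    Total                      0

Messages received:
    BOOTREQUEST                0
    DHCPDECLINE                0
    DHCPDISCOVER               3
    DHCPINFORM                 0
    DHCPRELEASE                0
    DHCPREQUEST                8

Messages sent:
    BOOTREPLY                  0
    DHCPOFFER                  3
    DHCPACK                    3
    DHCPNAK                    0
"""

SNAPSHOT_AFTER = """\
Packets dropped:
    Total                      0

Messages received:
    BOOTREQUEST                0
    DHCPDECLINE                0
    DHCPDISCOVER               9
    DHCPINFORM                 0
    DHCPRELEASE                0
    DHCPREQUEST                11

Messages sent:
    BOOTREPLY                  0
    DHCPOFFER                  9
    DHCPACK                    3
    DHCPNAK                    0
"""

_SECTIONS = {"Packets dropped:": "dropped",
             "Messages received:": "received",
             "Messages sent:": "sent"}
_COUNTER = re.compile(r"^\s*([A-Za-z]+)\s+(\d+)\s*$")


def parse_dhcp_statistics(text: str) -> Stats:
    """Turn the CLI output into {'dropped': {...}, 'received': {...}, 'sent': {...}}."""
    stats: Stats = {name: {} for name in _SECTIONS.values()}
    section = None
    for line in text.splitlines():
        if line.strip() in _SECTIONS:
            section = _SECTIONS[line.strip()]
            continue
        m = _COUNTER.match(line)
        if m and section is not None:
            stats[section][m.group(1)] = int(m.group(2))
    return stats


def delta(before: Stats, after: Stats) -> Stats:
    """Per-counter growth between two snapshots; counters only increase until cleared."""
    return {section: {name: after[section][name] - before[section].get(name, 0)
                      for name in after[section]}
            for section in after}


def dora_findings(d: Stats) -> List[str]:
    """Interpret a delta. A completed lease is DISCOVER -> OFFER -> REQUEST -> ACK,
    so in a healthy window ACK >= OFFER (renewals add REQUEST/ACK pairs without a
    DISCOVER/OFFER, which only raises ACK) and every REQUEST gets an ACK or a NAK."""
    rx, tx = d["received"], d["sent"]
    discover, request = rx.get("DHCPDISCOVER", 0), rx.get("DHCPREQUEST", 0)
    offer, ack, nak = tx.get("DHCPOFFER", 0), tx.get("DHCPACK", 0), tx.get("DHCPNAK", 0)
    findings: List[str] = []
    if d["dropped"].get("Total", 0) > 0:
        findings.append(f"{d['dropped']['Total']} packets dropped by the server itself")
    if offer < discover:
        findings.append(f"{discover - offer} DISCOVERs got no OFFER: server side "
                        "(pool, subnet, or dhcp not allowed inbound on the zone)")
    if ack < offer:
        findings.append(f"{offer - ack} OFFERs never completed to an ACK: the client "
                        "did not receive or did not act on the OFFER (path between "
                        "server and client, not the server)")
    if request > ack + nak:
        findings.append(f"{request - ack - nak} REQUESTs answered with neither ACK nor "
                        "NAK (for example a client re-requesting an address this "
                        "server never leased, which the server ignores)")
    return findings or ["every exchange in the window completed"]


def analyze(before_text: str, after_text: str) -> List[str]:
    """Findings for the window between two pasted snapshots."""
    return dora_findings(delta(parse_dhcp_statistics(before_text),
                               parse_dhcp_statistics(after_text)))


if __name__ == "__main__":
    for line in analyze(SNAPSHOT_BEFORE, SNAPSHOT_AFTER):
        print(line)
```

    For the window between the first and third snapshots the delta is 6 DISCOVERs, 6 OFFERs, 3 REQUESTs and 0 ACKs, so the script reports six offers that never reached an ACK: the server is answering, and the failure is between the SRX and the clients. That is the same conclusion the trace analysis later in the thread reaches from the missing DHCPREQUEST.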


  • 4.  RE: SRX 220 DHCP issue Single vlan

    Posted 09-08-2015 00:40

    Not an expert either, but just my 2 cents:

    interfaces {
        ge-0/0/0 {
            unit 0 {
                family inet {
                    dhcp;
                }
            }
        }

    then in the security zones:

    interfaces {
                    ge-0/0/0.0 {
                        host-inbound-traffic {
                            system-services {
                                dhcp;
                                tftp;
                                https;
                                ssh;
                            }
                        }
                    }
                }

    The interface is:

    ge-0/0/0.0

    Should it be:

    ge-0/0/0

    or doesn't it matter?



  • 5.  RE: SRX 220 DHCP issue Single vlan

    Posted 09-08-2015 10:30

    Thank you for the pointer; I will try this when I get home.



  • 6.  RE: SRX 220 DHCP issue Single vlan

     
    Posted 09-08-2015 10:44

    Hello,

    We always configure the logical interface under the zone or DHCP (ge-0/0/0.0).

    Can you clear the DHCP statistics, enable the DHCP traceoptions as below, and then connect machines to the switch or wireless so that they start the DORA process?

    root# set system services dhcp traceoptions file dhcp-traces
    root# set system services dhcp traceoptions flag all
    root# set system services dhcp traceoptions level all

    Once done, disable the traceoptions and provide the log file dhcp-traces.

    Regards,

    Rushi



  • 7.  RE: SRX 220 DHCP issue Single vlan

    Posted 09-08-2015 20:48

    Hello Rushi,

    I had one PC connected directly to port 1 and the AP connected to port 2; none of the computers got an IP while trying to connect to the wireless network. In the J-Web interface I could only see one IP lease. Here are the results I got in the file:

    I have attached the file below with the results from the dhcp-traces file.

    Attachment: dhcp-traces.txt (110 KB)


  • 8.  RE: SRX 220 DHCP issue Single vlan

    Posted 09-09-2015 18:09

    I've been trawling the web to learn Junos.

    I bumped into this link:

    https://www.juniper.net/techpubs/software/junos-es/junos-es93/junos-es-admin-guide/configuring-the-device-as-a-dhcp-server.html

    Try DHCP option 32.

    Define DHCP option 32—the router solicitation address option.

    1. Next to Option, click Add new entry.
    2. In the Option identifier code box, type 32.
    3. From the Option type choice list, select Ip address.
    4. In the Ip address box, type 192.168.2.33.
    5. Click OK twice.

    Set the router solicitation IP address:

    set pool 192.168.2.0/24 option 32 ip-address 192.168.2.33



  • 9.  RE: SRX 220 DHCP issue Single vlan

    Posted 09-09-2015 19:35

    Hi JJJCR,

    I read through the post you sent me, but I don't think that's going to help with the issue I'm having. I have roughly 15 devices on my network and I need them all to get IPs. Some of the devices are wired and some are wireless. I have attached an image with a drawing to explain how my network is laid out.

    The computer labeled PC1 on the drawing is the only one receiving an IP address from the SRX220. All the other PCs/devices connected through a switch or via a wireless connection are not receiving an IP.



  • 10.  RE: SRX 220 DHCP issue Single vlan

     
    Posted 09-09-2015 21:01

    Hello,

    I am assuming the debugs were taken when the PC connected to the SRX on port 2 (through the Netgear AP) was trying to get an IP address. Is that correct?

    What I see in the debugs is:

    1) We receive a DHCP Discover message from the client.

    2) We send a DHCP Offer message to the client.

    At this stage we should get a DHCP Request from the client, but we do not see that in the debugs.

    If you compare these debugs with debugs collected when PC1 is trying to get an IP (after clearing the lease and releasing the IP), you will see the difference.

    You can take Wireshark captures on the PC or use snooping on the Netgear (if it supports it) to check whether the client is getting the DHCP Offer from the SRX or not.

    Regards,

    Rushi



  • 11.  RE: SRX 220 DHCP issue Single vlan

    Posted 09-10-2015 07:31

    Hi Rushi,

    I just wanted to clarify. I did get the debugging results from PC1 connected to port 2 on the SRX, but I had the access point connected to port 3. I went into the Netgear's interface and there wasn't a way to capture the traffic using Wireshark.

    You are right about what you said: there aren't any DHCPREQUEST entries in the debug. I ran another debug last night and I noticed the same thing again. This time I had the network connected as in the attached image.

    Attachment: dhcp-debug.txt (73 KB)


  • 12.  RE: SRX 220 DHCP issue Single vlan

     
    Posted 09-10-2015 10:41

    Hello,

    Just want to clarify: who has MAC address d8:1d:72:44:22:96?

    Regards,

     

    Rushi



  • 13.  RE: SRX 220 DHCP issue Single vlan

    Posted 09-10-2015 12:53

    Rushi,

    That is an iPhone trying to connect via the access point. It's able to get through the Wi-Fi security, but does not receive an IP.



  • 14.  RE: SRX 220 DHCP issue Single vlan

    Posted 09-10-2015 19:39

     

    I'm not sure if this is relevant, but I connected PC1 to port 3 and this is what I'm getting. I do have another computer connected directly to port 2 and the access point on port 4. Is this normal?

    chesco@srx220> show ethernet-switching interfaces
    Interface    State  VLAN members        Tag   Tagging  Blocking
    ge-0/0/1.0   up     vlan-trust          3     untagged blocked by STP
    ge-0/0/2.0   up     vlan-trust          3     untagged unblocked
    ge-0/0/3.0   up     vlan-trust          3     untagged blocked by STP
    ge-0/0/4.0   down   vlan-trust          3     untagged blocked by STP
    ge-0/0/5.0   down   vlan-trust          3     untagged blocked by STP
    ge-0/0/6.0   down   vlan-trust          3     untagged blocked by STP
    ge-0/0/7.0   down   vlan-trust          3     untagged blocked by STP


  • 15.  RE: SRX 220 DHCP issue Single vlan
    Best Answer

     
    Posted 09-10-2015 22:44

    Hello,

    'Blocked by STP' means 'The interface is disabled due to a spanning-tree protocol error.'

    Let us disable STP & RSTP on the interfaces on the SRX that are part of the VLAN:

    set protocols stp interface <name> disable

    set protocols rstp interface <name> disable

    commit

    However, an important thing to note is that if the interfaces are blocked they would never process the traffic. In our case we are receiving the DHCP Discover and responding back with a DHCP Offer.

    Anyway, you can try this and let us know.

    Regards,

    Rushi
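    The `show ethernet-switching interfaces` table two posts up and the per-interface disable commands in this reply fit together: the ports behind which nothing gets a lease are exactly the ones that are up yet `blocked by STP`. The script below is an added example (not from the thread) that parses that table, keeps only the up-but-blocked VLAN members (down ports also read `blocked by STP`, but they have nothing to forward), and emits the commands from this reply for them. Two assumptions are the editor's: the physical interface name form (`ge-0/0/1` for `ge-0/0/1.0`) where the reply writes `<name>`, and the default of touching only `stp`, which is the only spanning-tree protocol in the posted config.

```python
"""Find VLAN member ports that are up but 'blocked by STP' in
`show ethernet-switching interfaces` output and emit the per-interface
disable commands from the reply above.

Added example, not from the thread. The table is transcribed from chesco's
post; the physical interface name (ge-0/0/1 for ge-0/0/1.0) used in the
generated commands and the default of touching only `stp` (the only
spanning-tree protocol in the posted config) are assumptions.
"""
import re
from typing import Dict, Iterable, List, Optional

SWITCHING_TABLE = """\
Interface    State  VLAN members        Tag   Tagging  Blocking
ge-0/0/1.0   up     vlan-trust          3     untagged blocked by STP
ge-0/0/2.0   up     vlan-trust          3     untagged unblocked
ge-0/0/3.0   up     vlan-trust          3     untagged blocked by STP
ge-0/0/4.0   down   vlan-trust          3     untagged blocked by STP
ge-0/0/5.0   down   vlan-trust          3     untagged blocked by STP
ge-0/0/6.0   down   vlan-trust          3     untagged blocked by STP
ge-0/0/7.0   down   vlan-trust          3     untagged blocked by STP
"""

# One data row; the header line fails the up|down alternation and is skipped.
_ROW = re.compile(
    r"^(?P<ifl>\S+)\s+(?P<state>up|down)\s+(?P<vlan>\S+)\s+(?P<tag>\d+)\s+"
    r"(?P<tagging>tagged|untagged)\s+(?P<blocking>.+?)\s*$"
)


def parse_switching_interfaces(text: str) -> List[Dict[str, str]]:
    """One dict per data row of the CLI table."""
    return [m.groupdict() for m in map(_ROW.match, text.splitlines()) if m]


def blocked_by_stp(rows: List[Dict[str, str]],
                   vlan: Optional[str] = None) -> List[Dict[str, str]]:
    """Ports that are physically up yet forwarding nothing because STP blocked them.
    Down ports also read 'blocked by STP', so they are skipped: only an up-but-blocked
    port explains a connected client that never gets a lease."""
    return [r for r in rows
            if r["state"] == "up"
            and r["blocking"].startswith("blocked by STP")
            and (vlan is None or r["vlan"] == vlan)]


def stp_disable_commands(rows: List[Dict[str, str]],
                         protocols: Iterable[str] = ("stp",),
                         vlan: Optional[str] = None) -> List[str]:
    """`set protocols <proto> interface <name> disable` for every blocked port and
    protocol, followed by `commit`; empty when nothing is blocked."""
    cmds: List[str] = []
    for r in blocked_by_stp(rows, vlan):
        phys = r["ifl"].rsplit(".", 1)[0]  # ge-0/0/1.0 -> ge-0/0/1 (assumed name form)
        for proto in protocols:
            cmds.append(f"set protocols {proto} interface {phys} disable")
    return cmds + ["commit"] if cmds else []


if __name__ == "__main__":
    table = parse_switching_interfaces(SWITCHING_TABLE)
    print("\n".join(stp_disable_commands(table, protocols=("stp", "rstp"),
                                         vlan="vlan-trust")))
```

    Disabling spanning tree on a port turns off loop detection there. That is tolerable for a port facing a single host or a consumer AP, less so for the port to the 8-device switch, so before committing it is worth running `show spanning-tree interface` to see why STP is holding an up port out of forwarding.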

     

     



  • 16.  RE: SRX 220 DHCP issue Single vlan

    Posted 09-11-2015 08:02

    Rushi,

    Thank you for your help, it worked!! I went ahead and disabled STP and right away all the devices started getting IP addresses. Thank you very much.