SRX Services Gateway
Contributor
Posts: 40
Registered: ‎01-14-2009
0 Kudos

11.1R2.3 breaks dhcp server and client

Upgraded from 11.1R1.0 to 11.1R2.3 and my DHCP server for my internal LAN and DHCP client for my ISP stopped working... Rolled back to 11.1R1.0 and all was working again.  Anyone see the same?

Distinguished Expert
Posts: 979
Registered: ‎09-10-2009
0 Kudos

Re: 11.1R2.3 breaks dhcp server and client

When I upgraded from 10.2R3 to 10.4R2, DHCP relay stopped working for me.  They fixed that in 10.4R3.

 

I wonder if some of the goofy DHCP code from 10.4R2 made it into 11.1R2.

 

You should definitely open a JTAC case on this and confirm it as a bug and get a PR issued.

-kr


---
If this solves your problem, please mark this post as "Accepted Solution."
Kudos are always appreciated.
Regular Visitor
Posts: 9
Registered: ‎04-10-2009
0 Kudos

Re: 11.1R2.3 breaks dhcp server and client

Yes, this happened to me using Comcast cable internet running 11.1R2.3 for a few weeks and then my internet connection dropped and my SRX100 could no longer receive a dhcp address from Comcast.  Once I rolled back to 11.1R1.10 my SRX was able to receive a dhcp address.  The only problem is once I rolled back to 11.1R1.10 my HE IPv6 tunnel stopped working in flow-based mode :-(

Contributor
Posts: 40
Registered: ‎01-14-2009
0 Kudos

Re: 11.1R2.3 breaks dhcp server and client

I have an he.net 6IN4 tunnel as well.  For this you just need to create a firewall filter which instructs the protocol 41 communication to your tunnel broker endpoint to be processed in packet-mode.  The decapsulated IPv6 packet will still be processed in flow-mode.   More details in this thread starting on page 2:

 

http://forums.juniper.net/t5/SRX-Services-Gateway/HE-IPv6-tunnel-with-flow-based-IPv6-in-10-4/m-p/69...

Trusted Contributor
Posts: 236
Registered: ‎06-11-2010
0 Kudos

Re: 11.1R2.3 breaks dhcp server and client

JTAC informed me that engineering is looking into the 11.1R2 DHCP server issue.  For now I'm continuing to run 10.4R4 which has been rock solid.

 

mawr

hvk
Contributor
Posts: 38
Registered: ‎06-03-2008
0 Kudos

Re: 11.1R2.3 breaks dhcp server and client

Hi,

 

Found the same problem. The DHCP client is working fine on 11.1R1.10, but after upgrading to 11.1R2.3 or to the newest 11.1R3.5 it stops working. Tested on SRX100.

 

Did anybody get an answer from JTAC?

 

Contributor
Posts: 40
Registered: ‎01-14-2009
0 Kudos

Re: 11.1R2.3 breaks dhcp server and client

I noticed last week 11.1R3.5 did the same as well...back to R1.10.

Contributor
Posts: 20
Registered: ‎07-06-2011
0 Kudos

Re: 11.1R2.3 breaks dhcp server and client

I'm running both DHCP servers and clients without issue on 11.R2.3.  The key for me was making sure that the security zone allowed DHCP on the interface I was using, i.e. "set security zones security-zone trust interfaces fe-0/0/1.0 host-inbound-traffic system-services dhcp".  Once I added that, I was golden.

Contributor
Posts: 59
Registered: ‎11-22-2009
0 Kudos

Re: 11.1R2.3 breaks dhcp server and client

I had host-inbound-traffic system-services all set and it didn't work at all. I had to revert back to 11.1R1 to get DHCP back up and running.

Contributor
Posts: 40
Registered: ‎01-14-2009
0 Kudos

Re: 11.1R2.3 breaks dhcp server and client

Exactly, I already have it working in 11.1R1.10 and the host-inbound services are permitted.  After upgrading to either R2.3 or R3.5 it all breaks.  I may try again to upgrade and maybe remove then reapply the host inbound services...wouldn't be the first time something like that resolves it.

Contributor
Posts: 40
Registered: ‎01-14-2009

SOLUTION: 11.1R2.3 breaks dhcp server and client

So I decided to sit down and figure out what was going on here.  Turns out the IDS is breaking DHCP Client/Server communication if the screen enabled on your zone is enforcing 'ip {spoofing}'.  When I cleared the ids statistic counters and had a client renew their lease I saw the ip spoofing counter increment.  There were also SNMPTRAP messages being sent at the same time where the OID was under the IDS MIB.

 

Since my SRX100H is acting as a DHCP Server for my LAN and Client to my ISP, I made these changes:

SRX100H# show | compare
[edit security screen ids-option trust_screen ip]
!      inactive: spoofing;
[edit security screen ids-option untrust-screen ip]
!      inactive: spoofing;


After these changes were committed I was able to receive a DHCP IP from my ISP and hand out DHCP leases to my devices on the LAN.  I assume I could create a firewall filter to process DHCP/BOOTP packets in packet-mode, thus eliminating the IDS from the picture and still allowing me to keep 'ip spoofing' enabled.

 

If anyone else knows another solution please chime in.

Contributor
Posts: 40
Registered: ‎01-14-2009
0 Kudos

Re: SOLUTION: 11.1R2.3 breaks dhcp server and client

It appears some Screen filters like DDOS and possibly Spoofing are applied outside the Flow Path and therefore a firewall filter to process in packet-mode is not a viable solution/workaround.  If anyone knows different, please chime in.

Contributor
Posts: 15
Registered: ‎06-02-2011
0 Kudos

Re: SOLUTION: 11.1R2.3 breaks dhcp server and client

Yes, I got the same issue and what I did is the same thing.

Disable spoofing screen.

 

hvk
Contributor
Posts: 38
Registered: ‎06-03-2008
0 Kudos

Re: SOLUTION: 11.1R2.3 breaks dhcp server and client

Thanks techniq. I have opened TAC regarding this issue, but no response till now and your workaround works!

Trusted Expert
Posts: 791
Registered: ‎07-26-2008
0 Kudos

Re: SOLUTION: 11.1R2.3 breaks dhcp server and client

Hi all, we are looking into this issue and there are several PRs opened for this, 675523 and 681998 as well. Will update with more info later on. FYI, the 11.2R1 release works fine with ip spoofing.
****pls click the button " Accept as Solution" if my post helped to solve your problem****
Trusted Contributor
Posts: 29
Registered: ‎06-13-2008

Re: SOLUTION: 11.1R2.3 breaks dhcp server and client

Goodday,

 

Had the same (on an interface with VLANs)...

Try  'run restart ethernet-switching' on the console.

 

Did the trick with us!

 

Brgds,

 

Maarten van der Hoek



Contributor
Posts: 40
Registered: ‎01-14-2009
0 Kudos

Re: SOLUTION: 11.1R2.3 breaks dhcp server and client

WL, I'm still seeing the same problem on 11.2R1.10... even after activating IP Spoofing (previously deactivated) and rebooting the SRX.  My ISP interface still could not get a DHCP lease and my clients on the trust zone could not obtain a lease either.  I disabled 'ip spoofing' on both zones and both started working again.

Super Contributor
Posts: 498
Registered: ‎03-29-2008
0 Kudos

Re: SOLUTION: 11.1R2.3 breaks dhcp server and client


WL wrote:
Hi all, we are looking into this issue and there are several PRs opened for this, 675523 and 681998 as well. Will update with more info later on. FYI, the 11.2R1 release works fine with ip spoofing.

Is there an ETA for a bug fix in 11.1?

 

Thanks

 

Twitter: @cryptochrome
--------------------------------
plus.google.com/11635909860
Trusted Expert
Posts: 791
Registered: ‎07-26-2008
0 Kudos

Re: SOLUTION: 11.1R2.3 breaks dhcp server and client

Hi folks, sorry, my mistake: the issue also exists from 11.2R1 onwards. The short-term workaround is that if you have a DHCP client configured, ip spoofing should not be configured on the zone that the interface resides in.

This is due to a change in behavior which was checked in from 11.1R2, 11.3R1 and 11.2R1. The rationale behind this is that during the detection of ip spoofing, a route lookup has to be done for the source address. After the route lookup has been done, it compares the input interface with the result of the route lookup. In the case of DHCP clients, the lookup picks up the default route as discard and drops the packet as a spoofed packet. In previous releases, if the default route was matched, we allowed the traffic to pass without matching the input interface, so the spoofing check was incorrect in older releases.

We are still discussing this issue at the moment, as we understand that an exception has to be made for DHCP; will update when more info is available.
****pls click the button " Accept as Solution" if my post helped to solve your problem****
Trusted Expert
Posts: 791
Registered: ‎07-26-2008
0 Kudos

Re: SOLUTION: 11.1R2.3 breaks dhcp server and client


Well, a firewall filter does not work in this case; it does not bypass flow processing.

The other way to work around this is to apply a stateless filter to bypass flow. An example is as follows:

 

 

root# show interfaces fe-0/0/5
unit 0 {
    family inet {
        filter {
            input test;
        }
        dhcp;
    }
}

[edit]
root# show firewall
family inet {
    filter test {
        term 1 {
            from {
                destination-address {
                    255.255.255.255/32;
                }
            }
            then {
                packet-mode;
                accept;
            }
        }
    }
}

 

This enables the dhcp response packet to bypass flow and srx will be able to get an ip address:

 

[edit]
root# run show interfaces terse | match fe-0/0/5
fe-0/0/5                up    up
fe-0/0/5.0              up    up   inet     192.168.78.2/24

[edit]
root# run show version
Model: srx210he-poe
JUNOS Software Release [11.1R3.5]

That way you can still have ip spoof

****pls click the button " Accept as Solution" if my post helped to solve your problem****
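The two posts above describe why the ip-spoofing screen drops DHCP traffic on a not-yet-addressed interface (reverse route lookup for the source address hits the default discard route) and how a packet-mode filter on destination 255.255.255.255 sidesteps it. The following is an added illustration, not Juniper's code or anything from this thread: a small Python model of that check, with the legacy "default route matched, permit" behaviour, the newer "compare lookup result with ingress interface" behaviour, and the packet-mode bypass. The routing tables, the server address 192.168.78.1 and the packet dictionaries are constructed sample data; the interface name fe-0/0/5.0 is the one used in the post.

```python
from ipaddress import ip_address, ip_network

# Constructed sample routing tables. Before the DHCP client has a lease the
# only route is a default route pointing at discard; after the lease the
# connected /24 and a usable default route exist.
ROUTES_BEFORE_LEASE = [("0.0.0.0/0", "discard")]
ROUTES_AFTER_LEASE = [("0.0.0.0/0", "fe-0/0/5.0"), ("192.168.78.0/24", "fe-0/0/5.0")]


def route_lookup(routes, src):
    """Longest-prefix match on the source address.
    Returns (network, next_hop_interface_or_'discard') or None."""
    addr = ip_address(src)
    best = None
    for prefix, nh in routes:
        net = ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, nh)
    return best


def spoof_check(routes, src, in_iface, legacy=False):
    """Model of the ip-spoofing screen as described in the thread.
    legacy=True: a default-route match is permitted without comparing the
    ingress interface (pre-11.1R2 behaviour). legacy=False: the lookup result
    must equal the ingress interface, so a discard default route means drop."""
    match = route_lookup(routes, src)
    if match is None:
        return "drop"
    net, nh = match
    if legacy and net.prefixlen == 0:
        return "permit"
    return "permit" if nh == in_iface else "drop"


def forward(routes, pkt, legacy=False, bypass_flow_dst=None):
    """pkt = {src, dst, in_iface}. If the destination matches the packet-mode
    filter term (the posted workaround), the flow/screen path is skipped."""
    if bypass_flow_dst is not None and pkt["dst"] == bypass_flow_dst:
        return "permit (packet-mode)"
    return spoof_check(routes, pkt["src"], pkt["in_iface"], legacy)


# Constructed DHCP OFFER from the ISP's server, broadcast to the client.
DHCP_OFFER = {"src": "192.168.78.1", "dst": "255.255.255.255", "in_iface": "fe-0/0/5.0"}

if __name__ == "__main__":
    print("new code, no lease :", forward(ROUTES_BEFORE_LEASE, DHCP_OFFER))
    print("legacy, no lease   :", forward(ROUTES_BEFORE_LEASE, DHCP_OFFER, legacy=True))
    print("packet-mode bypass :", forward(ROUTES_BEFORE_LEASE, DHCP_OFFER, bypass_flow_dst="255.255.255.255"))
    print("new code, leased   :", forward(ROUTES_AFTER_LEASE, DHCP_OFFER))
```

The same model explains why disabling the screen on the zone, as the accepted workaround does, restores DHCP: the check simply is not run.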