  • 1.  SRX100 and AX411-US

    Posted 10-13-2012 15:25

    Hello,

     

    After unsuccessfully trying to get the SRX100 and AX411-US to work, I decided to post on the forums for some help. The SRX100 is currently loaded with the 11.2R7.4 of JunOS. The AX411 is updated to version 10.1.3.16. Based on the configuration I assembled by looking at various posts on the internet, I was able to make the AP obtain an IP address from the DHCP pool via an L2 vlan setup. I also was able to use an L3 setup on the "fe" interface to make the AP get the address. The problem now is, when the AP obtains the IP the radios won't come up, and the AP spills some errors via the console port, and then reboots. It does it constantly in a loop. I was a little confused to see the radios come up with OS 10.4R11.4. The radios came up after the AP's 5th reboot loop. According to the Juniper KB, the only supported OS for SRX100 and AX411 is 11.2 to 11.4. So, I am not sure why 10.4 kinda worked. I've spent 2 weeks already on this and now have no idea what else to do.

     

    http://kb.juniper.net/InfoCenter/index?page=content&id=KB25060&smlogin=true

     

    Would anybody be kind enough to help me with this setup, so the radios would come up?

     

    Thanks.

     

    Here is the config from the SRX100 and scrape from boot of AX411. This is test setup.

     

    version 11.2R7.4;
    system {
        host-name <omitted>;
        time-zone PST8PDT;
        location postal-code 11111;
        root-authentication {
            encrypted-password <omitted>; ## SECRET-DATA
        }
        name-server {
            x.x.x.x;
            x.x.x.x;
        }
        login {
            user <omitted> {
                uid 2000;
                class super-user;
                authentication {
                    encrypted-password <omitted>; ## SECRET-DATA
                }
            }
        }

        services {
            ssh {
                protocol-version v2;
                client-alive-interval 3600;
            }
            netconf {
                ssh;
            }
            web-management {
                /* http serves the J-Web login in cleartext on the listed interfaces; https is also enabled below, so http can be dropped once not needed */
                http {
                    interface [ fe-0/0/0.0 vlan.0 ];
                }
                https {
                    system-generated-certificate;
                    interface [ fe-0/0/0.0 vlan.0 ];
                }
            }
            dhcp {
                name-server {
                    x.x.x.x;
                }
                router {
                    192.168.6.1;
                }
                /* pool for the vlan.0 subnet; the AP's 192.168.6.100 lease in the boot log comes from here */
                pool 192.168.6.0/24 {
                    address-range low 192.168.6.100 high 192.168.6.254;
                }
            }
        }
        syslog {
            user * {
                any emergency;
            }
            file messages {
                any critical;
                authorization info;
            }
            file interactive-commands {
                interactive-commands error;
            }
        }
        max-configurations-on-flash 5;
        max-configuration-rollbacks 5;
        license {
            autoupdate {
                url https:<omitted>
            }
        }
        ntp {
            peer x.x.x.x;
        }
    }
    interfaces {
        interface-range TestNode {
            member fe-0/0/7;
            unit 0 {
                family ethernet-switching {
                    vlan {
                        /* fe-0/0/7 is an untagged access port in v2 (vlan-id 2 -> vlan.0); the AP's management-vlan 3 (v3 -> vlan.1 below) has no member port anywhere in this config -- NOTE(review): likely why the AP gets an address but stays unmanaged; confirm */
                        members v2;
                    }
                }
            }
        }
        fe-0/0/0 {
            unit 0 {
                description HOME_LAN
            family inet {
                    address 192.168.10.10/24;
                }
            }
        }
        fe-0/0/5 {
            unit 0 {
                description ISP;
                family inet {
                    dhcp {
                        update-server;
                    }
                }
            }
        }
        fe-0/0/6 {
            unit 0 {
            description NOT USED            
            family inet {
                    address 192.168.1.1/24;
                }
            }
        }
        vlan {
            unit 0 {
                family inet {
                    address 192.168.6.1/24;
                }
            }
            unit 1 {
                family inet {
                    address 192.168.3.1/24;
                }
            }
        }
    }
    routing-options {
        static {
        /* default route points out fe-0/0/0 (HOME_LAN), not the fe-0/0/5 ISP interface */
        route 0.0.0.0/0 next-hop 192.168.10.1;
        }
    }
    security {
        screen {
            ids-option untrust-screen {
                icmp {
                    ping-death;
                }
                ip {
                    source-route-option;
                    tear-drop;
                }
                tcp {
                    syn-flood {
                        alarm-threshold 1024;
                        attack-threshold 200;
                        source-threshold 1024;
                        destination-threshold 2048;
                        queue-size 2000; ## Warning: 'queue-size' is deprecated
                        timeout 20;
                    }
                    land;
                }
            }
        }
        nat {
            source {
                rule-set Internet-Access {
                    from zone trust;
                    to zone untrust;
                    rule nat-all {
                        match {
                            source-address 0.0.0.0/0;
                }
                        then {
                            source-nat {
                                interface;
                            }
                        }
                    }
                }
            }
        }
        policies {
            from-zone trust to-zone trust {
                policy default-permit {
                    match {
                        source-address any;
                        destination-address any;
                        application any;
                    }
                    then {
                        permit;
                    }
                }
            }
            from-zone trust to-zone untrust {
                policy default-permit {
                    match {
                        source-address any;
                        destination-address any;
                        application any;
                    }
                    then {
                        permit;
                    }
                }
        }
            from-zone untrust to-zone trust {
                policy default-deny {
                    match {
                        source-address any;
                        destination-address any;
                        application any;
                    }
                    then {
                        deny;
                    }
                }
            }
        }
        zones {
            security-zone trust {
                tcp-rst;
                interfaces {
                    fe-0/0/0.0 {
                        host-inbound-traffic {
                            /* 'all' already admits every system service (telnet included), so the explicit http/https/ssh/telnet/dhcp entries add nothing; keep only the services this interface really needs */
                            system-services {
                                http;
                                https;
                                ssh;
                                telnet;
                                dhcp;
                                all;
                            }
                        }
                    }
                    vlan.0 {
                        host-inbound-traffic {
                            /* same here: 'all' makes the dhcp/ping entries redundant and opens every management service to the AP segment */
                            system-services {
                                dhcp;

                                ping;
                                all;
                            }
                        }
                    }
                    vlan.1 {
                        host-inbound-traffic {
                            system-services {
                                ping;
                            }
                        }
                    }
                }
            }
            /* no interface is bound to untrust: fe-0/0/5 (ISP) and fe-0/0/6 sit in no zone, so the trust-to-untrust policy and the source NAT rule-set above have nothing to match -- NOTE(review): confirm this is intended for the test setup */
            security-zone untrust {
                screen untrust-screen;
            }
        }
    }
    wlan {
        access-point TestNode {
            description Tester;
            mac-address <omitted>;
            location US;
            external {
                system {
                    ports {
                        ethernet {
                            /* NOTE(review): management-vlan 3 maps to v3/vlan.1 (192.168.3.1/24), but the static address and gateway below belong to the vlan.0 subnet (192.168.6.0/24), and a /32 mask leaves the gateway off-link -- confirm which VLAN the AP is meant to be managed on */
                            management-vlan 3;
                            untagged-vlan 1;
                            static {
                                address 192.168.6.10/32;
                                default-gateway 192.168.6.1;
                            }
                        name-server [ x.x.x.x y.y.y.y ];
                        }
                    }
                    services {
                        ssh;
                    }
                }
                dot1x-supplicant {
                    username <omitted>;
                    password <omitted>; ## SECRET-DATA
                }
            }
            access-point-options {
                country {
                    US;
                }
            }
            logging-options {
                enable-persistent;
                /* highest (most verbose) AP log level; useful while chasing the reboot loop, noisy afterwards */
                log-level 7;
            }
            radio 2 {
                radio-options {
                    mode bgn;
                    channel {
                        number auto;
                        bandwidth 40;
                    }
                    beacon-interval 100;
                    dtim-period 2;
                    rts-threshold 2347;
                    fragmentation-threshold 2346;
                    maximum-stations 20;
                    transmit-power 100;
            fixed-multicast-rate auto;
                    transmit-rate-sets {
                        supported-rates 1;
                        supported-rates 2;
                        supported-rates 5.5;
                        supported-rates 6;
                        supported-rates 9;
                        supported-rates 11;
                        supported-rates 12;
                        supported-rates 18;
                        supported-rates 24;
                        supported-rates 36;
                        supported-rates 48;
                        supported-rates 54;
                        supported-basic-rates 1;
                        supported-basic-rates 2;
                        supported-basic-rates 5.5;
                        supported-basic-rates 6;
                        supported-basic-rates 9;
                        supported-basic-rates 11;
                        supported-basic-rates 12;
                        supported-basic-rates 18;
                        supported-basic-rates 24;
                        supported-basic-rates 36;
                        supported-basic-rates 48;
                        supported-basic-rates 54;
                    }
                }
                virtual-access-point 0 {
                    ssid TEST;
                    vlan 1;
                    security {
                        mac-authentication-type disabled;
                        /* wpa-version both / cipher-suites both also accept WPA1 with TKIP; v2 with ccmp only is the stronger choice when all clients support it */
                        wpa-personal {
                        wpa-version {
                                both;
                            }
                            cipher-suites {
                                both;
                            }
                            key <omitted>; ## SECRET-DATA
                            broadcast-key-refresh-rate 60;
                        }
                    }
                }
            }
            radio 1 {
                radio-options {
                    mode an;
                    channel {
                        number auto;
                        bandwidth 40;
                    }
                    beacon-interval 100;
                    dtim-period 2;
                    rts-threshold 2347;
                    fragmentation-threshold 2346;
                    maximum-stations 20;
                    transmit-power 100;
                    fixed-multicast-rate auto;
                    transmit-rate-sets {
                        supported-rates 6;
                        supported-rates 9;
                        supported-rates 12;
                        supported-rates 18;
                        supported-rates 24;
                        supported-rates 36;
                        supported-rates 48;
                supported-rates 54;
                        supported-basic-rates 6;
                        supported-basic-rates 9;
                        supported-basic-rates 12;
                        supported-basic-rates 18;
                        supported-basic-rates 24;
                        supported-basic-rates 36;
                        supported-basic-rates 48;
                        supported-basic-rates 54;
                    }
                }
                virtual-access-point 0 {
                    ssid TEST-5Ghz;
                    vlan 1;
                    security {
                        mac-authentication-type disabled;
                        /* as on radio 2: 'both' permits WPA1/TKIP alongside WPA2/CCMP */
                        wpa-personal {
                            wpa-version {
                                both;
                            }
                            cipher-suites {
                                both;
                            }
                            key <omitted>; ## SECRET-DATA
                            broadcast-key-refresh-rate 60;
                        }
                    }
                }
            }
        }
    }
    vlans {
        traceoptions {
            /* traces every VLAN event; remove once debugging is finished */
            flag all;

        }
        v2 {
            vlan-id 2;
            l3-interface vlan.0;
        }
        /* vlan-id 3 is the AP's management VLAN, but no port carries it (fe-0/0/7 is untagged in v2 only) */
        v3 {
            vlan-id 3;
            l3-interface vlan.1;
        }
    }

    =======================================================================================
     


    Juniper-AP login: VPD information being applied to the configuration
    dman: Restarting DHCP client
    AP Band Plan: FCC - Config Changed: 1
    AP Country Code: us - Config Changed: 1
    AP User Config Country Code: 1 - Config Changed: 1
    AP MAC: <omitted> - Config Changed: 1
    AP Serial number: <omitted> - Config Changed: 1
    AP hardware_version: R01 - Config Changed: 1
    AP Product ID: AX411 - Config Changed: 1
    AP Model ID: REV 01 - Config Changed: 1
    AP Manufacture Date: 02-24-2011 - Config Changed: 1
    dman: Restarting DHCP client
    DFS Supported: no - Config Changed: 1
    Perform board specific changes


    VPD Changed. Saving Configuration.....

    dman: hostapd-all api connection failed.
    dman: Restarting DHCP client
    dman: dhcp-client: Interface brtrunk obtained lease on 192.168.6.100.
    dman: radio_stat_refresh: hostapd-wlan0 api connection failed.
    dman: radio_stat_refresh: hostapd-wlan0 api connection failed.
    dman: radio_stat_refresh: hostapd-wlan1 api connection failed.
    dman: radio_stat_refresh: hostapd-wlan1 api connection failed.
    dman: radio_stat_refresh: hostapd-wlan0 api connection failed.
    dman: radio_stat_refresh: hostapd-wlan0 api connection failed.
    dman: radio_stat_refresh: hostapd-wlan1 api connection failed.
    dman: radio_stat_refresh: hostapd-wlan1 api connection failed.
    dman: Restarting DHCP client
    sendto: Network is unreachable



  • 2.  RE: SRX100 and AX411-US

    Posted 10-14-2012 02:53

    I have an SRX210 with an AX411 (GB) model.  However, apart from the country code the config below should work.  I assign a static IP address to my AX411.

     

    wlan {
        admin-authentication {
            encrypted-password "xxxxxxxxxxxxxxxxxxxxx";
        }
        access-point AX111 {
            description "Home AP";
            mac-address 88:e0:f3:0a:10:80;
    ##############The line above must match the MAC address of the AX411
            location Office;
            external {
                system {
                    ports {
                        ethernet {
                            static {
                                address 192.168.253.251/24;
                                default-gateway 192.168.253.254;
                            }
                            name-server 192.168.253.230;
                        }
                    }
    ############ you can set a static IP address for the AX411.  
    
                    console {
                        baud-rate 9600;
                    }
                    services {
                        ssh;
                    }
                }
            }
            access-point-options {
                country {
                    GB;
                }
    ########## This must match the firmware/country code of the AX411
    
            }
            logging-options {
                enable-remote;
                /* NOTE(review): 192.169.253.219 is outside the 192.168.253.0/24 range used everywhere else in this config -- possibly a typo for 192.168.253.219; confirm. Remote syslog to port 514 is also unauthenticated cleartext */
                log-server-address 192.169.253.219;
                log-server-port 514;
            }
            radio 1 {
                radio-options {
                    mode 5GHz;
                    channel {
                        number auto;
                        bandwidth 20;
                    }
                }
                virtual-access-point 0 {
                    ssid "John WiFi 300 5G";
                    security {
                        mac-authentication-type disabled;
                        /* WPA2 with CCMP only -- no WPA1/TKIP fallback */
                        wpa-personal {
                            wpa-version {
                                v2;
                            }
                            cipher-suites {
                                ccmp;
                            }
                            key "xxxxxxxxxxxxxxxxxxxxxxxxxxxx";
                        }
                    }
                }
            }
            radio 2 {
                radio-options {
                    mode 2.4GHz;
                    channel {
                        number 11;
                        bandwidth 20;
                    }
                    space-time-block-coding;
                    transmit-power 100;
                }
                virtual-access-point 0 {
                    ssid "John Wifi 300";
                    security {
                        mac-authentication-type disabled;
                        /* WPA2 with CCMP only, same as radio 1 */
                        wpa-personal {
                            wpa-version {
                                v2;
                            }
                            cipher-suites {
                                ccmp;
                            }
                            key "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx";
                        }
                    }
                }
            }
        }
    }

     

    You also might want to check your unit against the Juniper article: Some AX411-E and AX411-W are programmed with the incorrect country code

     

    http://www.juniper.net/alerts/viewalert.jsp?actionBtn=Search&txtAlertNumber=PSN-2010-04-726&viewMode=view

     

    Check the build date (on the bottom of the unit). If the date is in January, February, March, April, May, June or July of 2010, then you have a problem.

     



  • 3.  RE: SRX100 and AX411-US

    Posted 10-14-2012 15:26

    After playing with the vlan id and security zones I was able to stop the AX411 from rebooting and displaying radio errors after obtaining an IP address. However, the issue still exists and the radios will not turn on.

     

    The version of the AX411 is US, at least what the sticker says on the back. The unit was manufactured in January 2010.

     

    The config on SRX100 shows correct country code:

     

    set wlan access-point TestNode access-point-options country US

     

    Is there anything else to check?



  • 4.  RE: SRX100 and AX411-US

    Posted 10-15-2012 17:54

    I think I may know what the issue is, but I'm not completely sure. I think the AX411 needs the management vlan working or authentication set up to authorize itself on the SRX. This is what I see on the SRX

     

    Active access point information

    Access Point        : TestNode
    Type                : External
    Access Interface    : vlan.0
    IPv4 Address        : 192.168.6.100
    Management Status   : Unmanaged [Authentication failed]
    Packet Capture      : Off

     

    I tried different ways to create untagged and tagged vlans on the same interface, but it didn't work. If I set up the physical interface as a trunk the AX will not even get an IP from the DHCP pool. The only way I see to make a vlan interface tagged is to make the port a trunk. But then both vlan units become tagged. Should I convert to an L3 type link? 

     

    VLAN: default, Created at: Sat Oct 13 18:34:42 2012
    802.1Q Tag: 1, Internal index: 2, Admin State: Enabled, Origin: Static
    Layer 3 interface: vlan.0 (UP)
     IPV4 addresses:
                    192.168.6.1/24(Primary)
    Protocol: Port Mode, Mac aging time: 300 seconds
    Number of interfaces: Tagged 0 (Active = 0), Untagged  1 (Active = 1)
          fe-0/0/7.0*, untagged, access

    VLAN: vl3, Created at: Mon Oct 15 16:17:19 2012
    802.1Q Tag: 3, Internal index: 5, Admin State: Enabled, Origin: Static
    Layer 3 interface: vlan.1 (DOWN)
     IPV4 addresses:
                    192.168.3.1/30(Primary)
    Protocol: Port Mode, Mac aging time: 300 seconds
    Number of interfaces: Tagged 0 (Active = 0), Untagged  0 (Active = 0)

     

    interface-range TestNode {
        member fe-0/0/7;
        unit 0 {
            family ethernet-switching {
                vlan {
                    members default;

    vlan {
        unit 0 {
            family inet {
                address 192.168.6.1/24;
            }
        }
        /* L3 interface for vl3; the show output above reports it DOWN because vl3 has no member ports */
        unit 1 {
            family inet {
                address 192.168.3.1/30;
            }
        }
    }

     

    default {
        vlan-id 1;
        interface {
            fe-0/0/7.0;
        }
        l3-interface vlan.0;
    }
    /* no port carries VLAN 3, so vlan.1 stays down and tagged management traffic from the AP (management-vlan 3) has nowhere to land -- NOTE(review): for that design fe-0/0/7.0 would have to carry VLAN 3 tagged; confirm */
    vl3 {
        vlan-id 3;
        l3-interface vlan.1;
    }

     

     

     



  • 5.  RE: SRX100 and AX411-US
    Best Answer

    Posted 10-28-2012 19:00

    For those who are concerned whether the SRX100 works with the AX411, the answer is YES, it works with no problem. The SRX100 has to be set up as L3 with the AP. Vlans don't work. A possibly good option is to have OS version 11.4 loaded.

     

    Thanks to those who replied and did not reply.



  • 6.  RE: SRX100 and AX411-US

    Posted 03-25-2013 17:46

    Hi,

     

    After reviewing the KBs Juniper has on these devices, I'm feeling a bit duped.  The documentation is TERRIBLE - it has typos, it's inconsistent, and I'm over it. 

     

    I'm trying to test this in my lab on an SRX100 with two AX411s before putting them into production on an SRX240 cluster, and I'm about to throw them out the window.  I've been trying to set up management (default), a CorpNet (vlan 2), and a GuestNet (vlan 3).  I've configured 802.1x on the CorpNet and it works great (probably because I'm passing a vlan tag in the access-accept packet) but I can't, for the life of me, get the GuestNet to work.  DHCP requests are NOT tagged with vlan 3 even though I have designated untagged-vlan as 3.  Traceoptions on DHCP show the DHCP requests coming in on vlan.1 and it tries to assign an address from the vlan.1 pool.

     

    Has anyone set up more than one virtual access point with multiple vlans and gotten it to work?  I'm running 11.4R6.6 and I've updated the firmware to .16 on the access points.  Any help would be appreciated.  I'm thinking right now that I should set up dot1x authentication on the GuestNet as well and create a policy where, if it doesn't match anything, allow it and pass the GuestNet vlan tag just to see what happens.

     

    Here's the interesting parts of the config:

     

    WLAN

    mac-address 08:81:f4:11:cc:80;
    external {
        system {
            ports {
                ethernet {
                    management-vlan 1;
                    /* NOTE(review): untagged-vlan 3 makes the AP send VLAN-3 (GuestNet) frames untagged, and the SRX's WAPs trunk has native-vlan-id default (VLAN 1) -- that matches the DHCP trace showing requests on vlan.1. Carrying VLAN 3 tagged (drop untagged-vlan 3) or making vlan-GuestNet the trunk's native VLAN looks like the fix; confirm */
                    untagged-vlan 3;
                    static {
                        address 192.168.1.2/24;
                        default-gateway 192.168.1.1;
                    }
                    name-server 10.0.2.2;
                }
            }
        }
    }
    access-point-options {
        country {
            US;
        }
    }
    radio 1 {
        virtual-access-point 0 {
            ssid "STC CorpNet 5Ghz";
            vlan 2;
            security {
                dot1x {
                    radius-server 10.0.2.2;
                    /* $9$ values are Junos reversible obfuscation, not hashes: this RADIUS shared secret (and the keys below) can be recovered from the posted config text, so rotate them */
                    radius-key "$9$0kaeBcrvML-bYn/MLXxsY2goZGiPfTQn/mfIhcSKv-VwYaGmPQ39pTzORclLXHk.PfQz3/ApBZUPQn6tphSrK7dbs4JDHApRcrl8LqmfQ/A1IcvWXIE7dVb4o369CAuyrKx7VCt1EyKx7oaZjiq.PTQ39Lxdbw2UDzFn6t0O1heKMREclK8N-5QFntO"; ## SECRET-DATA
                    session-key-refresh-rate 86400;
                }
            }
        }
    }
    radio 2 {
        virtual-access-point 0 {
            ssid "STC CorpNet 2.4Ghz";
            vlan 2;
            security {
                dot1x {
                    radius-server 10.0.2.2;
                    /* same reversible $9$ encoding as the radio 1 radius-key */
                    radius-key "$9$1ZQRrK8L7bY49AL7N-g4oaZDjqTQF39A5QhyrlW8bs24Gj5T3/tOFnIcrv7N.mfTQ3n/AuORDiT39C0OylKWdwYgJUH.uOcrKvx7P5Q3AuEhr8XNhSdwsYJZ/CtpuBeKW-dsp0ESeW-dZGDkqPfTF3/t7-wY2oiHn69C01IEyMWLcSrvWxVbz3690I"; ## SECRET-DATA
                    session-key-refresh-rate 86400;
                }
            }
        }
        virtual-access-point 1 {
            ssid "STC GuestNet";
            vlan 3;
            security {
                mac-authentication-type disabled;
                /* 'both' for wpa-version and cipher-suites also permits WPA1/TKIP; v2 + ccmp is the stronger choice if guest clients allow it */
                wpa-personal {
                    wpa-version {
                        both;
                    }
                    cipher-suites {
                        both;
                    }
                    /* $9$ PSK is recoverable from this text like the radius-keys above; rotate it */
                    key "$9$AzHGpuBSyKx7VuORSylXx24aGi.F39BIhApLNbwaJQFn/tOhclMLN"; ## SECRET-DATA
                }
            }
        }
    }

     

    DHCP

    name-server {
        4.2.2.2;
    }
    /* level all / flag all logs every DHCP event to dhcp_debug; remove once troubleshooting is done */
    traceoptions {
        file dhcp_debug;
        level all;
        flag all;
    }
    /* CorpNet pool (vlan.2) */
    pool 10.0.2.0/24 {
        address-range low 10.0.2.25 high 10.0.2.254;
        maximum-lease-time 28800;
        domain-name liminal.com;
        name-server {
            10.0.2.2;
        }
        domain-search {
            liminal.com;
        }
        wins-server {
            10.0.2.2;
        }
        router {
            10.0.2.1;
        }
        propagate-settings vlan.2;
    }
    /* GuestNet pool (vlan.3) -- the pool the guest clients never reach because their requests arrive on vlan.1 */
    pool 192.168.3.0/24 {
        address-range low 192.168.3.2 high 192.168.3.254;
        maximum-lease-time 28800;
        name-server {
            208.67.222.222;
            208.67.220.220;
        }
        router {
            192.168.3.1;
        }
        propagate-settings vlan.3;
    }
    /* management pool (vlan.1); the APs use static addresses in this subnet */
    pool 192.168.1.0/24 {
        address-range low 192.168.1.5 high 192.168.1.254;
        domain-name liminal.com;
        name-server {
            10.0.2.2;
        }
        router {
            192.168.1.1;
        }
        propagate-settings vlan.1;
    }

    INTERFACES

    interface-range WAPs {
        member fe-0/0/6;
        member fe-0/0/7;
        unit 0 {
            family ethernet-switching {
                port-mode trunk;
                vlan {
                    members [ vlan-GuestNet vlan-Trust ];
                }
                /* untagged frames from the APs land in 'default' (VLAN 1 -> vlan.1); with the AP set to untagged-vlan 3, GuestNet traffic therefore arrives on vlan.1 -- NOTE(review): confirm against the DHCP trace */
                native-vlan-id default;
            }
        }
    }
    fe-0/0/0 {
        unit 0 {
            family inet {
                address 192.168.10.99/24;
            }
        }
    }
    /* trunk with no vlan members listed here */
    fe-0/0/1 {
        unit 0 {
            family ethernet-switching {
                port-mode trunk;
            }
        }
    }
    fe-0/0/2 {
        unit 0 {
            family ethernet-switching {
                vlan {
                    members vlan-Trust;
                }
            }
        }
    }
    fe-0/0/3 {
        unit 0 {
            family ethernet-switching {
                vlan {
                    members vlan-Trust;
                }
            }
        }
    }
    lo0 {
        unit 0 {
            family inet {
                address 10.10.10.1/28;
            }
        }
    }
    vlan {
        /* unit 0 has no family configured */
        unit 0;
        unit 1 {
            family inet {
                address 192.168.1.1/24;
            }
        }
        unit 2 {
            family inet {
                address 10.0.2.1/24;
            }
        }
        unit 3 {
            family inet {
                address 192.168.3.1/24;
            }
        }
    }

    VLANS

    /* VLAN 1: AP management VLAN (management-vlan 1) and the WAPs trunk's native VLAN */
    default {
        vlan-id 1;
        l3-interface vlan.1;
    }
    /* VLAN 3: GuestNet; only reaches vlan.3 if the APs send it tagged */
    vlan-GuestNet {
        vlan-id 3;
        l3-interface vlan.3;
    }
    /* VLAN 2: CorpNet, tagged via the 802.1x access-accept */
    vlan-Trust {
        vlan-id 2;
        l3-interface vlan.2;
    }

     

    Thanks!