SRX


Ask questions and share experiences about the SRX Series, vSRX, and cSRX.
  • 1.  SRX110 cannot get IP via DHCP

    Posted 10-15-2014 12:01

    SRX110 Junos version 11.4 that has been running smoothly for about a year. Then suddenly, it's not getting an IP address via DHCP from the ISP. Device acts as a DHCP client to ISP and DHCP server to LAN.

     

    During troubleshooting the following has been done:

    • Upgraded to 12.1X44
    • Changed DHCP config to new "set access address-assignment" style config

    Relevant config:

    version 12.1X44-D40.2;
    system {
        services {
            dhcp-local-server {
                group lan {
                    interface vlan.100;
                }
            }
        }
    }
    interfaces {
        fe-0/0/7 {
            unit 0 {
                family inet {
                    dhcp-client;
                }
            }
        }
    }
    security {
        zones {
            security-zone untrust {
                interfaces {
                    fe-0/0/7.0 {
                        host-inbound-traffic {
                            system-services {
                                dhcp;
                            }
                        }
                    }
                }
            }
        }
    }
    access {
        address-assignment {
            pool lan {
                family inet {
                    network 10.254.212.0/24;
                    range lan-range {
                        low 10.254.212.100;
                        high 10.254.212.199;
                    }
                    dhcp-attributes {
                        name-server {
                            8.8.8.8;
                            8.8.4.4;
                        }
                        router {
                            10.254.212.1;
                        }
                    }
                }
            }
        }
    }
    

     

    DHCP client says the following:

    por@rt-fw1> show dhcp client statistics 
    Packets dropped:
        Total                      1
        Send error                 1
    
    Messages received:
        BOOTREPLY                  14
        DHCPOFFER                  14
        DHCPACK                    0
        DHCPNAK                    0
        DHCPFORCERENEW             0
    
    Messages sent:
        BOOTREQUEST                0
        DHCPDECLINE                0
        DHCPDISCOVER               15
        DHCPREQUEST                68
        DHCPINFORM                 0
        DHCPRELEASE                0
        DHCPRENEW                  0
        DHCPREBIND                 0
    
    por@rt-fw1> show dhcp client binding       
    
    IP address        Hardware address   Expires     State      Interface
    87.100.164.244    40:b4:f0:57:e9:47  0           REQUESTING fe-0/0/7.0          

    The interface seems to stick in the requesting state even though the server responds with an address:

    Oct 15 21:19:01 21:19:01.747972:CID-0:RT:<87.100.128.1/67->255.255.255.255/68;17> matched filter f2:
    Oct 15 21:19:01 21:19:01.747972:CID-0:RT:packet [318] ipid = 51035, @0x423ffc1a
    Oct 15 21:19:01 21:19:01.747972:CID-0:RT:---- flow_process_pkt: (thd 1): flow_ctxt type 15, common flag 0x0, mbuf 0x423ffa00, rtbl_idx = 0
    Oct 15 21:19:01 21:19:01.747972:CID-0:RT: flow process pak fast ifl 77 in_ifp fe-0/0/7.0
    Oct 15 21:19:01 21:19:01.747972:CID-0:RT: find flow: table 0x47cb0f18, hash 47739(0xffff), sa 87.100.128.1, da 255.255.255.255, sp 67, dp 68, proto 17, tok 7
    Oct 15 21:19:01 21:19:01.747972:CID-0:RT:check self-traffic on fe-0/0/7.0, in_tunnel 0x0
    Oct 15 21:19:01 21:19:01.747972:CID-0:RT:retcode: 0x802
    Oct 15 21:19:01 21:19:01.747972:CID-0:RT:pak_for_self : proto 17, dst port 68, action 0x2
    Oct 15 21:19:01 21:19:01.747972:CID-0:RT:  flow bypass session.
    Oct 15 21:19:01 21:19:01.747972:CID-0:RT: ----- flow_process_pkt rc 0x0 (fp rc 0)
     
    Oct 15 21:19:01 21:19:01.778241:CID-0:RT:<87.100.128.1/67->87.100.164.244/68;17> matched filter f2:
    Oct 15 21:19:01 21:19:01.778241:CID-0:RT:packet [318] ipid = 51037, @0x423f8d9a
    Oct 15 21:19:01 21:19:01.778241:CID-0:RT:---- flow_process_pkt: (thd 1): flow_ctxt type 15, common flag 0x0, mbuf 0x423f8b80, rtbl_idx = 0
    Oct 15 21:19:01 21:19:01.778241:CID-0:RT: flow process pak fast ifl 77 in_ifp fe-0/0/7.0
    Oct 15 21:19:01 21:19:01.778241:CID-0:RT: find flow: table 0x47cb0f18, hash 38652(0xffff), sa 87.100.128.1, da 87.100.164.244, sp 67, dp 68, proto 17, tok 7
    Oct 15 21:19:01 21:19:01.778241:CID-0:RT:  flow_first_create_session
    Oct 15 21:19:01 21:19:01.778241:CID-0:RT:  flow_first_in_dst_nat: in <fe-0/0/7.0>, out <N/A> dst_adr 87.100.164.244, sp 67, dp 68
    Oct 15 21:19:01 21:19:01.778241:CID-0:RT:  chose interface fe-0/0/7.0 as incoming nat if.
    Oct 15 21:19:01 21:19:01.778241:CID-0:RT:flow_first_rule_dst_xlate: DST no-xlate: 0.0.0.0(0) to 87.100.164.244(68)
    Oct 15 21:19:01 21:19:01.778241:CID-0:RT:flow_first_routing: vr_id 0, call flow_route_lookup(): src_ip 87.100.128.1, x_dst_ip 87.100.164.244, in ifp fe-0/0/7.0, out ifp N/A sp 67, dp 68, ip_proto 17, tos c0
    Oct 15 21:19:01 21:19:01.778241:CID-0:RT:Doing DESTINATION addr route-lookup
    Oct 15 21:19:01 21:19:01.778241:CID-0:RT:  packet dropped, no route to dest
    Oct 15 21:19:01 21:19:01.778241:CID-0:RT:flow_first_routing: DEST route-lookup failed, dropping pkt and not creating session nh: 4294967295
    Oct 15 21:19:01 21:19:01.778241:CID-0:RT:  packet dropped, ROUTE_REJECT_GEN_ICMP.
    Oct 15 21:19:01 21:19:01.778241:CID-0:RT:  flow didn't create session, code=-1.
    Oct 15 21:19:01 21:19:01.778241:CID-0:RT: ----- flow_process_pkt rc 0x7 (fp rc -1)
    Oct 15 21:19:03 21:19:03.148227:CID-0:RT:jsf sess close notify
    Oct 15 21:19:03 21:19:03.148227:CID-0:RT:flow_ipv4_del_flow: sess 372, in hash 32
    

    Is the server acting strangely and sending the response to the allocated address 87.100.164.244 even though at that point the client hasn't accepted that address? Or is the client acting strangely and not configuring the interface with the proper address?

     



  • 2.  RE: SRX110 cannot get IP via DHCP

    Posted 10-15-2014 12:28

    And here's traffic monitor output:

    por@rt-fw1> ...or traffic interface fe-0/0/7 size 1500 detail no-resolve    
    Address resolution is OFF.
    Listening on fe-0/0/7, capture size 1500 bytes
    
    22:11:20.117617 Out IP (tos 0x0, ttl   1, id 17287, offset 0, flags [none], proto: UDP (17), length: 279) 0.0.0.0.68 > 255.255.255.255.67: BOOTP/DHCP, Request from 40:b4:f0:57:e9:47, length 251, xid 0x38a9997a, Flags [Broadcast]
    	  Client-Ethernet-Address 40:b4:f0:57:e9:47
    	  Vendor-rfc1048 Extensions
    	    Magic Cookie 0x63825363
    	    DHCP-Message Option 53, length 1: Discover
    	    Lease-Time Option 51, length 4: 86400
    22:11:20.145938  In IP (tos 0xc0, ttl   1, id 19443, offset 0, flags [none], proto: UDP (17), length: 318) 87.100.128.1.67 > 255.255.255.255.68: BOOTP/DHCP, Reply, length 290, xid 0x38a9997a, Flags [Broadcast]
    	  Your-IP 87.100.164.244
    	  Gateway-IP 87.100.128.1
    	  Client-Ethernet-Address 40:b4:f0:57:e9:47
    	  Vendor-rfc1048 Extensions
    	    Magic Cookie 0x63825363
    	    DHCP-Message Option 53, length 1: Offer
    	    Lease-Time Option 51, length 4: 18000
    	    RN Option 58, length 4: 9000
    	    RB Option 59, length 4: 15750
    	    Server-ID Option 54, length 4: 87.100.128.1
    22:11:20.147160 Out IP (tos 0x0, ttl   1, id 17290, offset 0, flags [none], proto: UDP (17), length: 302) 0.0.0.0.68 > 255.255.255.255.67: BOOTP/DHCP, Request from 40:b4:f0:57:e9:47, length 274, xid 0x38a9997a, Flags [Broadcast]
    	  Client-Ethernet-Address 40:b4:f0:57:e9:47
    	  Vendor-rfc1048 Extensions
    	    Magic Cookie 0x63825363
    	    Server-ID Option 54, length 4: 87.100.128.1
    	    Parameter-Request Option 55, length 9: 
    	      Default-Gateway, Lease-Time, Subnet-Mask, Domain-Name
    	      Domain-Name-Server, TFTP, BF, Option 120
    	      Netbios-Name-Server
    	    Requested-IP Option 50, length 4: 87.100.164.244
    	    DHCP-Message Option 53, length 1: Request
    	    Lease-Time Option 51, length 4: 86400
    22:11:24.148684 Out IP (tos 0x0, ttl   1, id 17311, offset 0, flags [none], proto: UDP (17), length: 302) 0.0.0.0.68 > 255.255.255.255.67: BOOTP/DHCP, Request from 40:b4:f0:57:e9:47, length 274, xid 0x38a9997a, Flags [Broadcast]
    	  Client-Ethernet-Address 40:b4:f0:57:e9:47
    	  Vendor-rfc1048 Extensions
    	    Magic Cookie 0x63825363
    	    Server-ID Option 54, length 4: 87.100.128.1
    	    Parameter-Request Option 55, length 9: 
    	      Default-Gateway, Lease-Time, Subnet-Mask, Domain-Name
    	      Domain-Name-Server, TFTP, BF, Option 120
    	      Netbios-Name-Server
    	    Requested-IP Option 50, length 4: 87.100.164.244
    	    DHCP-Message Option 53, length 1: Request
    	    Lease-Time Option 51, length 4: 86400
    22:11:32.150387 Out IP (tos 0x0, ttl   1, id 17333, offset 0, flags [none], proto: UDP (17), length: 302) 0.0.0.0.68 > 255.255.255.255.67: BOOTP/DHCP, Request from 40:b4:f0:57:e9:47, length 274, xid 0x38a9997a, Flags [Broadcast]
    	  Client-Ethernet-Address 40:b4:f0:57:e9:47
    	  Vendor-rfc1048 Extensions
    	    Magic Cookie 0x63825363
    	    Server-ID Option 54, length 4: 87.100.128.1
    	    Parameter-Request Option 55, length 9: 
    	      Default-Gateway, Lease-Time, Subnet-Mask, Domain-Name
    	      Domain-Name-Server, TFTP, BF, Option 120
    	      Netbios-Name-Server
    	    Requested-IP Option 50, length 4: 87.100.164.244
    	    DHCP-Message Option 53, length 1: Request
    	    Lease-Time Option 51, length 4: 86400
    22:11:48.152282 Out IP (tos 0x0, ttl   1, id 17389, offset 0, flags [none], proto: UDP (17), length: 302) 0.0.0.0.68 > 255.255.255.255.67: BOOTP/DHCP, Request from 40:b4:f0:57:e9:47, length 274, xid 0x38a9997a, Flags [Broadcast]
    	  Client-Ethernet-Address 40:b4:f0:57:e9:47
    	  Vendor-rfc1048 Extensions
    	    Magic Cookie 0x63825363
    	    Server-ID Option 54, length 4: 87.100.128.1
    	    Parameter-Request Option 55, length 9: 
    	      Default-Gateway, Lease-Time, Subnet-Mask, Domain-Name
    	      Domain-Name-Server, TFTP, BF, Option 120
    	      Netbios-Name-Server
    	    Requested-IP Option 50, length 4: 87.100.164.244
    	    DHCP-Message Option 53, length 1: Request
    	    Lease-Time Option 51, length 4: 86400
    22:12:20.154359 Out IP (tos 0x0, ttl   1, id 17483, offset 0, flags [none], proto: UDP (17), length: 302) 0.0.0.0.68 > 255.255.255.255.67: BOOTP/DHCP, Request from 40:b4:f0:57:e9:47, length 274, xid 0x38a9997a, Flags [Broadcast]
    	  Client-Ethernet-Address 40:b4:f0:57:e9:47
    	  Vendor-rfc1048 Extensions
    	    Magic Cookie 0x63825363
    	    Server-ID Option 54, length 4: 87.100.128.1
    	    Parameter-Request Option 55, length 9: 
    	      Default-Gateway, Lease-Time, Subnet-Mask, Domain-Name
    	      Domain-Name-Server, TFTP, BF, Option 120
    	      Netbios-Name-Server
    	    Requested-IP Option 50, length 4: 87.100.164.244
    	    DHCP-Message Option 53, length 1: Request
    	    Lease-Time Option 51, length 4: 86400
    

    It seems as if the DHCP server never acknowledges the request for an address, but at least two other devices in the same network get the address without a problem. This makes me think that maybe the SRX doesn't see the ACK, for some reason that beats me.



  • 3.  RE: SRX110 cannot get IP via DHCP
    Best Answer

    Posted 10-16-2014 05:41

    Hi

     

    Server sending DHCP Offer to SRX: Timestamp: 22:11:20.145938 In

    SRX sending DHCP Request to Server: Timestamp: 22:11:20.147160 Out
    SRX sending DHCP Request to Server: Timestamp: 22:11:24.148684 Out
    SRX sending DHCP Request to Server: Timestamp: 22:11:32.150387 Out
    SRX sending DHCP Request to Server: Timestamp: 22:11:48.152282 Out

    From these outputs, it looks like the server is not sending the DHCP ACK packet so that the SRX can start using the IP address, or the DHCP request from the SRX is not reaching the remote DHCP server.

    Try cloning the MAC address of the device that is able to receive the IP address onto the SRX interface and check DHCP.

    set interfaces ge-0/0/7 mac

     

    Regards
    rparthi
     




  • 4.  RE: SRX110 cannot get IP via DHCP

    Posted 10-16-2014 08:43

     

    That was an awesome tip. I cloned the MAC address of my MacBook laptop, and it started working immediately. I guess the DHCPACK gets filtered somewhere in the ISP's network. Will notify them.
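
The reading of the capture given in post 3 (Offer received, Requests retransmitted, no ACK) can be automated. The following is an added example, not code from any poster or from Juniper: the function names `parse` and `diagnose` are hypothetical, the sample is abridged from the capture in post 2, and the classifier also covers the answered and no-offer cases that the thread does not show.

```python
import re
from collections import defaultdict

# Abridged from the capture in post 2: header fields trimmed, only option 53 kept.
CAPTURE = """\
22:11:20.117617 Out IP 0.0.0.0.68 > 255.255.255.255.67: BOOTP/DHCP, Request, xid 0x38a9997a
    DHCP-Message Option 53, length 1: Discover
22:11:20.145938  In IP 87.100.128.1.67 > 255.255.255.255.68: BOOTP/DHCP, Reply, xid 0x38a9997a
    DHCP-Message Option 53, length 1: Offer
22:11:20.147160 Out IP 0.0.0.0.68 > 255.255.255.255.67: BOOTP/DHCP, Request, xid 0x38a9997a
    DHCP-Message Option 53, length 1: Request
22:11:24.148684 Out IP 0.0.0.0.68 > 255.255.255.255.67: BOOTP/DHCP, Request, xid 0x38a9997a
    DHCP-Message Option 53, length 1: Request
22:11:32.150387 Out IP 0.0.0.0.68 > 255.255.255.255.67: BOOTP/DHCP, Request, xid 0x38a9997a
    DHCP-Message Option 53, length 1: Request
22:11:48.152282 Out IP 0.0.0.0.68 > 255.255.255.255.67: BOOTP/DHCP, Request, xid 0x38a9997a
    DHCP-Message Option 53, length 1: Request
"""

HEADER = re.compile(r"(\d\d):(\d\d):(\d\d\.\d+)\s+(In|Out)\s+IP .*\bxid (0x[0-9a-f]+)")
MSGTYPE = re.compile(r"DHCP-Message Option 53, length 1: (\w+)")

def parse(text):
    """Group packets by transaction id: {xid: [(seconds, direction, type)]}."""
    exchanges, header = defaultdict(list), None
    for line in text.splitlines():
        h = HEADER.match(line.strip())
        if h:  # first line of a packet: remember time, direction and xid
            header = (int(h[1]) * 3600 + int(h[2]) * 60 + float(h[3]), h[4], h[5])
        elif header and (m := MSGTYPE.search(line)):
            exchanges[header[2]].append((header[0], header[1], m[1]))
            header = None
    return dict(exchanges)

def diagnose(events):
    """Classify one transaction from the client's point of view."""
    received = {k for _, d, k in events if d == "In"}
    requests = [t for t, d, k in events if d == "Out" and k == "Request"]
    backoff = [round(b - a) for a, b in zip(requests, requests[1:])]
    if received & {"ACK", "NACK"}:  # tcpdump's names for DHCPACK / DHCPNAK
        state = "answered"
    elif "Offer" in received and requests:
        state = "offer-unacknowledged"  # the case in this thread
    else:
        state = "no-offer"
    return {"state": state, "requests": len(requests), "backoff": backoff}

if __name__ == "__main__":
    for xid, events in parse(CAPTURE).items():
        print(xid, diagnose(events))
```

A doubling backoff with the same xid and no inbound ACK or NACK means the client is retransmitting normally, which points upstream of the client, as post 4 concluded.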