SSL VPN
Contributor
adaviel
Posts: 21
Registered: ‎05-10-2012
0
Accepted Solution

How to use an external DHCP server with VPN on MAG 6610 ?

I have a working tunnel using Junos Pulse and an IP address pool.

I want to use an external DHCP server instead (ISC dhcp-3.0.5 on Linux).

I created a pool on the server, and set option 118 per KB23329.

The server then issues a DHCP offer of a pool address e.g. 192.168.79.254, which I can see at the internal cluster interface. But the client does not accept the offer, or does not see it.

Moderator
zanyterp
Posts: 2,263
Registered: ‎11-19-2007
0

Re: How to use an external DHCP server with VPN on MAG 6610 ?

what error do you see on the client?

is your network connect range at system>network>network connect (vpn network) set to accept that range?

what does your tcp dump show?

Contributor
adaviel
Posts: 21
Registered: ‎05-10-2012
0

Re: How to use an external DHCP server with VPN on MAG 6610 ?

I don't see an error on the client - Junos Pulse just says "connecting".

This version has system>network>VPN Tunneling (Network Settings), not "network connect":

 - IP filters to apply to VPN IP pools. The filter is "*".

This range works when generated by the IVE itself.

tcpdump on the IVE shows a DHCP Discover from the internal interface of one cluster member to the DHCP server, and a DHCP Offer coming back.

Contributor
RexPGP
Posts: 144
Registered: ‎05-04-2009
0

Re: How to use an external DHCP server with VPN on MAG 6610 ?

I did dhcp once and I had to add DHCP server.

system->network->network connect->network connect server IP address

Moderator
zanyterp
Posts: 2,263
Registered: ‎11-19-2007
0

Re: How to use an external DHCP server with VPN on MAG 6610 ?


adaviel wrote:

I don't see an error on the client - Junos Pulse just says "connecting"

This version has system>network>VPN Tunneling (Network Settings) not "network connect"

 - IP filters to apply to VPN IP pools. The filter is "*".

This range works when generated by the IVE itself.

tcpdump on the IVE shows DHCP Discover from the internal interface of one cluster member to the DHCP server, and a DHCP Offer coming back


ok, thank you.

What is the message on the DHCP server? What does your user access log show at the time of failure? Does the TCP dump on the client on the Pulse adapter show success or failure? Are the DHCP server and the internal port of the cluster on the same subnet? If not, does that make a difference?

Contributor
adaviel
Posts: 21
Registered: ‎05-10-2012
0

Re: How to use an external DHCP server with VPN on MAG 6610 ?

(Sorry for the delay - long weekend, other tasks.)

The DHCP server logs

DHCPDISCOVER from 55:4e:32:00:00:00 (mypc) via 192.168.x.y

DHCPOFFER on 192.168.79.254 to 55:4e:32:00:00:00 (mypc) via  192.168.x.y

192.168.x.y (sanitized) is the internal address of one MAG cluster member.

192.168.79.254 (sanitized) is the client address allocated from the DHCP pool.

I see the same DHCP packets (discover, offer) in tcpdump on the MAG.

The MAG logs say

VPN Tunneling: IP address cannot be allocated to user xxx. Solution: Check IP Address Pools / DHCP server state.

I can't easily put the MAG and DHCP server on the same subnet; the MAG's internal and external interfaces are on two small VLANs on our router.

We have a similar setup with WiFi access points which works with dhcprelay.

I just found something else to try relating to failover addresses on the DHCP server; more later if that works.

Contributor
adaviel
Posts: 21
Registered: ‎05-10-2012
0

Re: How to use an external DHCP server with VPN on MAG 6610 ?

Solved.

We have two DHCP servers configured for active/inactive failover. The active one responds to a cluster address, but replies come from the server's base address. Since I can SSH to the cluster address, I had not realized this could be an issue.

I changed the configuration on the MAG to use the base address of both DHCP servers. It sends DHCP Discover and Request to both, but gets Offer and ACK from only the active one and uses that.
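The two diagnostics the thread converges on are (a) reading the dhcpd log to see whether a client ever gets past DISCOVER/OFFER to REQUEST/ACK, and (b) checking whether the offer arrives from an address the relay was actually configured with. The script below is an added example, not something posted in this thread or shipped by Juniper or ISC. The log lines are constructed in ISC dhcpd syslog format (addresses and MACs are made up), and `offer_accepted` is an assumed model of the relay's behaviour: the thread only reports that offers from the servers' base addresses were ignored until those addresses were configured on the MAG, not how the MAG implements the check.

```python
import re
from collections import defaultdict

# Constructed sample lines in ISC dhcpd syslog format (not taken from the
# thread's real server). Addresses and MACs are made up. The first client
# is offered a lease twice but never sends a REQUEST (the symptom in the
# thread); the second client completes DISCOVER/OFFER/REQUEST/ACK.
SAMPLE_LOG = """\
DHCPDISCOVER from 55:4e:32:00:00:00 (mypc) via 192.168.10.2
DHCPOFFER on 192.168.79.254 to 55:4e:32:00:00:00 (mypc) via 192.168.10.2
DHCPDISCOVER from 55:4e:32:00:00:00 (mypc) via 192.168.10.2
DHCPOFFER on 192.168.79.254 to 55:4e:32:00:00:00 (mypc) via 192.168.10.2
DHCPDISCOVER from 00:11:22:33:44:55 via eth0
DHCPOFFER on 192.168.79.10 to 00:11:22:33:44:55 via eth0
DHCPREQUEST for 192.168.79.10 (192.168.10.11) from 00:11:22:33:44:55 via eth0
DHCPACK on 192.168.79.10 to 00:11:22:33:44:55 via eth0
"""

MAC = r"(?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})"
HOST = r"(?: \((?P<host>[^)]*)\))?"
VIA = r" via (?P<via>\S+)"

# One pattern per message type; the optional "(hostname)" group and the
# "via <relay address or interface>" suffix are shared by all four.
PATTERNS = {
    "DISCOVER": re.compile(r"DHCPDISCOVER from " + MAC + HOST + VIA),
    "OFFER": re.compile(r"DHCPOFFER on (?P<ip>\S+) to " + MAC + HOST + VIA),
    "REQUEST": re.compile(
        r"DHCPREQUEST for (?P<ip>\S+)(?: \((?P<server>\S+)\))? from " + MAC + HOST + VIA
    ),
    "ACK": re.compile(r"DHCPACK on (?P<ip>\S+) to " + MAC + HOST + VIA),
}


def parse_dhcpd_log(text):
    """Turn dhcpd log lines into dicts with type, mac, via and ip/server where present."""
    records = []
    for line in text.splitlines():
        for kind, pat in PATTERNS.items():
            m = pat.search(line)
            if m:
                d = m.groupdict()
                d["type"] = kind
                records.append(d)
                break
    return records


def stalled_clients(records):
    """Return MACs that were offered an address but never sent a REQUEST.

    Repeated DISCOVER/OFFER pairs with no REQUEST in between mean the relay
    or client dropped every offer, which is the state the thread's MAG logs
    as 'IP address cannot be allocated'.
    """
    counts = defaultdict(lambda: defaultdict(int))
    for r in records:
        counts[r["mac"]][r["type"]] += 1
    return sorted(
        mac for mac, c in counts.items()
        if c["OFFER"] > 0 and c["REQUEST"] == 0
    )


def offer_accepted(configured_servers, offer_source):
    """Model (assumption, not confirmed by the thread) of a relay that only
    honours offers whose source address is one of its configured DHCP servers.

    With a failover pair, dhcpd answers from each node's own base address, so
    configuring only the shared cluster address makes every offer look
    unsolicited; listing both base addresses is the fix the thread reports.
    """
    return offer_source in set(configured_servers)


if __name__ == "__main__":
    recs = parse_dhcpd_log(SAMPLE_LOG)
    print("clients stuck at OFFER:", stalled_clients(recs))
    # Only the cluster address configured; reply comes from a node's base address.
    print(offer_accepted(["192.168.10.10"], "192.168.10.11"))
    # Both base addresses configured, as in the fix above.
    print(offer_accepted(["192.168.10.11", "192.168.10.12"], "192.168.10.11"))
```

Pointing `parse_dhcpd_log` at a real dhcpd syslog extract and comparing the `via` field of the OFFER lines with the server list configured on the relay is the quickest way to tell the "offer never seen" case apart from a pool or filter problem on the appliance side.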

Trusted Contributor
stine
Posts: 434
Registered: ‎05-05-2008
0

Re: How to use an external DHCP server with VPN on MAG 6610 ?

If you search the forum, I posted my bind config and SA config for using a pair of Linux servers to serve separate network addresses to multiple roles, and it's been working well for quite some time.

Theodore E Van Iderstine
Stream Networks
+1 678 373 4200 x125
JNCIA-ER (expired), JNCIA-SSL (ditto)
Moderator
zanyterp
Posts: 2,263
Registered: ‎11-19-2007
0

Re: How to use an external DHCP server with VPN on MAG 6610 ?

thank you for sharing

Copyright© 1999-2013 Juniper Networks, Inc. All rights reserved.