SRX Services Gateway

11.1R2.3 breaks dhcp server and client

05-16-2011 06:47 PM

Upgraded from 11.1R1.0 to 11.1R2.3 and my DHCP server for my internal LAN and DHCP client for my ISP stopped working... rolled back to 11.1R1.0 and all was working again. Anyone see the same?

Re: 11.1R2.3 breaks dhcp server and client

05-16-2011 08:15 PM

When I upgraded from 10.2R3 to 10.4R2, DHCP relay stopped working for me. They fixed that in 10.4R3.

I wonder if some of the goofy DHCP code from 10.4R2 made it into 11.1R2.

You should definitely open a JTAC case on this and confirm it as a bug and get a PR issued.

-kr


---
If this solves your problem, please mark this post as "Accepted Solution."
Kudos are always appreciated.
Re: 11.1R2.3 breaks dhcp server and client

06-07-2011 06:21 PM

Yes, this happened to me. Using Comcast cable internet, I ran 11.1R2.3 for a few weeks, and then my internet connection dropped and my SRX100 could no longer receive a DHCP address from Comcast. Once I rolled back to 11.1R1.10 my SRX was able to receive a DHCP address. The only problem is that once I rolled back to 11.1R1.10 my HE IPv6 tunnel stopped working in flow-based mode :-(

Re: 11.1R2.3 breaks dhcp server and client

06-09-2011 04:38 PM

I have an he.net 6in4 tunnel as well. For this you just need to create a firewall filter which instructs the protocol 41 communication to your tunnel broker endpoint to be processed in packet-mode. The decapsulated IPv6 packet will still be processed in flow-mode. More details in this thread starting on page 2:

http://forums.juniper.net/t5/SRX-Services-Gateway/HE-IPv6-tunnel-with-flow-based-IPv6-in-10-4/m-p/69...

Re: 11.1R2.3 breaks dhcp server and client

06-09-2011 05:39 PM

JTAC informed me that engineering is looking into the 11.1R2 DHCP server issue. For now I'm continuing to run 10.4R4, which has been rock solid.

mawr

Re: 11.1R2.3 breaks dhcp server and client

07-05-2011 12:11 PM

Hi,

Found the same problem. The DHCP client is working fine on 11.1R1.10, but after upgrading to 11.1R2.3 or to the newest 11.1R3.5 it stops working. Tested on an SRX100.

Did anybody get an answer from JTAC?

Re: 11.1R2.3 breaks dhcp server and client

07-05-2011 01:03 PM

I noticed last week that 11.1R3.5 did the same as well... back to R1.10.

Re: 11.1R2.3 breaks dhcp server and client

07-06-2011 08:07 AM

I'm running both DHCP servers and clients without issue on 11.1R2.3. The key for me was making sure that the security zone allowed DHCP on the interface I was using, i.e.

set security zones security-zone trust interfaces fe-0/0/1.0 host-inbound-traffic system-services dhcp

Once I added that, I was golden.

Re: 11.1R2.3 breaks dhcp server and client

07-06-2011 08:26 AM

I had host-inbound-traffic system-services all set and it didn't work at all. I had to revert back to 11.1R1 to get DHCP up and running again.

Re: 11.1R2.3 breaks dhcp server and client

07-06-2011 08:39 AM

Exactly, I already have it working in 11.1R1.10 and the host-inbound services are permitted. After upgrading to either R2.3 or R3.5 it all breaks. I may try again to upgrade and maybe remove then reapply the host-inbound services... wouldn't be the first time something like that resolves it.

SOLUTION: 11.1R2.3 breaks dhcp server and client

07-13-2011 09:34 PM

So I decided to sit down and figure out what was going on here. Turns out the IDS is breaking DHCP client/server communication if the screen enabled on your zone is enforcing 'ip { spoofing }'. When I cleared the IDS statistics counters and had a client renew their lease I saw the ip spoofing counter increment. There were also SNMPTRAP messages being sent at the same time where the OID was under the IDS MIB.

Since my SRX100H is acting as a DHCP server for my LAN and a client to my ISP, I made these changes:

SRX100H# show | compare
[edit security screen ids-option trust_screen ip]
!      inactive: spoofing;
[edit security screen ids-option untrust-screen ip]
!      inactive: spoofing;

After these changes were committed I was able to receive a DHCP IP from my ISP and hand out DHCP leases to my devices on the LAN. I assume I could create a firewall filter to process DHCP/BOOTP packets in packet-mode, thus eliminating the IDS from the picture and still allowing me to keep 'ip spoofing' enabled.

 

If anyone else knows another solution please chime in.

Re: SOLUTION: 11.1R2.3 breaks dhcp server and client

07-14-2011 06:50 AM

It appears some screen filters like DDoS and possibly spoofing are applied outside the flow path, and therefore a firewall filter to process in packet-mode is not a viable solution/workaround. If anyone knows different, please chime in.

Re: SOLUTION: 11.1R2.3 breaks dhcp server and client

07-14-2011 09:02 AM

Yes, I got the same issue, and what I did is the same thing.

Disable the spoofing screen.

Re: SOLUTION: 11.1R2.3 breaks dhcp server and client

07-16-2011 04:29 AM

Thanks techniq. I have opened a TAC case regarding this issue, but no response till now, and your workaround works!

Re: SOLUTION: 11.1R2.3 breaks dhcp server and client

08-18-2011 05:54 PM

Hi all,

We are looking into this issue and there are several PRs opened for this, 675523 and 681998. Will update with more info later on. FYI, the 11.2R1 release works fine with ip spoofing.
****pls click the button " Accept as Solution" if my post helped to solve your problem****
Re: SOLUTION: 11.1R2.3 breaks dhcp server and client

08-19-2011 02:09 AM

Good day,

Had the same (on an interface with VLANs)...

Try 'run restart ethernet-switching' on the console.

Did the trick for us!

Brgds,

Maarten van der Hoek

Re: SOLUTION: 11.1R2.3 breaks dhcp server and client

08-19-2011 06:06 AM

WL, I'm still seeing the same problem on 11.2R1.10... even after activating IP spoofing (previously deactivated) and rebooting the SRX. My ISP interface still could not get a DHCP lease, and my clients in the trust zone could not obtain a lease either. I disabled 'ip spoofing' on both zones and both started working again.

Re: SOLUTION: 11.1R2.3 breaks dhcp server and client

08-21-2011 09:50 AM

WL wrote:
Hi all, we are looking into this issue and there are several PRs opened for this, 675523 and 681998. Will update with more info later on. FYI, the 11.2R1 release works fine with ip spoofing.

Is there an ETA for a bug fix in 11.1?

Thanks

Twitter: @cryptochrome
--------------------------------
plus.google.com/11635909860
Re: SOLUTION: 11.1R2.3 breaks dhcp server and client

08-24-2011 11:48 PM

Hi folks,

Sorry, my mistake: the issue also exists from 11.2R1 onwards. The short-term workaround is that if you have a DHCP client configured, ip spoofing should not be configured on the zone that the interface resides in.

This is due to a change in behavior which was checked in from 11.1R2, 11.2R1 and 11.3R1. The rationale behind this is that during the detection of ip spoofing, a route lookup has to be done for the source address. After the route lookup has been done, it compares the input interface with the result of the route lookup. In the case of DHCP clients, it picks up the default route as discard and drops the packet as a spoofed packet. In previous releases, if the default route was matched, we allowed the traffic to pass without matching the input interface, so the spoofing check was incorrect in older releases.

We are still in discussion on this issue at the moment, as we understand that an exception has to be made for DHCP. Will update when more info is available.
****pls click the button " Accept as Solution" if my post helped to solve your problem****
Re: SOLUTION: 11.1R2.3 breaks dhcp server and client

08-24-2011 11:53 PM

Well, a firewall filter does not work in this case, as it does not bypass flow processing.

The other way to work around this is to apply a stateless filter to bypass flow. An example is as follows:

root# show interfaces fe-0/0/5
unit 0 {
    family inet {
        filter {
            input test;
        }
        dhcp;
    }
}

[edit]
root# show firewall
family inet {
    filter test {
        /* DHCP replies to the broadcast address: handle in packet-mode, skipping flow processing */
        term 1 {
            from {
                destination-address {
                    255.255.255.255/32;
                }
            }
            then {
                packet-mode;
                accept;
            }
        }
    }
}

This enables the DHCP response packet to bypass flow, and the SRX will be able to get an IP address:

[edit]
root# run show interfaces terse | match fe-0/0/5
fe-0/0/5                up    up
fe-0/0/5.0              up    up   inet     192.168.78.2/24

[edit]
root# run show version
Model: srx210he-poe
JUNOS Software Release [11.1R3.5]

That way you can still have ip spoofing.

****pls click the button " Accept as Solution" if my post helped to solve your problem****
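The mechanism WL describes (a route lookup on the source address, then an ingress-interface comparison that a discard default route can never satisfy) and the packet-mode filter in the last post can be modelled in a few lines, which makes it clear why both the DHCP client and the DHCP server break while a real spoof is still caught. The following is an added illustration written for this page; it is not Junos code and not anything from Juniper or the posters. It assumes a constructed RIB with one connected LAN route and a discard default route (WL's "default route as discard"), and it extends WL's filter to the LAN-facing interface as well, to cover the DHCP server case that the thread reports but WL's explanation only spells out for the client. Whether a stateless packet-mode filter really bypasses every screen on real hardware is exactly what was disputed earlier in the thread; the model simply follows WL's demonstration.

```python
"""Toy model of the SRX 'ip spoofing' screen check before and after 11.1R2,
plus the packet-mode filter workaround. Added illustration, not Junos code."""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network
from typing import Callable, List, Optional


@dataclass(frozen=True)
class Route:
    prefix: IPv4Network
    out_iface: Optional[str]  # None models a 'discard' route (assumption)


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    in_iface: str


def lookup(rib: List[Route], addr: str) -> Optional[Route]:
    """Longest-prefix match on an address, as the screen's source lookup does."""
    a = IPv4Address(addr)
    best = None
    for r in rib:
        if a in r.prefix and (best is None or r.prefix.prefixlen > best.prefix.prefixlen):
            best = r
    return best


def spoof_check_pre_11_1r2(rib: List[Route], pkt: Packet) -> str:
    """Older behaviour per WL: a source that matches only the default route
    passes without an ingress-interface comparison (the 'incorrect' check)."""
    r = lookup(rib, pkt.src)
    if r is None:
        return "drop"
    if r.prefix.prefixlen == 0:
        return "accept"
    return "accept" if r.out_iface == pkt.in_iface else "drop"


def spoof_check_11_1r2(rib: List[Route], pkt: Packet) -> str:
    """11.1R2 / 11.2R1 / 11.3R1 behaviour per WL: always compare the ingress
    interface with the route result; a discard route never matches, so drop."""
    r = lookup(rib, pkt.src)
    if r is None or r.out_iface is None:
        return "drop"
    return "accept" if r.out_iface == pkt.in_iface else "drop"


def process(rib: List[Route], pkt: Packet, check: Callable[[List[Route], Packet], str],
            packet_mode_ifaces: frozenset = frozenset()) -> str:
    """Ingress pipeline. WL's stateless filter (destination 255.255.255.255 ->
    packet-mode accept) is modelled as an input filter on the listed interfaces
    that short-circuits the flow/screen path entirely."""
    if pkt.in_iface in packet_mode_ifaces and pkt.dst == "255.255.255.255":
        return "accept"  # packet-mode: the screen is never consulted
    return check(rib, pkt)


# Constructed RIB: WAN interface fe-0/0/5 has no lease yet, so the only routes
# are the connected LAN and a discard default (assumption, see lead-in).
RIB = [
    Route(IPv4Network("192.168.1.0/24"), "fe-0/0/1"),
    Route(IPv4Network("0.0.0.0/0"), None),
]

# Constructed packets (addresses are illustrative).
OFFER = Packet("192.168.78.1", "255.255.255.255", "fe-0/0/5")   # ISP DHCPOFFER to the SRX client
DISCOVER = Packet("0.0.0.0", "255.255.255.255", "fe-0/0/1")      # LAN host DHCPDISCOVER to the SRX server
LAN_OK = Packet("192.168.1.10", "8.8.8.8", "fe-0/0/1")           # ordinary LAN traffic
SPOOFED = Packet("192.168.1.10", "192.168.1.1", "fe-0/0/5")      # LAN source arriving on the WAN side

FILTER_IFACES = frozenset({"fe-0/0/5", "fe-0/0/1"})  # WL's filter, plus the LAN side (extension)


def summarize() -> dict:
    """Return {name: (pre-11.1R2, 11.1R2, 11.1R2 with packet-mode filter)} verdicts."""
    out = {}
    for name, pkt in [("offer", OFFER), ("discover", DISCOVER), ("lan_ok", LAN_OK), ("spoofed", SPOOFED)]:
        out[name] = (
            process(RIB, pkt, spoof_check_pre_11_1r2),
            process(RIB, pkt, spoof_check_11_1r2),
            process(RIB, pkt, spoof_check_11_1r2, FILTER_IFACES),
        )
    return out


if __name__ == "__main__":
    for name, (old, new, filtered) in summarize().items():
        print(f"{name:9s} pre-11.1R2={old:7s} 11.1R2={new:7s} 11.1R2+filter={filtered}")
```

Run it directly to print the three verdicts for each packet. The point to take from it is the last row: the genuinely spoofed packet (a LAN source arriving on the WAN interface) is dropped under both behaviours and is untouched by the broadcast-only filter, which is why a narrow packet-mode term is a smaller concession than deactivating the spoofing screen on the whole zone, as the earlier workaround does.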