SRX Services Gateway

Re: Branch SRX as a DHCPv6 prefix delegation client?

‎07-20-2013 05:23 AM

Also, try the following under the interface configuration:

 

            family inet6 {
                dhcpv6-client {
                    client-type statefull;
                    client-ia-type ia-pd;
                    rapid-commit;
                    client-identifier duid-type duid-ll;
                }
            }

 

Ben Dale
JNCIP-ENT, JNCIP-SP, JNCIP-DC, JNCIE-SEC #63
Juniper Ambassador
Follow me @labelswitcher

Re: Branch SRX as a DHCPv6 prefix delegation client?

‎07-20-2013 05:30 AM

Hey Ben,

 

Thanks for info.

 

Looks like I am getting a NOADDRS-AVAIL from the Internode server *I think*.

 

I'm going to disable and then enable IPv6 on my node account to see if it helps.


Re: Branch SRX as a DHCPv6 prefix delegation client?

‎07-20-2013 05:45 AM

I don't think you can use ia-pd without ia-na. This is what I get when I remove client-ia-type ia-na from my config:

 

    family inet6 {
        dhcpv6-client {
            client-type statefull;
            ##
            ## Warning: IA-NA identity association is required for ia-pd
            ##
            client-ia-type ia-pd;
            rapid-commit;
            client-identifier duid-type duid-llt;
        }
    }

 


Re: Branch SRX as a DHCPv6 prefix delegation client?

‎07-20-2013 05:49 AM

Okay, thanks to Ben, here is a config that seems to pick up the /56 from Internode. Still need to work out the rest.

 

## Last commit: 2013-07-20 22:39:03 EST by root
version 12.1X45;
system {
    services {
        dhcp-local-server {
            group trust {
                interface vlan.0;
            }
        }

    }

}
interfaces {
    at-1/0/0 {
        traceoptions;
        encapsulation atm-pvc;
        atm-options {
            vpi 8;
        }
        dsl-options {
            operating-mode annexm-adsl2plus;
        }
        unit 0 {
            description "Internode ADSL";
            encapsulation atm-ppp-vc-mux;
            vci 8.35;
            ppp-options {
                pap {
                    local-name "xxx@internode.on.net";
                    local-password "xxx"; ## SECRET-DATA
                    passive;
                }
            }
            family inet6 {
                dhcpv6-client {
                    client-type statefull;
                    ##
                    ## Warning: IA-NA identity association is required for ia-pd
                    ##
                    client-ia-type ia-pd;
                    rapid-commit;
                    client-identifier duid-type duid-ll;
                }
            }
        }
    }
}

routing-options {
    rib inet6.0 {
        static {
            route ::/0 next-hop at-1/0/0.0;
        }
    }
}

security {
    forwarding-options {
        family {
            inet6 {
                mode flow-based;
            }
        }
    }
    zones {
        security-zone untrust {
            interfaces {
                at-1/0/0.0 {
                    host-inbound-traffic {
                        system-services {
                            dhcpv6;
                        }
                    }
                }
            }
        }

    }
}
access {
    address-assignment {
        pool trust {
            family inet {
                network 10.0.0.0/22;
                range pool {
                    low 10.0.1.1;
                    high 10.0.2.254;
                }
                dhcp-attributes {
                    maximum-lease-time 691200;
                    domain-name lttd.net;
                    name-server {
                        10.0.0.254;
                    }
                    router {
                        10.0.0.254;
                    }
                }
                host static-host-1 {
                    hardware-address 00:0c:29:xx:xx:xx;
                    ip-address 10.0.2.7;
                }
            }
        }
    }
}

 

The following warning can be ignored it seems:

 

                    ## Warning: IA-NA identity association is required for ia-pd

 

 


Re: Branch SRX as a DHCPv6 prefix delegation client?

‎07-20-2013 06:10 AM

Okay,

 

I haven't worked out how to propagate the v6 subnet into my LAN yet, but I got the basics working by:

 

  1. Assign a static IPv6 address from the DHCPv6 subnet assigned from internode (the /56 is static so this should work) to your trust interface.
  2. Set static IP address on workstation and set gateway as above address.
  3. Done (make sure policies are set up too)!

My internode subnet is 2001:44b8:31f4:d800/56

 

So I just used 2001:44b8:31f4:d800::1 on the SRX and 2001:44b8:31f4:d800::2 on the computer.

 

I'll now need to play with DHCPv6 Server for workstations.

 

But IPv6 Works!

 

Michaels-MacBook-Pro-R:~ michaeldale$ ping6 ns3.dalegroup.net
PING6(56=40+8+8 bytes) 2001:44b8:31f4:d800::2 --> 2605:2700:0:5::4713:95f5
16 bytes from 2605:2700:0:5::4713:95f5, icmp_seq=0 hlim=55 time=260.277 ms
16 bytes from 2605:2700:0:5::4713:95f5, icmp_seq=1 hlim=55 time=270.468 ms
16 bytes from 2605:2700:0:5::4713:95f5, icmp_seq=2 hlim=55 time=282.653 ms
16 bytes from 2605:2700:0:5::4713:95f5, icmp_seq=3 hlim=55 time=308.288 ms
^C
--- ns3.dalegroup.net ping6 statistics ---
4 packets transmitted, 4 packets received, 0.0% packet loss
round-trip min/avg/max/std-dev = 260.277/280.422/308.288/17.933 ms

 

Thanks everyone for the help (and a special thanks to Ben!).

 

 


Re: Branch SRX as a DHCPv6 prefix delegation client?

‎07-20-2013 06:11 AM

Yep, after applying that config it seems to have the /56!

 

Thanks Ben and Michael.


Re: Branch SRX as a DHCPv6 prefix delegation client?

‎07-20-2013 06:20 AM
Awesome - good to see this finally working on SRX
Ben Dale

Re: Branch SRX as a DHCPv6 prefix delegation client?

‎07-20-2013 06:38 AM

Okay something is very odd with the new DHCP server config.

 

I use a /22 internally. My router is 10.0.0.254/22

 

Everything on 10.0.0.0/24 is fine but 10.0.1.0 and 10.0.2.0 devices can no longer talk to the SRX.

 

I am getting this very odd Access-internal/12 route for all non 10.0.0.0/24 devices.

 

10.0.1.4/32        *[Access-internal/12] 00:09:31
                    > to 10.0.0.254 via vlan.0
10.0.1.5/32        *[Access-internal/12] 00:09:31
                    > to 10.0.0.254 via vlan.0
10.0.1.6/32        *[Access-internal/12] 00:09:31
                    > to 10.0.0.254 via vlan.0
10.0.1.7/32        *[Access-internal/12] 00:09:31
                    > to 10.0.0.254 via vlan.0
10.0.1.11/32       *[Access-internal/12] 00:09:31
                    > to 10.0.0.254 via vlan.0
10.0.1.12/32       *[Access-internal/12] 00:09:31
                    > to 10.0.0.254 via vlan.0
10.0.1.13/32       *[Access-internal/12] 00:09:31
                    > to 10.0.0.254 via vlan.0
10.0.1.14/32       *[Access-internal/12] 00:09:31
                    > to 10.0.0.254 via vlan.0
10.0.1.15/32       *[Access-internal/12] 00:09:31

 

Need to do some research!

 


Re: Branch SRX as a DHCPv6 prefix delegation client?

‎07-20-2013 06:59 AM

That's odd.  What happens if you break down your pool across multiple "range" statements eg:

range HOSTS1 {
    low 10.0.1.1;
    high 10.0.1.254;
}
range HOSTS2 {
    low 10.0.2.1;
    high 10.0.2.254;
}

 

 

 

 

Ben Dale

Re: Branch SRX as a DHCPv6 prefix delegation client?

‎07-20-2013 07:11 AM

Thanks, I'll give that a try tomorrow.

 

I think there is a more serious issue. I decided to reboot the box to see if that cleared up the issues but then it never came back up correctly. No IPv4 traffic either.

 

I did a commit with no config changes (via serial console connection) and got this error (note: not a warning):

 

root@jbox# commit
[edit interfaces at-1/0/0 unit 0 family inet6 dhcpv6-client client-ia-type]
  'ia-pd'
    IA-NA identity association is required for ia-pd
error: commit failed: (statements constraint check failed)

I had to disable IPv6 to get the config to commit, and once committed IPv4 traffic started working again (including the 10.0.1.0 etc. subnets).

 

Crazy, seems like a bug. I'll need to create a support request I suspect.

 

EDIT: Or not, seems like I'm still having some traffic issues. I'll need to play with it more tomorrow.

 

Thanks again Ben.


Re: Branch SRX as a DHCPv6 prefix delegation client?

‎07-20-2013 07:25 AM

Okay it looks like any address assigned via the new DHCP system is being added into the routing table as Access-internal/12 even 10.0.0.x addresses.

 

The reason I was confused is that my mac was still using the assigned address from the old config and hadn't requested a new address yet.

 

Now I wonder what Access-internal/12 is. Google time!


Re: Branch SRX as a DHCPv6 prefix delegation client?

‎07-20-2013 07:31 AM

I'm seeing something similar on mine - I'm using PPPoEoA (via pp0.0 interface) and it seems to enforce ia-na as well.  

I've also noticed that there's a bug in the JDHCPD that throws the incredibly unhelpful and completely misleading:

 

error: Check-out failed for General authentication process (/usr/sbin/authd) without details
error: configuration check-out failed

if you try and configure any static-dhcp hosts (e.g. MAC to IP-address mapping).

 

I'll log a JTAC case on it next week and try to get that fixed...

Ben Dale

Re: Branch SRX as a DHCPv6 prefix delegation client?

‎07-20-2013 07:32 AM

Ahh, I know why that is:

 

Access-Internal routes are what DHCP Subscribers are registered as on the MX when you're doing broadband termination.  Since this daemon code was taken from the MX, I'd say that this "feature" has come across with it.  It shouldn't cause any grief.

Ben Dale

Re: Branch SRX as a DHCPv6 prefix delegation client?

‎07-20-2013 07:38 AM

Interesting. Anything that gets added as Access-internal/12 can no longer reach, or be reached from, the SRX.

 

Is there some extra routing needed for this access-internal thing?

 

I tried a trust-to-trust policy but it doesn't work.

 

EDIT:

 

Looks like these routes aren't getting installed correctly??

 

root@jbox# run show route protocol access-internal extensive 

inet.0: 36 destinations, 37 routes (36 active, 0 holddown, 1 hidden)
10.0.1.1/32 (1 entry, 1 announced)
        *Access-internal Preference: 12
                Next hop type: Router
                Address: 0x15a064c
                Next-hop reference count: 3
                Next hop: 10.0.0.254 via vlan.0, selected
                State: <Active NotInstall Int>
                Age: 28:53 
                Task: RPD Unix Domain Server./var/run/rpd_serv.local
                Announcement bits (1): 2-RT 
                AS path: I
                AS path: Recorded

 

Heh this JunOS release is crazy.


Re: Branch SRX as a DHCPv6 prefix delegation client?

‎07-20-2013 10:01 PM
It's working fine here - still get the access internal routes, but connectivity between all devices is fine.
Ben Dale

Re: Branch SRX as a DHCPv6 prefix delegation client?

‎07-22-2013 12:45 AM

If you require prefix delegation to your inside interface add the following line

 

set interfaces at-1/0/0 unit 0 family inet6 dhcpv6-client update-router-advertisement interface vlan.0

 

Change vlan.0 to your inside interface. The full at-1/0/0 config looks as follows:

root@IPv6-DEV# show interfaces at-1/0/0
encapsulation atm-pvc;
atm-options {
    vpi 8;
}
dsl-options {
    operating-mode auto;
}
unit 0 {
    encapsulation atm-ppp-vc-mux;
    vci 8.35;
    ppp-options {
        chap {
            default-chap-secret "xxxx"; ## SECRET-DATA
            local-name "dickotest at zetta.net.au";
            passive;
        }
    }
    family inet {
        negotiate-address;
    }
    family inet6 {
        dhcpv6-client {
            client-type statefull;
            ##
            ## Warning: IA-NA identity association is required for ia-pd
            ##
            client-ia-type ia-pd;
            rapid-commit;
            update-router-advertisement {
                interface vlan.0;
            }
            client-identifier duid-type duid-ll;
        }
    }
}

 

 

Just a warning as well: after a reboot the config may not go active due to the warning about IA-NA, so if you're running this make sure you have a console cable handy.

The fix I have been doing is to add ia-na with

 

set interfaces at-1/0/0 unit 0 family inet6 dhcpv6-client client-ia-type ia-na

 

and committing the config.

 

Simon.


Re: Branch SRX as a DHCPv6 prefix delegation client?

‎07-24-2013 12:53 AM

Has anyone else had any luck getting this config working? I can't get it to complete DHCPv6 negotiations. If I use rapid-commit, I see DHCPv6 requests and replies going back and forth, but the SRX never seems to accept the replies. Looking at the client binding, it stays in "INIT", or sometimes I'll see it "SELECTING". If I don't use rapid-commit, I see solicit/advertise/request/reply, but the same result - it never successfully binds.

 

I also can't get it to commit without adding "client-ia-type ia-na" - I get that warning, and it won't activate the config (this is at any time, not just at reboot).

 

My ISP is assigning me a /48, and I want to be able to get prefix delegation working, to automatically allocate a /64 to internal clients. Documentation on doing this seems to be somewhat lacking. There's vague references, but no complete configs (that I've found). For now, I'm just trying to get the dhcpv6-client to successfully complete, and then I'll work through assigning addresses to internal users.

 

I also can't seem to figure out how to enable tracing for the dhcpv6 client - there doesn't seem to be a traceoptions command for it. Any ideas on how to get more debugs on what's going on with the DHCPv6 client, and why it doesn't complete negotiation? FYI I have allowed inbound dhcpv6 

 

Here's my config:

root@srx01> show configuration interfaces at-1/0/0 unit 0 
encapsulation atm-ppp-llc;
vci 0.100;
ppp-options {
    pap {
        local-name "user@domain";
        local-password "secret squirrel"; ## SECRET-DATA
        passive;
    }
}
family inet {
    filter {
        input internet-input;
    }
    negotiate-address;
}
family inet6 {
    filter {
        input IPv6;
    }
    dhcpv6-client {
        client-type statefull;
        client-ia-type ia-pd;
        client-ia-type ia-na;
        rapid-commit;
        update-router-advertisement {
            interface vlan.0;
        }
        client-identifier duid-type duid-ll;
    }
}

root@srx01> 

Here's the DHCPv6 client stats/binding info. Note that it's seeing the prefix from my ISP, but it's staying at INIT. I suspect it's not completing because of the "client-ia-type ia-na", but JunOS won't let me remove that.

root@srx01> show dhcpv6 client binding detail 

Client Interface: at-1/0/0.0
     Hardware Address:             54:e0:32:d0:3d:e0
     State:                        INIT(DHCPV6_CLIENT_STATE_INIT)
     ClientType:                   STATEFULL
     Bind Type:                    IA_NA IA_PD
     Client DUID:                  LL0x1-54:e0:32:d0:3d:e0
     Rapid Commit:                 On
     Server Ip Address:            ::/0
     Client IP Address:            ::/0
     Client IP Prefix:             2406:e000:e3b8::/48

root@srx01> show dhcpv6 client statistics        


=======================================================
Dhcpv6 Packets dropped:
    Total               0

Messages received:
    DHCPV6_ADVERTISE           0 
    DHCPV6_REPLY               9 
    DHCPV6_RECONFIGURE         0 

Messages sent:
    DHCPV6_DECLINE             0 
    DHCPV6_SOLICIT             9 
    DHCPV6_INFORMATION_REQUEST 0 
    DHCPV6_RELEASE             0 
    DHCPV6_REQUEST             0 
    DHCPV6_CONFIRM             0 
    DHCPV6_RENEW               0 
    DHCPV6_REBIND              0 

root@srx01> 

One other thing I've noticed, but I'm not sure if it's related - if I do "tcpdump -s 2000 -ni at-1/0/0.0 ipv6", then Wireshark correctly decodes the outbound DHCPv6 messages, but can't seem to properly decode the inbound responses.

 

Anyone else having any luck with this?


Re: Branch SRX as a DHCPv6 prefix delegation client?

‎07-27-2013 05:16 PM

Just as an update on this, I've logged a case with JTAC about it. We're working through it - will report back on our findings.


Re: Branch SRX as a DHCPv6 prefix delegation client?

‎08-03-2013 10:16 PM

So I'm getting a bit further ahead. I've now got it in a position where it can commit without having "client-ia-type ia-na", and the DHCPv6 session completes, and we see PD work successfully. I don't know if it will reboot or not, and I don't have a console cable on me right now, so I'm not about to try. I don't know why it would not commit previously - there must be some order of operations issue.

 

I'm now trying to get the next step working, to have prefixes handed out to internal clients. If I remove all config under "protocols router-advertisement interface vlan.0", and add "set interface at-1/0/0.0 family inet6 dhcpv6-client update-router-advertisement interface vlan.0", it is now advertising prefixes via RA.

 

I'd like to be able to use DHCPv6, but I can't seem to get that working. I feel like I'm missing some configuration here - the documentation just says to set "update-server" under the dhcpv6-client, but obviously all the DHCPv6 server config needs to be in place, and I'm not quite getting it right. My clients are sending DHCPv6 Solicit messages, but they are just dropped by the SRX:

root@srx01> show dhcpv6 server statistics 
Dhcpv6 Packets dropped:
Total 1437
Authentication 1437
Messages received:
DHCPV6_DECLINE 0
DHCPV6_SOLICIT 2606
DHCPV6_INFORMATION_REQUEST 0
DHCPV6_RELEASE 0
DHCPV6_REQUEST 0
DHCPV6_CONFIRM 0
DHCPV6_RENEW 0
DHCPV6_REBIND 0
DHCPV6_RELAY_FORW 0
DHCPV6_RELAY_REPL 0
Messages sent:
DHCPV6_ADVERTISE 0
DHCPV6_REPLY 0
DHCPV6_RECONFIGURE 0
DHCPV6_RELAY_REPL 0
root@srx01> show log dhcp-log | last 10 
Aug 4 16:44:01 DH_SVC_LOGIN_FAILURE: DHCP pre-authentication failure for DHCPv6 client SDB session 1596 on incoming interface vlan.0
Aug 4 16:44:45 DH_SVC_LOGIN_FAILURE: DHCP pre-authentication failure for DHCPv6 client SDB session 1597 on incoming interface vlan.0
Aug 4 16:45:01 DH_SVC_LOGIN_FAILURE: DHCP pre-authentication failure for DHCPv6 client SDB session 1598 on incoming interface vlan.0
Aug 4 16:45:14 DH_SVC_LOGIN_FAILURE: DHCP pre-authentication failure for DHCPv6 client SDB session 1599 on incoming interface vlan.0
Aug 4 16:45:31 DH_SVC_LOGIN_FAILURE: DHCP pre-authentication failure for DHCPv6 client SDB session 1600 on incoming interface vlan.0
Aug 4 16:46:07 DH_SVC_LOGIN_FAILURE: DHCP pre-authentication failure for DHCPv6 client SDB session 1601 on incoming interface vlan.0
Aug 4 16:46:43 DH_SVC_LOGIN_FAILURE: DHCP pre-authentication failure for DHCPv6 client SDB session 1602 on incoming interface vlan.0
Aug 4 16:47:02 DH_SVC_LOGIN_FAILURE: DHCP pre-authentication failure for DHCPv6 client SDB session 1603 on incoming interface vlan.0
Aug 4 16:47:13 DH_SVC_LOGIN_FAILURE: DHCP pre-authentication failure for DHCPv6 client SDB session 1604 on incoming interface vlan.0
Aug 4 16:47:40 DH_SVC_LOGIN_FAILURE: DHCP pre-authentication failure for DHCPv6 client SDB session 1605 on incoming interface vlan.0

 

Does anyone know what the DHCPv6 server configuration should look like when you are receiving prefixes via PD? This configuration doesn't seem to be correct:

 

root@srx01> show configuration system services dhcp-local-server 
dhcpv6 {
    group IPv6GROUP {
        overrides {
            rapid-commit;
            process-inform;
        }
        interface vlan.0 {
            trace;
        }
    }
}
group IPv4GROUP {
    overrides {
        no-unicast-replies;
    }
    interface vlan.0;
}

root@srx01> show configuration access address-assignment 
pool IPv6-POOL {
    family inet6 {
        prefix ::/0;
        range myrange prefix-length 64;
        dhcp-attributes {
            dns-server {
                2001:4860:4860::8888;
                2001:4860:4860::8844;
            }
            propagate-ppp-settings at-1/0/0.0;
        }
    }
}
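An added triage helper for the two failure modes shown in this thread: the client-side "stuck in INIT while SOLICIT/REPLY keep flowing" (07-24 post) and the server-side "every SOLICIT dropped at Authentication with DH_SVC_LOGIN_FAILURE in dhcp-log" (post above). It is example code, not from the thread or from Juniper; it assumes only the output shapes of `show dhcpv6 client|server statistics` and `show log dhcp-log` as pasted in the posts, and the samples are constructed copies of that shape.

```python
import re
from collections import Counter

# Constructed "show dhcpv6 client statistics" sample: solicits out, replies in, no REQUEST.
CLIENT_STATS = """\
Messages received:
    DHCPV6_ADVERTISE           0
    DHCPV6_REPLY               9
Messages sent:
    DHCPV6_SOLICIT             9
    DHCPV6_REQUEST             0
"""
# Constructed "show dhcpv6 server statistics" sample: every drop is an auth drop, nothing answered.
SERVER_STATS = """\
Dhcpv6 Packets dropped:
Total 1437
Authentication 1437
Messages received:
DHCPV6_SOLICIT 2606
Messages sent:
DHCPV6_ADVERTISE 0
DHCPV6_REPLY 0
"""
# Constructed dhcp-log lines in the shape of the DH_SVC_LOGIN_FAILURE entries above.
DHCP_LOG = """\
Aug 4 16:44:01 DH_SVC_LOGIN_FAILURE: DHCP pre-authentication failure for DHCPv6 client SDB session 1596 on incoming interface vlan.0
Aug 4 16:44:45 DH_SVC_LOGIN_FAILURE: DHCP pre-authentication failure for DHCPv6 client SDB session 1597 on incoming interface vlan.0
"""

SECTION_RE = re.compile(r"^\s*(Dhcpv6 Packets dropped|Messages received|Messages sent):\s*$")
COUNTER_RE = re.compile(r"^\s*(\w+)\s+(\d+)\s*$")
LOGIN_FAIL_RE = re.compile(r"DH_SVC_LOGIN_FAILURE: .* on incoming interface (\S+)")

def parse_stats(text):
    """Parse 'show dhcpv6 client|server statistics' output into {section: {counter: int}}."""
    sections, current = {}, None
    for line in text.splitlines():
        m = SECTION_RE.match(line)
        if m:
            current = sections.setdefault(m.group(1), {})
            continue
        m = COUNTER_RE.match(line)
        if m and current is not None:
            current[m.group(1)] = int(m.group(2))
    return sections

def client_stuck(stats, state):
    """True when the client keeps soliciting and receives REPLYs but never leaves INIT."""
    sent = stats.get("Messages sent", {})
    recv = stats.get("Messages received", {})
    return (state.startswith("INIT") and sent.get("DHCPV6_SOLICIT", 0) > 0
            and recv.get("DHCPV6_REPLY", 0) > 0 and sent.get("DHCPV6_REQUEST", 0) == 0)

def server_rejecting_all(stats):
    """True when SOLICITs arrive, every drop is an authentication drop, and nothing is answered."""
    dropped = stats.get("Dhcpv6 Packets dropped", {})
    recv = stats.get("Messages received", {})
    sent = stats.get("Messages sent", {})
    return (recv.get("DHCPV6_SOLICIT", 0) > 0 and dropped.get("Total", 0) > 0
            and dropped.get("Authentication", 0) == dropped.get("Total", 0)
            and sent.get("DHCPV6_ADVERTISE", 0) + sent.get("DHCPV6_REPLY", 0) == 0)

def preauth_failures(log_text):
    """Count DH_SVC_LOGIN_FAILURE entries per incoming interface."""
    return dict(Counter(LOGIN_FAIL_RE.findall(log_text)))
```

Run the three checks against live output (for example `show dhcpv6 server statistics | no-more` piped to a file) to separate a client that never binds from a server that is silently dropping its own LAN's requests.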

 

 


Re: Branch SRX as a DHCPv6 prefix delegation client?

‎08-03-2013 10:27 PM

What is the difference between system services dhcp and system services dhcp-local-server?  I notice on my system, the dhcp-local-server configuration is blocked, and there seems to be a lot of interdependencies in the configuration depending on which you choose. (and the documentation on juniper.net is not very clear to me)

 

[edit]
user@er1# show system services dhcp-local-server    
##
## Warning: configuration block ignored: unsupported platform (srx220h)
##
traceoptions { ## Warning: 'traceoptions' is deprecated
    file dhcp-server;
    flag all;
}
dhcpv6 {
    group trust {
        interface vlan.0;
    }
}
group inside {
    interface vlan.0;
}