SRX300 PPPoE static IP setup issues

MikeGreene · ‎08-02-2019

I recently put in service a SRX300 running JunOs 15.1.x49-D160.2

We have CenturyLink DSL service at this location. I have their provided modem in bridge mode, the SRX is doing the PPPoE auth. We have a static IP assignment from Clink.

The issue is that I cannot seem to get the SRX to accept the static IP assignment from Clink. I spoke to one of their network engineers and he gave me a few hints during our discussion... I know they are using Radius for Auth and IP assignment. During the PPPoE auth process the SRX should be accepting the IP network, mask and route from their Radius server but doesn't.

Here is the relevant config from the SRX, this works but I get a dynamic IP assignment each time I disconnect / connect the PPPoE session, if I change the 'negotiate-address' from the 'family inet' section and specify the static IP and remote router it still auth's but no access to the Internet.

PPPoE settings that work, but only gets dynamic IP from ISP.

Text

}
interfaces {
    ge-0/0/0 {
        unit 0 {
            description "CenturyLink Modem";
            encapsulation ppp-over-ether;
        }
    }
    pp0 {
        unit 0 {
            apply-macro Startup_Connection;
            description CenturyLink;
            ppp-options {
                chap {
                    default-chap-secret "password";
                    local-name CTL1080xxxxx;
                    no-rfc2486;
                    passive;
                }
            }
            pppoe-options {
                underlying-interface ge-0/0/0.0;
                idle-timeout 0;
                auto-reconnect 10;
                client;
            }
            family inet {
                mtu 1492;
                negotiate-address;
            }
        }
    }
}
routing-options {
    static {
        route 0.0.0.0/0 {
            qualified-next-hop pp0.0 {
                metric 1;
            }
        }
    }
}

Here is the 'show interfaces pp0.0' for the dynamic IP connection.

Text

mgreene@wtp-srx300> show interfaces pp0.0
  Logical interface pp0.0 (Index 74) (SNMP ifIndex 535)
    Description: CenturyLink
    Flags: Up Point-To-Point SNMP-Traps 0x0 Encapsulation: PPPoE
    PPPoE:
      State: SessionUp, Session ID: 1,
      Session AC name: tukw-dsl-gw71.tukw.qwest.net, Remote MAC address: 00:d0:f6:81:9b:e6,
      Configured AC name: None, Service name: None,
      Auto-reconnect timeout: 10 seconds, Idle timeout: Never,
      Underlying interface: ge-0/0/0.0 (Index 73)
      Ignore End-Of-List tag: Disable
      PPP-Max-Payload tag: 1492
    Input packets : 8024
    Output packets: 7269
  Keepalive settings: Interval 10 seconds, Up-count 1, Down-count 3
  Keepalive: Input: 10 (00:00:58 ago), Output: 159 (00:00:08 ago)
  LCP state: Opened
  NCP state: inet: Opened, inet6: Not-configured, iso: Not-configured, mpls: Not-configured
  CHAP state: Success
  PAP state: Closed
    Security: Zone: Internet
    Protocol inet, MTU: 1492
      Flags: Sendbcast-pkt-to-re, User-MTU, Negotiate-Address
      Addresses, Flags: Kernel Is-Preferred Is-Primary
        Destination: 216.160.93.254, Local: 65.102.118.61

If I change the line from 'negotiate-address' to: address <static ip/32>

I get auth OK, but cannot ping beyond the remote RAS, I tried the following with no change.

address <static ip/32> destination 216.160.93.254

Speaking with the Clink network engineer they use the same remote access router for dynamic and static services, and that 216.160.93.254 is the router doing the PPPoE termination.

Here is the show interfaces pp0.0 with the static IP defined in the pp0.0 configuration.

Text

mgreene@wtp-srx300> show interfaces pp0.0
  Logical interface pp0.0 (Index 74) (SNMP ifIndex 535)
    Description: CenturyLink
    Flags: Up Point-To-Point SNMP-Traps 0x0 Encapsulation: PPPoE
    PPPoE:
      State: SessionUp, Session ID: 1,
      Session AC name: tukw-dsl-gw71.tukw.qwest.net, Remote MAC address: 00:d0:f6:81:9b:e6,
      Configured AC name: None, Service name: None,
      Auto-reconnect timeout: 10 seconds, Idle timeout: Never,
      Underlying interface: ge-0/0/0.0 (Index 73)
      Ignore End-Of-List tag: Disable
      PPP-Max-Payload tag: 1492
    Input packets : 1104
    Output packets: 8164
  Keepalive settings: Interval 10 seconds, Up-count 1, Down-count 3
  Keepalive: Input: 11 (00:06:03 ago), Output: 198 (00:00:09 ago)
  LCP state: Opened
  NCP state: inet: Down, inet6: Not-configured, iso: Not-configured, mpls: Not-configured
  CHAP state: Success
  PAP state: Closed
    Security: Zone: Internet
    Protocol inet, MTU: 1492
      Flags: Sendbcast-pkt-to-re, Protocol-Down, User-MTU
      Addresses, Flags: Dest-route-down Is-Preferred Is-Primary
        Destination: 216.160.93.254, Local: 184.159.xx.xx

What am I missing?

EMTSU · ‎10-02-2019

Hi Mike,

Did you ever get to the bottom of this? If so, what was the answer/solution?

MikeGreene · ‎10-02-2019

Unfortunately I had to move on to other projects, so for now the problem remains.

karand · ‎10-02-2019

Hi,

Share you share the set of VSA that are being returned from AAA/Radius Server?

can you try to remove "no-rfc2486" from ppp-options and check?

/Karan Dhanak

MikeGreene · ‎10-03-2019

I'll have to enable the logging of any VSA info being sent from the RAS. I'll try removing no-rfc2486 and see what happens. I think I tried that, will need to review my notes...

SRX300 PPPoE static IP setup issues

Re: SRX300 PPPoE static IP setup issues

Re: SRX300 PPPoE static IP setup issues

Re: SRX300 PPPoE static IP setup issues

Re: SRX300 PPPoE static IP setup issues