Support Support Downloads Knowledge Base Case Manager My Juniper Community

Knowledge Base

Search our Knowledge Base sites to find answers to your questions.

Ask All Knowledge Base Sites All Knowledge Base Sites JunosE Defect (KA)Knowledge BaseSecurity AdvisoriesTechnical BulletinsTechnotes Sign in to display secure content and recently viewed articles

[ScreenOS] The DHCP relay is not working when the firewall is configured with multiple VRs

0

0
Article ID: KB10761 KB Last Updated: 25 Feb 2013Version: 3.0 Summary:
This article describes the issue of the DHCP relay not working, when the firewall is configured with multiple VRs.
Symptoms:
  • The client sends the DHCP request.
  • The firewall receives it and as the firewall is configured for DHCP relay, it will treat it as self traffic, which is different from flow traffic in terms of the firewall handling process.
  • As it is self traffic, the firewall will use the default VR to perform the route lookup to reach the DHCP server. Then the route associates the interface IP address as thesource IP address for the DHCP relay packet and replays this packet with the new source IP address to DHCP server.
  • The DHCP Server replies with a DHCP response packet to the relay source IP and the firewall sends it to the client. For example, if the DHCP server IP address is 1.1.1.1 and the eth2/1 firewall interface is enabled with DHCP relay, the configuration is as follows:
        set zone trust vr trust-vr
    set interface ethernet2/1 zone trust
    set interface ethernet2/1 ip 172.19.50.2/24
    set interface ethernet2/1 dhcp relay server-name "1.1.1.1"
    set interface ethernet2/1 dhcp relay service
    set interface ethernet1/1 zone untrust
    set zone untrust vr untrust-vr
    set interface ethernet1/1 ip 1.1.1.2/24

But, if in the default VR, the route to reach 1.1.1.1 uses the eth2/1 interface, then the firewall will build the DHCP request by using the 172.19.50.2 source IP address.  However, the desired behavior is that the DHCP request should be built with the source IP address of 1.1.1.2 and then relayed to the 1.1.1.1 DHCP server. 

Again, the default behavior is for the firewall to use the default VR to perform the route lookup to reach the DHCP server and select the related interface as the source interface in this default VR.

Cause:

Solution:

To resolve this issue, use either of the following methods:

In the default VR, add a specific route to the DHCP Relay server that points to the correct VR. As per the above example, set the following command:

set vr trust route 1.1.1.1/32 vr untrust-vr

Or

Set the following command:

set int <int-name> dhcp relay vpn

The command works for both VPN and non-VPN cases. With this command, the firewall will use the interface that is associated with the VR to perform the route look to reach the DHCP server, instead of using the default VR and selecting the source interface.

Related Links

 Comment on this article > Affected Products Browse the Knowledge Base for more articles related to these product categories. Select a category to begin.

Getting Up and Running with Junos

Getting Up and Running with Junos Security Alerts and Vulnerabilities Product Alerts and Software Release Notices Problem Report (PR) Search Tool EOL Notices and Bulletins JTAC User Guide Customer Care User Guide Pathfinder SRX High Availability Configurator SRX VPN Configurator Training Courses and Videos End User Licence Agreement Global Search