
[SRX] Troubleshooting Checklist - DHCP

  [KB26748]


Summary:

A basic checklist for troubleshooting DHCP on Branch SRX devices. It includes the common mistakes made while configuring DHCP.

Symptoms:

DHCP Client, Server, or Relay Agent is not working on SRX:

  • SRX is not getting an IP address from DHCP Server
  • SRX is not assigning an IP address to DHCP client
  • SRX is not passing DHCP packets



Cause:

Solution:

Note:  For DHCP configuration help, refer to the articles here: SRX Getting Started - Configure DHCP


After configuration, if you do not get the desired results, refer to the troubleshooting section applicable to your problem:


DHCP Server Troubleshooting:

  1. Review list of common issues:

    • An existing Firewall Filter is blocking the DHCP packets.

      Confirm that a Firewall Filter is configured to allow incoming DHCP packets with destination port 67-68.

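      Below is an example of how to configure a Firewall Filter term for the DHCP service. A Junos firewall filter ends with an implicit discard, so a filter applied to an interface must also contain terms that accept the other traffic that interface should pass: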

      root# set firewall filter DHCP term 1 from destination-port 67
      root# set firewall filter DHCP term 1 from destination-port 68
      root# set firewall filter DHCP term 1 then accept
       

      Apply the filter to the ingress interface of the SRX (the interface facing the DHCP client):

      root# set interfaces <ingress interface> family inet filter input DHCP


  2. Run DHCP Server traceoptions and review traceoptions output.

    If your issue is not one of the common issues, then configure DHCP Server traceoptions to get more information on why the DHCP Server is not working:

    The following DHCP Server traceoptions can be configured:

    root# set system services dhcp traceoptions file dhcp.dbg
    root# set system services dhcp traceoptions flag all
    root# set system services dhcp traceoptions level all

    For help on how to configure traceoptions and view debug output, refer to KB16108 - Configuring Traceoptions for Debugging and Trimming Output.


    Below is the trace output of a successful DHCP server exchange. Compare it with your own output, paying attention to the highlighted lines, which may indicate where an error is occurring.

    root# run show log dhcp.dbg | no-more

    Jan 16 19:39:09 650-2 clear-log[2505]: logfile cleared
    Jan 16 19:39:33 rtsock ifd message for ge-0/0/0
    Jan 16 19:39:33 changed ifd ge-0/0/0 to down
    Jan 16 19:39:49 rtsock ifd message for ge-0/0/0
    Jan 16 19:39:49 changed ifd ge-0/0/0 to up
    Jan 16 19:39:51 received packet from 0.0.0.0 port 68 interface ge-0/0/0.0 routing instance default
    Jan 16 19:39:51 Link local IP: 0
    Jan 16 19:39:51 -- looking for pool with subnet 192.168.1.1, prefix length 32
    Jan 16 19:39:51 -- [pfxlen 24] Found pool `192.168.1.0/24'
    Jan 16 19:39:51 Decoding packet from 0.0.0.0
    Jan 16 19:39:51 parsing options from packet
    Jan 16 19:39:51 option `dhcp-message-type' code 53 extracted from buffer
    Jan 16 19:39:51 looking for overloaded options
    Jan 16 19:39:51 looking up message type
    Jan 16 19:39:51 Processing DHCP packet
    Jan 16 19:39:51 <== DHCPDISCOVER
    Jan 16 19:39:51 Looking for a lease w/hardware address `b0:c6:9a:8a:0c:00'
    Jan 16 19:39:51 ...and no client identifier
    Jan 16 19:39:51 ...and subnet 192.168.1.0/24
    Jan 16 19:39:51 Found matching lease entry for `b0:c6:9a:8a:0c:00' <- MAC Address of Client
    Jan 16 19:39:51 Lease #1...
    Jan 16 19:39:51 ...correctly has no client identifier
    Jan 16 19:39:51 ...has the correct subnet
    Jan 16 19:39:51 found: 08, satisfies: 0a, exact: 0a
    Jan 16 19:39:51 Exact match
    Jan 16 19:39:51 ==> DHCPOFFER
    Jan 16 19:39:51 -- looking for pool with subnet 192.168.1.2, prefix length 32
    Jan 16 19:39:51 -- [pfxlen 24] Found pool `192.168.1.0/24'
    Jan 16 19:39:51 flushed options on binding
    Jan 16 19:39:51 set next server address to 0.0.0.0
    Jan 16 19:39:51 set client address to 192.168.1.2
    Jan 16 19:39:51 Default lease time 1 day obtained from `Global' scope
    Jan 16 19:39:51 Flag = 4 Expiry = 15722 days, 19 hours, 39 minutes, 51 seconds
    Jan 16 19:39:51 Flag = 4 15722 days, 19 hours, 34 minutes, 19 seconds
    Jan 16 19:39:51 Using default lease time of 1 day
    Jan 16 19:39:51 Maximum lease time infinite obtained from `Global' scope
    Jan 16 19:39:51 adding option `subnet-mask' code 1 to binding
    Jan 16 19:39:51 adding option `broadcast-address' code 28 to binding
    Jan 16 19:39:51 lease with IP address 192.168.1.2 changed state from active to offered
    Jan 16 19:39:51 Packing 27 bytes of options
    Jan 16 19:39:51 packing option `dhcp-message-type' code 53 with 1 bytes of data
    Jan 16 19:39:51 packing option `server-identifier' code 54 with 4 bytes of data
    Jan 16 19:39:51 packing option `dhcp-lease-time' code 51 with 4 bytes of data
    Jan 16 19:39:51 packing option `subnet-mask' code 1 with 4 bytes of data
    Jan 16 19:39:51 packing option `broadcast-address' code 28 with 4 bytes of data
    Jan 16 19:39:51 broadcasting the response
    Jan 16 19:39:51 sent packet from 192.168.1.1 to 255.255.255.255 port 68 out interface ge-0/0/0.0 routing instance default
    Jan 16 19:39:51 ==> DHCPOFFER [done]
    Jan 16 19:39:51 <== DHCPDISCOVER [done]
    Jan 16 19:39:52 received packet from 0.0.0.0 port 68 interface ge-0/0/0.0 routing instance default
    Jan 16 19:39:52 Link local IP: 0
    Jan 16 19:39:52 -- looking for pool with subnet 192.168.1.1, prefix length 32
    Jan 16 19:39:52 -- [pfxlen 24] Found pool `192.168.1.0/24'
    Jan 16 19:39:52 Decoding packet from 0.0.0.0
    Jan 16 19:39:52 parsing options from packet
    Jan 16 19:39:52 option `server-identifier' code 54 extracted from buffer
    Jan 16 19:39:52 option `dhcp-parameter-request-list' code 55 extracted from buffer
    Jan 16 19:39:52 option `dhcp-requested-address' code 50 extracted from buffer
    Jan 16 19:39:52 option `dhcp-message-type' code 53 extracted from buffer
    Jan 16 19:39:52 looking for overloaded options
    Jan 16 19:39:52 looking up message type
    Jan 16 19:39:52 have client IP 192.168.1.2
    Jan 16 19:39:52 have server identifier 192.168.1.1
    Jan 16 19:39:52 Processing DHCP packet
    Jan 16 19:39:52 <== DHCPREQUEST
    Jan 16 19:39:52 requester 0.0.0.0 if ge-0/0/0.0 hw type 1 hw len 6 secs 0 hops 0 ciaddr 0.0.0.0 giaddr 0.0.0.0
    Jan 16 19:39:52 Looking for a lease w/hardware address `b0:c6:9a:8a:0c:00'
    Jan 16 19:39:52 ...and no client identifier
    Jan 16 19:39:52 ...and address 192.168.1.2
    Jan 16 19:39:52 ...and subnet 192.168.1.0/24
    Jan 16 19:39:52 Found matching lease entry for `b0:c6:9a:8a:0c:00'
    Jan 16 19:39:52 Lease #1...
    Jan 16 19:39:52 ...correctly has no client identifier
    Jan 16 19:39:52 ...has the correct address
    Jan 16 19:39:52 ...has the correct subnet
    Jan 16 19:39:52 found: 08, satisfies: 0b, exact: 0b
    Jan 16 19:39:52 Exact match
    Jan 16 19:39:52 Client is in SELECTING state
    Jan 16 19:39:52 lease with IP address 192.168.1.2 changed state from offered to active
    Jan 16 19:39:52 saving lease 0x57c100 to file `/var/db/leases/192.168.1.2-01b0c69a8a0c00.jdl'
    Jan 16 19:39:52 ==>DHCPACK


  3. Create a PCAP (packet capture), and analyze packets. 

    If the root cause cannot be determined from reviewing the traceoptions output, then capture a PCAP on the SRX interface that is assigning the IP address.  Also, a PCAP on the client side may be necessary. 

    For information on how to configure Packet Capture on SRX, refer to [SRX] How to Create a PCAP packet capture on a J-Series or SRX Branch device.
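
The comparison described in step 2 can be scripted. The following is an added example, not Juniper code: it reads server traceoptions output, pairs each `<==` / `==>` message marker with the client MAC from the lease lookup line, and reports the first DHCP stage missing for each client. It assumes the trace is sequential (one packet processed at a time); the function name `handshake_status` and the second client in the sample are constructed.

```python
import re

# Markers as printed in the server trace: "<== DHCPDISCOVER",
# "==> DHCPOFFER [done]" and "==>DHCPACK" (no space before the name).
MSG_RE = re.compile(r"(<==|==>)\s*(DHCP[A-Z]+)(\s+\[done\])?\s*$")
MAC_RE = re.compile(r"Looking for a lease w/hardware address `([0-9a-f:]{17})'")
EXPECTED = ["DHCPDISCOVER", "DHCPOFFER", "DHCPREQUEST", "DHCPACK"]

def handshake_status(trace_text):
    """Map each client MAC to (messages seen, first missing stage or None)."""
    seen, mac, pending = {}, None, None
    for line in trace_text.splitlines():
        m = MAC_RE.search(line)
        if m:
            # The inbound marker is logged before the MAC lookup: attach it now.
            mac = m.group(1)
            if pending:
                seen.setdefault(mac, []).append(pending)
                pending = None
            continue
        m = MSG_RE.search(line)
        if not m or m.group(3):        # skip non-markers and "[done]" trailers
            continue
        if m.group(1) == "<==":        # client -> server, MAC not known yet
            pending, mac = m.group(2), None
        elif mac:                      # server -> client reply for current MAC
            seen.setdefault(mac, []).append(m.group(2))
    return {k: (v, next((s for s in EXPECTED if s not in v), None))
            for k, v in seen.items()}

# Constructed sample: the b0:c6:9a:8a:0c:00 lines follow the article's trace;
# the client 00:11:22:33:44:55 is invented and never receives an offer.
SAMPLE = """\
Jan 16 19:39:51 <== DHCPDISCOVER
Jan 16 19:39:51 Looking for a lease w/hardware address `b0:c6:9a:8a:0c:00'
Jan 16 19:39:51 ==> DHCPOFFER
Jan 16 19:39:51 ==> DHCPOFFER [done]
Jan 16 19:39:51 <== DHCPDISCOVER [done]
Jan 16 19:39:52 <== DHCPREQUEST
Jan 16 19:39:52 Looking for a lease w/hardware address `b0:c6:9a:8a:0c:00'
Jan 16 19:39:52 ==>DHCPACK
Jan 16 19:40:10 <== DHCPDISCOVER
Jan 16 19:40:10 Looking for a lease w/hardware address `00:11:22:33:44:55'
Jan 16 19:40:10 <== DHCPDISCOVER [done]
"""

if __name__ == "__main__":
    for mac, (msgs, missing) in handshake_status(SAMPLE).items():
        print(mac, " -> ".join(msgs), "| first missing stage:", missing)
```

A client whose first missing stage is DHCPOFFER reached the server but was not answered, which points at pool or lease configuration rather than at a filter dropping the packet.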




DHCP Client Troubleshooting:

  1. Review list of common issues:

    • DHCP service is not configured on the interface acting as a DHCP client.

      For more information on how to configure host inbound traffic for the interface acting as the DHCP client, refer to: KB21132 - [SRX] Could not find the DHCP as a service in the Security Zones host-inbound-traffic


    • A previously expired IP address is still bound to the MAC address of the client.

      To ensure that the client is receiving the static address assigned to its MAC address, run the following command to verify:

      root> show system services dhcp binding | match <ip address>


      If the above output shows a previously expired IP address that is bound to the MAC address, then use the following command to clear it manually:

      root> clear system services dhcp binding <dynamic address which is associated with the configured MAC>


    • If the client is not getting an IP address from the server, try adjusting the minimum wait time.

      root# set forwarding-options helpers bootp minimum-wait-time <seconds>

      Note: The default minimum wait time value is 0 seconds.  If you set it to any other value, try reducing the value. For an example, refer to http://www.juniper.net/techpubs/en_US/junos12.1x44/topics/example/security-device-bootp-dhcp-relay-agent-configuring.html



  2. Run DHCP Client traceoptions and review traceoptions output.

    If your issue is not one of the common issues, then configure DHCP Client traceoptions to get more information on why the DHCP Client is not working.

    The following DHCP traceoptions can be configured:

    root# set system services dhcp traceoptions file dhcp_client.dbg
    root# set system services dhcp traceoptions flag client
    root# set system services dhcp traceoptions level all

    For help on how to configure traceoptions and view debug output, refer to KB16108 - Configuring Traceoptions for Debugging and Trimming Output.


    Below is a sample of a successful traceoptions output for verification.

    root# run show log dhcp_client.dbg | no-more
    Jan 16 19:49:28 Create Client ifl_name= ge-0/0/0.0 and ifd_name=ge-0/0/0 id 1102520059
    Jan 16 19:49:28 New ifstate 0 Old ifstate 0
    Jan 16 19:49:28 DHCP client config changed for ifl = ge-0/0/0.0 state = 0
    Jan 16 19:49:28 Emptied the name_tree
    Jan 16 19:50:44 Bringing down the client for IFD= ge-0/0/0
    Jan 16 19:50:44 Lease filename to delete /var/db/leases/ge-0_0_0.0
    Jan 16 19:50:46 Opened file for Writing /var/etc/dcd.dhcpd.conf
    Jan 16 19:50:46 Closed file for Writing /var/etc/dcd.dhcpd.conf
    Jan 16 19:50:46 signalled dcd (pid 1226) to overlay
    Jan 16 19:51:04 rtsock notified state change for IFD= ge-0/0/0
    Jan 16 19:51:04 interface = ge-0/0/0.0 mac = b0:c6:9a:8a:0c:00
    Jan 16 19:51:04 construct DHCP CLIENT packet for ifl_index = 68 ifl_name=ge-0/0/0.0 , pkt code = 1
    Jan 16 19:51:04 No lease file send discover for ifl ifl= ge-0/0/0.0
    Jan 16 19:51:04 Send DHCPDISCOVER packet for ifl_index = 68 ifl_name=ge-0/0/0.0
    Jan 16 19:51:04 Packing 3 bytes of options
    Jan 16 19:51:04 dhcp client packet sent successfully bytes sent = 300 dci_ifl_name = ge-0/0/0.0 dest addr = 255.255.255.255 dest port = 67 dci_ifl_index = 68 Client MAC = b0:c6:9a:8a:0c:00
    Jan 16 19:51:08 DCHP Server Identifier Stored 0xc0a80101
    Jan 16 19:51:08 Send DHCPREQUEST packet for ifl_index = 68 ifl_name=ge-0/0/0.0 state=1
    Jan 16 19:51:08 construct DHCP CLIENT packet for ifl_index = 68 ifl_name=ge-0/0/0.0 , pkt code = 2
    Jan 16 19:51:08 Packing 24 bytes of options
    Jan 16 19:51:08 dhcp client packet sent successfully bytes sent = 300 dci_ifl_name = ge-0/0/0.0 dest addr = 255.255.255.255 dest port = 67 dci_ifl_index = 68 Client MAC = b0:c6:9a:8a:0c:00
    Jan 16 19:51:08 dhcpd_client_io_recv_packet:559
    Jan 16 19:51:08 update nameserver from dhcp
    Jan 16 19:51:08 router address is 192.168.1.1 <- DHCP Server IP
    Jan 16 19:51:08 Client address/Subnet mask is 255.255.255.0/255.255.255.0
    Jan 16 19:51:08 Found BPF device=/dev/bpf4 for ifl=ge-0/0/0.0 sock=15
    Jan 16 19:51:13 DHCP client state timeout: ifl = ge-0/0/0.0
    Jan 16 19:51:13 Written IP address 192.168.1.2 to file /var/db/leases/ge-0_0_0.0 <- Client Obtained IP Address



  3. Create a PCAP (packet capture), and analyze packets. 

    If the root cause cannot be determined from reviewing the traceoptions output, then capture a PCAP on the SRX interface that is acting as a client.  Also, a PCAP on the server side may be necessary. 

    For information on how to configure Packet Capture on SRX, refer to [SRX] How to Create a PCAP packet capture on a J-Series or SRX Branch device.




DHCP Relay Troubleshooting:


Create a PCAP (packet capture) on the Relay Agent ingress and egress interfaces simultaneously and analyze the DHCP packets.


For information on how to configure Packet Capture on SRX, refer to [SRX] How to Create a PCAP packet capture on a J-Series or SRX Branch device.


