
[ScreenOS] Can a NetScreen firewall be used as a DHCP server in a DHCP relay environment?


Article ID: KB3390
KB Last Updated: 25 Sep 2012
Version: 5.0
Summary:
This article explains whether a NetScreen firewall running ScreenOS can act as the DHCP server when a DHCP relay agent sits between it and the DHCP clients, and why relayed requests are dropped.
Symptoms:
Environment:

  • A ScreenOS firewall is configured as the DHCP server

  • A DHCP relay agent sits between the DHCP client and the DHCP server

Symptoms and errors:

  • The NetScreen DHCP server drops the DHCP packets it receives from the DHCP relay agent.

  • The DHCP client never receives an IP address from the DHCP server.

The following scenario describes the issue:

[Topology diagram: DHCP client -> FW1 (DHCP relay agent) -> FW2 (ScreenOS DHCP server)]

In this setup, FW1 acts as the DHCP relay agent and FW2 as the DHCP server. In the capture below, FW1 forwards the client's DHCPDISCOVER from its relay address 169.254.79.158 to FW2's ethernet0/0 address 192.168.2.1. When the packet reaches FW2, it is dropped.

The following excerpt is the output of 'snoop detail' and 'debug flow basic' on FW2, the firewall acting as the DHCP server. Note that the relayed request arrives with UDP source and destination port 67 (udp:ports 67->67), and the decoded BOOTP header carries hops = 1 and giaddr = 169.254.79.158 (bytes a9 fe 4f 9e), which is how a relay agent marks a forwarded request:
245824.0: ethernet0/0(i) len=346:0017cb402500->0010dbd56200/0800
169.254.79.158 -> 192.168.2.1/17
vhl=45, tos=00, id=7741, frag=0000, ttl=63 tlen=332
udp:ports 67->67, len=312
00 10 db d5 62 00 00 17 cb 40 25 00 08 00 45 00 ....b....@%...E.
01 4c 1e 3d 00 00 3f 11 a0 1e a9 fe 4f 9e c0 a8 .L.=..?.....O...
02 01 00 43 00 43 01 38 d9 c9 01 01 06 01 88 4e ...C.C.8.......N
86 c9 04 00 80 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 a9 fe 4f 9e 00 1f 16 f5 bd 66 00 00 00 00 ....O......f....
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 63 82 53 63 35 01 01 74 01 01 ......c.Sc5..t..
3d 07 01 00 1f 16 f5 bd 66 32 04 a9 fe 4f 9e 0c =.......f2...O..
0d 50 55 4e 53 45 5a 31 38 33 37 38 31 44 3c 08 .PUNSEZ183781D<.
4d 53 46 54 20 35 2e 30 37 0b 01 0f 03 06 2c 2e MSFT.5.07.....,.
2f 1f 21 f9 2b 2b 02 dc 00 ff /.!.++....

****** 245824.0: <Untrust/ethernet0/0> packet received [332]******
ipid = 7741(1e3d), @2d41e910
packet passed sanity check.
flow_decap_vector IPv4 process
ethernet0/0:169.254.79.158/67->192.168.2.1/67,17<Root>
no session found
flow_first_sanity_check: in <ethernet0/0>, out <N/A>
self check, not for us
chose interface ethernet0/0 as incoming nat if.
packet dropped, packet dropped: for self but not interested
Cause:
  • When the DHCP request leaves the client host, its UDP source port is 68 (the DHCP client port). When FW1 relays it, FW1 emits a new packet sourced from its own interface address with UDP source port 67 (the DHCP server port), increments the hops field and fills in giaddr with its relay address. This is standard relay-agent behaviour (RFC 1542 / RFC 2131), and it is exactly what the capture above shows: udp:ports 67->67, hops = 1, giaddr = 169.254.79.158.

  • The ScreenOS DHCP server only accepts requests that arrive directly from a client, that is, from UDP source port 68. A request arriving from source port 67 is recognised as addressed to the firewall itself but no service claims it, so the flow engine logs 'packet dropped: for self but not interested' and discards it. The client therefore never receives a DHCPOFFER.
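To make the cause concrete, here is an added example (it is not part of the original article and not ScreenOS code) that decodes the frame from the snoop dump above and models the two acceptance policies side by side: a server that serves only client-originated requests, as the article describes for ScreenOS, and a relay-aware server that also honours giaddr. The frame bytes are transcribed from the dump; the policy function, the field names and the constructed 'direct' contrast frame are the editor's illustration and are labelled as such in the code.

```python
"""Decode the relayed DHCPDISCOVER captured on FW2 and show why a server that
only listens for client-originated requests (sport 68, giaddr 0) drops it."""
import ipaddress
import struct

DHCP_SERVER_PORT = 67
DHCP_CLIENT_PORT = 68
MAGIC_COOKIE = b"\x63\x82\x53\x63"

# Frame received on FW2 ethernet0/0, transcribed from the article's snoop
# output. The twelve all-zero lines (chaddr padding, sname, file) are
# collapsed into one multiplication.
SNOOP_HEX = (
    "00 10 db d5 62 00 00 17 cb 40 25 00 08 00 45 00 "
    "01 4c 1e 3d 00 00 3f 11 a0 1e a9 fe 4f 9e c0 a8 "
    "02 01 00 43 00 43 01 38 d9 c9 01 01 06 01 88 4e "
    "86 c9 04 00 80 00 00 00 00 00 00 00 00 00 00 00 "
    "00 00 a9 fe 4f 9e 00 1f 16 f5 bd 66 00 00 00 00 "
    + "00 " * 16 * 12
    + "00 00 00 00 00 00 63 82 53 63 35 01 01 74 01 01 "
    "3d 07 01 00 1f 16 f5 bd 66 32 04 a9 fe 4f 9e 0c "
    "0d 50 55 4e 53 45 5a 31 38 33 37 38 31 44 3c 08 "
    "4d 53 46 54 20 35 2e 30 37 0b 01 0f 03 06 2c 2e "
    "2f 1f 21 f9 2b 2b 02 dc 00 ff"
)
FRAME = bytes.fromhex(SNOOP_HEX)


def parse_options(data: bytes) -> dict:
    """Parse TLV DHCP options: skip PAD (0), stop at END (255)."""
    opts, i = {}, 0
    while i < len(data):
        code = data[i]
        if code == 0:
            i += 1
            continue
        if code == 255:
            break
        length = data[i + 1]
        opts[code] = data[i + 2:i + 2 + length]
        i += 2 + length
    return opts


def parse_frame(raw: bytes) -> dict:
    """Ethernet/IPv4/UDP/DHCP decode of one frame (checksums not verified)."""
    if struct.unpack("!H", raw[12:14])[0] != 0x0800:
        raise ValueError("not IPv4")
    ihl = (raw[14] & 0x0F) * 4
    if raw[14 + 9] != 17:
        raise ValueError("not UDP")
    udp = 14 + ihl
    sport, dport, ulen = struct.unpack("!HHH", raw[udp:udp + 6])
    dhcp = raw[udp + 8:udp + ulen]
    if dhcp[236:240] != MAGIC_COOKIE:
        raise ValueError("no DHCP magic cookie")
    op, htype, hlen, hops = dhcp[0:4]
    return {
        "src_ip": str(ipaddress.IPv4Address(raw[26:30])),
        "dst_ip": str(ipaddress.IPv4Address(raw[30:34])),
        "sport": sport, "dport": dport, "op": op, "hops": hops,
        "xid": struct.unpack("!I", dhcp[4:8])[0],
        "broadcast": bool(dhcp[10] & 0x80),
        "giaddr": str(ipaddress.IPv4Address(dhcp[24:28])),
        "chaddr": dhcp[28:28 + hlen].hex(":"),
        "options": parse_options(dhcp[240:]),
    }


def server_verdict(pkt: dict, relay_aware: bool) -> tuple:
    """Editor's model of two acceptance policies; returns (accepted, reason).
    relay_aware=False: serve only direct client requests (sport 68, giaddr 0),
    the ScreenOS behaviour this article describes. relay_aware=True: also
    serve requests forwarded by a relay agent (sport 67, non-zero giaddr)."""
    if pkt["dport"] != DHCP_SERVER_PORT or pkt["op"] != 1:
        return False, "not a BOOTREQUEST addressed to port 67"
    direct = pkt["sport"] == DHCP_CLIENT_PORT and pkt["giaddr"] == "0.0.0.0"
    relayed = pkt["sport"] == DHCP_SERVER_PORT and pkt["giaddr"] != "0.0.0.0"
    if direct:
        return True, "direct client request (sport 68, giaddr 0)"
    if relayed and relay_aware:
        return True, "relayed via giaddr %s, hops=%d" % (pkt["giaddr"], pkt["hops"])
    if relayed:
        return False, "relayed request (sport 67): for self but not interested"
    return False, "inconsistent source port / giaddr combination"


def unrelayed_copy(raw: bytes) -> bytes:
    """Constructed contrast case: the same DISCOVER as the client itself would
    send on FW2's segment (src 0.0.0.0, sport 68, hops 0, giaddr 0). IP/UDP
    checksums are left stale on purpose; parse_frame does not check them."""
    udp = 14 + (raw[14] & 0x0F) * 4
    buf = bytearray(raw)
    buf[26:30] = b"\x00" * 4                              # src IP 0.0.0.0
    buf[udp:udp + 2] = struct.pack("!H", DHCP_CLIENT_PORT)  # sport 68
    buf[udp + 8 + 3] = 0                                  # hops
    buf[udp + 8 + 24:udp + 8 + 28] = b"\x00" * 4          # giaddr
    return bytes(buf)


if __name__ == "__main__":
    relayed = parse_frame(FRAME)
    print("%s:%d -> %s:%d hops=%d giaddr=%s chaddr=%s msgtype=%d" % (
        relayed["src_ip"], relayed["sport"], relayed["dst_ip"], relayed["dport"],
        relayed["hops"], relayed["giaddr"], relayed["chaddr"], relayed["options"][53][0]))
    for label, pkt in (("relayed", relayed), ("direct", parse_frame(unrelayed_copy(FRAME)))):
        for aware in (False, True):
            print(label, "relay_aware=%s" % aware, server_verdict(pkt, aware))
```

Run as-is and the first line shows the decoded capture (source port 67, hops 1, giaddr 169.254.79.158, message type 1 = DHCPDISCOVER); the verdict lines then show the relayed frame rejected under the client-only policy but accepted by the relay-aware one, while the constructed direct copy is accepted by both. Nothing here recomputes checksums, so do not reuse unrelayed_copy() to generate traffic.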
Solution:
Currently, the ScreenOS architecture does not allow a NetScreen firewall to be used as the DHCP server in a DHCP relay environment, because it drops relayed DHCP requests that arrive from UDP source port 67. Use a standard DHCP server that honours giaddr (a host-based server, for example) behind the relay, and let the NetScreen act as the DHCP relay agent, which it does support in this topology. The ScreenOS DHCP server remains usable only for clients on a directly attached interface, where no relay is involved and requests arrive from source port 68.