Support Support Downloads Knowledge Base Juniper Support Portal Community

Knowledge Base

Search our Knowledge Base sites to find answers to your questions.

Ask All Knowledge Base Sites All Knowledge Base Sites JunosE Defect (KA)Knowledge BaseSecurity AdvisoriesTechnical BulletinsTechnotes Sign in to display secure content and recently viewed articles

Why aren't DHCP addresses allowed to the Trust side?



Article ID: KB6562 KB Last Updated: 02 Aug 2010Version: 5.0

Why aren't DHCP addresses allowed to the Trust side?



  • Linksys is the DHCP server
  • DHCP relay configured
  • transparent mode

Symptoms & Errors:

  • DHCP request fails
  • PC on trust side does not obtain a DHCP address
  • client receiving src and dst port of 67

Note: This article applies to ScreenOS 4.0 and higher.

If the NetScreen is in transparent mode and configured for DHCP relay, a DHCP broadcast will be directly received by the DHCP client without the NetScreen relay agent's involvement. When this occurs, the client is receiving an src-port of 67 and a dst-port of 67 in the reply. The packet is dropped due to the client expecting src-port 67 and dst-port 68 in a reply packet.

In a typical DHCP relay environment, the DHCP server responds to the DHCP relay agent IP that is sent in the initial boot request, not a broadcast address.

To allow DHCP addresses to pass traffic to the Trust side, use one of the following options:

  • Configure the DHCP server so it is aware that DHCP requests are being relayed from a relay agent. This could be the case if the NetScreen is sitting behind a cable modem or DSL router. Configuring this option may not be possible on all DHCP servers, check with your DHCP server vendor.
  • The DHCP relay option should be disabled to allow the NetScreen to operate at layer two and forward these broadcasts between the DHCP server and client without involvement. There is no need to use DHCP relay when the server is on the same IP subnet and in the same broadcast domain.

note: A DHCP relay agent should not be configured for NetScreen devices that are in transparent mode.

To disable the DHCP relay agent, perform the following steps:

Step one: Open the WebUI. For an example of how to access the WebUI, consult: KB4060 - Accessing Your NetScreen, SSG, or ISG Firewall Using the WebUI

From the NetScreen options menu, click Network, and then click DHCP.

Image of step two

From the trust interface, click Edit.

Image of step three

From Interface: trust, click to select None.

Image of step four and five

Click OK.

Comment on this article > Affected Products Browse the Knowledge Base for more articles related to these product categories. Select a category to begin.

Getting Up and Running with Junos

Getting Up and Running with Junos Security Alerts and Vulnerabilities Product Alerts and Software Release Notices Problem Report (PR) Search Tool EOL Notices and Bulletins JTAC User Guide Customer Care User Guide Pathfinder SRX High Availability Configurator SRX VPN Configurator Training Courses and Videos End User Licence Agreement Global Search