[Archive] How to troubleshoot DHCP relay through VPN

Article ID: KB7287 KB Last Updated: 27 Dec 2012 Version: 5.0
Summary:
This article provides information on how to troubleshoot DHCP relay via VPN.
Symptoms:
Environment:

  • ScreenOS 3.0.0r4.0

  • Site-to-Site VPN works fine

  • Unchecked "Use Trust Interface as Source IP for VPN" option

  • DHCP Server is Microsoft Windows 2000 Server

Symptoms and errors:
  • Unable to relay the DHCP message: Set trust interface to route mode.
Cause:

Solution:

The NetScreen-5/5XP/25/50/100/204/208 support a DHCP relay agent, which receives DHCP information from a DHCP server and relays that information to hosts on the trusted network.

Example:

PC ---NS-5XP_A(DHCP relay)------INTERNET------NS-5XP_B---DHCP server

  • PC: DHCP enabled
  • NS-5XP_A(DHCP relay)

Trust IP address: 20.1.1.1/24
Untrust IP address: 1.1.1.1/24
Untrust Gateway: 1.1.1.2

  • NS-5XP_B

Trust IP address: 30.1.1.1/24
Untrust IP address: 1.1.1.2/24
Untrust Gateway: 1.1.1.1

  • DHCP server: 30.1.1.2/24
IP range: 20.1.1.10 ~ 20.1.1.254
subnet mask: 255.255.255.0
Router(default gateway): 20.1.1.1
DNS: 164.124.101.2
Domain: YourDomain.com

Step 1) Make sure that Site-to-Site VPN works fine.

Step 2) Enable DHCP relay and configure DHCP relay options on NS-5XP_A

On the CLI:

set dhcp relay service (enable DHCP relay)
set dhcp relay server-name "30.1.1.2"

ns5xp-> get dhcp relay
DHCP relay agent is enabled
DHCP Server is: "30.1.1.2"
VPN encryption is disabled

On the WebUI:

Configure > DHCP tab > DHCP Relay Agent > Put DHCP server IP address (30.1.1.2)

Step 3) Enable DHCP relay debug

On the CLI:

debug dhcp relay 1

Step 4) Verify the contents of debug buffer

On the CLI:

ns5xp-> get dbuf stream
##2002-03-06 19:30:45 system-debugging: DHCP: read unrecognized option 251
##2002-03-06 19:30:45 system-debugging: (length 1)
##2002-03-06 19:30:45 system-debugging: DHCP: received discover msg from MAC 0004
e22ed291: request IP 0.0.0.0
##2002-03-06 19:30:45 system-debugging: Unbale to relay DHCP message: Set trust
interface to route mode

NOTE: To relay DHCP through the VPN, enable the "Use Trust Interface as Source IP for VPN" option.

Step 5) Enable the "Use Trust Interface as Source IP for VPN" option

On the CLI:

set dhcp relay vpn

ns5xp-> get dhcp relay
DHCP relay agent is enabled
DHCP Server is: "30.1.1.2"
VPN encryption is enabled

On the WebUI:

Configure > DHCP tab > DHCP Relay Agent > check "Use Trust Interface as Source IP for VPN"

Step 6) After that, verify the contents of debug buffer

ns5xp-> get db str
##2002-03-06 20:05:58 system-debugging: DHCP: read unrecognized option 251
##2002-03-06 20:05:58 system-debugging: (length 1)
##2002-03-06 20:05:58 system-debugging: DHCP: received discover msg from MAC 0004e22ed291: request IP 0.0.0.0
##2002-03-06 20:05:58 system-debugging: Send request to 30.1.1.2 by DHCP relay (VPN enable)
##2002-03-06 20:05:58 system-debugging: Receive response for DHCP relay
##2002-03-06 20:05:58 system-debugging: Relay response to DHCP client: 20.1.1.10 (0004e22ed291)

Step 7) Unset DHCP relay debug

On the CLI:

debug dhcp relay 0

NOTE: Currently "undebug dhcp relay 1" does NOT work; use "debug dhcp relay 0" to disable DHCP relay debug.

Step 8) Check IP configuration on PC

At the command prompt, type ipconfig /all

Ethernet adapter SMC:

Connection-specific DNS Suffix  . : YourDomain.com
Description . . . . . . . . . . . : SMC EZ CardBus-
Physical Address. . . . . . . . . : 00-04-E2-2E-D2-
DHCP Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes
IP Address. . . . . . . . . . . . : 20.1.1.10
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 20.1.1.1
DHCP Server . . . . . . . . . . . : 30.1.1.2
DNS Servers . . . . . . . . . . . : 164.124.101.2
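
The debug-buffer check in Steps 4 and 6 can be scripted when a capture of "get dbuf stream" is saved to a file. The Python below is an added example, not Juniper tooling; the function names and status labels are this example's own, and it assumes a console line without the "##" prefix is the wrapped continuation of the previous entry.

```python
import re

# Debug-buffer lines taken from Steps 4 and 6 of this article. The Step 4
# capture keeps the console's line wrapping, which splits the MAC address.
BEFORE = """\
##2002-03-06 19:30:45 system-debugging: DHCP: received discover msg from MAC 0004
e22ed291: request IP 0.0.0.0
##2002-03-06 19:30:45 system-debugging: Unbale to relay DHCP message: Set trust
interface to route mode
"""
AFTER = """\
##2002-03-06 20:05:58 system-debugging: DHCP: received discover msg from MAC 0004e22ed291: request IP 0.0.0.0
##2002-03-06 20:05:58 system-debugging: Send request to 30.1.1.2 by DHCP relay (VPN enable)
##2002-03-06 20:05:58 system-debugging: Receive response for DHCP relay
##2002-03-06 20:05:58 system-debugging: Relay response to DHCP client: 20.1.1.10 (0004e22ed291)
"""

ENTRY = re.compile(r"^##\S+ \S+ system-debugging: (.*)$")
DISCOVER = re.compile(r"received discover msg from MAC ((?:[0-9a-fA-F] ?){12})")
# "Unbale" is the spelling in the Step 4 output; accept the correct one too.
FAILED = re.compile(r"Un(?:bale|able) to relay (?:the )?DHCP message: (.+)")
SENT = re.compile(r"Send request to (\S+) by DHCP relay")
LEASED = re.compile(r"Relay response to DHCP client: (\S+) \(([0-9a-fA-F]{12})\)")

def unwrap(text):
    """Rejoin wrapped entries: a line without '##' continues the previous one."""
    msgs = []
    for line in text.splitlines():
        m = ENTRY.match(line)
        if m:
            msgs.append(m.group(1).strip())
        elif msgs and line.strip():
            msgs[-1] += " " + line.strip()
    return msgs

def triage(text):
    """Map each client MAC to its latest (status, detail) in the capture."""
    result, mac = {}, None
    for msg in unwrap(text):
        if m := DISCOVER.search(msg):
            mac = m.group(1).replace(" ", "").lower()
            result[mac] = ("discover-only", "")
        elif m := FAILED.search(msg):
            result[mac] = ("not-relayed", m.group(1))
        elif m := SENT.search(msg):
            result[mac] = ("sent-no-reply", m.group(1))  # assumed label
        elif m := LEASED.search(msg):
            result[m.group(2).lower()] = ("leased", m.group(1))
    return result
```

A "not-relayed" verdict corresponds to the Step 4 state (option unchecked); "sent-no-reply" means the request left the relay but no response line followed in the capture.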
