Hi there,
I am facing a problem with my Juniper SRX220 on the DHCP function.
I have about 100 clients connected to the network with DHCP enabled.
My DHCP pool is from 10.196.24.51 to 10.196.24.210.
Since 11th May my clients have been complaining that they cannot connect to the network; when an IT analyst goes to check, the client has an APIPA address and cannot get an IP from the DHCP server (10.196.24.1).
I scanned my network to see if anyone had installed a rogue router that could conflict with my DHCP server, but I didn't find anything.
If we assign them a fixed IP, it works perfectly.
It's totally random, sometimes it works, sometimes it does not.
We use this SRX220 as VPN device too, to connect to our server in Korea.
Please find below the CLI configuration of the affected device.
/* Junos configuration of the SRX220 as pasted by the poster, re-indented for reading.
   The paste starts inside the system stanza: its opening "system {" line is not shown,
   which is why one closing brace after the license block has no visible opener.
   Review comments below describe only what the pasted statements show; anything
   inferred is marked as such. */
services {
    ssh;
    /* telnet, xnm-clear-text and web-management http all carry management traffic
       (including credentials) unencrypted. Both zones below allow "system-services all",
       so these listeners are not restricted to the LAN side. Prefer ssh and https only. */
    telnet;
    xnm-clear-text;
    web-management {
        http {
            port 80;
        }
        https {
            system-generated-certificate;
        }
    }
    /* DHCP server for the 10.196.24.0/24 LAN. The range .51-.210 holds 160 addresses,
       three of which are excluded. No default-lease-time or maximum-lease-time is set,
       so lease duration is whatever the platform default is - TODO confirm.
       NOTE(review): hosts given fixed addresses inside .51-.210 that are not listed under
       exclude-address can collide with leases; compare "show system services dhcp binding"
       and "show system services dhcp conflict" against the static assignments. */
    dhcp {
        name-server {
            10.196.24.31;
        }
        router {
            10.196.24.1;
        }
        pool 10.196.24.0/24 {
            address-range low 10.196.24.51 high 10.196.24.210;
            exclude-address {
                10.196.24.177;
                10.196.24.178;
                10.196.24.74;
            }
        }
        /* NOTE(review): ge-0/0/0.0 has a static address in this paste, not a DHCP client
           configuration, so it is unclear what this statement propagates - confirm. */
        propagate-settings ge-0/0/0.0;
    }
}
/* Only "any critical" and "authorization info" reach the messages file, so routine
   DHCP server events are presumably not recorded; raise the level while troubleshooting. */
syslog {
    archive size 100k files 3;
    user * {
        any emergency;
    }
    file messages {
        any critical;
        authorization info;
    }
    file interactive-commands {
        interactive-commands error;
    }
}
max-configurations-on-flash 5;
max-configuration-rollbacks 5;
license {
    autoupdate {
        url https://ae1.juniper.net/junos/key_retrieval;
    }
}
}
interfaces {
    /* Internet-facing interface; it is the IKE external-interface and sits in zone untrust. */
    ge-0/0/0 {
        unit 0 {
            family inet {
                address 187.72.138.193/28;
            }
        }
    }
    /* NOTE(review): ge-0/0/1.0 is not listed under any security zone in this paste. */
    ge-0/0/1 {
        unit 0 {
            family inet {
                address 10.196.25.1/24;
            }
        }
    }
    /* ge-0/0/2 through ge-0/0/7 are switch ports in vlan-trust. */
    ge-0/0/2 {
        unit 0 {
            family ethernet-switching {
                vlan {
                    members vlan-trust;
                }
            }
        }
    }
    ge-0/0/3 {
        unit 0 {
            family ethernet-switching {
                vlan {
                    members vlan-trust;
                }
            }
        }
    }
    ge-0/0/4 {
        unit 0 {
            family ethernet-switching {
                vlan {
                    members vlan-trust;
                }
            }
        }
    }
    ge-0/0/5 {
        unit 0 {
            family ethernet-switching {
                vlan {
                    members vlan-trust;
                }
            }
        }
    }
    ge-0/0/6 {
        unit 0 {
            family ethernet-switching {
                vlan {
                    members vlan-trust;
                }
            }
        }
    }
    ge-0/0/7 {
        unit 0 {
            family ethernet-switching {
                vlan {
                    members vlan-trust;
                }
            }
        }
    }
    /* LAN gateway 10.196.24.1, the address the DHCP pool hands out as router. */
    ge-1/0/0 {
        description "##Backbone##";
        gigether-options {
            auto-negotiation;
        }
        unit 0 {
            description "##Backbone##";
            family inet {
                address 10.196.24.1/24 {
                    primary;
                }
            }
        }
    }
    /* Secure tunnel interface bound to the IPsec VPN below. */
    st0 {
        unit 0 {
            family inet;
            family inet6;
        }
    }
    /* vlan.0 is the l3-interface of vlan-trust but has no family inet address here, so
       hosts on ge-0/0/2..7 reach 10.196.24.1 only if that VLAN is bridged to ge-1/0/0
       outside this device - presumably; verify the cabling. */
    vlan {
        unit 0;
    }
}
routing-options {
    static {
        route 0.0.0.0/0 next-hop 187.72.138.206;
        /* All of 10.0.0.0/8 except the connected subnets is sent into the tunnel. */
        route 10.0.0.0/8 next-hop st0.0;
        route 58.87.44.105/32 next-hop st0.0;
        route 58.87.44.106/32 next-hop st0.0;
        route 58.87.44.107/32 next-hop st0.0;
        route 58.87.44.93/32 next-hop st0.0;
    }
}
protocols {
    stp;
}
security {
    ike {
        /* 3DES, SHA-1 and DH group 2 are legacy algorithms; move to AES, SHA-2 and a
           larger DH group once the remote peer supports them. */
        proposal pre-g2-3des-sha {
            authentication-method pre-shared-keys;
            dh-group group2;
            authentication-algorithm sha1;
            encryption-algorithm 3des-cbc;
            lifetime-seconds 28800;
        }
        /* Aggressive mode with a pre-shared key does not protect the peer identity and
           makes the key's strength critical; use main mode or certificates where the
           peer allows, and a long random key otherwise. */
        policy XXX {
            mode aggressive;
            proposals pre-g2-3des-sha;
            pre-shared-key ascii-text "XXX";
        }
        /* NOTE(review): this references ike-policy Rotem while the only IKE policy shown
           is XXX - presumably an artifact of redacting the paste. */
        gateway XXX {
            ike-policy Rotem;
            address 58.87.57.67;
            local-identity hostname XXX;
            external-interface ge-0/0/0;
        }
    }
    ipsec {
        /* Same legacy 3DES / SHA-1 choice as the IKE proposal. */
        proposal esp-3des-sha {
            protocol esp;
            authentication-algorithm hmac-sha1-96;
            encryption-algorithm 3des-cbc;
            lifetime-seconds 3600;
        }
        policy XXX {
            proposals esp-3des-sha;
        }
        vpn XXX {
            bind-interface st0.0;
            ike {
                gateway XXX;
                /* Turns off IPsec replay protection; keep it enabled unless the peer
                   demonstrably requires otherwise. */
                no-anti-replay;
                ipsec-policy XXX;
            }
            establish-tunnels immediately;
        }
    }
    utm {
        feature-profile {
            web-filtering {
                type surf-control-integrated;
                surf-control-integrated {
                    server;
                }
            }
        }
    }
    /* Screen applied to zone untrust. It has no IP spoofing check, which matters because
       the untrust-to-trust policy below matches on source address alone. */
    screen {
        ids-option untrust-screen {
            icmp {
                ping-death;
            }
            ip {
                source-route-option;
                tear-drop;
            }
            tcp {
                syn-flood {
                    alarm-threshold 1024;
                    attack-threshold 200;
                    source-threshold 1024;
                    destination-threshold 2048;
                    timeout 20;
                }
                land;
            }
        }
    }
    nat {
        source {
            /* Interface source NAT for everything going trust to untrust. st0.0 is also in
               untrust, so tunnel-bound traffic matches this rule-set too - confirm intended. */
            rule-set trust-to-untrust {
                from zone trust;
                to zone untrust;
                rule source-nat-rule {
                    match {
                        source-address 0.0.0.0/0;
                    }
                    then {
                        source-nat {
                            interface;
                        }
                    }
                }
            }
        }
    }
    policies {
        from-zone trust to-zone untrust {
            /* Policies are evaluated in order and the first match wins: this any/any permit
               comes first, so the catia-alc-license deny after it is never reached. */
            policy trust-to-untrust {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
            /* Its source-address "trust" is defined below as 10.196.24.0/32, a single
               address, so even if moved first it would not match the LAN hosts. */
            policy catia-alc-license {
                description catia-alc-license;
                match {
                    source-address trust;
                    destination-address [ catia catia2 catia3 ];
                    application any;
                }
                then {
                    deny;
                }
            }
        }
        from-zone untrust to-zone trust {
            /* Permits any application from 10.0.0.0/8 to any trust destination. ge-0/0/0.0
               and st0.0 share zone untrust, so this rule does not distinguish tunnel traffic
               from packets arriving on the Internet-facing interface; a separate zone for
               st0.0 and narrower destinations/applications would tighten it. */
            policy RotemVPN {
                match {
                    source-address 10.0.0.0/8;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                    log {
                        session-close;
                    }
                }
            }
        }
    }
    zones {
        security-zone trust {
            address-book {
                /* /32 covers one address only; the LAN subnet is 10.196.24.0/24 -
                   presumably a typo. */
                address trust 10.196.24.0/32;
            }
            host-inbound-traffic {
                system-services {
                    all;
                }
                protocols {
                    all;
                }
            }
            interfaces {
                vlan.0;
                ge-1/0/0.0;
            }
        }
        security-zone untrust {
            address-book {
                address 10.0.0.0/8 10.0.0.0/8;
                address catia 10.196.34.46/32;
                address catia2 10.196.34.47/32;
                address catia3 10.196.34.48/32;
            }
            screen untrust-screen;
            /* "all" lets every system service on the device (ssh, telnet, http, https,
               xnm-clear-text, ...) accept traffic arriving in this zone. List only what
               the untrust side needs, e.g. ike. */
            host-inbound-traffic {
                system-services {
                    all;
                }
            }
            interfaces {
                /* The trailing "all" makes the dhcp/tftp/ike entries redundant and leaves
                   the Internet-facing interface accepting every system service. */
                ge-0/0/0.0 {
                    host-inbound-traffic {
                        system-services {
                            dhcp;
                            tftp;
                            ike;
                            all;
                        }
                    }
                }
                st0.0;
            }
        }
    }
}
vlans {
    vlan-trust {
        vlan-id 3;
        l3-interface vlan.0;
    }
}