When the IC sends the VLAN info to the switch, the switch dynamically moves that port to the VLAN. If the port is not an edge/port-fast port, then it will take 30-40 seconds before getting an IP. Make the ports in 802.1x edge ports and see if that improves the time to get an IP.

Hi Mnarine,

regarding this thread http://forums.juniper.net/t5/SRX-Services-Gateway/DHCP-drop-packet-on-srx/td-p/32195

i already open a ticket to jtac.

thanks for your help.

Few questions---

1) How fast you get IP when port is not dot1x ?

2) What is the OAC Status under Connection information ?

3) If its open and authenticated then try ipconfig/release and ipconfig/renew. Does it get you IP address immediately ?

Hi IPSec,

1) How fast you get IP when port is not dot1x ?

-> it fast, because if not dot1x all port is default vlan, and dhcp server are on default vlan also

2) What is the OAC Status under Connection information ?

-> always open and authenticate, and sometime user get 169.x.x.x. ip address

3) If its open and authenticated then try ipconfig/release and ipconfig/renew. Does it get you IP address immediately ?

-> sometime user will get ip address soon, but sometime we must do it 2 times.

if user didn't get any ip address, at SRX have dhcp relay drop statistic

[email protected]> show system services dhcp relay-statistics

Received packets: 49

Forwarded packets: 40

Dropped packets: 9

Due to missing interface in relay database: 0

Due to missing matching routing instance: 0

Due to an error during packet read: 0

Due to an error during packet send: 0

Due to invalid server address: 0

Due to missing valid local address: 0

Due to missing route to server/client: 0

[email protected]> show system services dhcp relay-statistics

Received packets: 64

Forwarded packets: 52

Dropped packets: 12

Due to missing interface in relay database: 0

Due to missing matching routing instance: 0

Due to an error during packet read: 0

Due to an error during packet send: 0

Due to invalid server address: 0

Due to missing valid local address: 0

Due to missing route to server/client: 0

[email protected]> show system services dhcp relay-statistics

Received packets: 84

Forwarded packets: 67

Dropped packets: 17

Due to missing interface in relay database: 0

Due to missing matching routing instance: 0

Due to an error during packet read: 0

Due to an error during packet send: 0

Due to invalid server address: 0

Due to missing valid local address: 0

Due to missing route to server/client: 0

so this issue it maybe came from SRX, because when i change srx650 with ssg550M.

I never facing DHCP issue again.

NDCool,

Since the SRX is dropping the DHCP relay packet, check the following:

1) under security zones containing the interface where the DHCP relay is coming from to make sure "bootp" is enabled under the hosted services.

2) make sure you have a policy to allow the return DHCP messages back from the DHCP server.

If you can post your config, please do.

-Mike

hi mnarine,

1. i just allow ping and dhcp service for host-inbound-service, so the bootp must be allow also?

2. yes, all traffic allowed.

thx

hi mnarine,

i just enable bootp on host-inbound service, i think it better, but there still have drop packet on dhcp-relay

thx

NDCool,

Yeah, you have to use bootp, not dhcp. DHCP is if the SRX is the DHCP server, not relay agent.

What about the forwarding-options setting? Do you have the interface set under bootp?

-Mike

hi mnarine,

yes interface set already there

helpers {

bootp {

relay-agent-option;

server 128.21.33.50;

minimum-wait-time 360;

client-response-ttl 200;

interface {

ge-0/0/0.10;

ge-0/0/0.20;

ge-0/0/0.30;

ge-0/0/0.40;

ge-0/0/0.50;

ge-0/0/0.60;

}

}

}

ehm...so what packet is being dropped ?

[email protected]> show system services dhcp relay-statistics

Received packets: 13

Forwarded packets: 10

Dropped packets: 3

Due to missing interface in relay database: 0

Due to missing matching routing instance: 0

Due to an error during packet read: 0

Due to an error during packet send: 0

Due to invalid server address: 0

Due to missing valid local address: 0

Due to missing route to server/client: 0

[email protected]> show system services dhcp relay-statistics

Received packets: 14

Forwarded packets: 10

Dropped packets: 4

Due to missing interface in relay database: 0

Due to missing matching routing instance: 0

Due to an error during packet read: 0

Due to an error during packet send: 0

Due to invalid server address: 0

Due to missing valid local address: 0

Due to missing route to server/client: 0

[email protected]> show system services dhcp relay-statistics

Received packets: 21

Forwarded packets: 16

Dropped packets: 5

Due to missing interface in relay database: 0

Due to missing matching routing instance: 0

Due to an error during packet read: 0

Due to an error during packet send: 0

Due to invalid server address: 0

Due to missing valid local address: 0

Due to missing route to server/client: 0