6

OK, this one may technically be off-topic since I'm actually doing this at home, but I could easily see the exact same scenario arising in a small enterprise type of setup...

Using an SRX210 to be a router for a Time Warner Cable connection (using a DOCSIS mini-pim on the SRX, but I don't think that's actually relevant to this). Running 12.1X46-D10.2. Trying to get IPv6 working on the cable setup (confirmed that TWC is providing IPv6 via DHCPv6 in our area).

Here's what I've got in relevant config sections (if you want to see any other parts of the config, feel free to ask, but I think I've gotten everything relevant):

interfaces {
    cm-1/0/0 {                          
        unit 0 {                        
            family inet {               
                dhcp-client;            
            }                           
            family inet6 {              
                dad-disable;            
                dhcpv6-client {         
                    client-type statefull;
                    client-ia-type ia-na;
                    client-ia-type ia-pd;
                    rapid-commit;       
                    client-identifier duid-type duid-llt;
                    req-option dns-server;
                    req-option fqdn;    
                    retransmission-attempt 9;
                }                       
            }                           
        }                               
    }
}

security {                              
    forwarding-options {                
        family {                        
            inet6 {                     
                mode flow-based;        
            }                           
        }                               
    }
    zones {                                                           
        security-zone untrust {         
            interfaces {                
                cm-1/0/0.0 {            
                    host-inbound-traffic {
                        system-services {
                            dhcp;       
                            dns;        
                            ntp;        
                            ping;       
                            ssh;        
                            traceroute; 
                            dhcpv6;     
                            bootp;      
                        }               
                        protocols {     
                            router-discovery;
                        }               
                    }                   
                }                       
            }                           
        }                               
    }                                   
}

"show dhcpv6 client statistics" shows DHCPV6_SOLICIT messages being sent, but absolutely nothing else.

I know dhcpv6 client support in the SRXen is very new, but does anyone else have any experience troubleshooting this?

One hypothesis that I'm trying to check is that it apparently is sending the DHCP request with an IAID (whether for the IA-NA or IA-PD) of 0x00000000. Perhaps TWC's DHCPv6 server doesn't like that value?

Anyone have any ideas?

Jeff McAdams

4 Answers

4

OK, so I have revisited this issue several times, and now have working IPv6 with TWC via my SRX. I wish I could mark several answers and comments as correct as several of you gave me parts of the overall solution. Thank you all, for that. I've upvoted the answers that contributed to give as much as I could to contributors.

As it turns out, the DOCSIS cable modem mini-pim was part of the problem.

It seems that TWC will not send IPv6 RA messages to you if you have an "unsupported" modem.

So the solution to my problem was to go buy a TWC-supported modem (I got a Motorola SB6141), and connect it to one of the gigabit ports on my SRX. My interface config now looks like:

    unit 0 {                        
        family inet {               
            dhcp-client;            
        }                           
        family inet6 {              
            dad-disable;            
            dhcpv6-client {         
                client-type statefull;
                client-ia-type ia-pd;
                client-ia-type ia-na;
                inactive: update-router-advertisement {
                    interface ge-0/0/0.0;
                }                   
                client-identifier duid-type duid-ll;
            }                       
        }                           
    }

As one of the answers and comments alluded to, apparently you can't send an IA-PD prefix hint with the SRX, and TWC gives a /64 when it doesn't get a hint. The SRX then tries to subdivide the /64 65,536 ways and picks the first resultant network to delegate...which means it was trying to put a /80 on ge-0/0/0, which kinda doesn't help much as SLAAC doesn't work. :/

I went with the workaround, to see what /64 I get, then manually configured protocol router-advertisement on the inside interface with the block I was delegated (which should be stable as long as the system's DUID remains the same). Kinda lame, but it's where we are right now.

I will continue to keep an eye on this entry to see if anyone has other ideas on making this a better setup. If you have questions on parts of it that I didn't go into enough detail on, please let me know and I'll edit.

Jeff McAdams
3

Not related to your specific problem, but you'll need to permit ICMPv6 to come back to you (Echo Reply, Echo Request and Packet Too Big at least) because IPv6 doesn't support fragmentation and Packet Too Big messages are the only way you (your SRX, PC etc.) will know to send smaller packets.

Remi Letourneau
  • Yeah, I'm pretty familiar with PMTU issues. I'm just trying to get the basics up and running to begin with here. Thanks for the reminder, always good to put advice like this out there so it's more generally seen. ICMP isn't just ping (and occasionally traceroute)...it does serve legitimate purposes in network operations and indiscriminately blocking all of it at your border is only shooting yourself in the foot. – Jeff McAdams Mar 15 '14 at 14:00
2

Make sure that you do not have the dhcpd daemon running (set system services dhcp). When running dual stack you'll need to be running your internal dhcp through the jdhcpd daemon (system services dhcp-local-server). It's a bit odd, but the dhcpd daemon stomps on the jdhcpd daemon.

Mike
  • I'll have to go back and double-check my config as I haven't dinked around with this in a while, but I'm pretty sure that's the way I have it. – Jeff McAdams Dec 12 '14 at 15:12
2

Came across this, and not sure if you ever got this working, but I was just working on the same thing, trying to get TWC working with an SRX. After some debugging, I found this in the traces:

Jun 17 20:50:41 [DEBUG][default:default][N/A][INET6][ge-0/0/0.0] dhcpv6_client_validate_msgs: Server does not have rapid commit.

I had it working on a Cisco where I had to have rapid commit enabled to get anything from TWC, but apparently it doesn't work at all on the SRX. As soon as I removed the rapid-commit line from the config, bam, got an address!

I'm still hitting issues with the fact the SRX doesn't have any support for IA_PD hints, and TWC will not hand out a prefix larger than /64 unless you request it via hint, but at least it works now.

After quite a bit of not very useful searching on the Internet, if anyone else needs to run traces on the dhcpv6 client, you need to enable traceoptions under system processes dhcp-service.

pffs
  • I posted a couple of months back about this: http://networkengineering.stackexchange.com/questions/18432/juniper-srx-ipv6-pd-update-router-advertisement-issues Seems the Juniper will only hand out a single /64 so I couldn't use DHCPv6-PD to apply subnets to multiple interfaces. Ended up statically configuring. – Firebirdnz Jun 18 '15 at 02:30
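
Added example (not code from any of the posts above): the thread's debugging came down to what the client puts in its DHCPv6 Solicit, namely the DUID type, the rapid-commit option, the IAIDs asked about in the question, and whether an IA_PD prefix hint is present. This Python parser pulls exactly those fields out of a captured Solicit payload; option codes follow RFC 8415, and the sample bytes are constructed for illustration, not captured from an SRX.

```python
import struct

OPT_CLIENTID, OPT_IA_NA, OPT_RAPID_COMMIT, OPT_IA_PD, OPT_IAPREFIX = 1, 3, 14, 25, 26
DUID_TYPES = {1: "duid-llt", 2: "duid-en", 3: "duid-ll"}  # codes per RFC 8415

def iter_options(buf):
    """Yield (code, data) for each option TLV; raise ValueError on truncation."""
    off = 0
    while off < len(buf):
        if off + 4 > len(buf):
            raise ValueError("truncated option header")
        code, length = struct.unpack_from("!HH", buf, off)
        off += 4
        if off + length > len(buf):
            raise ValueError(f"option {code} overruns message")
        yield code, buf[off:off + length]
        off += length

def summarize_solicit(msg):
    """Extract DUID type, rapid-commit flag, IAIDs and any IA_PD prefix hint."""
    if len(msg) < 4 or msg[0] != 1:  # msg-type 1 = SOLICIT, then 3-byte xid
        raise ValueError("not a DHCPv6 Solicit")
    out = {"duid_type": None, "rapid_commit": False,
           "ia_na_iaid": None, "ia_pd_iaid": None, "pd_hint_len": None}
    for code, data in iter_options(msg[4:]):
        if code == OPT_CLIENTID and len(data) >= 2:
            dtype = struct.unpack_from("!H", data)[0]
            out["duid_type"] = DUID_TYPES.get(dtype, f"unknown({dtype})")
        elif code == OPT_RAPID_COMMIT:
            out["rapid_commit"] = True
        elif code == OPT_IA_NA and len(data) >= 12:
            out["ia_na_iaid"] = struct.unpack_from("!I", data)[0]
        elif code == OPT_IA_PD and len(data) >= 12:
            out["ia_pd_iaid"] = struct.unpack_from("!I", data)[0]
            # A hint is an IAPREFIX sub-option after IAID/T1/T2; byte 8 is prefix-length.
            for sub, sdata in iter_options(data[12:]):
                if sub == OPT_IAPREFIX and len(sdata) >= 25:
                    out["pd_hint_len"] = sdata[8]
    return out

def opt(code, data=b""):  # encode one option TLV, used to build the sample
    return struct.pack("!HH", code, len(data)) + data

# Constructed sample: rapid commit, DUID-LLT, IAID 0 on both IAs, no PD hint.
SAMPLE = (bytes([1, 0xAB, 0xCD, 0xEF]) + opt(OPT_RAPID_COMMIT)
          + opt(OPT_CLIENTID, struct.pack("!HHI", 1, 1, 0) + bytes(6))
          + opt(OPT_IA_NA, bytes(12)) + opt(OPT_IA_PD, bytes(12)))

print(summarize_solicit(SAMPLE))
```

Feed it the UDP payload of a Solicit from a packet capture on the WAN interface; a `pd_hint_len` of `None` means no prefix hint was sent.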