https://community.cisco.com/t5/network-security/bizzare-issue-with-dhcp-relay-asa5510/m-p/746127#M1008988 <P>Hello all,</P><P></P><P>we recently upgraded our DNS/DHCP servers with newer hardware and more up-to-date version of Linux. </P><P>The previous servers were not behind a firewall. The current servers are placed behind our ASA5510 appliance, and we have set up translations and access lists accordingly (please see config).</P><P></P><P>So we switched to the new servers.. and discovered that a number of our ADSL clients can NOT obtain an IP from the DHCP server behind the firewall, UNLESS: we have them assign their IP address to their PC or router statically; then if they switch back to dynamic IP they can obtain that same IP no problem. </P><P>Just to isolate the issue, we put the DHCP server on the outside and the problem went away (of course, we can't leave it on the outside for any extended amounts of time).</P><P></P><P>When I debugged DHCP relay, I can see that the firewall is passing the requests, and the DHCP server is replying, but the client never gets an IP unless we statically assign it first.</P><P>(In other words, "exchange complete" is the part that is missing prior to us having the customer statically assign the IP first).</P><P></P><P>Please help!</P><P></P><P>Thanks in advance!</P><P></P><P> </P><P></P> Mon, 11 Mar 2019 09:52:55 GMT spejic 2019-03-11T09:52:55Z https://community.cisco.com/t5/network-security/bizzare-issue-with-dhcp-relay-asa5510/m-p/746127#M1008988 <P>Hello all,</P><P></P><P>we recently upgraded our DNS/DHCP servers with newer hardware and more up-to-date version of Linux. </P><P>The previous servers were not behind a firewall. The current servers are placed behind our ASA5510 appliance, and we have set up translations and access lists accordingly (please see config).</P><P></P><P>So we switched to the new servers.. and discovered that a number of our ADSL clients can NOT obtain an IP from the DHCP server behind the firewall, UNLESS: we have them assign their IP address to their PC or router statically; then if they switch back to dynamic IP they can obtain that same IP no problem. </P><P>Just to isolate the issue, we put the DHCP server on the outside and the problem went away (of course, we can't leave it on the outside for any extended amounts of time).</P><P></P><P>When I debugged DHCP relay, I can see that the firewall is passing the requests, and the DHCP server is replying, but the client never gets an IP unless we statically assign it first.</P><P>(In other words, "exchange complete" is the part that is missing prior to us having the customer statically assign the IP first).</P><P></P><P>Please help!</P><P></P><P>Thanks in advance!</P><P></P><P> </P><P></P> Mon, 11 Mar 2019 09:52:55 GMT https://community.cisco.com/t5/network-security/bizzare-issue-with-dhcp-relay-asa5510/m-p/746127#M1008988 spejic 2019-03-11T09:52:55Z https://community.cisco.com/t5/network-security/bizzare-issue-with-dhcp-relay-asa5510/m-p/746128#M1008993 <HTML><HEAD></HEAD><BODY><P>hostname ASA5510</P><P>domain-name xxx.com</P><P>enable password xxx</P><P>names</P><P>name 10.185.225.254 NEXTGEN</P><P>name 10.185.225.21 NS1</P><P>name 10.185.225.22 NS2</P><P>name 10.185.225.101 DNS1</P><P>name 10.185.225.110 DNS2</P><P>dns-guard</P><P>interface Ethernet0/0</P><P> nameif outside</P><P> security-level 0</P><P> ip address 123.x.x.150 255.255.255.0</P><P>interface Ethernet0/1</P><P> shutdown</P><P> nameif inside</P><P> security-level 100</P><P> ip address 192.168.110.1 255.255.255.0</P><P>interface Ethernet0/2</P><P> nameif DMZ</P><P> security-level 50</P><P> ip address 10.185.225.1 255.255.255.0</P><P>interface Ethernet0/3</P><P> shutdown</P><P> no nameif</P><P> no security-level</P><P> no ip address</P><P>interface Management0/0</P><P> shutdown</P><P> no nameif</P><P> no security-level</P><P> no ip address</P><P>ftp mode passive</P><P>object-group network WEBFTPSERVERS</P><P> network-object host 123.185.225.140</P><P> network-object host 123.185.225.141</P><P> network-object host 123.185.225.142</P><P> network-object host 123.185.225.143</P><P> network-object host 123.185.225.144</P><P> network-object host 123.185.225.145</P><P> network-object host 123.185.225.151</P><P> network-object host 123.185.225.152</P><P>object-group network DNSSERVERS</P><P> network-object host 123.185.225.21</P><P> network-object host 123.185.225.22</P><P> network-object host 123.185.225.10</P><P> network-object host 123.185.225.1</P><P>object-group service WEB_FTP tcp</P><P> port-object eq www</P><P> port-object eq ftp</P><P> port-object eq ftp-data</P><P>object-group service DNS_DHCP_RADIUS udp</P><P> port-object eq domain</P><P> port-object eq bootpc</P><P> port-object eq radius</P><P> port-object eq radius-acct</P><P> port-object eq bootps</P><P>access-list OUTSIDE-IN extended permit tcp any object-group WEBFTPSERVERS object</P><P>-group WEB_FTP log</P><P>access-list OUTSIDE-IN extended permit udp any object-group DNSSERVERS object-gr</P><P>oup DNS_DHCP_RADIUS</P><P>access-list OUTSIDE-IN extended permit icmp any any</P><P>access-list DMZ-OUT extended permit ip any any</P><P>mtu outside 1500</P><P>mtu inside 1500</P><P>mtu DMZ 1500</P><P>ip verify reverse-path interface outside</P><P>ip audit name ProtectUs attack action alarm drop reset</P><P>ip audit interface outside ProtectUs</P><P>no failover</P><P>arp timeout 14400</P><P>global (outside) 1 123.185.225.139</P><P>nat (DMZ) 1 10.185.225.0 255.255.255.0</P><P>static (DMZ,outside) 123.185.225.140 10.185.225.140 netmask 255.255.255.255</P><P>static (DMZ,outside) 123.185.225.141 10.185.225.141 netmask 255.255.255.255</P><P>static (DMZ,outside) 123.185.225.142 10.185.225.142 netmask 255.255.255.255</P><P>static (DMZ,outside) 123.185.225.143 10.185.225.143 netmask 255.255.255.255</P><P>static (DMZ,outside) 123.185.225.144 10.185.225.144 netmask 255.255.255.255</P><P>static (DMZ,outside) 123.185.225.145 10.185.225.145 netmask 255.255.255.255</P><P>static (DMZ,outside) 123.185.225.151 10.185.225.151 netmask 255.255.255.255</P><P>static (DMZ,outside) 123.185.225.152 10.185.225.152 netmask 255.255.255.255</P><P>static (DMZ,outside) 123.185.225.21 NS1 netmask 255.255.255.255</P><P>static (DMZ,outside) 123.185.225.22 NS2 netmask 255.255.255.255</P><P>static (DMZ,outside) 123.185.225.1 DNS1 netmask 255.255.255.255</P><P>static (DMZ,outside) 123.185.225.10 DNS2 netmask 255.255.255.255</P><P>access-group OUTSIDE-IN in interface outside</P><P>access-group DMZ-OUT out interface DMZ</P><P>route outside 0.0.0.0 0.0.0.0 123.185.225.125 1</P><P>timeout xlate 3:00:00</P><P>timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02</P><P>timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00</P><P>timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00</P><P>no snmp-server enable</P><P>telnet timeout 5</P><P>ssh timeout 5</P><P>console timeout 0</P><P>dhcprelay server DNS2 DMZ</P><P>dhcprelay enable outside</P><P>dhcprelay timeout 60</P><P>!</P><P>class-map inspection_default</P><P> match default-inspection-traffic</P><P>!</P><P>policy-map global_policy</P><P> class inspection_default</P><P> inspect dns maximum-length 512</P><P> inspect ftp</P><P> inspect h323 h225</P><P> inspect h323 ras</P><P> inspect netbios</P><P> inspect rsh</P><P> inspect rtsp</P><P> inspect skinny</P><P> inspect esmtp</P><P> inspect sqlnet</P><P> inspect sunrpc</P><P> inspect tftp</P><P> inspect sip</P><P> inspect xdmcp</P><P> inspect http</P><P> inspect icmp</P><P>!</P><P>service-policy global_policy global</P><P>: end</P><P>ASA5510#</P><P></P></BODY></HTML> Wed, 28 Mar 2007 14:47:58 GMT https://community.cisco.com/t5/network-security/bizzare-issue-with-dhcp-relay-asa5510/m-p/746128#M1008993 spejic 2007-03-28T14:47:58Z https://community.cisco.com/t5/network-security/bizzare-issue-with-dhcp-relay-asa5510/m-p/746129#M1008998 <HTML><HEAD></HEAD><BODY><P>This sounds like a bug, but we are not aware of any known issues in this area.</P><P></P><P>I would suggest opening a TAC case so it can be further diagnosed. </P><P></P><P>But you will need to get a capture of the dhcp-relay packets on both interfaces (using the capture feature). And collect both a bad, and good (when users first static the ip) captures.</P><P></P><P>You can also post the capture here and I will try to take a quick look.</P><P></P><P>Sincerely,</P><P></P><P>David.</P></BODY></HTML> Fri, 30 Mar 2007 20:42:21 GMT https://community.cisco.com/t5/network-security/bizzare-issue-with-dhcp-relay-asa5510/m-p/746129#M1008998 David White 2007-03-30T20:42:21Z https://community.cisco.com/t5/network-security/bizzare-issue-with-dhcp-relay-asa5510/m-p/746130#M1009001 <HTML><HEAD></HEAD><BODY><P>Hi David, </P><P></P><P>thank you for your reply!</P><P></P><P>I was hoping the issue was simply a mistake I made configuring the appliance; but if you think it might be a bug, then I will assume there's nothing wrong with the config (everything else works properly behind the firewall).</P><P></P><P>We had no choice but to put our DHCP server on the outside and harden the Linux system.</P><P>We'll have to leave it like this for now, as we can't afford any more customer downtime.</P><P></P><P>Therefore, I won't be able to perform packet capture any time soon..</P><P></P><P>but thanks very much for your offer!!</P><P></P><P>Regards,</P><P></P><P>Sean</P></BODY></HTML> Fri, 30 Mar 2007 21:35:16 GMT https://community.cisco.com/t5/network-security/bizzare-issue-with-dhcp-relay-asa5510/m-p/746130#M1009001 spejic 2007-03-30T21:35:16Z