topic Re: Cisco ASA - DHCP and static routes on WAN interfaces in Network Security

Cisco ASA - DHCP and static routes on WAN interfaces

JaseNL — Fri, 17 Nov 2023 12:32:26 GMT

I have a Cisco ASA 5506-X version 9.9(2)85, perpetual basic license with two WAN links - Primary (PPPoE to VDSL bridge) and Secondary (4G LTE modem/bridge).

Although the 4G LTE modem/bridge is a L2 device, it has a mangement IP address which is reachable via a separate static route.

Both WAN interfaces receive their IP addresses via DHCP and their static routes are established automatically. The management static route is also established using the DHCP-supplied WAN next hop. All three pass traffic correctly. The secondary interface is set up as a backup using sla monitoring and route tracking and failover between the two is also working correctly.

There are two problems with the secondary interface which I expect are probably connected:

It seems that the ISP (Odido, until recently T-Mobile Netherlands) is changing the IP address before the DHCP lease has expired, and the ASA is not picking it up. So WAN connectivity is lost until the ASA again requests an IP address. Clicking Renew DHCP Lease from ASDM interface edit page (Configuration/Device Setup/Interface Settings/Interfaces) updates the IP configuration and restores WAN connectivity.
When the DHCP lease finally expires and the ASA retrieves it's IP address, the static route to the WAN is correctly replaced. A new management static route is also added, although the previous one(s) is/are left in place resulting in a loss of management connectivity. So using show route I get:

S 10.1.10.1 255.255.255.255 [254/0] via 178.228.204.1, WAN-SEC
[254/0] via 178.224.28.1, WAN-SEC

Using clear route all from the command line removes the stale route(s) and re-establishes management connectivity.

This is happening daily, at intervals of between 12 and 24 hours.

I would like to find a way to configure the ASA to pick up IP address changes before the DHCP lease expires, and also to purge stale static routes automatically.

Relevant config:

interface GigabitEthernet1/3
nameif WAN-SEC
security-level 0
dhcp client route distance 254
ip address dhcp setroute

dhcp-client broadcast-flag
dhcp-client client-id interface WAN-SEC

The configuration doesn't define any static routes - primary, secondary and management static routes are all set up automatically based on the DHCP responses received by the primary and secondary WAN interfaces.

The dhcp-client broadcast-flag and client-id lines make no difference to the issues. The ASA behaves the same with or without them so they can probably be removed.

Thanks in advance ...

Re: Cisco ASA - DHCP and static routes on WAN interfaces

MHM Cisco World — Sat, 18 Nov 2023 11:14:28 GMT

Check below

MHM

Re: Cisco ASA - DHCP and static routes on WAN interfaces

balaji.bandi — Fri, 17 Nov 2023 13:57:51 GMT

Looks totally different Use case, why not try some EEM Script to check the IP address as expected may be Interface shut and no shut to get DHCP IP address or issue dhcp renew command to get IP address at the same time clear the route if required.

Re: Cisco ASA - DHCP and static routes on WAN interfaces

JaseNL — Fri, 17 Nov 2023 15:00:49 GMT

Thanks for your reply. I don't think this is the issue - AD of 254 as configured for the interface is being applied correctly on the secondary WAN static route (and its associated management route too). It's more an issue of 1) picking up IP address changes before the DHCP lease has expired and 2) removing stale static routes for the management route when the next hop is updated.

Thanks.

Re: Cisco ASA - DHCP and static routes on WAN interfaces

JaseNL — Fri, 17 Nov 2023 15:15:21 GMT

Thanks for your suggestion. I was really hoping to do this with standard configuration commands or at least actions based on sla monitoring since these must be fairly common problems. But I guess I'm out of luck 😉

So I think doing this with an EEM script looks to be the most promising option at this point.

Thanks.

Re: Cisco ASA - DHCP and static routes on WAN interfaces

balaji.bandi — Sat, 18 Nov 2023 10:21:54 GMT

Sure that should fix the issue, please try and let us know how it goes, still issue report back what you have tried so we can help you.

Re: Cisco ASA - DHCP and static routes on WAN interfaces

MHM Cisco World — Sat, 18 Nov 2023 11:13:22 GMT

Hi friend again

I check and I think I found solution.

Use

Dhcp client route track x

Then config sla to track 8.8.8.8.

Check this way.

MHM

Re: Cisco ASA - DHCP and static routes on WAN interfaces

JaseNL — Sat, 18 Nov 2023 19:02:38 GMT

Hi,

I've set this up. I'll wait 24-48 hours to see if it has any effect and post the results here.

One thing I noticed when I set up this sla monitor, there was a long period (maybe 30 minutes) where show sla mon operational-state was returning Latest RTT (milisecond): NoConnection/Busy/Timeout and Return Code: Timeout even though PINGs sent through the interface were successful. I don't remember this happening when I set up the sla monitor on the primary WAN link.

Thanks

Re: Cisco ASA - DHCP and static routes on WAN interfaces

JaseNL — Sat, 18 Nov 2023 19:03:49 GMT

Hi,

Sure, I'll post updates as I make progress.

Thanks for your help

Re: Cisco ASA - DHCP and static routes on WAN interfaces

JaseNL — Sat, 18 Nov 2023 19:53:44 GMT

More strange things happening with DHCP on the seconary WAN interface. I tried to retrieve a DHCP IP address using ASDM and got the message below:

When I checked the ASA configuration for the interface, the line which should read

ip address dhcp setroute

now reads

ip address

If I try and re-enter the correct line in the interface configuration I get

nlarcfw01p(config-if)# no ip address
nlarcfw01p(config-if)# ip address dhcp setroute
Error : IP and subnetmask form invalid pair indicating broadcast or network address

The configuration for the secondary WAN interface has been corrected now and the interface has its DHCP IP configuration, so I will wait a day or so and see how it goes with sla monitoring on this interface

Re: Cisco ASA - DHCP and static routes on WAN interfaces

balaji.bandi — Sat, 18 Nov 2023 22:45:54 GMT

sure keep us posted how it goes?

Re: Cisco ASA - DHCP and static routes on WAN interfaces

JaseNL — Mon, 20 Nov 2023 00:22:51 GMT

I set up the config sla and dhcp client route track until the ASA again tried to retrieve an IP address via DHCP. There was no difference in behaviour. Seems like the DHCP for the interface is stuck on an endless loop of renewing:

nlarcfw01p# sh ip address Gi1/3 dhcp lease

Temp IP addr: 178.224.26.90 for peer on Interface: WAN-SEC
Temp subnet mask: 255.255.255.0
DHCP Lease server: 178.224.26.1, state: 5 Renewing
DHCP transaction id: 0x302C9A5E
Lease: 43200 secs, Renewal: 19740 secs, Rebind: 35940 secs
Temp default-gateway addr: 178.224.26.1
Temp ip static route0: dest 10.1.10.1 router 178.224.26.1
Next timer fires after: 2613 seconds
Retry count: 4 Client-ID: cisco-683b.78ab.9e15-WAN-SEC-nlarcfw01p
Proxy: FALSE
Hostname: nlarcfw01p

Clicking Renew DHCP Lease via ASDM brings it out of the loop:

nlarcfw01p# sh ip address Gi1/3 dhcp lease

Temp IP addr: 178.224.26.90 for peer on Interface: WAN-SEC
Temp subnet mask: 255.255.255.0
DHCP Lease server: 178.224.26.1, state: 9 Purging
DHCP transaction id: 0x302C9A5E
Lease: 43200 secs, Renewal: 19740 secs, Rebind: 35940 secs
Temp default-gateway addr: 178.224.26.1
Temp ip static route0: dest 10.1.10.1 router 178.224.26.1
Next timer fires after: 15 seconds
Retry count: 0 Client-ID:
Proxy: FALSE
Hostname: nlarcfw01p

Temp IP addr: 178.228.29.212 for peer on Interface: WAN-SEC
Temp subnet mask: 255.255.255.0
DHCP Lease server: 178.228.29.1, state: 3 Bound
DHCP transaction id: 0x302CF676
Lease: 43200 secs, Renewal: 21600 secs, Rebind: 37800 secs
Temp default-gateway addr: 178.228.29.1
Temp ip static route0: dest 10.1.10.1 router 178.228.29.1
Next timer fires after: 21588 seconds
Retry count: 0 Client-ID: cisco-683b.78ab.9e15-WAN-SEC-nlarcfw01p
Proxy: FALSE
Hostname: nlarcfw01p

and finally:

nlarcfw01p# sh ip address Gi1/3 dhcp lease

Temp IP addr: 178.228.29.212 for peer on Interface: WAN-SEC
Temp subnet mask: 255.255.255.0
DHCP Lease server: 178.228.29.1, state: 3 Bound
DHCP transaction id: 0x302CF676
Lease: 43200 secs, Renewal: 21600 secs, Rebind: 37800 secs
Temp default-gateway addr: 178.228.29.1
Temp ip static route0: dest 10.1.10.1 router 178.228.29.1
Next timer fires after: 21565 seconds
Retry count: 0 Client-ID: cisco-683b.78ab.9e15-WAN-SEC-nlarcfw01p
Proxy: FALSE
Hostname: nlarcfw01p

Thanks.

Re: Cisco ASA - DHCP and static routes on WAN interfaces

MHM Cisco World — Mon, 20 Nov 2023 06:02:31 GMT

Temp ip static route0: dest 10.1.10.1 router 178.224.26.1

The dhcp server send defualt not specific static route!!

Can I see show ip route

Re: Cisco ASA - DHCP and static routes on WAN interfaces

JaseNL — Mon, 20 Nov 2023 09:11:18 GMT

10.1.10.1 is the management IP address. WAN and management are established automatically when the DHCP update process is successful, ie when it is started manually from ASDM. The issues are:

the process fails when the DHCP request occurs automatically (endless renewing state).
once the DHCP request process has run successfully, the management route (10.1.10.1) is added instead of replacing the previous one (clear route all removes the stale one - again a manual process)

Route information is below. This represents a state of full connectivity:

nlarcfw01p# sh route

Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2, V - VPN
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route, + - replicated route
Gateway of last resort is 195.190.228.18 to network 0.0.0.0

S* 0.0.0.0 0.0.0.0 [1/0] via 195.190.228.18, WAN-PRI
C 10.0.1.0 255.255.255.0 is directly connected, V100-WHITE-NETWORK
L 10.0.1.1 255.255.255.255 is directly connected, V100-WHITE-NETWORK
C 10.0.2.0 255.255.255.0 is directly connected, V200-BLUE-SERVERS
L 10.0.2.1 255.255.255.255 is directly connected, V200-BLUE-SERVERS
C 10.0.3.0 255.255.255.0 is directly connected, V300-GREEN-USERS
L 10.0.3.1 255.255.255.255 is directly connected, V300-GREEN-USERS
C 10.0.4.0 255.255.255.0 is directly connected, V400-RED-GUESTS
L 10.0.4.1 255.255.255.255 is directly connected, V400-RED-GUESTS
S 10.1.10.1 255.255.255.255 [254/0] via 178.228.130.1, WAN-SEC
C 77.161.235.149 255.255.255.255 is directly connected, WAN-PRI
C 178.228.130.0 255.255.255.0 is directly connected, WAN-SEC
L 178.228.130.66 255.255.255.255 is directly connected, WAN-SEC

nlarcfw01p# ping WAN-SEC google.com
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 216.58.208.110, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 40/74/190 ms
nlarcfw01p# ping 10.1.10.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.10.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/10 ms

Thanks