topic Re: FTD RA VPN - DHCP Server configuration not working in Network Security

FTD RA VPN - DHCP Server configuration not working

Elpakko — Fri, 21 Feb 2020 17:49:00 GMT

Hi.

I have a problem with RA VPN DHCP configuration. VPN users get IP address from the local pool just fine, but when I try to use my Windows Server 2012 R2 DHCP server, i get the following errors and it always falls back to local pool:

IPAA: Session=0x0000e000, DHCP request attempt 1 failed

IPAA: Session=0x0000e000, DHCP configured, request failed for tunnel-group 'DefaultWEBVPNGroup'

IPAA: Session=0x0000e000, Client assigned 172.16.10.13 from local pool VPN_user

IPAA: Session=0x0000e000, Local pool request succeeded for tunnel-group 'DefaultWEBVPNGroup'

In the Windows Server side I cannot see any logs pointing to this, so I guess the request never reaches the server.

Now, what I have done as per following the documentations I could find:

- Defined DHCP -server address (172.16.0.20) in the Connection Profile

- Defined the Address Pools (172.16.10.10-172.16.10.150) in Connection Profile and Group Policy

- Defined a DHCP Network Scope (172.16.10.0) in Group Policy and in the Windows Server

It seems like the FTD cannot find the DHCP server, but my DHCP Relay settings are working just fine for the same server. Any advice? Thanks.

Re: FTD RA VPN - DHCP Server configuration not working

Rob Ingram — Tue, 07 Jan 2020 22:20:45 GMT

Hi,
I recently setup FTD RAVPN (v6.4.5) with DHCP and it worked first time without issue, so special configuration that I can recall. Which FTD version are you running?

To troubleshoot run a packet capture on the server end and see if the DHCP server receives the DHCP "discover" packet from the FTD. Enable DHCP debugging on the FTD (debug dhcprelay error|event|packet) - and check to see if the DHCP request was even made. Upload the debug output for review if necessary.

Re: FTD RA VPN - DHCP Server configuration not working

Elpakko — Wed, 08 Jan 2020 07:19:11 GMT

Hi.

I'm running the latest version 6.5.0.2.

I enabled debugging for error, event and packet but connecting the VPN client does not produce any debug log entries. I can see other dhcp relay debug logs just fine. Again I just get the same error in the logs:

IPAA: Session=0x00020000, DHCP request attempt 1 failed

IPAA: Session=0x00020000, DHCP configured, request failed for tunnel-group 'DefaultWEBVPNGroup'

Re: FTD RA VPN - DHCP Server configuration not working

Elpakko — Wed, 15 Jan 2020 10:19:25 GMT

Any advice on what to do next? It seems like the FTD is not making the dhcp request at all for the RA VPN. Although in the log I can find "DHCP Configured".

Re: FTD RA VPN - DHCP Server configuration not working

Rob Ingram — Mon, 20 Jan 2020 21:36:59 GMT

Do you have a route on your core switch for the RAVPN subnet pointing to the FTD?
Did you run a packet capture on the DHCP server? Did you see any DHCP Discover packets from the FTD IP address?

Re: FTD RA VPN - DHCP Server configuration not working

Elpakko — Tue, 21 Jan 2020 07:11:53 GMT

Hi.

All the routing is done in the FTD device, I only have layer 2 switches. On the FTD I only have the default route atm.

Packet capture on the DHCP server doesn't show any traffic originating from the FTD IP.

Re: FTD RA VPN - DHCP Server configuration not working

mhidde — Mon, 02 Mar 2020 18:43:10 GMT

Where you ever able to solve this? I have the same problem.

Re: FTD RA VPN - DHCP Server configuration not working

Cristian Matei — Mon, 02 Mar 2020 21:00:59 GMT

Hi,

Following the correct steps and running a stable version, will make it work. Here'a document to guide you:

https://www.cisco.com/c/en/us/support/docs/security/firepower-ngfw/200475-Configure-DHCP-Server-Relay-on-FTD-Using.html

Regards,

Cristian Matei.

Re: FTD RA VPN - DHCP Server configuration not working

Elpakko — Tue, 03 Mar 2020 05:47:47 GMT

Hi.

Unfortunately I couldn't make it work. I have followed every step in the configuration guides, both DHCP and Remote Access VPN. DHCP relay works for my interfaces just fine, but for the RA VPN it will not work no matter what I do.

Re: FTD RA VPN - DHCP Server configuration not working

Cristian Matei — Tue, 03 Mar 2020 22:24:43 GMT

Hi,

See if you're hitting this bug: https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvo12057/?rfs=iqvred

Do you have the hot fix applied? Or try using 6.5.0.4

Regards,

Cristian Matei.

Re: FTD RA VPN - DHCP Server configuration not working

Elpakko — Wed, 04 Mar 2020 05:27:45 GMT

Hi.

Thanks. I'm not sure if it's this bug or not, as my DHCP relay debug did not output anything. But I'll try installing 6.5.0.4 some time soon and investigate further after that. I'm currently running 6.5.0.2.

Re: FTD RA VPN - DHCP Server configuration not working

Cristian Matei — Wed, 04 Mar 2020 09:52:08 GMT

Hi,

If you have to postpone the upgrade, open a TAC case. Looking forward to know what your problem is, as it clearly looks like the FTD does not even initiate sending the DHCP packet to the DHCP server, so the relay function seem to be dead in this case.

Regards,

Cristian Matei.

Re: FTD RA VPN - DHCP Server configuration not working

doukkalli — Mon, 27 Apr 2020 20:39:00 GMT

Hi,

In Firepower 2130 with FTD 6.6.0 I got the same issue. Same issue with DHCP server:

1 0.000000 10.45.30.2 10.52.10.8 DHCP 590 DHCP Discover - Transaction ID 0x8c9cf9a
2 0.000565 10.52.10.8 10.44.96.20 DHCP 342 DHCP Offer - Transaction ID 0x8c9cf9a
3 2.988343 10.45.30.2 10.52.10.8 DHCP 590 DHCP Discover - Transaction ID 0x8c9cf9a
4 2.988740 10.52.10.8 10.44.96.20 DHCP 342 DHCP Offer - Transaction ID 0x8c9cf9a
5 6.988328 10.45.30.2 10.52.10.8 DHCP 590 DHCP Discover - Transaction ID 0x8c9cf9a
6 6.988770 10.52.10.8 10.44.96.20 DHCP 342 DHCP Offer - Transaction ID 0x8c9cf9a
7 11.990678 10.45.30.2 10.52.10.8 DHCP 590 DHCP Discover - Transaction ID 0x8c9cf9a
8 11.991105 10.52.10.8 10.44.96.20 DHCP 342 DHCP Offer - Transaction ID 0x8c9cf9a
9 17.988328 10.45.30.2 10.52.10.8 DHCP 590 DHCP Discover - Transaction ID 0x8c9cf9a
10 17.988679 10.52.10.8 10.44.96.20 DHCP 342 DHCP Offer - Transaction ID 0x8c9cf9a

Re: FTD RA VPN - DHCP Server configuration not working

Elpakko — Tue, 28 Apr 2020 05:19:11 GMT

Hi.

I recently upgraded to 6.5.0.4 and it did not solve the problem. I suppose I'll have to open a TAC case.

Re: FTD RA VPN - DHCP Server configuration not working

doukkalli — Tue, 28 Apr 2020 06:28:02 GMT

Based on my capture I noted that FTD send DHCP request to DHCP server using the IP address assigned to the VPN as configured in the DHCP Scope.

In this case I will check if my DHCP server has the correct route to the IP address configured in the DHCP scope.

I will try this way. I hope we can solve the issue.

Re: FTD RA VPN - DHCP Server configuration not working

Alfredo_1 — Mon, 09 Jun 2025 16:27:26 GMT

In our case, it turns out the Microsoft DHCP server requires the VPN appliance to be authorized. Otherwise the Microsoft DHCP server will consider the FTD appliance a rogue relay and ignore requests.

More info at https://learn.microsoft.com/en-us/windows-server/networking/technologies/dhcp/dhcp-subnet-options