topic Re: DHCP Failover for Anyconnect users in Network Security

DHCP Failover for Anyconnect users

abhijith891 — Fri, 21 Feb 2020 16:06:55 GMT

Hi All,

We recently had a network down outage and none of our users could login via Anyconnect. Upon RCA, we found out that this was due to one of our DHCP servers going down. On checking the firewall, I found the following configs:

tunnel-group SSLVPN type remote-access
tunnel-group SSLVPN general-attributes
authentication-server-group AD
authorization-server-group AD
default-group-policy NO-ACCESS
dhcp-server 10.5.11.23
dhcp-server 10.8.21.31
password-management

tunnel-group SSLVPN webvpn-attributes
customization Client-WebPortal
group-alias Client enable
tunnel-group Client_AlwaysOn type remote-access
tunnel-group Client_AlwaysOn general-attributes
authentication-server-group AD_Cert
authorization-server-group AD_Cert
default-group-policy NO-ACCESS
dhcp-server 10.5.11.23
dhcp-server 10.8.21.31
authorization-required
username-from-certificate CN

Now my doubts are:

1) Why werent the Anyconnect users unable to connect to the 2nd DHCP server when the first one went down?

2) What could be possibly done to ensure that DHCP server failovers to the second; incase one goes down?

I do have a proposal for failover; but I am not sure whether this works:

tunnel-group SSLVPN type remote-access

tunnel-group SSLVPN general-attributes

dhcp-server 10.5.11.23 10.8.21.31

tunnel-group Client_AlwaysOn type remote-access

tunnel-group Client_AlwaysOn general-attributes

dhcp-server 10.5.11.23 10.8.21.31

Can someone please help me on this?

Re: DHCP Failover for Anyconnect users

balaji.bandi — Thu, 16 Aug 2018 20:03:16 GMT

Have have checked below steps :

1. Is the both the DHCP Server reachable to ASA

2. Do you have any FW rules required, compare working vs not working.

3. Did you split DHCP Scope with 2 DHCP Servers ( If you using MS DHCP Server best practice).

Re: DHCP Failover for Anyconnect users

abhijith891 — Sun, 19 Aug 2018 14:21:27 GMT

Hi Balaji,

Thanks for your suggestions.

To answer your questions:

1. Is the both the DHCP Server reachable to ASA - Yes they are.

2. Do you have any FW rules required, compare working vs not working -

Not very clear about what you mean, but all the relevant configs have been mentioned in the first post. I just need to know how to failover from one DHCP server to another.

Configuring DHCP servers in the following way didnt work:

"dhcp-server 10.5.11.23
dhcp-server 10.8.21.31"

So I want to know whether the following method would work:

"dhcp-server 10.5.11.23 10.8.21.31"

If not, can you please suggest some other method?

3. Did you split DHCP Scope with 2 DHCP Servers ( If you using MS DHCP Server best practice). - Can you please suggest how this can be done?

Looking forward for your responses.

Regards,

Abhijit

Re: DHCP Failover for Anyconnect users

balaji.bandi — Mon, 20 Aug 2018 20:38:28 GMT

You need debug and capture the logs, is the request sending to other DHCP Server if the 1st one not reachable ?

Do some wire capture and log capture see where it is dropping.