DHCP issue

Isaac — Fri, 21 Feb 2020 17:19:41 GMT

ASA 5515 ver 9.4(4)36 is not handing out DHCP leases, only one interface is setup for DHCP

dhcpd address 192.168.45.129-192.168.45.252 Guest
dhcpd dns 8.8.8.8 8.8.4.4 interface Guest
dhcpd lease 3000 interface Guest
dhcpd enable Guest

I have done no dhcpd enable Guest and then re-enabled it. I have tried debug dhcpd packet and debug dhcpd event but no output when user tried to connect, setup a packet capture:

Access-list dhcp permit udp any any eq 67
access-list dhcp permit udp any eq 67 any
access-list dhcp permit udp any any eq 68
access-list dhcp permit udp any eq 68 any
cap dhcp access-list dhcp interface Guest

capture did not show any packets, but when I do:

packet-tracer input Guest udp 0.0.0.0 68 255.255.255.255 67 detailed

I get this:

packet-tracer input Guest udp 0.0.0.0 68 255.255.255.255 67 detailed

Phase: 1
Type: CAPTURE
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7fffe2d2ce30, priority=13, domain=capture, deny=false
hits=7, user_data=0x7fffe1448bd0, cs_id=0x0, l3_type=0x0
src mac=0000.0000.0000, mask=0000.0000.0000
dst mac=0000.0000.0000, mask=0000.0000.0000
input_ifc=Guest, output_ifc=any

Phase: 2
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7fffe1b8feb0, priority=1, domain=permit, deny=false
hits=9867, user_data=0x0, cs_id=0x0, l3_type=0x8
src mac=0000.0000.0000, mask=0000.0000.0000
dst mac=0000.0000.0000, mask=0100.0000.0000
input_ifc=Guest, output_ifc=any

Phase: 3
Type: PBR-LOOKUP
Subtype: policy-route
Result: ALLOW
Config:
route-map rmap-1 permit 10
match ip address pbr-acl
set ip next-hop 1.2.3.4
Additional Information:
Matched route-map rmap-1, sequence 10, permit
Found next-hop 1.2.3.5 using egress ifc guest_mediacom

Result:
input-interface: Guest
input-status: up
input-line-status: up
output-interface: guest_mediacom
output-status: up
output-line-status: up
Action: drop
Drop-reason: (sp-security-failed) Slowpath security checks failed

I have verified the dhcp daemon is running:

show processes | i dhcp
Mwe 0x000000000075bdac 0x00007fffcb8b0d78 0x0000000006b50960 19233 0x00007fffcb8a9030 30088/32768 dhcp_daemon 202

Re: DHCP issue

itsupport — Tue, 23 Jul 2019 03:36:41 GMT

I assume that here is a switch between the ASA and DHCP clients? If so, and it is managed device, check that DHCP snooping is correctly configured.

More here, for some Cisco switches.

https://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst3750x_3560x/software/release/15-0_2_se/configuration/guide/3750x_cg/swdhcp82.html#24258

topic DHCP issue in Network Security

DHCP issue

Re: DHCP issue