Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1090
Views
0
Helpful
3
Replies

DHCP Failover for Anyconnect users

abhijith891
Level 1
Level 1

‎08-16-2018 06:09 AM - edited ‎02-21-2020 08:06 AM

Hi All,

We recently had a network down outage and none of our users could login via Anyconnect. Upon RCA, we found out that this was due to one of our DHCP servers going down. On checking the firewall, I found the following configs:

 

tunnel-group SSLVPN type remote-access
tunnel-group SSLVPN general-attributes
authentication-server-group AD
authorization-server-group AD
default-group-policy NO-ACCESS
dhcp-server 10.5.11.23
dhcp-server 10.8.21.31
password-management


tunnel-group SSLVPN webvpn-attributes
customization Client-WebPortal
group-alias Client enable
tunnel-group Client_AlwaysOn type remote-access
tunnel-group Client_AlwaysOn general-attributes
authentication-server-group AD_Cert
authorization-server-group AD_Cert
default-group-policy NO-ACCESS
dhcp-server 10.5.11.23
dhcp-server 10.8.21.31
authorization-required
username-from-certificate CN 

 

 

Now my doubts are:

 

1) Why werent the Anyconnect users unable to connect to the 2nd DHCP server when the first one went down?

 

2) What could be possibly done to ensure that DHCP server failovers to the second;  incase one goes down? 

 

I do have a proposal for failover; but I am not sure whether this works:

 

tunnel-group SSLVPN type remote-access

tunnel-group SSLVPN general-attributes

dhcp-server 10.5.11.23 10.8.21.31

 

tunnel-group Client_AlwaysOn type remote-access

tunnel-group Client_AlwaysOn general-attributes

dhcp-server 10.5.11.23 10.8.21.31

 

 

Can someone please help me on this?

 

 

0 Helpful
3 Replies 3

balaji.bandi
Hall of Fame
Hall of Fame

‎08-16-2018 01:03 PM

Have have checked below steps :

 

1. Is the both the DHCP Server reachable to ASA

2. Do you have any FW rules required, compare working vs not working.

3. Did you split DHCP Scope with 2 DHCP Servers ( If you using MS DHCP Server best practice).

 

 

 

 

 

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

0 Helpful

abhijith891
Level 1
Level 1
In response to balaji.bandi

‎08-19-2018 07:21 AM

Hi Balaji,

 

Thanks for your suggestions.

 

To answer your questions:

 

1. Is the both the DHCP Server reachable to ASA - Yes they are.

 

2. Do you have any FW rules required, compare working vs not working -

 

Not very clear about what you mean, but all the relevant configs have been mentioned in the first post. I just need to know how to failover from one DHCP server to another.

 

Configuring DHCP servers in the following way didnt work:

 

"dhcp-server 10.5.11.23
dhcp-server 10.8.21.31"

 

So I want to know whether the following method would work:

 

"dhcp-server 10.5.11.23 10.8.21.31"

 

If not, can you please suggest some other method?

 

3. Did you split DHCP Scope with 2 DHCP Servers ( If you using MS DHCP Server best practice). - Can you please suggest how this can be done?

 

Looking forward for your responses.

 

Regards,

Abhijit

 

0 Helpful

balaji.bandi
Hall of Fame
Hall of Fame
In response to abhijith891

‎08-20-2018 01:38 PM

You need debug and capture the logs, is the request sending to other DHCP Server if the 1st one not reachable ?

Do some wire capture and log capture see where it is dropping.

 

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card