08-16-2018 06:09 AM - edited 02-21-2020 08:06 AM
Hi All,
We recently had a network down outage and none of our users could login via Anyconnect. Upon RCA, we found out that this was due to one of our DHCP servers going down. On checking the firewall, I found the following configs:
tunnel-group SSLVPN type remote-access
tunnel-group SSLVPN general-attributes
authentication-server-group AD
authorization-server-group AD
default-group-policy NO-ACCESS
dhcp-server 10.5.11.23
dhcp-server 10.8.21.31
password-management
tunnel-group SSLVPN webvpn-attributes
customization Client-WebPortal
group-alias Client enable
tunnel-group Client_AlwaysOn type remote-access
tunnel-group Client_AlwaysOn general-attributes
authentication-server-group AD_Cert
authorization-server-group AD_Cert
default-group-policy NO-ACCESS
dhcp-server 10.5.11.23
dhcp-server 10.8.21.31
authorization-required
username-from-certificate CN
Now my doubts are:
1) Why weren't the AnyConnect users able to connect to the 2nd DHCP server when the first one went down?
2) What could possibly be done to ensure that the DHCP server fails over to the second one, in case one goes down?
I do have a proposal for failover, but I am not sure whether this works:
tunnel-group SSLVPN type remote-access
tunnel-group SSLVPN general-attributes
dhcp-server 10.5.11.23 10.8.21.31
tunnel-group Client_AlwaysOn type remote-access
tunnel-group Client_AlwaysOn general-attributes
dhcp-server 10.5.11.23 10.8.21.31
Can someone please help me on this?
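One way to audit this kind of configuration for groups that depend on a single DHCP server, as an added example that is not part of the thread and not an ASA tool: it only reads config text in the layouts quoted above (one `dhcp-server` line per address, or the proposed several-addresses-per-line form) and assumes nothing about how the ASA itself orders or fails over between them.

```python
# Added example (not from the thread): parse ASA tunnel-group blocks and
# report which DHCP servers each remote-access group depends on, so a
# group that loses address assignment with one server down stands out.
import re

TG_RE = re.compile(r"^tunnel-group\s+(\S+)\s+general-attributes$")
IPV4_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")


def parse_dhcp_servers(config_text):
    """Return {tunnel_group: [dhcp servers in config order]}.
    Accepts one `dhcp-server` line per address or several addresses
    on a single `dhcp-server` line (the form proposed in the thread)."""
    servers, current = {}, None
    for raw in config_text.splitlines():
        line = raw.strip()
        m = TG_RE.match(line)
        if m:
            current = m.group(1)
            servers.setdefault(current, [])
        elif line.startswith("tunnel-group "):
            current = None  # type / webvpn-attributes lines carry no dhcp-server
        elif line.startswith("dhcp-server ") and current is not None:
            for addr in line.split()[1:]:
                if not IPV4_RE.match(addr):
                    raise ValueError(f"{current}: bad dhcp-server address {addr!r}")
                if addr not in servers[current]:
                    servers[current].append(addr)
    return servers


def single_dhcp_groups(servers):
    """Tunnel-groups whose address assignment rests on fewer than two servers."""
    return sorted(tg for tg, lst in servers.items() if len(lst) < 2)


# Constructed sample: both layouts discussed in the thread, plus one
# deliberately under-provisioned group ("Contractors") the audit should flag.
SAMPLE_CONFIG = """tunnel-group SSLVPN type remote-access
tunnel-group SSLVPN general-attributes
 dhcp-server 10.5.11.23
 dhcp-server 10.8.21.31
tunnel-group SSLVPN webvpn-attributes
tunnel-group Client_AlwaysOn general-attributes
 dhcp-server 10.5.11.23 10.8.21.31
tunnel-group Contractors general-attributes
 dhcp-server 10.5.11.23
"""
```

Running `parse_dhcp_servers(SAMPLE_CONFIG)` and then `single_dhcp_groups(...)` on the result returns `['Contractors']`; the two thread layouts parse to the same server list.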
08-16-2018 01:03 PM
Have you checked the below steps:
1. Are both DHCP servers reachable from the ASA?
2. Do you have any FW rules required? Compare working vs. not working.
3. Did you split the DHCP scope across the 2 DHCP servers? (If you are using MS DHCP Server, this is best practice.)
08-19-2018 07:21 AM
Hi Balaji,
Thanks for your suggestions.
To answer your questions:
1. Are both DHCP servers reachable from the ASA? - Yes, they are.
2. Do you have any FW rules required? Compare working vs. not working -
Not very clear about what you mean, but all the relevant configs have been mentioned in the first post. I just need to know how to failover from one DHCP server to another.
Configuring the DHCP servers in the following way didn't work:
"dhcp-server 10.5.11.23
dhcp-server 10.8.21.31"
So I want to know whether the following method would work:
"dhcp-server 10.5.11.23 10.8.21.31"
If not, can you please suggest some other method?
3. Did you split the DHCP scope across the 2 DHCP servers? (If you are using MS DHCP Server, this is best practice.) - Can you please suggest how this can be done?
Looking forward to your responses.
Regards,
Abhijit
08-20-2018 01:38 PM
You need to debug and capture the logs: is the request being sent to the other DHCP server if the 1st one is not reachable?
Do some wire capture and log capture and see where it is dropping.