02-08-2018 09:24 AM - edited 02-21-2020 07:18 AM
I have the AnyConnect VPN profile configured to use two internal Windows DHCP servers as the IP address assignment server. I can VPN in and get an IP just fine; the subnet network address is 10.180.160.0/24. However, it looks like the Cisco ASA is using RFC 1918 to assign the subnet mask as 255.0.0.0. I need it to either assign the correct subnet mask or pull the correct subnet mask from the DHCP server. I'm not going to use a pool on the ASA, as I've centralized all DHCP setup on two servers.
thanks!
02-19-2018 11:34 AM - edited 02-19-2018 11:37 AM
A quick update on this. The ASA IOS software was updated from 9.1.7(6) to 9.1.7(23) to fix a vulnerability in the Cisco AnyConnect HTTPS protocol, but it actually fixed this DHCP issue too. So the old-as-the-hills ASA actually works.
02-08-2018 02:46 PM
Not sure why it's working like that in your setup, but that's not the general behavior. I use it in a similar way, and I get my 10.a.b.c address with a /25 netmask, as it is configured on the DHCP server.
What is your config and environment?
02-08-2018 02:50 PM
Two Windows 2012 R2 DHCP servers. Obviously a Windows machine inside always gets the 255.255.255.0 subnet mask, but that's not the case when users connect via VPN: a mask of 255.0.0.0 is always handed out. The ASA 5510 is on v9.1(7), relatively new. If there is a fix somehow after v9.1(7), please let me know.
The relevant section of the ASA config is here, nothing special...
tunnel-group AnyConnect type remote-access
tunnel-group AnyConnect general-attributes
 authentication-server-group RADIUS LOCAL
 default-group-policy AnyConnect
 dhcp-server 10.180.160.61
 dhcp-server 10.180.160.62
 password-management password-expire-in-days 3
tunnel-group AnyConnect webvpn-attributes
 radius-reject-message
 group-alias AnyConnect enable
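The post above states that inside hosts get 255.255.255.0 from the same scope while VPN clients end up with 255.0.0.0, which is exactly the classful mask for a 10.x.x.x address. One way to rule the DHCP server in or out is to capture the DHCP exchange between the ASA and the DHCP server and check whether option 1 (subnet mask) in the OFFER carries 255.255.255.0; if it does and the client still gets /8, the mask is being dropped on the ASA side. The following script is an added example, not code from this thread or from Cisco: it builds a DHCPOFFER with constructed values for the 10.180.160.0/24 scope, parses the BOOTP header and option TLVs, and compares the offered mask with the classful mask the ASA appears to be applying. To use it on a real capture, feed it the UDP payload of the OFFER packet instead of the constructed one.

```python
"""Decode a DHCPOFFER (RFC 2131 header, RFC 2132 options) and report the
subnet mask the server actually offered.

Added example for this thread, not from the thread or from Cisco. The
packet built by build_offer() is constructed to mimic what a Windows DHCP
scope 10.180.160.0/24 would hand to a VPN client; all values are made up.
"""
import ipaddress
import struct

MAGIC_COOKIE = b"\x63\x82\x53\x63"   # RFC 2132: start of the options field
OPT_PAD, OPT_SUBNET_MASK, OPT_ROUTER, OPT_DNS = 0, 1, 3, 6
OPT_MSG_TYPE, OPT_END = 53, 255
BOOTP_HEADER_LEN = 236               # fixed BOOTP header before the cookie
MSG_TYPES = {1: "DHCPDISCOVER", 2: "DHCPOFFER", 3: "DHCPREQUEST",
             5: "DHCPACK", 6: "DHCPNAK"}


def build_offer(yiaddr, mask, router, dns, xid=0x3903F326):
    """Constructed DHCPOFFER: BOOTREPLY header plus a handful of options."""
    packed = lambda a: ipaddress.IPv4Address(a).packed
    header = struct.pack(
        "!BBBBIHH4s4s4s4s16s64s128s",
        2, 1, 6, 0, xid, 0, 0,                  # op=BOOTREPLY, Ethernet, hlen 6
        b"\0" * 4, packed(yiaddr), b"\0" * 4, b"\0" * 4,   # ciaddr yiaddr siaddr giaddr
        b"\0" * 16, b"\0" * 64, b"\0" * 128)    # chaddr, sname, file (unused here)
    dns_packed = b"".join(packed(d) for d in dns)
    options = (MAGIC_COOKIE
               + bytes([OPT_MSG_TYPE, 1, 2])                    # DHCPOFFER
               + bytes([OPT_SUBNET_MASK, 4]) + packed(mask)     # option 1
               + bytes([OPT_ROUTER, 4]) + packed(router)
               + bytes([OPT_DNS, len(dns_packed)]) + dns_packed
               + bytes([OPT_END]))
    return header + options


def parse_options(raw):
    """Walk the TLV option list; tolerate PAD, stop at END, reject truncation."""
    options, i = {}, 0
    while i < len(raw):
        code = raw[i]
        if code == OPT_PAD:
            i += 1
            continue
        if code == OPT_END:
            break
        if i + 1 >= len(raw):
            raise ValueError("truncated option header")
        length = raw[i + 1]
        value = raw[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("truncated option value")
        options[code] = value
        i += 2 + length
    return options


def parse_offer(packet):
    """Return the fields relevant to the mask question as a dict."""
    if len(packet) < BOOTP_HEADER_LEN + len(MAGIC_COOKIE):
        raise ValueError("shorter than BOOTP header plus magic cookie")
    op, _, _, _, xid, _, _, _, yiaddr, _, _ = struct.unpack(
        "!BBBBIHH4s4s4s4s", packet[:28])
    if op != 2:
        raise ValueError("not a BOOTREPLY")
    if packet[BOOTP_HEADER_LEN:BOOTP_HEADER_LEN + 4] != MAGIC_COOKIE:
        raise ValueError("missing DHCP magic cookie")
    opts = parse_options(packet[BOOTP_HEADER_LEN + 4:])
    mask = opts.get(OPT_SUBNET_MASK)
    msg = opts.get(OPT_MSG_TYPE)
    dns = opts.get(OPT_DNS, b"")
    to_ip = lambda b: str(ipaddress.IPv4Address(b))
    return {
        "xid": xid,
        "msg_type": MSG_TYPES.get(msg[0]) if msg else None,
        "yiaddr": to_ip(yiaddr),
        "subnet_mask": to_ip(mask) if mask and len(mask) == 4 else None,
        "dns": [to_ip(dns[j:j + 4]) for j in range(0, len(dns) - len(dns) % 4, 4)],
    }


def offered_network(packet):
    """Network the server offered, e.g. '10.180.160.0/24', or None if no mask."""
    info = parse_offer(packet)
    if info["subnet_mask"] is None:
        return None
    net = ipaddress.IPv4Network((info["yiaddr"], info["subnet_mask"]), strict=False)
    return str(net)


def classful_mask(address):
    """Pre-CIDR (class A/B/C) mask for an address; 10.x.x.x gives 255.0.0.0."""
    first = int(address.split(".")[0])
    if first < 128:
        return "255.0.0.0"
    if first < 192:
        return "255.255.0.0"
    return "255.255.255.0"


def mask_dropped_by_relay(packet, client_mask):
    """True when the server offered a real mask but the client ended up with
    the classful one, i.e. option 1 was ignored somewhere between server and client."""
    info = parse_offer(packet)
    offered = info["subnet_mask"]
    return (offered is not None and client_mask != offered
            and client_mask == classful_mask(info["yiaddr"]))


if __name__ == "__main__":
    pkt = build_offer("10.180.160.73", "255.255.255.0", "10.180.160.1",
                      ["10.180.160.61", "10.180.160.62"])
    print(parse_offer(pkt))
    print("offered network:", offered_network(pkt))
    print("mask dropped on the way to the client:",
          mask_dropped_by_relay(pkt, "255.0.0.0"))
```

If the capture shows the OFFER with no option 1 at all, the problem is on the server side (scope or option configuration); if option 1 is present with 255.255.255.0 and the client still lands on /8, the server is fine and the device in between is applying a classful default, which matches the software-version outcome reported later in this thread.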
02-08-2018 03:30 PM
Both the ASA and the ASA software are old as the hills... For the software you should anyhow upgrade to the newest interim release because of the newest critical vulnerability.
How is the group-policy configured where you select the right DHCP-pool?
02-08-2018 03:33 PM
haha, not my call to upgrade right away or not to the new line of ASA, customer's money is always tight. $35k for a firewall or a company car? hmm...
Relevant section of the group policy. I don't think it's relevant, because no DHCP option is specified here.
group-policy AnyConnect attributes
 dns-server value 10.180.160.61 10.180.160.62
 vpn-idle-timeout 30
 vpn-tunnel-protocol ssl-client
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value REMOTE-CISCOVPN_splitTunnelAcl_1
 default-domain value royal.local
02-08-2018 03:40 PM
Try the following:
group-policy AnyConnect attributes
 dhcp-network-scope 10.180.160.0
The 10.180.160.0 is the scope on the DHCP server that you want to use.
02-08-2018 06:57 PM
I actually already tried that, and VPN connectivity fails during IP assignment; it made the problem worse. Any other ideas?
02-08-2018 11:04 PM
I would continue troubleshooting on the server why no addresses are assigned when the scope is defined.