ASA 5508 DHCP not working for guest network

Hindin O · ‎10-25-2020

Hello I'm running a ASA 5508 and I want to implement a guest network on that ASA.

The guest network is on VLAN 6 and on the switches VLAN 6 is defined but there are no IP addresses assigned.

The only device is the ASA with a static ip on an interface.

There is also a DHCP Server defined for that interface.

Problem is that no device is getting a IP address from the ASA. not via a cabel not via Wi-Fi.

I have no idea why this is not working.

interface GigabitEthernet1/5
 nameif Guestnetwork
 security-level 60
 ip address 192.168.20.254 255.255.255.0

access-list guest-in extended permit udp any4 any4
access-list guest-in extended permit ip any4 any4
access-list guest-in extended permit icmp any any
access-list guest-in extended deny ip any6 any6

object network O_N_Guestnetwork
 nat (Guestnetwork,outside) dynamic interface

object network O_N_Guestnetwork
 subnet 192.168.20.0 255.255.255.0

access-group guest-in in interface Guestnetwork

dhcpd address 192.168.20.50-192.168.20.200 Guestnetwork
dhcpd dns 9.9.9.9 149.112.112.112 interface Guestnetwork
dhcpd lease 86400 interface Guestnetwork
dhcpd domain test.priv interface Guestnetwork
dhcpd option 3 ip 192.168.20.254 interface Guestnetwork
dhcpd enable Guestnetwork

I have run DHCP debug and the device is my iPhone.

ciscoasa# debug dhcpd packet
debug dhcpd packet enabled at level 1
ciscoasa# debug dhcp eventDHCPD/RA: Server msg received, fip=ANY, fport=0 on Guestnetwork interface
DHCPD: DHCPDISCOVER received from client 0186.1577.ac17.db on interface Guestnetwork.
DHCPD: send ping pkt to 192.168.20.110
DHCPD: ping got no response for ip: 192.168.20.110
DHCPD: Add binding 192.168.20.110 to radix tree
DHCPD/RA: Binding successfully added to hash table
DHCPD: Sending DHCPOFFER to client 0186.1577.ac17.db (192.168.20.110).
DHCPD: client requests option 3.
DHCPD: copy option 3 (length = 4) to outgoing message.

DHCPD: Total # of raw options copied to outgoing DHCP message is 1.
DHCPD/RA: creating ARP entry (192.168.20.110, 8615.77ac.17db).
DHCPD: unicasting BOOTREPLY to client 8615.77ac.17db(192.168.20.110).

ERROR: % Ambiguous command: "debug dhcp event"
ciscoasa# DHCPD/RA: Server msg received, fip=ANY, fport=0 on Guestnetwork interface
DHCPD: DHCPREQUEST received from client 0186.1577.ac17.db.
DHCPD: Extracting client address from the message
DHCPD: State = DHCPS_REBOOTING
DHCPD: State = DHCPS_REQUESTING
DHCPD: Client 0186.1577.ac17.db specified it's address 192.168.20.110
DHCPD: Client is on the correct network
DHCPD: Client accepted our offer
DHCPD: Client and server agree on address 192.168.20.110
DHCPD: Renewing client 0186.1577.ac17.db lease
DHCPD: Client lease can be renewed
DHCPD: Sending DHCPACK to client 0186.1577.ac17.db (192.168.20.110).
DHCPD: client requests option 3.
DHCPD: copy option 3 (length = 4) to outgoing message.

DHCPD: Total # of raw options copied to outgoing DHCP message is 1.
DHCPD/RA: creating ARP entry (192.168.20.110, 8615.77ac.17db).
DHCPD: unicasting BOOTREPLY to client 8615.77ac.17db(192.168.20.110).
DHCPD/RA: Server msg received, fip=ANY, fport=0 on Guestnetwork interface
DHCPD: DHCPDECLINE received from client 0186.1577.ac17.db.
DHCPD/RA: Binding successfully deactivated
dhcpd_destroy_binding() removing NP rule for client 192.168.20.110
DHCPD/RA: free ddns info and binding
DHCPD/RA: Server msg received, fip=ANY, fport=0 on Guestnetwork interface
DHCPD: DHCPDISCOVER received from client 0186.1577.ac17.db on interface Guestnetwork.
DHCPD: send ping pkt to 192.168.20.111
DHCPD: ping got no response for ip: 192.168.20.111
DHCPD: Add binding 192.168.20.111 to radix tree
DHCPD/RA: Binding successfully added to hash table
DHCPD: Sending DHCPOFFER to client 0186.1577.ac17.db (192.168.20.111).
DHCPD: client requests option 3.
DHCPD: copy option 3 (length = 4) to outgoing message.

DHCPD: Total # of raw options copied to outgoing DHCP message is 1.
DHCPD/RA: creating ARP entry (192.168.20.111, 8615.77ac.17db).
DHCPD: unicasting BOOTREPLY to client 8615.77ac.17db(192.168.20.111).
DHCPD/RA: Server msg received, fip=ANY, fport=0 on Guestnetwork interface
DHCPD: DHCPREQUEST received from client 0186.1577.ac17.db.
DHCPD: Extracting client address from the message
DHCPD: State = DHCPS_REBOOTING
DHCPD: State = DHCPS_REQUESTING
DHCPD: Client 0186.1577.ac17.db specified it's address 192.168.20.111
DHCPD: Client is on the correct network
DHCPD: Client accepted our offer
DHCPD: Client and server agree on address 192.168.20.111
DHCPD: Renewing client 0186.1577.ac17.db lease
DHCPD: Client lease can be renewed
DHCPD: Sending DHCPACK to client 0186.1577.ac17.db (192.168.20.111).
DHCPD: client requests option 3.
DHCPD: copy option 3 (length = 4) to outgoing message.

DHCPD: Total # of raw options copied to outgoing DHCP message is 1.
DHCPD/RA: creating ARP entry (192.168.20.111, 8615.77ac.17db).
DHCPD: unicasting BOOTREPLY to client 8615.77ac.17db(192.168.20.111).
DHCPD/RA: Server msg received, fip=ANY, fport=0 on Guestnetwork interface
DHCPD: DHCPDECLINE received from client 0186.1577.ac17.db.
DHCPD/RA: Binding successfully deactivated
dhcpd_destroy_binding() removing NP rule for client 192.168.20.111
DHCPD/RA: free ddns info and binding

It is getting no connection. He is running trough the ip addreses and count +1 all the time to the ip addresses.

I'm no expert but please can someone help me.

balaji.bandi · ‎10-25-2020

Problem is that no device is getting a IP address from the ASA. not via a cabel not via Wi-Fi.

how is ASA connected ? switch ? if switch

Try below the setting on the switch.

the port connected to switch, make it as trunk port with - switchport trunk native vlan 9

I have not read your complete debug logs, if still issue post the debug after the above changes.

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

Hindin O · ‎10-25-2020

I have switched now to your statement on the uplink switch to the asa.

But nothing changed.

The diagram is as followed.

Internet <--> ASA <--> WS-C2960X-48TS-L <--> WS-C3560CX-12PC-S <--> 5 Access Points from UBNT

The Problem is still there.

I can also connect a laptop to the WS-C2960X-48TS-L and i get the same problem.

Aref Alsouqi · ‎10-25-2020

From the output I see the ASA and the client exchanged all the DORA messages successfully, and the ASA can allocate the IP addresses to the client. However, for some reason, it seems that when the client sends the Gratuitous ARP it receives a duplicate IP address from the ASA, this is not shown on your output, but the behaviour of keep repeating same DORA process again and the received DHCPD: DHCPDECLINE received from client suggests it. How did you configure the proxy ARP on the ASA Guestnetwork interface? post the output of show run all sysopt | i proxy please.

MHM Cisco World · ‎10-25-2020

disable proxy arp on Guest interface.
this is solution for your issue.
good luck

Hindin O · ‎10-25-2020

This is the output:

ciscoasa# show run all sysopt | i proxy
no sysopt noproxyarp outside
no sysopt noproxyarp inside
no sysopt noproxyarp DMZ
no sysopt noproxyarp Camera
no sysopt noproxyarp Guestnetwork

MHM Cisco World · ‎10-25-2020

no sysopt noproxyarp Guestnetwork

its must be sysopt noproxyarp guest network

Aref Alsouqi · ‎10-25-2020

Proxy ARP is enabled on the Guestnetwork interface. Because of this, when the endpoints send the Gratuitous ARP the ASA might response with a duplicate IP message back to the endpoints. Accordingly the endpoints would not assign the allocated IP address, and they would send the DHCP decline message back to the ASA that you see on the output you posted above. After that, the endpoints will start the DORA process again. Try please to disable the proxy ARP on the Guestnetwork interface with the command sysopt noproxyarp Guestnetwork and try again.

Hindin O · ‎10-25-2020

now it is configured like here:

ciscoasa# show run all sysopt | i proxy
no sysopt noproxyarp outside
no sysopt noproxyarp inside
no sysopt noproxyarp DMZ
no sysopt noproxyarp Camera
sysopt noproxyarp Guestnetwork

But still no success.

Aref Alsouqi · ‎10-25-2020

Do you still see the same output as the one you posted earlier? did you try from one or more clients?, if you tried from multiple clients, I would try to disable the DHCP server and re-enable it on the ASA.

MHM Cisco World · ‎10-25-2020

these is any NAT config for this interface beside the dynamic NAT?
any static NAT contain the guest interface end it with no-proxy-arp.

Hindin O · ‎10-25-2020

I don't see any other:

nat (inside,outside) source static any any destination static NETWORK_OBJ_172.16.5.0_25 NETWORK_OBJ_172.16.5.0_25 no-proxy-arp route-lookup
nat (inside,outside) source static All-Inside-Networks All-Inside-Networks destination static NETWORK_OBJ_172.16.6.0_25 NETWORK_OBJ_172.16.6.0_25 no-proxy-arp route-lookup
nat (outside,inside) source static O_N_Anyconnect_SSL O_N_Anyconnect_SSL
nat (outside,inside) source static O_N_VPN_IPSEC O_N_VPN_IPSEC
nat (any,any) source static All-Inside-Networks All-Inside-Networks destination static All-Inside-Networks All-Inside-Networks net-to-net
!
object network obj_any
 nat (inside,outside) dynamic interface
object network O_N_Internal
 nat (inside,outside) dynamic interface
object network O_N_Camera
 nat (inside,outside) dynamic interface
object network O_H_Rreverseproxy-Port-80
 nat (DMZ,outside) static interface service tcp www www
object network O_H_Reverseproxy-Port-443
 nat (DMZ,outside) static interface service tcp https https
object network O_N_VPN_IPSEC
 nat (outside,outside) dynamic interface
object network O_N_DMZ
 nat (DMZ,outside) dynamic interface
object network O_N_Anyconnect_SSL
 nat (outside,outside) dynamic interface
object network O_H_Unifi-Controller
 nat (DMZ,outside) static interface service tcp 8080 8080
object network O_N_Guestnetwork
 nat (Guestnetwork,outside) dynamic interface
object network O_N_WiFi
 nat (inside,outside) dynamic interface
object network O_H_N_Unifi-Controller-STUN
 nat (DMZ,outside) static interface service udp 3478 3478
object network O_N_Backbone
 nat (inside,outside) dynamic interface

MHM Cisco World · ‎10-25-2020

NAT(any,any) static end it with no-proxy-arp try and send me result.
Good Luck

Hindin O · ‎10-25-2020

Still not working:

Nat is now configured like this:

ciscoasa# sh nat
Manual NAT Policies (Section 1)
1 (inside) to (outside) source static any any  destination static NETWORK_OBJ_172.16.5.0_25 NETWORK_OBJ_172.16.5.0_25 no-proxy-arp route-lookup
    translate_hits = 0, untranslate_hits = 0
2 (inside) to (outside) source static All-Inside-Networks All-Inside-Networks  destination static NETWORK_OBJ_172.16.6.0_25 NETWORK_OBJ_172.16.6.0_25 no-proxy-arp route-lookup
    translate_hits = 0, untranslate_hits = 0
3 (outside) to (inside) source static O_N_Anyconnect_SSL O_N_Anyconnect_SSL
    translate_hits = 0, untranslate_hits = 0
4 (outside) to (inside) source static O_N_VPN_IPSEC O_N_VPN_IPSEC
    translate_hits = 0, untranslate_hits = 0
5 (any) to (any) source static All-Inside-Networks All-Inside-Networks  destination static All-Inside-Networks All-Inside-Networks net-to-net no-proxy-arp
    translate_hits = 127, untranslate_hits = 337

Auto NAT Policies (Section 2)
1 (nlp_int_tap) to (inside) source static nlp_server_0_snmp_intf3 interface  service udp snmp snmp
    translate_hits = 0, untranslate_hits = 17742
2 (DMZ) to (outside) source static O_H_Reverseproxy-Port-443 interface  service tcp https https
    translate_hits = 0, untranslate_hits = 780
3 (DMZ) to (outside) source static O_H_Rreverseproxy-Port-80 interface  service tcp www www
    translate_hits = 0, untranslate_hits = 3830
4 (DMZ) to (outside) source static O_H_N_Unifi-Controller-STUN interface  service udp 3478 3478
    translate_hits = 0, untranslate_hits = 2
5 (DMZ) to (outside) source static O_H_Unifi-Controller interface  service tcp 8080 8080
    translate_hits = 0, untranslate_hits = 5204
6 (nlp_int_tap) to (inside) source dynamic nlp_client_0_intf3 interface
    translate_hits = 8, untranslate_hits = 0
7 (inside) to (outside) source dynamic O_N_Internal interface
    translate_hits = 69310, untranslate_hits = 4523
8 (outside) to (outside) source dynamic O_N_VPN_IPSEC interface
    translate_hits = 0, untranslate_hits = 0
9 (outside) to (outside) source dynamic O_N_Anyconnect_SSL interface
    translate_hits = 0, untranslate_hits = 0
10 (DMZ) to (outside) source dynamic O_N_DMZ interface
    translate_hits = 400, untranslate_hits = 0
11 (inside) to (outside) source dynamic O_N_Backbone interface
    translate_hits = 713, untranslate_hits = 9
12 (inside) to (outside) source dynamic O_N_Camera interface
    translate_hits = 0, untranslate_hits = 0
13 (inside) to (outside) source dynamic O_N_WiFi interface
    translate_hits = 0, untranslate_hits = 0
14 (Guestnetwork) to (outside) source dynamic O_N_Guestnetwork interface
    translate_hits = 787, untranslate_hits = 15
15 (inside) to (outside) source dynamic obj_any interface
    translate_hits = 0, untranslate_hits = 0

Debug DHCP

ciscoasa# debug dhcpd packet
debug dhcpd packet enabled at level 1
ciscoasa# DHCPD/RA:  Server msg received, fip=ANY, fport=0 on Guestnetwork interface
DHCPD: DHCPRELEASE message received from client 016c.e85c.ce7f.20 (192.168.20.70).
DHCPD/RA: Binding successfully deactivated
dhcpd_destroy_binding() removing NP rule for client 192.168.20.70
DHCPD/RA: free ddns info and binding
DHCPD/RA:  Server msg received, fip=ANY, fport=0 on Guestnetwork interface
DHCPD: DHCPDISCOVER received from client 016c.e85c.ce7f.20 on interface Guestnetwork.
DHCPD: send ping pkt to 192.168.20.71
DHCPD: ping got no response for ip: 192.168.20.71
DHCPD: Add binding 192.168.20.71 to radix tree
DHCPD/RA: Binding successfully added to hash table
DHCPD: Sending DHCPOFFER to client 016c.e85c.ce7f.20 (192.168.20.71).
DHCPD: client requests option 3.
DHCPD: copy option 3 (length = 4) to outgoing message.

DHCPD: Total # of raw options copied to outgoing DHCP message is 1.
DHCPD/RA: creating ARP entry (192.168.20.71, 6ce8.5cce.7f20).
DHCPD: unicasting BOOTREPLY to client 6ce8.5cce.7f20(192.168.20.71).

ciscoasa# DHCPD/RA:  Server msg received, fip=ANY, fport=0 on Guestnetwork interface
DHCPD: DHCPDISCOVER received from client 016c.e85c.ce7f.20 on interface Guestnetwork.
DHCPD: Sending DHCPOFFER to client 016c.e85c.ce7f.20 (192.168.20.71).
DHCPD: client requests option 3.
DHCPD: copy option 3 (length = 4) to outgoing message.

DHCPD: Total # of raw options copied to outgoing DHCP message is 1.
DHCPD/RA: creating ARP entry (192.168.20.71, 6ce8.5cce.7f20).
DHCPD: unicasting BOOTREPLY to client 6ce8.5cce.7f20(192.168.20.71).
DHCPD/RA:  Server msg received, fip=ANY, fport=0 on Guestnetwork interface
DHCPD: DHCPREQUEST received from client 016c.e85c.ce7f.20.
DHCPD: Extracting client address from the message
DHCPD: State = DHCPS_REBOOTING
DHCPD: State = DHCPS_REQUESTING
DHCPD: Client 016c.e85c.ce7f.20 specified it's address 192.168.20.71
DHCPD: Client is on the correct network
DHCPD: Client accepted our offer
DHCPD: Client and server agree on address 192.168.20.71
DHCPD: Renewing client 016c.e85c.ce7f.20 lease
DHCPD: Client lease can be renewed
DHCPD: Sending DHCPACK to client 016c.e85c.ce7f.20 (192.168.20.71).
DHCPD: client requests option 3.
DHCPD: copy option 3 (length = 4) to outgoing message.

DHCPD: Total # of raw options copied to outgoing DHCP message is 1.
DHCPD/RA: creating ARP entry (192.168.20.71, 6ce8.5cce.7f20).
DHCPD: unicasting BOOTREPLY to client 6ce8.5cce.7f20(192.168.20.71).
DHCPD/RA:  Server msg received, fip=ANY, fport=0 on Guestnetwork interface
DHCPD: DHCPDISCOVER received from client 70ee.5004.8328 on interface Guestnetwork.
DHCPD: send ping pkt to 192.168.20.72
DHCPD: ping got no response for ip: 192.168.20.72
DHCPD: Add binding 192.168.20.72 to radix tree
DHCPD/RA: Binding successfully added to hash table
DHCPD: Sending DHCPOFFER to client 70ee.5004.8328 (192.168.20.72).
DHCPD: client requests option 3.
DHCPD: copy option 3 (length = 4) to outgoing message.

DHCPD: Total # of raw options copied to outgoing DHCP message is 1.
DHCPD/RA: creating ARP entry (192.168.20.72, 70ee.5004.8328).
DHCPD: unicasting BOOTREPLY to client 70ee.5004.8328(192.168.20.72).
DHCPD/RA:  Server msg received, fip=ANY, fport=0 on Guestnetwork interface
DHCPD: DHCPREQUEST received from client 70ee.5004.8328.
DHCPD: Extracting client address from the message
DHCPD: State = DHCPS_REBOOTING
DHCPD: State = DHCPS_REQUESTING
DHCPD: Client 70ee.5004.8328 specified it's address 192.168.20.72
DHCPD: Client is on the correct network
DHCPD: Client accepted our offer
DHCPD: Client and server agree on address 192.168.20.72
DHCPD: Renewing client 70ee.5004.8328 lease
DHCPD: Client lease can be renewed
DHCPD: Sending DHCPACK to client 70ee.5004.8328 (192.168.20.72).
DHCPD: client requests option 3.
DHCPD: copy option 3 (length = 4) to outgoing message.

DHCPD: Total # of raw options copied to outgoing DHCP message is 1.
DHCPD/RA: creating ARP entry (192.168.20.72, 70ee.5004.8328).
DHCPD: unicasting BOOTREPLY to client 70ee.5004.8328(192.168.20.72).
DHCPD/RA:  Server msg received, fip=ANY, fport=0 on Guestnetwork interface
DHCPD: DHCPRELEASE message received from client 70ee.5004.8328 (192.168.20.72).
DHCPD/RA: Binding successfully deactivated
dhcpd_destroy_binding() removing NP rule for client 192.168.20.72
DHCPD/RA: free ddns info and binding

MHM Cisco World · ‎10-25-2020

dhcpd enable Guestnetwork

no dhcpd enable and then enable it again.