10-25-2020 02:48 AM
Hello, I'm running an ASA 5508 and I want to implement a guest network on that ASA.
The guest network is on VLAN 6; on the switches VLAN 6 is defined, but there are no IP addresses assigned.
The only device is the ASA with a static IP on an interface.
There is also a DHCP server defined for that interface.
The problem is that no device is getting an IP address from the ASA, not via a cable and not via Wi-Fi.
I have no idea why this is not working.
interface GigabitEthernet1/5
 nameif Guestnetwork
 security-level 60
 ip address 192.168.20.254 255.255.255.0

access-list guest-in extended permit udp any4 any4
access-list guest-in extended permit ip any4 any4
access-list guest-in extended permit icmp any any
access-list guest-in extended deny ip any6 any6

object network O_N_Guestnetwork
 nat (Guestnetwork,outside) dynamic interface
object network O_N_Guestnetwork
 subnet 192.168.20.0 255.255.255.0

access-group guest-in in interface Guestnetwork

dhcpd address 192.168.20.50-192.168.20.200 Guestnetwork
dhcpd dns 9.9.9.9 149.112.112.112 interface Guestnetwork
dhcpd lease 86400 interface Guestnetwork
dhcpd domain test.priv interface Guestnetwork
dhcpd option 3 ip 192.168.20.254 interface Guestnetwork
dhcpd enable Guestnetwork
I have run the DHCP debug; the device is my iPhone.
ciscoasa# debug dhcpd packet
debug dhcpd packet enabled at level 1
ciscoasa# debug dhcp event
DHCPD/RA: Server msg received, fip=ANY, fport=0 on Guestnetwork interface
DHCPD: DHCPDISCOVER received from client 0186.1577.ac17.db on interface Guestnetwork.
DHCPD: send ping pkt to 192.168.20.110
DHCPD: ping got no response for ip: 192.168.20.110
DHCPD: Add binding 192.168.20.110 to radix tree
DHCPD/RA: Binding successfully added to hash table
DHCPD: Sending DHCPOFFER to client 0186.1577.ac17.db (192.168.20.110).
DHCPD: client requests option 3.
DHCPD: copy option 3 (length = 4) to outgoing message.
DHCPD: Total # of raw options copied to outgoing DHCP message is 1.
DHCPD/RA: creating ARP entry (192.168.20.110, 8615.77ac.17db).
DHCPD: unicasting BOOTREPLY to client 8615.77ac.17db(192.168.20.110).
ERROR: % Ambiguous command: "debug dhcp event"
ciscoasa#
DHCPD/RA: Server msg received, fip=ANY, fport=0 on Guestnetwork interface
DHCPD: DHCPREQUEST received from client 0186.1577.ac17.db.
DHCPD: Extracting client address from the message
DHCPD: State = DHCPS_REBOOTING
DHCPD: State = DHCPS_REQUESTING
DHCPD: Client 0186.1577.ac17.db specified it's address 192.168.20.110
DHCPD: Client is on the correct network
DHCPD: Client accepted our offer
DHCPD: Client and server agree on address 192.168.20.110
DHCPD: Renewing client 0186.1577.ac17.db lease
DHCPD: Client lease can be renewed
DHCPD: Sending DHCPACK to client 0186.1577.ac17.db (192.168.20.110).
DHCPD: client requests option 3.
DHCPD: copy option 3 (length = 4) to outgoing message.
DHCPD: Total # of raw options copied to outgoing DHCP message is 1.
DHCPD/RA: creating ARP entry (192.168.20.110, 8615.77ac.17db).
DHCPD: unicasting BOOTREPLY to client 8615.77ac.17db(192.168.20.110).
DHCPD/RA: Server msg received, fip=ANY, fport=0 on Guestnetwork interface
DHCPD: DHCPDECLINE received from client 0186.1577.ac17.db.
DHCPD/RA: Binding successfully deactivated
dhcpd_destroy_binding() removing NP rule for client 192.168.20.110
DHCPD/RA: free ddns info and binding
DHCPD/RA: Server msg received, fip=ANY, fport=0 on Guestnetwork interface
DHCPD: DHCPDISCOVER received from client 0186.1577.ac17.db on interface Guestnetwork.
DHCPD: send ping pkt to 192.168.20.111
DHCPD: ping got no response for ip: 192.168.20.111
DHCPD: Add binding 192.168.20.111 to radix tree
DHCPD/RA: Binding successfully added to hash table
DHCPD: Sending DHCPOFFER to client 0186.1577.ac17.db (192.168.20.111).
DHCPD: client requests option 3.
DHCPD: copy option 3 (length = 4) to outgoing message.
DHCPD: Total # of raw options copied to outgoing DHCP message is 1.
DHCPD/RA: creating ARP entry (192.168.20.111, 8615.77ac.17db).
DHCPD: unicasting BOOTREPLY to client 8615.77ac.17db(192.168.20.111).
DHCPD/RA: Server msg received, fip=ANY, fport=0 on Guestnetwork interface
DHCPD: DHCPREQUEST received from client 0186.1577.ac17.db.
DHCPD: Extracting client address from the message
DHCPD: State = DHCPS_REBOOTING
DHCPD: State = DHCPS_REQUESTING
DHCPD: Client 0186.1577.ac17.db specified it's address 192.168.20.111
DHCPD: Client is on the correct network
DHCPD: Client accepted our offer
DHCPD: Client and server agree on address 192.168.20.111
DHCPD: Renewing client 0186.1577.ac17.db lease
DHCPD: Client lease can be renewed
DHCPD: Sending DHCPACK to client 0186.1577.ac17.db (192.168.20.111).
DHCPD: client requests option 3.
DHCPD: copy option 3 (length = 4) to outgoing message.
DHCPD: Total # of raw options copied to outgoing DHCP message is 1.
DHCPD/RA: creating ARP entry (192.168.20.111, 8615.77ac.17db).
DHCPD: unicasting BOOTREPLY to client 8615.77ac.17db(192.168.20.111).
DHCPD/RA: Server msg received, fip=ANY, fport=0 on Guestnetwork interface
DHCPD: DHCPDECLINE received from client 0186.1577.ac17.db.
DHCPD/RA: Binding successfully deactivated
dhcpd_destroy_binding() removing NP rule for client 192.168.20.111
DHCPD/RA: free ddns info and binding
It is getting no connection. It runs through the IP addresses and counts +1 on the IP address all the time.
I'm no expert, but can someone please help me.
10-25-2020 03:20 AM - edited 10-25-2020 03:22 AM
The problem is that no device is getting an IP address from the ASA, not via a cable and not via Wi-Fi.
How is the ASA connected? Switch? If switch,
try the setting below on the switch.
On the port connected to the switch, make it a trunk port with: switchport trunk native vlan 9
I have not read your complete debug logs; if the issue persists, post the debug after the above changes.
10-25-2020 03:43 AM
I have now switched to your statement on the uplink switch to the ASA.
But nothing changed.
The diagram is as follows.
Internet <--> ASA <--> WS-C2960X-48TS-L <--> WS-C3560CX-12PC-S <--> 5 Access Points from UBNT
The problem is still there.
I can also connect a laptop to the WS-C2960X-48TS-L and I get the same problem.
10-25-2020 04:55 AM - edited 10-25-2020 05:17 AM
From the output I see the ASA and the client exchanged all the DORA messages successfully, and the ASA can allocate IP addresses to the client. However, for some reason, it seems that when the client sends the gratuitous ARP it receives a duplicate IP address from the ASA. This is not shown in your output, but the behaviour of repeating the same DORA process again and the "DHCPD: DHCPDECLINE received from client" messages suggest it. How did you configure proxy ARP on the ASA Guestnetwork interface? Please post the output of show run all sysopt | i proxy.
10-25-2020 10:05 AM - edited 10-25-2020 10:10 AM
Disable proxy ARP on the Guest interface.
This is the solution for your issue.
Good luck
10-25-2020 10:23 AM
This is the output:
ciscoasa# show run all sysopt | i proxy
no sysopt noproxyarp outside
no sysopt noproxyarp inside
no sysopt noproxyarp DMZ
no sysopt noproxyarp Camera
no sysopt noproxyarp Guestnetwork
10-25-2020 10:32 AM - edited 10-25-2020 10:49 AM
no sysopt noproxyarp Guestnetwork
It must be sysopt noproxyarp Guestnetwork
10-25-2020 10:43 AM
Proxy ARP is enabled on the Guestnetwork interface. Because of this, when the endpoints send the gratuitous ARP, the ASA might respond with a duplicate IP message back to the endpoints. Accordingly, the endpoints would not assign the allocated IP address, and they would send the DHCP decline message back to the ASA, which is what you see in the output you posted above. After that, the endpoints start the DORA process again. Please try to disable proxy ARP on the Guestnetwork interface with the command sysopt noproxyarp Guestnetwork and try again.
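The DECLINE loop described in the two replies above is easy to miss in a long debug dump, especially when a forum paste has run every message onto one line. As an added example (not code from this thread, from Cisco, or from the ASA itself), here is a small Python analyser for the per-client messages that `debug dhcpd packet` prints: it pairs each DHCPACK with a following DHCPDECLINE or DHCPRELEASE from the same client, lists the clients that keep declining leases, and checks whether the declined addresses walk up the pool one at a time (the "+1" pattern from the opening post). The message formats are taken from the debug lines posted above; the sample log is constructed to mirror them and is not a capture from the poster's ASA.

```python
"""Analyse Cisco ASA `debug dhcpd packet` output for DISCOVER/OFFER/REQUEST/
ACK/DECLINE loops. Added example; message formats follow the debug lines in
the thread, the sample text below is constructed."""
import ipaddress
import re
from collections import defaultdict

# One pattern for the per-client messages the ASA prints. It is applied with
# finditer over the whole text, so it works both on a properly line-broken
# capture and on a forum paste where every message landed on a single line.
MSG_RE = re.compile(
    r"DHCPD: (?:Sending )?(DHCP[A-Z]+)(?: message)? (?:received from|to) client "
    r"([0-9a-f]+(?:\.[0-9a-f]+)+)(?: \((\d+\.\d+\.\d+\.\d+)\))?"
)


def parse_events(debug_text):
    """Return [(client_id, message_type, ip_or_None), ...] in log order."""
    return [(m.group(2), m.group(1), m.group(3)) for m in MSG_RE.finditer(debug_text)]


def lease_outcomes(events):
    """Per client: addresses it DECLINEd straight after a DHCPACK, and addresses
    it RELEASEd. A DECLINE means the client's own ARP probe for the ACKed
    address got an answer, so it refused the lease; the server then offers the
    next pool address and the cycle repeats."""
    last_ack = {}
    declined = defaultdict(list)
    released = defaultdict(list)
    for client, msg, ip in events:
        if msg == "DHCPACK":
            last_ack[client] = ip
        elif msg == "DHCPDECLINE":
            declined[client].append(last_ack.pop(client, None))
        elif msg == "DHCPRELEASE":
            released[client].append(ip)
            last_ack.pop(client, None)
    return dict(declined), dict(released)


def looping_clients(events, threshold=2):
    """Clients that declined at least `threshold` leases, with a flag telling
    whether the declined addresses are consecutive (the '+1' symptom)."""
    declined, _ = lease_outcomes(events)
    report = {}
    for client, ips in declined.items():
        if len(ips) >= threshold:
            nums = [int(ipaddress.IPv4Address(ip)) for ip in ips if ip]
            consecutive = all(b - a == 1 for a, b in zip(nums, nums[1:]))
            report[client] = {"declined": ips, "consecutive": consecutive}
    return report


# Constructed sample, condensed to the shape of the debug posted above:
# the first client declines .110 and .111 in turn; the second keeps its
# lease and later releases it cleanly.
LOOPING_SAMPLE = """\
DHCPD: DHCPDISCOVER received from client 0186.1577.ac17.db on interface Guestnetwork.
DHCPD: Sending DHCPOFFER to client 0186.1577.ac17.db (192.168.20.110).
DHCPD: DHCPREQUEST received from client 0186.1577.ac17.db.
DHCPD: Sending DHCPACK to client 0186.1577.ac17.db (192.168.20.110).
DHCPD: DHCPDECLINE received from client 0186.1577.ac17.db.
DHCPD: DHCPDISCOVER received from client 0186.1577.ac17.db on interface Guestnetwork.
DHCPD: Sending DHCPOFFER to client 0186.1577.ac17.db (192.168.20.111).
DHCPD: DHCPREQUEST received from client 0186.1577.ac17.db.
DHCPD: Sending DHCPACK to client 0186.1577.ac17.db (192.168.20.111).
DHCPD: DHCPDECLINE received from client 0186.1577.ac17.db.
DHCPD: DHCPDISCOVER received from client 70ee.5004.8328 on interface Guestnetwork.
DHCPD: Sending DHCPOFFER to client 70ee.5004.8328 (192.168.20.72).
DHCPD: DHCPREQUEST received from client 70ee.5004.8328.
DHCPD: Sending DHCPACK to client 70ee.5004.8328 (192.168.20.72).
DHCPD: DHCPRELEASE message received from client 70ee.5004.8328 (192.168.20.72).
"""

if __name__ == "__main__":
    for client, info in looping_clients(parse_events(LOOPING_SAMPLE)).items():
        print(f"{client}: declined {info['declined']} consecutive={info['consecutive']}")
```

Run on a real capture by reading the pasted debug into a string and calling `looping_clients(parse_events(text))`; a client that shows up with `consecutive=True` is declining every address the server hands it, which points at something on the segment answering the client's ARP probe rather than at the DHCP pool itself. A capture taken after a change, like the second debug later in this thread, should show releases but no declines.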
10-25-2020 10:51 AM
Now it is configured like this:
ciscoasa# show run all sysopt | i proxy
no sysopt noproxyarp outside
no sysopt noproxyarp inside
no sysopt noproxyarp DMZ
no sysopt noproxyarp Camera
sysopt noproxyarp Guestnetwork
But still no success.
10-25-2020 11:06 AM - edited 10-25-2020 11:06 AM
Do you still see the same output as the one you posted earlier? Did you try from one or more clients? If you tried from multiple clients, I would try to disable the DHCP server and re-enable it on the ASA.
10-25-2020 10:53 AM - edited 10-25-2020 11:01 AM
Is there any NAT config for this interface besides the dynamic NAT?
Any static NAT containing the guest interface: end it with no-proxy-arp.
10-25-2020 11:03 AM
I don't see any other:
nat (inside,outside) source static any any destination static NETWORK_OBJ_172.16.5.0_25 NETWORK_OBJ_172.16.5.0_25 no-proxy-arp route-lookup
nat (inside,outside) source static All-Inside-Networks All-Inside-Networks destination static NETWORK_OBJ_172.16.6.0_25 NETWORK_OBJ_172.16.6.0_25 no-proxy-arp route-lookup
nat (outside,inside) source static O_N_Anyconnect_SSL O_N_Anyconnect_SSL
nat (outside,inside) source static O_N_VPN_IPSEC O_N_VPN_IPSEC
nat (any,any) source static All-Inside-Networks All-Inside-Networks destination static All-Inside-Networks All-Inside-Networks net-to-net
!
object network obj_any
 nat (inside,outside) dynamic interface
object network O_N_Internal
 nat (inside,outside) dynamic interface
object network O_N_Camera
 nat (inside,outside) dynamic interface
object network O_H_Rreverseproxy-Port-80
 nat (DMZ,outside) static interface service tcp www www
object network O_H_Reverseproxy-Port-443
 nat (DMZ,outside) static interface service tcp https https
object network O_N_VPN_IPSEC
 nat (outside,outside) dynamic interface
object network O_N_DMZ
 nat (DMZ,outside) dynamic interface
object network O_N_Anyconnect_SSL
 nat (outside,outside) dynamic interface
object network O_H_Unifi-Controller
 nat (DMZ,outside) static interface service tcp 8080 8080
object network O_N_Guestnetwork
 nat (Guestnetwork,outside) dynamic interface
object network O_N_WiFi
 nat (inside,outside) dynamic interface
object network O_H_N_Unifi-Controller-STUN
 nat (DMZ,outside) static interface service udp 3478 3478
object network O_N_Backbone
 nat (inside,outside) dynamic interface
10-25-2020 11:08 AM
The NAT (any,any) static: end it with no-proxy-arp, try, and send me the result.
Good Luck
10-25-2020 11:17 AM
Still not working:
NAT is now configured like this:
ciscoasa# sh nat
Manual NAT Policies (Section 1)
1 (inside) to (outside) source static any any destination static NETWORK_OBJ_172.16.5.0_25 NETWORK_OBJ_172.16.5.0_25 no-proxy-arp route-lookup
    translate_hits = 0, untranslate_hits = 0
2 (inside) to (outside) source static All-Inside-Networks All-Inside-Networks destination static NETWORK_OBJ_172.16.6.0_25 NETWORK_OBJ_172.16.6.0_25 no-proxy-arp route-lookup
    translate_hits = 0, untranslate_hits = 0
3 (outside) to (inside) source static O_N_Anyconnect_SSL O_N_Anyconnect_SSL
    translate_hits = 0, untranslate_hits = 0
4 (outside) to (inside) source static O_N_VPN_IPSEC O_N_VPN_IPSEC
    translate_hits = 0, untranslate_hits = 0
5 (any) to (any) source static All-Inside-Networks All-Inside-Networks destination static All-Inside-Networks All-Inside-Networks net-to-net no-proxy-arp
    translate_hits = 127, untranslate_hits = 337
Auto NAT Policies (Section 2)
1 (nlp_int_tap) to (inside) source static nlp_server_0_snmp_intf3 interface service udp snmp snmp
    translate_hits = 0, untranslate_hits = 17742
2 (DMZ) to (outside) source static O_H_Reverseproxy-Port-443 interface service tcp https https
    translate_hits = 0, untranslate_hits = 780
3 (DMZ) to (outside) source static O_H_Rreverseproxy-Port-80 interface service tcp www www
    translate_hits = 0, untranslate_hits = 3830
4 (DMZ) to (outside) source static O_H_N_Unifi-Controller-STUN interface service udp 3478 3478
    translate_hits = 0, untranslate_hits = 2
5 (DMZ) to (outside) source static O_H_Unifi-Controller interface service tcp 8080 8080
    translate_hits = 0, untranslate_hits = 5204
6 (nlp_int_tap) to (inside) source dynamic nlp_client_0_intf3 interface
    translate_hits = 8, untranslate_hits = 0
7 (inside) to (outside) source dynamic O_N_Internal interface
    translate_hits = 69310, untranslate_hits = 4523
8 (outside) to (outside) source dynamic O_N_VPN_IPSEC interface
    translate_hits = 0, untranslate_hits = 0
9 (outside) to (outside) source dynamic O_N_Anyconnect_SSL interface
    translate_hits = 0, untranslate_hits = 0
10 (DMZ) to (outside) source dynamic O_N_DMZ interface
    translate_hits = 400, untranslate_hits = 0
11 (inside) to (outside) source dynamic O_N_Backbone interface
    translate_hits = 713, untranslate_hits = 9
12 (inside) to (outside) source dynamic O_N_Camera interface
    translate_hits = 0, untranslate_hits = 0
13 (inside) to (outside) source dynamic O_N_WiFi interface
    translate_hits = 0, untranslate_hits = 0
14 (Guestnetwork) to (outside) source dynamic O_N_Guestnetwork interface
    translate_hits = 787, untranslate_hits = 15
15 (inside) to (outside) source dynamic obj_any interface
    translate_hits = 0, untranslate_hits = 0
Debug DHCP
ciscoasa# debug dhcpd packet
debug dhcpd packet enabled at level 1
ciscoasa#
DHCPD/RA: Server msg received, fip=ANY, fport=0 on Guestnetwork interface
DHCPD: DHCPRELEASE message received from client 016c.e85c.ce7f.20 (192.168.20.70).
DHCPD/RA: Binding successfully deactivated
dhcpd_destroy_binding() removing NP rule for client 192.168.20.70
DHCPD/RA: free ddns info and binding
DHCPD/RA: Server msg received, fip=ANY, fport=0 on Guestnetwork interface
DHCPD: DHCPDISCOVER received from client 016c.e85c.ce7f.20 on interface Guestnetwork.
DHCPD: send ping pkt to 192.168.20.71
DHCPD: ping got no response for ip: 192.168.20.71
DHCPD: Add binding 192.168.20.71 to radix tree
DHCPD/RA: Binding successfully added to hash table
DHCPD: Sending DHCPOFFER to client 016c.e85c.ce7f.20 (192.168.20.71).
DHCPD: client requests option 3.
DHCPD: copy option 3 (length = 4) to outgoing message.
DHCPD: Total # of raw options copied to outgoing DHCP message is 1.
DHCPD/RA: creating ARP entry (192.168.20.71, 6ce8.5cce.7f20).
DHCPD: unicasting BOOTREPLY to client 6ce8.5cce.7f20(192.168.20.71).
ciscoasa#
DHCPD/RA: Server msg received, fip=ANY, fport=0 on Guestnetwork interface
DHCPD: DHCPDISCOVER received from client 016c.e85c.ce7f.20 on interface Guestnetwork.
DHCPD: Sending DHCPOFFER to client 016c.e85c.ce7f.20 (192.168.20.71).
DHCPD: client requests option 3.
DHCPD: copy option 3 (length = 4) to outgoing message.
DHCPD: Total # of raw options copied to outgoing DHCP message is 1.
DHCPD/RA: creating ARP entry (192.168.20.71, 6ce8.5cce.7f20).
DHCPD: unicasting BOOTREPLY to client 6ce8.5cce.7f20(192.168.20.71).
DHCPD/RA: Server msg received, fip=ANY, fport=0 on Guestnetwork interface
DHCPD: DHCPREQUEST received from client 016c.e85c.ce7f.20.
DHCPD: Extracting client address from the message
DHCPD: State = DHCPS_REBOOTING
DHCPD: State = DHCPS_REQUESTING
DHCPD: Client 016c.e85c.ce7f.20 specified it's address 192.168.20.71
DHCPD: Client is on the correct network
DHCPD: Client accepted our offer
DHCPD: Client and server agree on address 192.168.20.71
DHCPD: Renewing client 016c.e85c.ce7f.20 lease
DHCPD: Client lease can be renewed
DHCPD: Sending DHCPACK to client 016c.e85c.ce7f.20 (192.168.20.71).
DHCPD: client requests option 3.
DHCPD: copy option 3 (length = 4) to outgoing message.
DHCPD: Total # of raw options copied to outgoing DHCP message is 1.
DHCPD/RA: creating ARP entry (192.168.20.71, 6ce8.5cce.7f20).
DHCPD: unicasting BOOTREPLY to client 6ce8.5cce.7f20(192.168.20.71).
DHCPD/RA: Server msg received, fip=ANY, fport=0 on Guestnetwork interface
DHCPD: DHCPDISCOVER received from client 70ee.5004.8328 on interface Guestnetwork.
DHCPD: send ping pkt to 192.168.20.72
DHCPD: ping got no response for ip: 192.168.20.72
DHCPD: Add binding 192.168.20.72 to radix tree
DHCPD/RA: Binding successfully added to hash table
DHCPD: Sending DHCPOFFER to client 70ee.5004.8328 (192.168.20.72).
DHCPD: client requests option 3.
DHCPD: copy option 3 (length = 4) to outgoing message.
DHCPD: Total # of raw options copied to outgoing DHCP message is 1.
DHCPD/RA: creating ARP entry (192.168.20.72, 70ee.5004.8328).
DHCPD: unicasting BOOTREPLY to client 70ee.5004.8328(192.168.20.72).
DHCPD/RA: Server msg received, fip=ANY, fport=0 on Guestnetwork interface
DHCPD: DHCPREQUEST received from client 70ee.5004.8328.
DHCPD: Extracting client address from the message
DHCPD: State = DHCPS_REBOOTING
DHCPD: State = DHCPS_REQUESTING
DHCPD: Client 70ee.5004.8328 specified it's address 192.168.20.72
DHCPD: Client is on the correct network
DHCPD: Client accepted our offer
DHCPD: Client and server agree on address 192.168.20.72
DHCPD: Renewing client 70ee.5004.8328 lease
DHCPD: Client lease can be renewed
DHCPD: Sending DHCPACK to client 70ee.5004.8328 (192.168.20.72).
DHCPD: client requests option 3.
DHCPD: copy option 3 (length = 4) to outgoing message.
DHCPD: Total # of raw options copied to outgoing DHCP message is 1.
DHCPD/RA: creating ARP entry (192.168.20.72, 70ee.5004.8328).
DHCPD: unicasting BOOTREPLY to client 70ee.5004.8328(192.168.20.72).
DHCPD/RA: Server msg received, fip=ANY, fport=0 on Guestnetwork interface
DHCPD: DHCPRELEASE message received from client 70ee.5004.8328 (192.168.20.72).
DHCPD/RA: Binding successfully deactivated
dhcpd_destroy_binding() removing NP rule for client 192.168.20.72
DHCPD/RA: free ddns info and binding
10-25-2020 11:30 AM
dhcpd enable Guestnetwork
Do no dhcpd enable and then enable it again.