ASA 5508 DHCP not working for guest network

Hindin O (Level 1)

Hello, I'm running an ASA 5508 and I want to implement a guest network on that ASA.

The guest network is on VLAN 6. On the switches VLAN 6 is defined, but no IP addresses are assigned to it.

The only device is the ASA, with a static IP on an interface.

There is also a DHCP server defined for that interface.

The problem is that no device is getting an IP address from the ASA, not via cable and not via Wi-Fi.

I have no idea why this is not working.

 

interface GigabitEthernet1/5
 nameif Guestnetwork
 security-level 60
 ip address 192.168.20.254 255.255.255.0
access-list guest-in extended permit udp any4 any4
access-list guest-in extended permit ip any4 any4
access-list guest-in extended permit icmp any any
access-list guest-in extended deny ip any6 any6
object network O_N_Guestnetwork
 nat (Guestnetwork,outside) dynamic interface
object network O_N_Guestnetwork
 subnet 192.168.20.0 255.255.255.0
access-group guest-in in interface Guestnetwork
dhcpd address 192.168.20.50-192.168.20.200 Guestnetwork
dhcpd dns 9.9.9.9 149.112.112.112 interface Guestnetwork
dhcpd lease 86400 interface Guestnetwork
dhcpd domain test.priv interface Guestnetwork
dhcpd option 3 ip 192.168.20.254 interface Guestnetwork
dhcpd enable Guestnetwork

I have run the DHCP debug; the device is my iPhone.

ciscoasa# debug dhcpd packet
debug dhcpd packet enabled at level 1
ciscoasa# debug dhcp event
DHCPD/RA:  Server msg received, fip=ANY, fport=0 on Guestnetwork interface
DHCPD: DHCPDISCOVER received from client 0186.1577.ac17.db on interface Guestnetwork.
DHCPD: send ping pkt to 192.168.20.110
DHCPD: ping got no response for ip: 192.168.20.110
DHCPD: Add binding 192.168.20.110 to radix tree
DHCPD/RA: Binding successfully added to hash table
DHCPD: Sending DHCPOFFER to client 0186.1577.ac17.db (192.168.20.110).
DHCPD: client requests option 3.
DHCPD: copy option 3 (length = 4) to outgoing message.

DHCPD: Total # of raw options copied to outgoing DHCP message is 1.
DHCPD/RA: creating ARP entry (192.168.20.110, 8615.77ac.17db).
DHCPD: unicasting BOOTREPLY to client 8615.77ac.17db(192.168.20.110).

ERROR: % Ambiguous command:  "debug dhcp event"
ciscoasa# DHCPD/RA:  Server msg received, fip=ANY, fport=0 on Guestnetwork interface
DHCPD: DHCPREQUEST received from client 0186.1577.ac17.db.
DHCPD: Extracting client address from the message
DHCPD: State = DHCPS_REBOOTING
DHCPD: State = DHCPS_REQUESTING
DHCPD: Client 0186.1577.ac17.db specified it's address 192.168.20.110
DHCPD: Client is on the correct network
DHCPD: Client accepted our offer
DHCPD: Client and server agree on address 192.168.20.110
DHCPD: Renewing client 0186.1577.ac17.db lease
DHCPD: Client lease can be renewed
DHCPD: Sending DHCPACK to client 0186.1577.ac17.db (192.168.20.110).
DHCPD: client requests option 3.
DHCPD: copy option 3 (length = 4) to outgoing message.

DHCPD: Total # of raw options copied to outgoing DHCP message is 1.
DHCPD/RA: creating ARP entry (192.168.20.110, 8615.77ac.17db).
DHCPD: unicasting BOOTREPLY to client 8615.77ac.17db(192.168.20.110).
DHCPD/RA:  Server msg received, fip=ANY, fport=0 on Guestnetwork interface
DHCPD: DHCPDECLINE received from client 0186.1577.ac17.db.
DHCPD/RA: Binding successfully deactivated
dhcpd_destroy_binding() removing NP rule for client 192.168.20.110
DHCPD/RA: free ddns info and binding
DHCPD/RA:  Server msg received, fip=ANY, fport=0 on Guestnetwork interface
DHCPD: DHCPDISCOVER received from client 0186.1577.ac17.db on interface Guestnetwork.
DHCPD: send ping pkt to 192.168.20.111
DHCPD: ping got no response for ip: 192.168.20.111
DHCPD: Add binding 192.168.20.111 to radix tree
DHCPD/RA: Binding successfully added to hash table
DHCPD: Sending DHCPOFFER to client 0186.1577.ac17.db (192.168.20.111).
DHCPD: client requests option 3.
DHCPD: copy option 3 (length = 4) to outgoing message.

DHCPD: Total # of raw options copied to outgoing DHCP message is 1.
DHCPD/RA: creating ARP entry (192.168.20.111, 8615.77ac.17db).
DHCPD: unicasting BOOTREPLY to client 8615.77ac.17db(192.168.20.111).
DHCPD/RA:  Server msg received, fip=ANY, fport=0 on Guestnetwork interface
DHCPD: DHCPREQUEST received from client 0186.1577.ac17.db.
DHCPD: Extracting client address from the message
DHCPD: State = DHCPS_REBOOTING
DHCPD: State = DHCPS_REQUESTING
DHCPD: Client 0186.1577.ac17.db specified it's address 192.168.20.111
DHCPD: Client is on the correct network
DHCPD: Client accepted our offer
DHCPD: Client and server agree on address 192.168.20.111
DHCPD: Renewing client 0186.1577.ac17.db lease
DHCPD: Client lease can be renewed
DHCPD: Sending DHCPACK to client 0186.1577.ac17.db (192.168.20.111).
DHCPD: client requests option 3.
DHCPD: copy option 3 (length = 4) to outgoing message.

DHCPD: Total # of raw options copied to outgoing DHCP message is 1.
DHCPD/RA: creating ARP entry (192.168.20.111, 8615.77ac.17db).
DHCPD: unicasting BOOTREPLY to client 8615.77ac.17db(192.168.20.111).
DHCPD/RA:  Server msg received, fip=ANY, fport=0 on Guestnetwork interface
DHCPD: DHCPDECLINE received from client 0186.1577.ac17.db.
DHCPD/RA: Binding successfully deactivated
dhcpd_destroy_binding() removing NP rule for client 192.168.20.111
DHCPD/RA: free ddns info and binding

It is not getting a connection. It runs through the IP addresses, incrementing by +1 every time.

I'm no expert, but can someone please help me.
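
The debug output above shows the same DISCOVER / OFFER / REQUEST / ACK / DECLINE cycle repeating with the offered address incrementing, and later in the thread the ASA logs a DHCPREQUEST whose Server ID "is not us". As an added example (not part of the original post and not Cisco code), here is a small Python script that reconstructs each client's exchange from `debug dhcpd packet` lines and flags those two patterns. The embedded log is constructed, modelled on the lines in this thread with the ping, ARP and option lines dropped; the wording of the findings is this example's interpretation of the messages, not ASA output.

```python
"""Triage helper for Cisco ASA `debug dhcpd packet` output.

Added example for this thread, not Cisco code. It reconstructs each client's
DHCP exchange from the debug lines and flags two patterns: DHCPDECLINE right
after DHCPACK (address already in use) and a DHCPREQUEST naming another server.
"""
import re
from collections import defaultdict

# Constructed sample, modelled on the lines posted in this thread.
SAMPLE_DEBUG = """\
ciscoasa# DHCPD: DHCPDISCOVER received from client 0186.1577.ac17.db on interface Guestnetwork.
DHCPD: Sending DHCPOFFER to client 0186.1577.ac17.db (192.168.20.110).
DHCPD: DHCPREQUEST received from client 0186.1577.ac17.db.
DHCPD: Client 0186.1577.ac17.db specified it's address 192.168.20.110
DHCPD: Sending DHCPACK to client 0186.1577.ac17.db (192.168.20.110).
DHCPD: DHCPDECLINE received from client 0186.1577.ac17.db.
DHCPD: DHCPDISCOVER received from client 0186.1577.ac17.db on interface Guestnetwork.
DHCPD: Sending DHCPOFFER to client 0186.1577.ac17.db (192.168.20.111).
DHCPD: DHCPREQUEST received from client 0186.1577.ac17.db.
DHCPD: Client 0186.1577.ac17.db specified it's address 192.168.20.111
DHCPD: Sending DHCPACK to client 0186.1577.ac17.db (192.168.20.111).
DHCPD: DHCPDECLINE received from client 0186.1577.ac17.db.
DHCPD: DHCPDISCOVER received from client 016c.e85c.ce7f.20 on interface Guestnetwork.
DHCPD: Sending DHCPOFFER to client 016c.e85c.ce7f.20 (192.168.20.50).
DHCPD: DHCPREQUEST received from client 016c.e85c.ce7f.20.
DHCPD: Client 016c.e85c.ce7f.20 specified it's address 10.200.112.70
DHCPD: Server ID 10.200.112.254 for requested address 10.200.112.70 is not us, do not NAK.
DHCPD: DHCPRELEASE message received from client 70ee.5004.8328 (192.168.20.72).
"""

# The ASA's own wording (including "it's") is matched verbatim.
RX_RECV = re.compile(r"DHCPD: (DHCP(?:DISCOVER|REQUEST|DECLINE|RELEASE)) (?:message )?"
                     r"received from client (\S+?)(?: \(([\d.]+)\))?(?: on interface (\S+?))?\.$")
RX_SEND = re.compile(r"DHCPD: Sending (DHCPOFFER|DHCPACK|DHCPNAK) to client (\S+) \(([\d.]+)\)")
RX_SPEC = re.compile(r"DHCPD: Client (\S+) specified it's address ([\d.]+)")
RX_FOREIGN = re.compile(r"DHCPD: Server ID ([\d.]+) for requested address ([\d.]+) is not us")


def parse_events(text):
    """Turn debug lines into a list of {msg, client, ip, server_id} events."""
    events, last_client = [], None
    for line in text.splitlines():
        line = line.strip()
        if m := RX_RECV.search(line):
            msg, client, ip, _iface = m.groups()
            last_client = client
            events.append({"msg": msg, "client": client, "ip": ip, "server_id": None})
        elif m := RX_SEND.search(line):
            msg, client, ip = m.groups()
            events.append({"msg": msg, "client": client, "ip": ip, "server_id": None})
        elif m := RX_SPEC.search(line):
            client, ip = m.groups()
            last_client = client
            events.append({"msg": "REQUESTED", "client": client, "ip": ip, "server_id": None})
        elif m := RX_FOREIGN.search(line):
            # This line names no client; it belongs to the REQUEST parsed just before it.
            server_id, ip = m.groups()
            events.append({"msg": "FOREIGN_SERVER", "client": last_client, "ip": ip,
                           "server_id": server_id})
    return events


def diagnose(events):
    """Per client: offered/acked addresses, DECLINE-after-ACK count, foreign server IDs."""
    by_client = defaultdict(list)
    for e in events:
        by_client[e["client"]].append(e)
    report = {}
    for client, evs in by_client.items():
        offered = [e["ip"] for e in evs if e["msg"] == "DHCPOFFER"]
        acked = [e["ip"] for e in evs if e["msg"] == "DHCPACK"]
        foreign = [(e["server_id"], e["ip"]) for e in evs if e["msg"] == "FOREIGN_SERVER"]
        declined_after_ack, awaiting = 0, None
        for e in evs:
            if e["msg"] == "DHCPACK":
                awaiting = e["ip"]              # lease handed out, client now probes it
            elif e["msg"] == "DHCPDECLINE" and awaiting:
                declined_after_ack += 1         # client rejected the lease it just got
                awaiting = None
        findings = []
        if declined_after_ack:
            findings.append("%d DHCPDECLINE after DHCPACK (offered %s): RFC 2131 clients decline "
                            "when their own probe finds the address already in use, so check what "
                            "else answers on this segment" % (declined_after_ack, ", ".join(offered)))
        if foreign:
            findings.append("REQUEST named server %s for %s: the client's broadcast domain reaches "
                            "a second DHCP server" % foreign[0])
        report[client] = {"offered": offered, "acked": acked, "declined_after_ack": declined_after_ack,
                          "foreign_servers": foreign, "findings": findings}
    return report


if __name__ == "__main__":
    for client, r in diagnose(parse_events(SAMPLE_DEBUG)).items():
        print(client, r["offered"], r["findings"])
```

Paste the raw console output into `SAMPLE_DEBUG` (or read it from a file) and run the script; the `ciscoasa#` prompt that the console interleaves with the debug lines is tolerated because the patterns are searched, not anchored at the start of the line.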

 

29 Replies

Sorry, still not working:

ciscoasa(config)# DHCPD/RA:  Server msg received, fip=ANY, fport=0 on Guestnetwork interface
DHCPD: DHCPDISCOVER received from client 016c.e85c.ce7f.20 on interface Guestnetwork.
DHCPD: Sending DHCPOFFER to client 016c.e85c.ce7f.20 (192.168.20.75).
DHCPD: client requests option 3.
DHCPD: copy option 3 (length = 4) to outgoing message.

DHCPD: Total # of raw options copied to outgoing DHCP message is 1.
DHCPD/RA: creating ARP entry (192.168.20.75, 6ce8.5cce.7f20).
DHCPD: unicasting BOOTREPLY to client 6ce8.5cce.7f20(192.168.20.75).
DHCPD/RA:  Server msg received, fip=ANY, fport=0 on Guestnetwork interface
DHCPD: DHCPREQUEST received from client 016c.e85c.ce7f.20.
DHCPD: Extracting client address from the message
DHCPD: State = DHCPS_REBOOTING
DHCPD: State = DHCPS_REQUESTING
DHCPD: Client 016c.e85c.ce7f.20 specified it's address 192.168.20.75
DHCPD: Client is on the correct network
DHCPD: Client accepted our offer
DHCPD: Client and server agree on address 192.168.20.75
DHCPD: Renewing client 016c.e85c.ce7f.20 lease
DHCPD: Client lease can be renewed
DHCPD: Sending DHCPACK to client 016c.e85c.ce7f.20 (192.168.20.75).
DHCPD: client requests option 3.
DHCPD: copy option 3 (length = 4) to outgoing message.

DHCPD: Total # of raw options copied to outgoing DHCP message is 1.
DHCPD/RA: creating ARP entry (192.168.20.75, 6ce8.5cce.7f20).
DHCPD: unicasting BOOTREPLY to client 6ce8.5cce.7f20(192.168.20.75).
DHCPD/RA:  Server msg received, fip=ANY, fport=0 on Guestnetwork interface
DHCPD: DHCPDISCOVER received from client 70ee.5004.8328 on interface Guestnetwork.
DHCPD: send ping pkt to 192.168.20.76
DHCPD: ping got no response for ip: 192.168.20.76
DHCPD: Add binding 192.168.20.76 to radix tree
DHCPD/RA: Binding successfully added to hash table
DHCPD: Sending DHCPOFFER to client 70ee.5004.8328 (192.168.20.76).
DHCPD: client requests option 3.
DHCPD: copy option 3 (length = 4) to outgoing message.

DHCPD: Total # of raw options copied to outgoing DHCP message is 1.
DHCPD/RA: creating ARP entry (192.168.20.76, 70ee.5004.8328).
DHCPD: unicasting BOOTREPLY to client 70ee.5004.8328(192.168.20.76).
DHCPD/RA:  Server msg received, fip=ANY, fport=0 on Guestnetwork interface
DHCPD: DHCPREQUEST received from client 70ee.5004.8328.
DHCPD: Extracting client address from the message
DHCPD: State = DHCPS_REBOOTING
DHCPD: State = DHCPS_REQUESTING
DHCPD: Client 70ee.5004.8328 specified it's address 192.168.20.76
DHCPD: Client is on the correct network
DHCPD: Client accepted our offer
DHCPD: Client and server agree on address 192.168.20.76
DHCPD: Renewing client 70ee.5004.8328 lease
DHCPD: Client lease can be renewed
DHCPD: Sending DHCPACK to client 70ee.5004.8328 (192.168.20.76).
DHCPD: client requests option 3.
DHCPD: copy option 3 (length = 4) to outgoing message.

DHCPD: Total # of raw options copied to outgoing DHCP message is 1.
DHCPD/RA: creating ARP entry (192.168.20.76, 70ee.5004.8328).
DHCPD: unicasting BOOTREPLY to client 70ee.5004.8328(192.168.20.76).

DHCPD: DHCPRELEASE message received from client 70ee.5004.8328 (192.168.20.72).

This message appears again. Is this message sent from the client to the ASA (DHCP server)?

Check this message and reply; I think that will solve your issue.

This is one of the clients.

The release message is sent by the client to the server (ASA) when the client wants to declare that it no longer needs the assigned IP address; a common example is when the client is about to be shut down.

There must be an option configured on the ASA that does not seem to be compatible with the clients. Can you please remove the following, disable/re-enable the DHCP server, and see if that makes any difference? If it does, add them back one at a time and see where it fails:

no dhcpd lease 86400 interface Guestnetwork
no dhcpd domain test.priv interface Guestnetwork
no dhcpd option 3 ip 192.168.20.254 interface Guestnetwork
no dhcpd enable Guestnetwork
dhcpd enable Guestnetwork

 

Hi, I have deleted all entries and entered only the minimum now:

ciscoasa# sh running-config  | grep dhcp
dhcpd auto_config outside
dhcpd address 192.168.20.50-192.168.20.200 Guestnetwork
dhcpd dns 9.9.9.9 149.112.112.112 interface Guestnetwork
dhcpd enable Guestnetwork
dhcprelay timeout 60

Still not working:

ciscoasa# debug dhcpd packet
debug dhcpd packet enabled at level 1
ciscoasa# DHCPD/RA:  Server msg received, fip=ANY, fport=0 on Guestnetwork interface
DHCPD: DHCPDISCOVER received from client 016c.e85c.ce7f.20 on interface Guestnetwork.
DHCPD: send ping pkt to 192.168.20.50
DHCPD: ping got no response for ip: 192.168.20.50
DHCPD: Add binding 192.168.20.50 to radix tree
DHCPD/RA: Binding successfully added to hash table
DHCPD: Sending DHCPOFFER to client 016c.e85c.ce7f.20 (192.168.20.50).

DHCPD: Total # of raw options copied to outgoing DHCP message is 0.
DHCPD/RA: creating ARP entry (192.168.20.50, 6ce8.5cce.7f20).
DHCPD: unicasting BOOTREPLY to client 6ce8.5cce.7f20(192.168.20.50).
DHCPD/RA:  Server msg received, fip=ANY, fport=0 on Guestnetwork interface
DHCPD: DHCPREQUEST received from client 016c.e85c.ce7f.20.
DHCPD: Extracting client address from the message
DHCPD: State = DHCPS_REBOOTING
DHCPD: State = DHCPS_REQUESTING
DHCPD: Client 016c.e85c.ce7f.20 specified it's address 10.200.112.70
DHCPD: Client is on the correct network
DHCPD: Server ID 10.200.112.254 for requested address 10.200.112.70 is not us, do not NAK.
DHCPD/RA:  Server msg received, fip=ANY, fport=0 on Guestnetwork interface
DHCPD: DHCPDISCOVER received from client 016c.e85c.ce7f.20 on interface Guestnetwork.
DHCPD: Sending DHCPOFFER to client 016c.e85c.ce7f.20 (192.168.20.50).

DHCPD: Total # of raw options copied to outgoing DHCP message is 0.
DHCPD/RA: creating ARP entry (192.168.20.50, 6ce8.5cce.7f20).
DHCPD: unicasting BOOTREPLY to client 6ce8.5cce.7f20(192.168.20.50).

What am I doing wrong?

Con...

I did some lab on my end and it worked just fine:

ASA(config)# sh run dhcpd     
dhcpd auto_config outside
!
dhcpd address 10.10.10.10-10.10.10.15 inside
dhcpd dns 1.1.1.1 8.8.8.8 interface inside
dhcpd lease 86400 interface inside
dhcpd domain lab.local interface inside
dhcpd option 3 ip 10.10.10.1 interface inside
dhcpd enable inside

ASA(config)# sh dhcpd binding 
IP address       Client Identifier        Lease expiration        Type
   10.10.10.10    0150.0000.0300.00           86263 seconds    Automatic

What code is running on your ASA?

 

 

System image file is "disk0:/asa9-14-1-30-lfbff-k8.SPA"

Interesting, yesterday I tested your configs on one of my ASA lab devices running version 9.14(1)6 and it worked just fine. At this point, I would try to run Wireshark on the client and try to capture the messages between the ASA and the client to analyse them.

Try this command and send me the result ASAP.

 

dhcp-client client-id interface

I have entered the following command:

ciscoasa(config)# dhcp-client client-id interface Guestnetwork

What result do you want me to show?

Do you see any release message from client anymore?

Hindin O (Level 1)

Hello gentlemen,

I had a very strange experience.
When I switched on my PC today, which is in VLAN 1, it got an IP address assigned which is only available in VLAN 6. So I had another look at the switch config. The only thing I had changed after what was said here in the forum was the uplink port from the switch to the ASA.

changed to: 

 switchport trunk native vlan 6

After the strange behaviour on my PC, I reset the port back to the old statement.

interface GigabitEthernet1/0/39
 description Uplink to ASA 5508 Guestnetwork
 switchport access vlan 6

After I entered this command all devices were working immediately and got an IP address in the guest network.

 

Thanks to everyone who took the time to help me.
This is really a great community.

First, thanks a lot for sharing the solution.
Second, can you try a trunk but make the native VLAN any VLAN other than the VLAN used on the ASA?

Setting up a trunk connection between the switch and the ASA is unnecessary in this case, as the ASA is not using a subinterface. This means the ASA won't be able to read the tagged traffic coming over the trunk link. The reason why it would work when you configure VLAN6 as native, is because VLAN6 traffic in that case would be sent across the trunk link untagged (unless you force the native VLAN tagging), so the ASA can read it. But again, in your case you don't need to configure any trunk port, and the switch port should be in access mode, in VLAN6.
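
The reasoning in that last reply (access port versus trunk, native VLAN untagged, ASA physical interface versus subinterface) is easy to get wrong in the head. As an added example that is not part of the thread and not Cisco code, here is a small Python model of the 802.1Q behaviour described above, evaluated for the switch-port variants the thread discusses against the `Guestnetwork` interface from the original post. The `vlan dot1q tag native` flag and the subinterface scenario are assumptions added to show the general rule; the simplified semantics are this example's, not a vendor specification.

```python
"""Which ASA interface sees a switch VLAN? Added example for this thread, not Cisco code.

Model of the 802.1Q rules described in the thread: an access port sends its VLAN
untagged; a trunk sends its native VLAN untagged (unless the switch tags native)
and every other allowed VLAN tagged; an ASA physical interface without
subinterfaces receives only untagged frames, and a subinterface `vlan N`
receives only frames tagged N.
"""
from dataclasses import dataclass, field
from typing import Dict, Optional, Set


@dataclass
class SwitchPort:
    """Switch-side port facing the ASA (IOS-style semantics, simplified)."""
    mode: str                                   # "access" or "trunk"
    access_vlan: int = 1                        # switchport access vlan N
    native_vlan: int = 1                        # switchport trunk native vlan N
    allowed_vlans: Optional[Set[int]] = None    # trunk allowed VLANs; None = all
    tag_native: bool = False                    # global `vlan dot1q tag native` (assumed)

    def carries(self, vlan: int) -> bool:
        if self.mode == "access":
            return vlan == self.access_vlan
        return self.allowed_vlans is None or vlan in self.allowed_vlans

    def egress_tag(self, vlan: int) -> Optional[int]:
        """802.1Q tag on frames of `vlan` leaving this port; None means untagged."""
        if self.mode == "access":
            return None
        if vlan == self.native_vlan and not self.tag_native:
            return None
        return vlan


@dataclass
class AsaPort:
    """ASA physical interface plus its dot1q subinterfaces."""
    physical_nameif: Optional[str] = None                        # nameif on GigabitEthernetX/Y
    subinterfaces: Dict[int, str] = field(default_factory=dict)  # vlan id -> subinterface nameif

    def receiver(self, tag: Optional[int]) -> Optional[str]:
        """nameif that receives a frame carrying `tag` (None = untagged), or None if dropped."""
        if tag is None:
            return self.physical_nameif       # untagged frames land on the physical interface
        return self.subinterfaces.get(tag)    # tagged frames need a matching subinterface


def delivered_to(port: SwitchPort, asa: AsaPort, vlan: int) -> Optional[str]:
    """Name of the ASA interface that sees switch VLAN `vlan` over this link, or None."""
    if not port.carries(vlan):
        return None
    return asa.receiver(port.egress_tag(vlan))


# The interface from the thread: Gi1/5 carries nameif Guestnetwork, no subinterfaces.
GUEST_ASA = AsaPort(physical_nameif="Guestnetwork")


def scenarios():
    """(VLAN 6 receiver, VLAN 1 receiver) for the port variants discussed in the thread."""
    access6 = SwitchPort(mode="access", access_vlan=6)
    trunk_native6 = SwitchPort(mode="trunk", native_vlan=6)
    trunk_native1 = SwitchPort(mode="trunk", native_vlan=1)          # IOS default native VLAN
    trunk_native99 = SwitchPort(mode="trunk", native_vlan=99)        # unused native VLAN (assumed)
    subif_asa = AsaPort(physical_nameif=None, subinterfaces={6: "Guestnetwork"})  # Gi1/5.6, vlan 6
    return {
        "access vlan 6": (delivered_to(access6, GUEST_ASA, 6), delivered_to(access6, GUEST_ASA, 1)),
        "trunk native 6": (delivered_to(trunk_native6, GUEST_ASA, 6), delivered_to(trunk_native6, GUEST_ASA, 1)),
        "trunk native 1 (default)": (delivered_to(trunk_native1, GUEST_ASA, 6), delivered_to(trunk_native1, GUEST_ASA, 1)),
        "trunk native 99 + subif vlan 6": (delivered_to(trunk_native99, subif_asa, 6), delivered_to(trunk_native99, subif_asa, 1)),
    }


if __name__ == "__main__":
    for name, (v6, v1) in scenarios().items():
        print(f"{name:32} VLAN6 -> {v6}   VLAN1 -> {v1}")
```

The "trunk native 1 (default)" row is the caveat worth keeping in mind: whatever VLAN the switch sends untagged is what the ASA's physical interface treats as `Guestnetwork`, so a trunk left at the default native VLAN would hand VLAN 1 to the guest interface and drop VLAN 6 entirely. Access mode in VLAN 6 (the thread's fix), or a tagged subinterface with an unused native VLAN, keeps the guest traffic and only the guest traffic on that interface.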
