07-22-2019 10:09 AM - edited 02-21-2020 09:19 AM
ASA 5515 ver 9.4(4)36 is not handing out DHCP leases. Only one interface is set up for DHCP:
dhcpd address 192.168.45.129-192.168.45.252 Guest
dhcpd dns 8.8.8.8 8.8.4.4 interface Guest
dhcpd lease 3000 interface Guest
dhcpd enable Guest
I have done no dhcpd enable Guest and then re-enabled it. I have tried debug dhcpd packet and debug dhcpd event, but there was no output when a user tried to connect. I set up a packet capture:
access-list dhcp permit udp any any eq 67
access-list dhcp permit udp any eq 67 any
access-list dhcp permit udp any any eq 68
access-list dhcp permit udp any eq 68 any
cap dhcp access-list dhcp interface Guest
The capture did not show any packets, but when I do:
packet-tracer input Guest udp 0.0.0.0 68 255.255.255.255 67 detailed
I get this:
packet-tracer input Guest udp 0.0.0.0 68 255.255.255.255 67 detailed
Phase: 1
Type: CAPTURE
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7fffe2d2ce30, priority=13, domain=capture, deny=false
hits=7, user_data=0x7fffe1448bd0, cs_id=0x0, l3_type=0x0
src mac=0000.0000.0000, mask=0000.0000.0000
dst mac=0000.0000.0000, mask=0000.0000.0000
input_ifc=Guest, output_ifc=any
Phase: 2
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7fffe1b8feb0, priority=1, domain=permit, deny=false
hits=9867, user_data=0x0, cs_id=0x0, l3_type=0x8
src mac=0000.0000.0000, mask=0000.0000.0000
dst mac=0000.0000.0000, mask=0100.0000.0000
input_ifc=Guest, output_ifc=any
Phase: 3
Type: PBR-LOOKUP
Subtype: policy-route
Result: ALLOW
Config:
route-map rmap-1 permit 10
match ip address pbr-acl
set ip next-hop 1.2.3.4
Additional Information:
Matched route-map rmap-1, sequence 10, permit
Found next-hop 1.2.3.5 using egress ifc guest_mediacom
Result:
input-interface: Guest
input-status: up
input-line-status: up
output-interface: guest_mediacom
output-status: up
output-line-status: up
Action: drop
Drop-reason: (sp-security-failed) Slowpath security checks failed
I have verified the dhcp daemon is running:
show processes | i dhcp
Mwe 0x000000000075bdac 0x00007fffcb8b0d78 0x0000000006b50960 19233 0x00007fffcb8a9030 30088/32768 dhcp_daemon 202
07-22-2019 08:36 PM
I assume that there is a switch between the ASA and the DHCP clients? If so, and it is a managed device, check that DHCP snooping is correctly configured.
More here, for some Cisco switches.
https://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst3750x_3560x/software/release/15-0_2_se/configuration/guide/3750x_cg/swdhcp82.html#24258