DHCP Relay AnyConnect VPN Clients

mjvenema
Level 1

Hello Everyone! I am trying to configure our AnyConnect VPN clients to relay to a Windows DHCP server. I have about 15 DMZ relays and 20 802.1x relays that work fine from the inside. However, I am having trouble getting the VPN clients to relay. I have set up a DHCP relay agent from the outside interface pointing to my Windows DHCP server.

Under VPN > Remote Access I have the AnyConnect client set up to use DHCP first, meaning our Windows DHCP servers, and then the internal address pool second. However, the clients only use the internal address pool and never receive an IP address assignment from the Windows DHCP server. I can ping and access the server remotely from the VPN clients, so there isn't anything blocking traffic. Cisco TAC is telling me to add an IP helper to my downstream device; however, that IP scheme has no presence on that switch and the firewall is doing all the routing for the VPN, so that really makes no sense to me. I also can't add an IP helper or a DHCP relay on that switch if the IP scheme doesn't exist.

 

Has anyone configured AnyConnect clients to relay their DHCP requests? Or does anyone have any tips?

14 Replies

Hi,
Do you have a route on the network for the RAVPN Pool (the subnet defined in DHCP) pointing to the ASA?

Hi! 

Yes our default route should grab all that traffic and forward to the FW. We are actually running a Firepower 2110 with FTD. 

Ok, if you run a packet capture on the DHCP server, do you see the DHCP Discover from the FTD server and then a DHCP Offer sent from the DHCP server?

Yes, we have tried that. The DHCP server never sees the request. I think that's why TAC thinks we need a DHCP relay on the downstream device. However, like I mentioned, that doesn't seem right to me.

buffkata
Level 1

Has anyone done this? Do we have a guide from Cisco on DHCP Relay for AnyConnect IP assignments from an internal DHCP server?

@buffkata try this guide

That article is for "DHCP to assign IP address to AnyConnect". In our case we want to forward the AnyConnect DHCP requests (DHCP Relay) to Infoblox so that Infoblox can control the IP assignments and even do static IPs if needed (based on the user MAC).

Not sure if this is even possible with the FTD DHCP Relay function enabled on the OUTSIDE interface for AnyConnect users?

I don't believe you would need a DHCP relay agent in this case and I think if you configure Infoblox IP as the DHCP server IP under the tunnel group as shown on the guide shared by @Rob Ingram that should be enough for the DHCP requests to be relayed to Infoblox. In addition to that, you would need to define the network scope under AnyConnect group policy to allow the Infoblox allocating an IP from the right scope.

That is true - we have configured a DHCP scope and Infoblox as a DHCP server and it works. The problem is that Infoblox does not get the client MAC, so it cannot do IP reservations. We were thinking that if we add the DHCP Relay on the outside interface, AnyConnect users will still get their IPs from Infoblox but the FTD/ASA will relay their requests so the MACs are preserved.

I see. I don't believe that would work for AnyConnect clients as by the time the DHCP DORA started, the traffic would've been already encrypted, so the outside interface wouldn't really see those requests.

From Infoblox, when you look at the IP lease, do you see the clients' MAC addresses or just the ASA interface one? If you see the client MAC addresses, maybe you can create the reservation after they have been assigned an IP for the first time, rather than creating it in advance?

No - Just the MAC of the ASA. That is why we cannot add any IP reservations in the DHCP server. 

@buffkata you aren't going to get the client MAC address over a VPN connection; the client MAC address can be obtained as an AnyConnect ACIDEX attribute... which isn't much help in this scenario.

tvotna
Spotlight

I'm not 100% sure that DHCP Proxy Client works on ASA for AnyConnect. This was initially implemented for L2TP, but you can try this out:

tunnel-group <name> general-attributes
dhcp-server subnet-selection <subnet-to-assign-IP-from--DHCP-option-118>
dhcp-server link-selection <ASA-IP--DHCP-option-82-suboption-5>

Refer to RFC 3011 and RFC 3527 and https://www.cisco.com/c/en/us/support/docs/security/anyconnect-secure-mobility-client/118084-configure-anyconnect-00.html

And this is not exactly a DHCP relay. The "dhcprelay client outside" won't do.

Also note that DHCP Proxy Client is incompatible with other DHCP features on the same ASA, i.e. DHCP relay and DHCP server:

CSCvo49141 DHCP Relay and DHCP Proxy conflict if both are configured
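To make concrete what the two tunnel-group commands above put on the wire, and why the server only ever sees the ASA's MAC, here is an added example (not code from this thread or from Cisco) that builds a constructed DHCPDISCOVER the way a proxy/relay would send it, with option 118 (subnet selection) and option 82 sub-option 5 (link selection), and then parses those fields back out as a DHCP server would. The MAC and IP addresses are constructed placeholders.

```python
import struct

MAGIC = b"\x63\x82\x53\x63"  # DHCP magic cookie that precedes the option list

def ip(s: str) -> bytes:
    return bytes(int(x) for x in s.split("."))

def fmt(b: bytes) -> str:
    return ".".join(str(x) for x in b)

def build_discover(chaddr: bytes, giaddr: str, subnet_sel: str, link_sel: str) -> bytes:
    """Constructed DHCPDISCOVER as a relay/proxy would emit it (sample, not a capture).
    chaddr is whatever hardware address the sender fills in; a VPN proxy fills in its own."""
    hdr = struct.pack("!BBBBIHH4s4s4s4s16s64s128s",
                      1, 1, 6, 0, 0x12345678, 0, 0x8000,       # BOOTREQUEST, Ethernet, hlen 6
                      b"\0" * 4, b"\0" * 4, b"\0" * 4, ip(giaddr),
                      chaddr.ljust(16, b"\0"), b"\0" * 64, b"\0" * 128)
    opts = bytes([53, 1, 1])                                   # option 53: DHCPDISCOVER
    opts += bytes([118, 4]) + ip(subnet_sel)                   # option 118: subnet selection (RFC 3011)
    sub5 = bytes([5, 4]) + ip(link_sel)                        # sub-option 5: link selection (RFC 3527)
    opts += bytes([82, len(sub5)]) + sub5                      # option 82: relay agent information
    return hdr + MAGIC + opts + b"\xff"

def parse_tlv(blob: bytes, end_marker: bool) -> dict:
    """Walk code/len/value triples; option lists end at 255 and may contain pad (0) bytes."""
    i, out = 0, {}
    while i < len(blob) and not (end_marker and blob[i] == 255):
        if end_marker and blob[i] == 0:
            i += 1
            continue
        code, ln = blob[i], blob[i + 1]
        out[code] = blob[i + 2:i + 2 + ln]
        i += 2 + ln
    return out

def scope_hints(pkt: bytes) -> dict:
    """What a DHCP server can learn about which scope to use, and whose MAC it is given."""
    assert pkt[236:240] == MAGIC, "not a DHCP packet"
    opts = parse_tlv(pkt[240:], end_marker=True)
    sub = parse_tlv(opts[82], end_marker=False) if 82 in opts else {}
    giaddr, subnet, link = pkt[24:28], opts.get(118), sub.get(5)
    # RFC 3527: link-selection sub-option wins over option 118, which wins over giaddr
    effective = link or subnet or giaddr
    return {"chaddr": pkt[28:28 + pkt[2]].hex(":"), "giaddr": fmt(giaddr),
            "subnet_selection": fmt(subnet) if subnet else None,
            "link_selection": fmt(link) if link else None,
            "effective_scope": fmt(effective)}
```

Note that the only hardware address in the packet is whatever the sender writes into chaddr, which is why a reservation keyed on the end user's MAC has nothing to match against.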
