01-20-2020 12:10 PM
Hello Everyone! I am trying to configure our AnyConnect VPN clients to relay to a Windows DHCP server. I have about 15 DMZ relays and 20 802.1x relays that work fine from the inside. However, I am having trouble getting the VPN clients to relay. I have set up a DHCP relay agent from the outside interface pointing to my Windows DHCP server.
Under VPN > Remote Access I have the AnyConnect client set up to use DHCP first, meaning our Windows DHCP servers, and then the internal address pool second. However, the clients only use the internal address pool and never receive an IP address assignment from the Windows DHCP server. I can ping and access the server remotely from the VPN clients, so there isn't anything blocking traffic. Cisco TAC is telling me to add an IP helper to my downstream device; however, that IP scheme has no presence on that switch and the firewall is doing all the routing for the VPN, so that really makes no sense to me. I also can't add an IP helper or a DHCP relay on that switch if the IP scheme doesn't exist.
Has anyone configured AnyConnect clients to relay their DHCP requests? Or does anyone have any tips?
01-20-2020 01:32 PM
01-20-2020 01:38 PM
Hi!
Yes our default route should grab all that traffic and forward to the FW. We are actually running a Firepower 2110 with FTD.
01-20-2020 01:47 PM
01-20-2020 02:56 PM
Yes, we have tried that. The DHCP server never sees the request. I think that's why TAC thinks we need a DHCP relay on the downstream device. However, like I mentioned, that doesn't seem right to me.
07-06-2023 11:25 AM
Has anyone done this? Do we have a guide from Cisco on DHCP Relay for AnyConnect IP assignments from an internal DHCP server?
07-06-2023 11:29 AM
07-06-2023 11:45 AM
That article is for "DHCP to assign IP address to AnyConnect". In our case we want to forward the AnyConnect DHCP requests (DHCP Relay) to Infoblox so that Infoblox can control the IP assignments and even do static IPs if needed (based on the user MAC).
Not sure if this is even possible with the FTD DHCP Relay function enabled on the OUTSIDE interface for AnyConnect users?
07-07-2023 08:21 AM
I don't believe you would need a DHCP relay agent in this case, and I think if you configure the Infoblox IP as the DHCP server IP under the tunnel group as shown in the guide shared by @Rob Ingram, that should be enough for the DHCP requests to be relayed to Infoblox. In addition to that, you would need to define the network scope under the AnyConnect group policy to allow Infoblox to allocate an IP from the right scope.
07-07-2023 08:25 AM
That is true - we have configured the DHCP scope and Infoblox as a DHCP server and it works. The problem is that Infoblox does not get the client MAC, so it cannot do IP reservations. We were thinking that if we add the DHCP Relay on the outside interface, AnyConnect users will still get the IPs from Infoblox but the FTD/ASA will relay their requests so the MACs are preserved.
07-07-2023 09:23 AM
I see. I don't believe that would work for AnyConnect clients as by the time the DHCP DORA started, the traffic would've been already encrypted, so the outside interface wouldn't really see those requests.
07-07-2023 09:25 AM
From Infoblox, when you look at the IP lease, do you see the clients' MAC addresses or just the ASA interface one? If you see the client MAC addresses, maybe you can create the reservation after they have been assigned an IP for the first time, rather than creating it in advance?
07-07-2023 11:01 AM
No - just the MAC of the ASA. That is why we cannot add any IP reservations in the DHCP server.
07-07-2023 11:00 AM
@buffkata you aren't going to get the client MAC address over a VPN connection, the client MAC address can be obtained as an AnyConnect ACIDEX attribute...which isn't much help in this scenario.
07-07-2023 02:12 AM
I'm not 100% sure that DHCP Proxy Client works on ASA for AnyConnect. This was initially implemented for L2TP, but you can try this out:
tunnel-group <name> general-attributes
dhcp-server subnet-selection <subnet-to-assign-IP-from--DHCP-option-118>
dhcp-server link-selection <ASA-IP--DHCP-option-82-suboption-5>
Refer to RFC 3011, RFC 3527, and https://www.cisco.com/c/en/us/support/docs/security/anyconnect-secure-mobility-client/118084-configure-anyconnect-00.html
And this is not exactly a DHCP relay. The "dhcprelay client outside" won't do.
Also note that DHCP Proxy Client is incompatible with other DHCP features on the same ASA, i.e. DHCP relay and DHCP server:
CSCvo49141 DHCP Relay and DHCP Proxy conflict if both are configured
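An added example (my own, not code from the thread or from Cisco) showing how a DHCP server picks the scope for a request the ASA's DHCP proxy sends with option 118 (subnet-selection, RFC 3011) and option 82 sub-option 5 (link-selection, RFC 3527), and why it falls back to the giaddr subnet when neither is present. The pool subnet 10.20.30.0/24, the ASA inside address 192.168.1.1 and the scope list are constructed values.

```python
# Added example (not the thread's or Cisco's code): scope selection for a
# request proxied with "dhcp-server subnet-selection" (option 118, RFC 3011)
# and "dhcp-server link-selection" (option 82 sub-option 5, RFC 3527).
import ipaddress

OPT_MSG_TYPE = 53
OPT_RELAY_AGENT = 82          # RFC 3046 relay agent information container
OPT_SUBNET_SELECTION = 118    # RFC 3011
SUBOPT_LINK_SELECTION = 5     # RFC 3527, carried inside option 82
DHCPDISCOVER = 1

def build_options(subnet_sel=None, link_sel=None) -> bytes:
    """Build the option field of a DISCOVER; addresses are dotted-quad strings."""
    out = bytes([OPT_MSG_TYPE, 1, DHCPDISCOVER])
    if subnet_sel:
        out += bytes([OPT_SUBNET_SELECTION, 4]) + ipaddress.ip_address(subnet_sel).packed
    if link_sel:
        sub = bytes([SUBOPT_LINK_SELECTION, 4]) + ipaddress.ip_address(link_sel).packed
        out += bytes([OPT_RELAY_AGENT, len(sub)]) + sub
    return out + bytes([255])          # end option

def parse_options(raw: bytes) -> dict:
    """Parse option TLVs; option 82 is expanded into a dict of its sub-options."""
    opts, i = {}, 0
    while i < len(raw) and raw[i] != 255:
        if raw[i] == 0:                      # pad byte
            i += 1
            continue
        code, length = raw[i], raw[i + 1]
        value = raw[i + 2:i + 2 + length]
        i += 2 + length
        if code == OPT_RELAY_AGENT:
            subs, j = {}, 0
            while j < len(value):
                scode, slen = value[j], value[j + 1]
                subs[scode] = value[j + 2:j + 2 + slen]
                j += 2 + slen
            value = subs
        opts[code] = value
    return opts

def select_scope(opts: dict, giaddr: str, scopes: list):
    """RFC 3527 precedence: link-selection, then option 118, then giaddr."""
    relay = opts.get(OPT_RELAY_AGENT, {})
    if SUBOPT_LINK_SELECTION in relay:
        hint = ipaddress.ip_address(relay[SUBOPT_LINK_SELECTION])
    elif OPT_SUBNET_SELECTION in opts:
        hint = ipaddress.ip_address(opts[OPT_SUBNET_SELECTION])
    else:
        hint = ipaddress.ip_address(giaddr)  # no hint: the relay's own subnet
    return next((c for c in scopes if hint in ipaddress.ip_network(c)), None)

# Constructed values: 10.20.30.0/24 is the AnyConnect pool, 192.168.1.1 the ASA inside IP.
SCOPES = ["192.168.1.0/24", "10.20.30.0/24"]
ASA_INSIDE_IP = "192.168.1.1"
```

The example models scope selection only; as noted earlier in the thread, the proxied request still carries the ASA's MAC rather than the client's, so MAC-keyed reservations do not apply.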