Solved: Here is your problem

Dennis Topo Jr · ‎09-04-2015

Hello all....

I have a simple ASA (v 7.2 (4) base license) dhcp relay that is just not working... I'm not sure I ever set up relaying on an ASA before but there's a first time for everything.

So...as my incredibly basic drawing shows, I want to DHCP relay requests the MS DHCP server @ 10.30.10.3 (no windows firewall) on the inside network, to the Guest clients sitting on the Guest network (Vlan 997) 10.30.220.0 /24 The Windows server has the appropriate scope setup on it for the clients and obviously the ASA has connectivity via the inside interface.

I'm getting these in the relay debugs: DHCPRA: dhcp_relay_agent_receiver:can't find binding) and nothing back from the DHCP server and my pertinent config is as follows: any help is appreciated ! Thanks...Dennis

interface Vlan1
nameif inside
security-level 100
ip address 10.30.10.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address 2.2.2.2 255.255.255.0
!
interface Vlan997
no forward interface Vlan1
nameif Guest-Wireless
security-level 50
ip address 10.30.220.1 255.255.255.0

interface Ethernet0/7
switchport access vlan 997

global (outside) 1 interface
nat (inside) 0 access-list nonat
nat (inside) 1 0.0.0.0 0.0.0.0
nat (Guest-Wireless) 1 0.0.0.0 0.0.0.0

dhcpd auto_config outside
!
dhcprelay server 10.30.10.3 inside
dhcprelay enable Guest-Wireless
dhcprelay setroute Guest-Wireless
dhcprelay timeout 120

ASA# DHCPD/RA: Punt 10.30.10.3/17152 --> 255.255.255.255/17152 to CP
DHCPRA: Received a BOOTREPLY from interface 1
DHCPRA: dhcp_relay_agent_receiver:can't find binding

ASA# show dhcprelay stati
DHCP UDP Unreachable Errors: 0
DHCP Other UDP Errors: 0

Packets Relayed
BOOTREQUEST 0
DHCPDISCOVER 36
DHCPREQUEST 0
DHCPDECLINE 0
DHCPRELEASE 0
DHCPINFORM 0

BOOTREPLY 0
DHCPOFFER 0
DHCPACK 15
DHCPNAK 0

Marius Gunnerud · ‎09-04-2015

Here is your problem:

interface Vlan997
no forward interface Vlan1
nameif Guest-Wireless
security-level 50
ip address 10.30.220.1 255.255.255.0

You need to upgrade to a security plus license. Other than that your config looks fine.

--

Please remember to select a correct answer and rate helpful posts

--
Please remember to select a correct answer and rate helpful posts

View solution in original post

Marius Gunnerud · ‎09-04-2015

Here is your problem:

interface Vlan997
no forward interface Vlan1
nameif Guest-Wireless
security-level 50
ip address 10.30.220.1 255.255.255.0

You need to upgrade to a security plus license. Other than that your config looks fine.

--

Please remember to select a correct answer and rate helpful posts

--
Please remember to select a correct answer and rate helpful posts

Dennis Topo Jr · ‎09-04-2015

It's what I thought too after submitting. I did take the no forward off to Vlan 1, and in it's place, I added no forward interface vlan 2...the outside....just so the inside and guest-wireless interfaces would have full connectivity - still not working though.

Thanks for your response....

Marius Gunnerud · ‎09-05-2015

Change the command on the Guest-wireless interface to no forward interface outside.

Then test with ping to the DHCP server to make sure that traffic is permitted. You would also need to allow the DHCP traffic in the ACL from the Guest-wireless to the inside toward the DHCP server.

Make sure connectivity is there for DHCP (and ICMP for testing), and then we can continue with the troubleshooting.

--

Please remember to select a correct answer and rate helpful posts

--
Please remember to select a correct answer and rate helpful posts

Dennis Topo Jr · ‎09-14-2015

Guys...I went another route- just could not get the relay to work. I would chalk it up to the restricted base license, although I'm not positive. I labbed a similar set up, although not w a base license 5505, and it's super simple. So....I ended up just serving DHCP directly from the ASA for the guest network...and that works ....

Thanks for the suggestions and input.

rodrigog · ‎09-04-2015

Is that the full output of the debug?

It seems the ASA isn't seeing the request from the clients since you don't see the next log

dhcpd_forward_request: request from 000c.291c.34b5 forwarded to x.x.x.x

It seems the ASA is getting the binding from the server but not the request from the users so he can't asociate a session so the issue may reside in the switch

Do you have IP helper on the switch?

Try getting the full debug output of the next 2 commands during the testing

debug dhcprelay packet
debug dhcprelay event

Dennis Topo Jr · ‎09-04-2015

That is the full output of debug dhcprelay packet. That's as far as it gets. I don't have access now to the switch or ASA, but I believe there was no ip helper on it. Just all layer 2 in fact.

I will debug events also come Monday. It's frustrating because it's so simple it should just work !

ASA# DHCPD/RA: Punt 10.30.10.3/17152 --> 255.255.255.255/17152 to CP
DHCPRA: Received a BOOTREPLY from interface 1
DHCPRA: dhcp_relay_agent_receiver:can't find binding

DHCP relay on ASA 5505 to Windows DHCP Server not working