Beginner

DHCP server won't enable - ASA 5505

I get the following message when applying "DHCPD ENABLE INSIDE":

DHCP: Interface 'INSIDE' is currently configured as CLIENT and cannot be changed to a SERVER by a SERVER feature

This is an ASA 5505 Running 8.2.

Cisco Employee

DHCP server won't enable - ASA 5505

Did you have that VLAN interface which is assigned to the INSIDE interface configured as DHCP?

Pls share the output of:

sh run interface

If you have configured it as DHCP, change the IP Address to be a static IP Address on that VLAN, as it can't act as DHCP server and client at the same time.

Beginner

DHCP server won't enable - ASA 5505

It is set to static - IPs removed

interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
shutdown
!
interface Ethernet0/3
shutdown
!
interface Ethernet0/4
shutdown
!
interface Ethernet0/5
shutdown
!
interface Ethernet0/6
shutdown
!
interface Ethernet0/7
shutdown
!
interface Vlan1
description This is the inside
nameif INSIDE
security-level 100
ip address 192.168.1.254 255.255.255.0
!
interface Vlan2
nameif OUTSIDE
security-level 0
ip address XXX.XXX.XXX.XXX 255.255.255.0

Beginner

DHCP server won't enable - ASA 5505

I also just rebooted it about 30 minutes ago to make sure it wasn't a quirk

Beginner

DHCP server won't enable - ASA 5505

XXXXXXXXX-ASA# show dhcpd state

Context  Not Configured for DHCP

Interface INSIDE, Configured for DHCP CLIENT

Interface OUTSIDE, Not Configured for DHCP

Cisco Employee

DHCP server won't enable - ASA 5505

Can you pls share the whole configuration? Maybe there are other commands that overlap.

Did you configure it via ASDM or CLI?

Beginner

DHCP server won't enable - ASA 5505

I removed IP address, hostnames and my CA KEY..

If you can also tell me why I can't ssh in from a remote location that would be awesome, but the DHCP issue is the most important.

ASA Version 8.2(5)
!
hostname HOST-HOST-ASA
domain-name HOSTexp.com
enable password XXXXXXXXX encrypted
passwd XXXXXXXXXX encrypted
no names
name 192.168.1.25 HOST01-INSIDE
name XXX.XXX.XXX.235 HOST01-OUTSIDE
name 192.168.1.19 HOST-PBX-INSIDE
name XXX.XXX.XXX.236 CTSPBX
name XXX.XXX.XXX.234 UNUSED1
name XXX.XXX.XXX.237 TruckMate-Outside
name 192.168.1.17 TruckMate-Inside
name 192.168.1.16 HOST02-INSIDE
name XXX.XXX.XXX.238 HOST02-Outside
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
shutdown
!
interface Ethernet0/3
shutdown
!
interface Ethernet0/4
shutdown
!
interface Ethernet0/5
shutdown
!
interface Ethernet0/6
shutdown
!
interface Ethernet0/7
shutdown
!
interface Vlan1
description This is the inside
nameif INSIDE
security-level 100
ip address 192.168.1.254 255.255.255.0
!
interface Vlan2
nameif OUTSIDE
security-level 0
ip address XXX.XXX.XXX.234 255.255.255.0
!

ftp mode passive
clock timezone est -5
clock summer-time edt recurring
dns server-group DefaultDNS
domain-name HOSTexp.com
access-list outside_access_in extended permit tcp any host XXX.XXX.XXX.235 eq 3389
access-list outside_access_in extended permit tcp any host XXX.XXX.XXX.235 eq 4125
access-list outside_access_in extended permit tcp any host XXX.XXX.XXX.235 eq smtp
access-list outside_access_in extended permit tcp any host XXX.XXX.XXX.235 eq www
access-list outside_access_in extended permit tcp any host XXX.XXX.XXX.235 eq ftp
access-list outside_access_in extended permit tcp any host XXX.XXX.XXX.235 eq https
access-list outside_access_in remark CTS PBX
access-list outside_access_in extended permit tcp any host XXX.XXX.XXX.236 eq www
access-list outside_access_in extended permit tcp any host XXX.XXX.XXX.236 eq https
access-list outside_access_in extended permit tcp any host XXX.XXX.XXX.237 eq 3389
access-list outside_access_in extended permit tcp any host XXX.XXX.XXX.238 eq 3389
access-list outside_access_in extended permit tcp any host XXX.XXX.XXX.238 eq www
access-list outside_access_in extended permit tcp any host XXX.XXX.XXX.238 eq 7998
access-list outside_access_in extended permit tcp any host XXX.XXX.XXX.235 eq 987
access-list tmp extended deny tcp any any eq smtp
access-list tmp extended permit ip any any
pager lines 24
logging enable
logging timestamp
logging trap informational
logging facility 23
logging device-id hostname
logging host INSIDE 192.168.1.25
mtu INSIDE 1500
mtu OUTSIDE 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (OUTSIDE) 10 interface
nat (INSIDE) 10 0.0.0.0 0.0.0.0
static (INSIDE,OUTSIDE) tcp XXX.XXX.XXX.238 www 192.168.1.29 7998 netmask 255.255.255.255
static (OUTSIDE,INSIDE) tcp XXX.XXX.XXX.238 www 192.168.1.29 7998 netmask 255.255.255.255
static (INSIDE,OUTSIDE) tcp XXX.XXX.XXX.238 3389 192.168.1.17 3389 netmask 255.255.255.255
static (INSIDE,OUTSIDE) XXX.XXX.XXX.235 192.168.1.25 netmask 255.255.255.255
static (INSIDE,OUTSIDE) XXX.XXX.XXX.236 192.168.1.19 netmask 255.255.255.255
access-group outside_access_in in interface OUTSIDE
route OUTSIDE 0.0.0.0 0.0.0.0 XXX.XXX.XXX.XXX 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication serial console LOCAL
aaa authentication telnet console LOCAL
aaa authentication ssh console LOCAL
aaa authentication enable console LOCAL
aaa authentication http console LOCAL
http server enable
http 192.168.1.0 255.255.255.0 INSIDE
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto ca trustpoint _SmartCallHome_ServerCA
crl configure
crypto ca certificate chain _SmartCallHome_ServerCA
certificate ca 6ecc7aa5a7032009b8cebcf4e952d491
 
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 INSIDE
ssh 0.0.0.0 0.0.0.0 OUTSIDE
ssh timeout 20
console timeout 0
dhcpd address 192.168.1.151-192.168.1.225 INSIDE
dhcpd dns 192.168.1.25 8.8.8.8 interface INSIDE
dhcpd wins 192.168.1.25 interface INSIDE
dhcpd lease 84600 interface INSIDE
dhcpd domain HOST.local interface INSIDE
!

threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp server 192.5.41.209 source OUTSIDE
webvpn
username HOST password OwKVLn6sUhSw5cBD encrypted privilege 15
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
class inspection_default
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect ip-options
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
  inspect dns preset_dns_map
!
service-policy global_policy global
prompt hostname context
call-home reporting anonymous
call-home
profile CiscoTAC-1
  no active
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email callhome@cisco.com
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily

Cisco Employee

DHCP server won't enable - ASA 5505

Weird.. config looks good.

For SSH:

- can you check that the clock on the ASA is correct?

- Are you able to SSH when you are on the inside?

For DHCP:

- can you pls remove all the DHCP commands and reconfigure it:

clear configure dhcpd

dhcpd enable INSIDE

dhcpd address 192.168.1.151-192.168.1.225 INSIDE

dhcpd dns 192.168.1.25 8.8.8.8 interface INSIDE

dhcpd wins 192.168.1.25 interface INSIDE

dhcpd lease 84600 interface INSIDE

dhcpd domain HOST.local interface INSIDE


DHCP server won't enable - ASA 5505

Hello Karl,

I do not see why the ASA is telling you the inside interface is configured as a DHCP client if there is no configuration related to that on the ASA. Maybe Jennifer could point us to a known issue that I am not seeing.

I know it sounds weird because the configuration does not present it, but can you run the following commands on the inside interface:

interface Vlan1

no ip address dhcp

ip address 192.168.1.254 255.255.255.0

Afterwards try to enable it and let us know the result,

Regards,

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
Beginner

DHCP server won't enable - ASA 5505

Jcarvaja,

That was going to be my next course of action. It is a remote ASA though and I can't gain access to the device via SSH from the outside. I have to figure out a way around that first.

Jennifer,

SSH works inside, the clock is correct as well. I have also tried to enable telnet from the outside and it doesn't work either.. I know, weird. I think something might be wrong with the IOS on this device.

I removed the DHCPD config and readded it... still the same error message.


Re: DHCP server won't enable - ASA 5505

Hello,

OK, so let's first resolve the SSH issue and then you can do what I suggested!

So SSH is currently running on the inside of your network.

It might be that the SSH process got stuck. Let's go first with the easy one:

clear configure ssh
ssh 0 0 inside
ssh 0 0 outside
cap capout interface outside match tcp any host interface_outside_ip eq 22
cap asp type asp-drop all circular-buffer

Then try it, and if it does not work share the following:

show cap capout
show cap asp | include your_client_public_ip

Regards,

Sent from Cisco Technical Support iPhone App

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
Beginner

Re: DHCP server won't enable - ASA 5505

I was able to get SSH working by regenerating the key.

I logged in and issued no ip address dhcp, then reapplied the IP address to the interface. Same error when I try to start DHCP..


Re: DHCP server won't enable - ASA 5505

Hello Karl,

Wow, pretty unusual behavior,

Let me know something, is there a way you could reboot the ASA?

Regards,

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
Beginner

DHCP server won't enable - ASA 5505

Did this ever get resolved, as we have several ASA 5505's with exactly the same problem?

We've tried upgrading the firmware from 8.2.5 to 8.4.5 but still have the same issue.

Erasing the config (write erase) and rebooting the ASA so it's completely blank allows us to add the dhcpd enable Inside.

So there must be something in the configuration unrelated to dhcpd that causes the error...

DHCP: Interface 'INSIDE' is currently configured as CLIENT and cannot be changed to a SERVER by a SERVER feature

Beginner

Re: DHCP server won't enable - ASA 5505

When the call-home functionality is enabled, even with anonymous, then the error 'DHCP: Interface 'inside' is currently configured as CLIENT and cannot be changed to a SERVER by a SERVER feature' is displayed when setting the 'dhcpd enable inside' command.

Clear the call-home configuration and you are good to go.

Troubleshooting steps:

* Save your configuration somewhere safe

1) Write erase

2) reboot

3) Open console session and don't use the interactive prompts to configure

Pre-configure Firewall now through interactive prompts [yes]? n

4) Go to enable mode and configuration mode; select 'n' when asked for error reporting

ciscoasa> en
Password:
ciscoasa# conf t
ciscoasa(config)#

***************************** NOTICE *****************************

Help to improve the ASA platform by enabling anonymous reporting,
which allows Cisco to securely receive minimal error and health
information from the device. To learn more about this feature,
please visit: http://www.cisco.com/go/smartcall

Would you like to enable anonymous error reporting to help improve
the product? [Y]es, [N]o, [A]sk later: n

5) Configure the interface where dhcpd needs to be configured; in this example 'E0/1' inside

ciscoasa(config)# int e0/1
ciscoasa(config-if)# nameif inside
INFO: Security level for "inside" set to 100 by default.
ciscoasa(config-if)# ip add 192.168.1.254 255.255.255.0
ciscoasa(config)# dhcpd address 192.168.1.100-192.168.1.149 inside
ciscoasa(config)# dhcpd dns 212.54.35.25 212.54.40.25 interface inside
ciscoasa(config)# dhcpd lease 86400 interface inside
ciscoasa(config)# dhcpd domain cande.local interface inside
ciscoasa(config)# dhcpd enable inside
ciscoasa(config)# int e0/1
ciscoasa(config-if)# no sh
ciscoasa(config-if)# end
ciscoasa# show ip
System IP Addresses:
Interface                Name                   IP address      Subnet mask       Method
Ethernet0/1              inside                 192.168.1.254   255.255.255.0   manual
Current IP Addresses:
Interface                Name                   IP address      Subnet mask      Method
Ethernet0/1              inside                 192.168.1.254   255.255.255.0   manual
ciscoasa# conf t

6) try to enable error-reporting:

ciscoasa# call-home reporting anonymous
Creating trustpoint "_SmartCallHome_ServerCA" and installing certificate...

Trustpoint '_SmartCallHome_ServerCA' is a subordinate CA and holds a non self-signed certificate.

Trustpoint CA certificate accepted.
cefw-nldh-001(config)# call-home
cefw-nldh-001(cfg-call-home)# DHCP Client: can't enable DHCP Client when DHCP Server/Relay is running on the interface.
DHCP: Interface 'inside' is currently configured as SERVER and cannot be changed to a CLIENT by a CLIENT feature

Conclusion: Call-home functionality with dhcpd doesn't work !!

(Cisco Adaptive Security Appliance Software Version 9.1(2))
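
Added example, not code from any poster in this thread: a small offline check for a saved running-config that reports each interface with a `dhcpd address` pool but no `dhcpd enable`, and notes whether `call-home reporting anonymous` is present, the condition the last reply reports. The function name `audit_dhcpd` and the sample config are constructed for illustration; the link between call-home and the error is the poster's observation, not something the script verifies.

```python
import re

# Constructed sample, trimmed to the shape of the running-config posted above.
SAMPLE_CONFIG = """\
interface Vlan1
nameif INSIDE
ip address 192.168.1.254 255.255.255.0
!
interface Vlan2
nameif OUTSIDE
ip address dhcp setroute
!
dhcpd address 192.168.1.151-192.168.1.225 INSIDE
call-home reporting anonymous
"""

def audit_dhcpd(config):
    """Return one finding per interface that has a dhcpd pool (hypothetical helper)."""
    pools, enabled, clients = {}, set(), set()
    reporting, nameif = False, None
    for low in (l.strip().lower() for l in config.splitlines()):
        if low.startswith("interface ") or low == "!":
            nameif = None                      # left the previous interface block
        elif m := re.fullmatch(r"nameif\s+(\S+)", low):
            nameif = m.group(1)
        elif low.startswith("ip address dhcp") and nameif:
            clients.add(nameif)                # interface really is a DHCP client
        elif m := re.fullmatch(r"dhcpd address\s+\S+\s+(\S+)", low):
            pools.setdefault(m.group(1), True) # dict keeps first-seen order
        elif m := re.fullmatch(r"dhcpd enable\s+(\S+)", low):
            enabled.add(m.group(1))
        elif low == "call-home reporting anonymous":
            reporting = True
    findings = []
    for name in pools:
        if name in enabled:
            status = "server enabled"
        elif name in clients:
            status = "pool defined, but interface uses 'ip address dhcp'"
        elif reporting:
            status = "pool defined, not enabled; call-home reporting is on"
        else:
            status = "pool defined, not enabled"
        findings.append({"interface": name, "status": status})
    return findings

if __name__ == "__main__":
    for f in audit_dhcpd(SAMPLE_CONFIG):
        print(f["interface"], "->", f["status"])
```

Interface names are compared in lower case, so `INSIDE` in the config is reported as `inside`.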