11-02-2012 08:02 PM - edited 03-11-2019 05:18 PM
I get the following message when applying "DHCPD ENABLE INSIDE"
DHCP: Interface 'INSIDE' is currently configured as CLIENT and cannot be changed to a SERVER by a SERVER feature
This is an ASA 5505 Running 8.2.
11-02-2012 08:11 PM
Did you have that VLAN interface which is assigned to the INSIDE interface configured as DHCP?
Pls share the output of:
sh run interface
If you have configured it as DHCP, change the IP Address to be a static IP Address on that VLAN, as it can't act as DHCP server and client at the same time.
11-02-2012 08:27 PM
it is set to static - IP's removed
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
shutdown
!
interface Ethernet0/3
shutdown
!
interface Ethernet0/4
shutdown
!
interface Ethernet0/5
shutdown
!
interface Ethernet0/6
shutdown
!
interface Ethernet0/7
shutdown
!
interface Vlan1
description This is the inside
nameif INSIDE
security-level 100
ip address 192.168.1.254 255.255.255.0
!
interface Vlan2
nameif OUTSIDE
security-level 0
ip address XXX.XXX.XXX.XXX 255.255.255.0
11-02-2012 08:28 PM
I also just rebooted it about 30 minutes ago to make sure it wasn't a quirk
11-02-2012 08:34 PM
XXXXXXXXX-ASA# show dhcpd state
Context Not Configured for DHCP
Interface INSIDE, Configured for DHCP CLIENT
Interface OUTSIDE, Not Configured for DHCP
11-02-2012 08:42 PM
Can you pls share the whole configuration? Maybe there are other commands that overlap.
Did you configure it via ASDM or CLI?
11-02-2012 09:03 PM
I removed IP address, hostnames and my CA KEY..
If you can also tell me why I can't SSH in from a remote location that would be awesome, but the DHCP issue is the most important.
ASA Version 8.2(5)
!
hostname HOST-HOST-ASA
domain-name HOSTexp.com
enable password XXXXXXXXX encrypted
passwd XXXXXXXXXX encrypted
no names
name 192.168.1.25 HOST01-INSIDE
name XXX.XXX.XXX.235 HOST01-OUTSIDE
name 192.168.1.19 HOST-PBX-INSIDE
name XXX.XXX.XXX.236 CTSPBX
name XXX.XXX.XXX.234 UNUSED1
name XXX.XXX.XXX.237 TruckMate-Outside
name 192.168.1.17 TruckMate-Inside
name 192.168.1.16 HOST02-INSIDE
name XXX.XXX.XXX.238 HOST02-Outside
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
shutdown
!
interface Ethernet0/3
shutdown
!
interface Ethernet0/4
shutdown
!
interface Ethernet0/5
shutdown
!
interface Ethernet0/6
shutdown
!
interface Ethernet0/7
shutdown
!
interface Vlan1
description This is the inside
nameif INSIDE
security-level 100
ip address 192.168.1.254 255.255.255.0
!
interface Vlan2
nameif OUTSIDE
security-level 0
ip address XXX.XXX.XXX.234 255.255.255.0
!
ftp mode passive
clock timezone est -5
clock summer-time edt recurring
dns server-group DefaultDNS
domain-name HOSTexp.com
access-list outside_access_in extended permit tcp any host XXX.XXX.XXX.235 eq 3389
access-list outside_access_in extended permit tcp any host XXX.XXX.XXX.235 eq 4125
access-list outside_access_in extended permit tcp any host XXX.XXX.XXX.235 eq smtp
access-list outside_access_in extended permit tcp any host XXX.XXX.XXX.235 eq www
access-list outside_access_in extended permit tcp any host XXX.XXX.XXX.235 eq ftp
access-list outside_access_in extended permit tcp any host XXX.XXX.XXX.235 eq https
access-list outside_access_in remark CTS PBX
access-list outside_access_in extended permit tcp any host XXX.XXX.XXX.236 eq www
access-list outside_access_in extended permit tcp any host XXX.XXX.XXX.236 eq https
access-list outside_access_in extended permit tcp any host XXX.XXX.XXX.237 eq 3389
access-list outside_access_in extended permit tcp any host XXX.XXX.XXX.238 eq 3389
access-list outside_access_in extended permit tcp any host XXX.XXX.XXX.238 eq www
access-list outside_access_in extended permit tcp any host XXX.XXX.XXX.238 eq 7998
access-list outside_access_in extended permit tcp any host XXX.XXX.XXX.235 eq 987
access-list tmp extended deny tcp any any eq smtp
access-list tmp extended permit ip any any
pager lines 24
logging enable
logging timestamp
logging trap informational
logging facility 23
logging device-id hostname
logging host INSIDE 192.168.1.25
mtu INSIDE 1500
mtu OUTSIDE 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (OUTSIDE) 10 interface
nat (INSIDE) 10 0.0.0.0 0.0.0.0
static (INSIDE,OUTSIDE) tcp XXX.XXX.XXX.238 www 192.168.1.29 7998 netmask 255.255.255.255
static (OUTSIDE,INSIDE) tcp XXX.XXX.XXX.238 www 192.168.1.29 7998 netmask 255.255.255.255
static (INSIDE,OUTSIDE) tcp XXX.XXX.XXX.238 3389 192.168.1.17 3389 netmask 255.255.255.255
static (INSIDE,OUTSIDE) XXX.XXX.XXX.235 192.168.1.25 netmask 255.255.255.255
static (INSIDE,OUTSIDE) XXX.XXX.XXX.236 192.168.1.19 netmask 255.255.255.255
access-group outside_access_in in interface OUTSIDE
route OUTSIDE 0.0.0.0 0.0.0.0 XXX.XXX.XXX.XXX 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication serial console LOCAL
aaa authentication telnet console LOCAL
aaa authentication ssh console LOCAL
aaa authentication enable console LOCAL
aaa authentication http console LOCAL
http server enable
http 192.168.1.0 255.255.255.0 INSIDE
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto ca trustpoint _SmartCallHome_ServerCA
crl configure
crypto ca certificate chain _SmartCallHome_ServerCA
certificate ca 6ecc7aa5a7032009b8cebcf4e952d491
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 INSIDE
ssh 0.0.0.0 0.0.0.0 OUTSIDE
ssh timeout 20
console timeout 0
dhcpd address 192.168.1.151-192.168.1.225 INSIDE
dhcpd dns 192.168.1.25 8.8.8.8 interface INSIDE
dhcpd wins 192.168.1.25 interface INSIDE
dhcpd lease 84600 interface INSIDE
dhcpd domain HOST.local interface INSIDE
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp server 192.5.41.209 source OUTSIDE
webvpn
username HOST password OwKVLn6sUhSw5cBD encrypted privilege 15
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect ftp
inspect h323 h225
inspect h323 ras
inspect ip-options
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
inspect dns preset_dns_map
!
service-policy global_policy global
prompt hostname context
call-home reporting anonymous
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email callhome@cisco.com
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
11-02-2012 09:10 PM
Weird.. config looks good.
For SSH:
- can you check that the clock on the ASA is correct?
- Are you able to SSH when you are on the inside?
For DHCP:
- can you pls remove all the DHCP commands and reconfigure it:
clear configure dhcpd
dhcpd enable INSIDE
dhcpd address 192.168.1.151-192.168.1.225 INSIDE
dhcpd dns 192.168.1.25 8.8.8.8 interface INSIDE
dhcpd wins 192.168.1.25 interface INSIDE
dhcpd lease 84600 interface INSIDE
dhcpd domain HOST.local interface INSIDE
11-02-2012 09:17 PM
Hello Karl,
I do not see why the ASA is telling you the inside interface is configured as a DHCP client if there is no configuration related to that on the ASA. Maybe Jennifer could point us to a known issue that I am not seeing.
I know it sounds weird because the configuration does not present it, but can you run the following commands on the inside interface:
interface Vlan1
no ip address dhcp
ip address 192.168.1.254 255.255.255.0
Afterwards, try to enable it and let us know the result.
Regards,
11-03-2012 04:45 PM
Jcarvaja,
That was going to be my next course of action. It is a remote ASA though and I can't gain access to the device via SSH from the outside. I have to figure out a way around that first.
Jennifer,
SSH works inside, the clock is correct as well. I have also tried to enable telnet from the outside and it doesn't work either. I know, weird; I think something might be wrong with the IOS on this device.
I removed the DHCPD config and re-added it... still the same error message.
11-03-2012 06:32 PM
Hello,
OK, so let's first resolve the SSH issue and then you can do what I suggested!
So SSH is currently running on the inside of your network.
It might be that the SSH process got stuck. Let's go first with the easy one:
clear configure ssh
ssh 0 0 inside
ssh 0 0 outside
cap capout interface outside match tcp any host interface_outside_ip eq 22
cap asp type asp-drop all circular-buffer
Then try it, and if it does not work, share the following:
show cap capout
show cap asp | include your_client_public_ip
Regards,
11-05-2012 05:13 AM
I was able to get SSH working by regenerating the key.
I logged in and issued no ip address dhcp, then reapplied the IP address to the interface. Same error when I try to start DHCP..
11-05-2012 09:28 AM
Hello Karl,
Wow, pretty unusual behavior.
Let me know something: is there a way you could reboot the ASA?
Regards,
Julio
01-29-2013 08:43 AM
Did this ever get resolved as we have several ASA 5505's with exactly the same problem.
We've tried upgrading the firmware from 8.2.5 to 8.4.5 but still have the same issue.
Erasing the config (write erase) and rebooting the ASA so it's completely blank allows us to add the dhcpd enable Inside
So there must be something in the configuration unrelated to dhcpd that causes the error...
DHCP: Interface 'INSIDE' is currently configured as CLIENT and cannot be changed to a SERVER by a SERVER feature
06-23-2013 03:14 PM
When the call-home functionality is enabled, even with anonymous, then the error 'DHCP: Interface 'inside' is currently configured as CLIENT and cannot be changed to a SERVER by a SERVER feature' is displayed when setting the 'dhcpd enable inside' command.
Clear the call-home configuration and you are good to go.
Troubleshooting steps:
* Save your configuration somewhere safe
1) Write erase
2) reboot
3) Open console session and don't use the interactive prompts to configure
Pre-configure Firewall now through interactive prompts [yes]? n
4) Go to enable mode and configuration mode; select 'n' when asked for error reporting
ciscoasa> en
Password:
ciscoasa# conf t
ciscoasa(config)#
***************************** NOTICE *****************************
Help to improve the ASA platform by enabling anonymous reporting,
which allows Cisco to securely receive minimal error and health
information from the device. To learn more about this feature,
please visit: http://www.cisco.com/go/smartcall
Would you like to enable anonymous error reporting to help improve
the product? [Y]es, [N]o, [A]sk later: n
5) Configure the interface where dhcpd needs to be configured; in this example 'E0/1' inside
ciscoasa(config)# int e0/1
ciscoasa(config-if)# nameif inside
INFO: Security level for "inside" set to 100 by default.
ciscoasa(config-if)# ip add 192.168.1.254 255.255.255.0
ciscoasa(config)# dhcpd address 192.168.1.100-192.168.1.149 inside
ciscoasa(config)# dhcpd dns 212.54.35.25 212.54.40.25 interface inside
ciscoasa(config)# dhcpd lease 86400 interface inside
ciscoasa(config)# dhcpd domain cande.local interface inside
ciscoasa(config)# dhcpd enable inside
ciscoasa(config)# int e0/1
ciscoasa(config-if)# no sh
ciscoasa(config-if)# end
ciscoasa# show ip
System IP Addresses:
Interface Name IP address Subnet mask Method
Ethernet0/1 inside 192.168.1.254 255.255.255.0 manual
Current IP Addresses:
Interface Name IP address Subnet mask Method
Ethernet0/1 inside 192.168.1.254 255.255.255.0 manual
ciscoasa# conf t
6) try to enable error-reporting:
ciscoasa# call-home reporting anonymous
Creating trustpoint "_SmartCallHome_ServerCA" and installing certificate...
Trustpoint '_SmartCallHome_ServerCA' is a subordinate CA and holds a non self-signed certificate.
Trustpoint CA certificate accepted.
cefw-nldh-001(config)# call-home
cefw-nldh-001(cfg-call-home)# DHCP Client: can't enable DHCP Client when DHCP Server/Relay is running on the interface.
DHCP: Interface 'inside' is currently configured as SERVER and cannot be changed to a CLIENT by a CLIENT feature
Conclusion: Call-home functionality with dhcpd doesn't work !!
(Cisco Adaptive Security Appliance Software Version 9.1(2))
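Added example, not part of any post in this thread: a small Python check that reads a saved running-config and, for each interface with a dhcpd pool but no 'dhcpd enable' line, separates the two causes discussed above (the interface really is a DHCP client, or call-home is configured). The function name, the finding labels and the sample config are assumptions made for illustration.

```python
# Constructed sample, modelled on the running-config posted in this thread.
SAMPLE_CONFIG = """\
interface Vlan1
 nameif INSIDE
 security-level 100
 ip address 192.168.1.254 255.255.255.0
!
dhcpd address 192.168.1.151-192.168.1.225 INSIDE
dhcpd dns 192.168.1.25 8.8.8.8 interface INSIDE
call-home reporting anonymous
call-home
 profile CiscoTAC-1
  no active
"""

# Finding labels (hypothetical names, not ASA output).
CLIENT = "interface has 'ip address dhcp' (DHCP client)"
CALL_HOME = "call-home present (cause reported in this thread)"
NOT_ENABLED = "pool defined but no 'dhcpd enable'"


def audit_dhcpd(config):
    """Map each nameif that has a dhcpd pool but no 'dhcpd enable' to a likely cause."""
    clients, pools, enabled = set(), set(), set()
    call_home, nameif = False, None
    for raw in config.splitlines():
        w = raw.lower().split()
        if not w:
            continue
        if w[0] == "interface":
            nameif = None                      # a new interface block starts
        elif w[0] == "nameif" and len(w) > 1:
            nameif = w[1]
        elif w[:3] == ["ip", "address", "dhcp"] and nameif:
            clients.add(nameif)                # interface obtains its address via DHCP
        elif w[:2] == ["dhcpd", "address"] and len(w) > 3:
            pools.add(w[3])                    # dhcpd address <range> <nameif>
        elif w[:2] == ["dhcpd", "enable"] and len(w) > 2:
            enabled.add(w[2])
        elif w[0] == "call-home":
            call_home = True
    findings = {}
    for name in sorted(pools - enabled):
        if name in clients:
            findings[name] = CLIENT
        elif call_home:
            findings[name] = CALL_HOME
        else:
            findings[name] = NOT_ENABLED
    return findings


if __name__ == "__main__":
    print(audit_dhcpd(SAMPLE_CONFIG))
```

Interface names are compared in lower case, so the result for the sample is keyed by `inside`.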