Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1639
Views
0
Helpful
3
Replies

DHCPRELAY Issue - Cisco ASA 9.6

Yazeed Fataar
Level 1
Level 1

‎08-22-2017 01:57 AM

Hi

I am currently facing issues with the DHCPRELAY Agent on the Cisco ASA (5555-X ,ASA 9.6) . We have the following deployment.

Cisco AP -> Cat 3K -> Cat 6K -> ASA -> Windows DHCP Server

The APs are not able to get DHCP and from the ASA I can only see DHCP BOOTREQUEST when I issue debug dhcprelay packet. Below is the debug output which I hope someone can guide me to my issue. Thank you in advance.

DHCP Server IP- 10.15.4.48

BR-FW01/pri/act# debug dhcprelay packet

debug dhcprelay packet enabled at level 1

BR-FW01/pri/act# debug dhcprelay event

debug dhcprelay event enabled at level 1

BR-FW01/pri/act#

BR-FW01/pri/act#

BR-FW01/pri/act#

BR-FW01/pri/act# DHCPD/RA:  Relay msg received, fip=ANY, fport=0 on wlan interface

DHCP: Received a BOOTREQUEST from interface 6 (size = 304)

DHCPRA: relay binding found for client xxxx.xxxx.d864. (AP MAC ADDRESS)

DHCPRA: setting giaddr to 10.15.8.1.

dhcpd_forward_request: request from xxxx.xxxx.d864 forwarded to 10.15.4.48.

DHCPD: freeing relay binding 0x00007f3f2fcc0c70 (10.15.8.1).

DHCPRA: Setting DHCP relay binding expiration (10.15.8.1).

DHCPD/RA: Binding successfully deactivated

DHCPRA: returned relay binding 10.15.8.1/xxxx.xxxx.d864 to address pool.

DHCPD/RA: free ddns info and binding

DHCPD/RA:  Relay msg received, fip=ANY, fport=0 on wlan interface

DHCP: Received a BOOTREQUEST from interface 6 (size = 304)

DHCPD/RA: Binding successfully added to hash table

DHCPRA: relay binding created for client xxxx.xxxx.d864.

DHCPRA: setting giaddr to 10.15.8.1.

dhcpd_forward_request: request from xxxx.xxxx.d864 forwarded to 10.15.4.48.

DHCPRA Monitor: Attempt to auto reset DHCP relay on wlan

DHCPRA Monitor: Force auto reset DHCP relay on wlan

Removing divert entry for ingress 'wlan' to egress 'wlan': addr 255.255.255.255 port 67

Removing divert addr 255.255.255.255, port 67

Removing divert entry for ingress 'server' to egress 'wlan': addr 10.15.8.1 port 67

Removing divert addr 10.15.8.1, port 67

Removing server 10.15.4.48 rules from client ifc 'wlan'

Removing server 10.15.4.48 and ifc wlan rules from server ifc 'server'

Inserting divert entry for ingress 'wlan' to egress 'wlan': dest addr 255.255.255.255, src addr 0.0.0.0, port 67

DHCPRA: Inserting nat divert for 0.0.0.0 on 'wlan'

Inserting divert entry for ingress 'server' to egress 'wlan': dest addr 10.15.8.1, src addr 10.15.4.48, port 67

DHCPRA: Inserting nat divert for 10.15.4.48 on 'server'

DHCPRA: Inserting Relay rule on ifc 'wlan' src:10.15.8.0/255.255.252.0/17/68 dst:10.15.4.48/255.255.255.255/17/67

DHCPRA: Inserting Relay rules on ifc 'server' src:10.15.4.48/255.255.255.255/17/67 dst:0.0.0.0/0.0.0.0/0/0-0

BR-FW01/pri/act# show nameif

Interface                Name                     Security

Management0/0            mgmt                      99

GigabitEthernet1/2       internet                   0

GigabitEthernet1/3       wan                       10

Port-channel1            server                    90

Port-channel2.8          wlan                      90

BR-FW01/pri/act#show run same

same-security-traffic permit inter-interface

BR-FW01/pri/act# show ip

System IP Addresses:

Interface                Name                   IP address      Subnet mask     Method

GigabitEthernet0/7       FAILOVER               192.168.254.1   255.255.255.0   unset

Management0/0            mgmt                   10.15.0.101     255.255.255.0   CONFIG

GigabitEthernet1/2       internet               10.13.0.9       255.255.255.248 manual

GigabitEthernet1/3       wan                    10.13.0.1       255.255.255.248 manual

Port-channel1            server                 10.15.4.1       255.255.252.0   CONFIG

Port-channel2.8          wlan                   10.15.8.1       255.255.252.0   manual

BR-FW01/pri/act#(config)# show run int po2.8

!

interface Port-channel2.8

vlan 8

nameif wlan

security-level 90

ip address 10.15.8.1 255.255.252.0 standby 10.15.8.2

!

BR-FW01/pri/act#(config)# show run int po1

!

interface Port-channel1

lacp max-bundle 8

nameif server

security-level 90

ip address 10.15.4.1 255.255.252.0 standby 10.15.4.2

!

BR-FW01/pri/act# show run dhcprelay

dhcprelay server 10.15.4.48 server

dhcprelay enable wlan

dhcprelay timeout 60

dhcprelay information trust-all

!

Regards

Yazeed

Labels:
0 Helpful
3 Replies 3

Yazeed Fataar
Level 1
Level 1

‎08-22-2017 02:24 AM

More Debug output, think issue is related to these drops...

BR-FW01/pri/act# capture asp type asp drop-all

BR-FW01/pri/act# show cap asp

117 packets captured

   1: 05:22:07.983652       802.3 encap packet Drop-reason: (l2_acl) FP L2 rule drop

   2: 05:22:07.984003       802.1Q vlan#8 P7 802.3 encap packet Drop-reason: (l2_acl) FP L2 rule drop

   3: 05:22:07.986216       802.1Q vlan#100 P7 802.3 encap packet Drop-reason: (l2_acl) FP L2 rule drop

   4: 05:22:07.986368       802.1Q vlan#104 P7 802.3 encap packet Drop-reason: (l2_acl) FP L2 rule drop

   5: 05:22:07.986551       802.1Q vlan#108 P7 802.3 encap packet Drop-reason: (l2_acl) FP L2 rule drop

   6: 05:22:07.986948       802.3 encap packet Drop-reason: (l2_acl) FP L2 rule drop

   7: 05:22:07.987558       802.3 encap packet Drop-reason: (l2_acl) FP L2 rule drop

   8: 05:22:08.412545       802.1Q vlan#8 P6 10.15.9.69.5264 > 255.255.255.255.5246:  udp 218 Drop-reason: (acl-drop) Flow is denied by configured rule

   9: 05:22:08.518543       802.3 encap packet Drop-reason: (l2_acl) FP L2 rule drop

  10: 05:22:09.460593       802.1Q vlan#8 P6 10.15.9.60.5264 > 255.255.255.255.5246:  udp 218 Drop-reason: (acl-drop) Flow is denied by configured rule

  11: 05:22:09.996316       802.3 encap packet Drop-reason: (l2_acl) FP L2 rule drop

  12: 05:22:09.996667       802.1Q vlan#8 P7 802.3 encap packet Drop-reason: (l2_acl) FP L2 rule drop

  13: 05:22:09.998849       802.1Q vlan#100 P7 802.3 encap packet Drop-reason: (l2_acl) FP L2 rule drop

  14: 05:22:09.999032       802.1Q vlan#104 P7 802.3 encap packet Drop-reason: (l2_acl) FP L2 rule drop

  15: 05:22:09.999200       802.1Q vlan#108 P7 802.3 encap packet Drop-reason: (l2_acl) FP L2 rule drop

  16: 05:22:09.999612       802.3 encap packet Drop-reason: (l2_acl) FP L2 rule drop

  17: 05:22:10.000244       802.3 encap packet Drop-reason: (l2_acl) FP L2 rule drop

  18: 05:22:10.079478       802.3 encap packet Drop-reason: (l2_acl) FP L2 rule drop

  19: 05:22:10.140556       0.0.0.0.68 > 255.255.255.255.67:  udp 300 Drop-reason: (acl-drop) Flow is denied by configured rule

  20: 05:22:10.290481       172.18.13.23 > 10.15.3.14: icmp: echo request Drop-reason: (acl-drop) Flow is denied by configured rule

  21: 05:22:10.460913       0.0.0.0.68 > 255.255.255.255.67:  udp 548 Drop-reason: (acl-drop) Flow is denied by configured rule

  22: 05:22:10.575943       0.0.0.0.68 > 255.255.255.255.67:  udp 300 Drop-reason: (acl-drop) Flow is denied by configured rule

  23: 05:22:10.602721       10.15.4.48.53 > 10.15.8.255.15020:  udp 125 Drop-reason: (acl-drop) Flow is denied by configured rule

  24: 05:22:11.663738       172.18.21.18 > 10.15.3.10: icmp: echo request Drop-reason: (acl-drop) Flow is denied by configured rule

  25: 05:22:12.004134       802.3 encap packet Drop-reason: (l2_acl) FP L2 rule drop

  26: 05:22:12.004501       802.1Q vlan#8 P7 802.3 encap packet Drop-reason: (l2_acl) FP L2 rule drop

  27: 05:22:12.006683       802.1Q vlan#100 P7 802.3 encap packet Drop-reason: (l2_acl) FP L2 rule drop

  28: 05:22:12.006866       802.1Q vlan#104 P7 802.3 encap packet Drop-reason: (l2_acl) FP L2 rule drop

  29: 05:22:12.007033       802.1Q vlan#108 P7 802.3 encap packet Drop-reason: (l2_acl) FP L2 rule drop

  30: 05:22:12.007445       802.3 encap packet Drop-reason: (l2_acl) FP L2 rule drop

  31: 05:22:12.008040       802.3 encap packet Drop-reason: (l2_acl) FP L2 rule drop

  32: 05:22:12.426842       10.15.37.5.5256 > 10.15.8.10.5246:  udp 218 Drop-reason: (acl-drop) Flow is denied by configured rule

  33: 05:22:12.598769       10.15.13.1.5272 > 10.15.8.10.5246:  udp 218 Drop-reason: (acl-drop) Flow is denied by configured rule

  34: 05:22:12.729744       10.15.36.255.5264 > 10.15.8.10.5246:  udp 218 Drop-reason: (acl-drop) Flow is denied by configured rule

  35: 05:22:12.911970       802.1Q vlan#8 P6 10.15.9.17.5248 > 255.255.255.255.5246:  udp 218 Drop-reason: (acl-drop) Flow is denied by configured rule

  36: 05:22:13.099970       10.15.4.48.67 > 10.15.8.1.67:  udp 305 Drop-reason: (no-route) No route to host

  37: 05:22:13.288833       0.0.0.0.68 > 255.255.255.255.67:  udp 300 Drop-reason: (acl-drop) Flow is denied by configured rule

  38: 05:22:13.491872       10.15.4.48.67 > 10.15.8.1.67:  udp 305 Drop-reason: (no-route) No route to host

  39: 05:22:13.978617       10.15.4.48.67 > 10.15.8.1.67:  udp 305 Drop-reason: (no-route) No route to host

  40: 05:22:14.028486       802.3 encap packet Drop-reason: (l2_acl) FP L2 rule drop

  41: 05:22:14.028852       802.1Q vlan#8 P7 802.3 encap packet Drop-reason: (l2_acl) FP L2 rule drop

  42: 05:22:14.031050       802.1Q vlan#100 P7 802.3 encap packet Drop-reason: (l2_acl) FP L2 rule drop

  43: 05:22:14.031233       802.1Q vlan#104 P7 802.3 encap packet Drop-reason: (l2_acl) FP L2 rule drop

  44: 05:22:14.031400       802.1Q vlan#108 P7 802.3 encap packet Drop-reason: (l2_acl) FP L2 rule drop

  45: 05:22:14.031797       802.3 encap packet Drop-reason: (l2_acl) FP L2 rule drop

  46: 05:22:14.032392       802.3 encap packet Drop-reason: (l2_acl) FP L2 rule drop

  47: 05:22:14.203831       10.15.4.48.67 > 10.15.8.1.67:  udp 305 Drop-reason: (no-route) No route to host

  48: 05:22:14.429131       10.15.4.48.67 > 10.15.8.1.67:  udp 305 Drop-reason: (no-route) No route to host

  49: 05:22:14.617872       10.15.4.48.67 > 10.15.8.1.67:  udp 305 Drop-reason: (no-route) No route to host

  50: 05:22:14.750220       0.0.0.0.68 > 255.255.255.255.67:  udp 300 Drop-reason: (acl-drop) Flow is denied by configured rule

  51: 05:22:15.289276       172.18.13.23 > 10.15.3.14: icmp: echo request Drop-reason: (acl-drop) Flow is denied by configured rule

  52: 05:22:15.400217       0.0.0.0.68 > 255.255.255.255.67:  udp 300 Drop-reason: (acl-drop) Flow is denied by configured rule

  53: 05:22:15.608077       10.15.4.48.53 > 10.15.8.255.23836:  udp 125 Drop-reason: (acl-drop) Flow is denied by configured rule

  54: 05:22:16.032728       802.3 encap packet Drop-reason: (l2_acl) FP L2 rule drop

  55: 05:22:16.033094       802.1Q vlan#8 P7 802.3 encap packet Drop-reason: (l2_acl) FP L2 rule drop

  56: 05:22:16.035291       802.1Q vlan#100 P7 802.3 encap packet Drop-reason: (l2_acl) FP L2 rule drop

  57: 05:22:16.035459       802.1Q vlan#104 P7 802.3 encap packet Drop-reason: (l2_acl) FP L2 rule drop

  58: 05:22:16.035642       802.1Q vlan#108 P7 802.3 encap packet Drop-reason: (l2_acl) FP L2 rule drop

  59: 05:22:16.036039       802.3 encap packet Drop-reason: (l2_acl) FP L2 rule drop

  60: 05:22:16.036649       802.3 encap packet Drop-reason: (l2_acl) FP L2 rule drop

  61: 05:22:16.092249       10.15.4.248.53 > 10.15.9.76.5310:  udp 125 Drop-reason: (acl-drop) Flow is denied by configured rule

  62: 05:22:16.092356       10.15.4.48.53 > 10.15.9.76.5310:  udp 125 Drop-reason: (acl-drop) Flow is denied by configured rule

  63: 05:22:16.463263       10.15.4.48.53 > 10.15.9.48.35775:  udp 125 Drop-reason: (acl-drop) Flow is denied by configured rule

  64: 05:22:16.463293       10.15.4.248.53 > 10.15.9.48.35775:  udp 125 Drop-reason: (acl-drop) Flow is denied by configured rule

  65: 05:22:16.667735       172.18.21.18 > 10.15.3.10: icmp: echo request Drop-reason: (acl-drop) Flow is denied by configured rule

  66: 05:22:17.512439       802.3 encap packet Drop-reason: (l2_acl) FP L2 rule drop

  67: 05:22:18.049039       802.3 encap packet Drop-reason: (l2_acl) FP L2 rule drop

  68: 05:22:18.049405       802.1Q vlan#8 P7 802.3 encap packet Drop-reason: (l2_acl) FP L2 rule drop

  69: 05:22:18.051617       802.1Q vlan#100 P7 802.3 encap packet Drop-reason: (l2_acl) FP L2 rule drop

  70: 05:22:18.051785       802.1Q vlan#104 P7 802.3 encap packet Drop-reason: (l2_acl) FP L2 rule drop

  71: 05:22:18.051968       802.1Q vlan#108 P7 802.3 encap packet Drop-reason: (l2_acl) FP L2 rule drop

  72: 05:22:18.052380       802.3 encap packet Drop-reason: (l2_acl) FP L2 rule drop

  73: 05:22:18.053021       802.3 encap packet Drop-reason: (l2_acl) FP L2 rule drop

  74: 05:22:18.540774       0.0.0.0.68 > 255.255.255.255.67:  udp 548 Drop-reason: (acl-drop) Flow is denied by configured rule

  75: 05:22:18.659267       802.3 encap packet Drop-reason: (l2_acl) FP L2 rule drop

  76: 05:22:18.724510       0.0.0.0.68 > 255.255.255.255.67:  udp 300 Drop-reason: (acl-drop) Flow is denied by configured rule

  77: 05:22:19.422448       0.0.0.0.68 > 255.255.255.255.67:  udp 300 Drop-reason: (acl-drop) Flow is denied by configured rule

  78: 05:22:19.576660       0.0.0.0.68 > 255.255.255.255.67:  udp 300 Drop-reason: (acl-drop) Flow is denied by configured rule

  79: 05:22:20.053280       802.3 encap packet Drop-reason: (l2_acl) FP L2 rule drop

  80: 05:22:20.053662       802.1Q vlan#8 P7 802.3 encap packet Drop-reason: (l2_acl) FP L2 rule drop

  81: 05:22:20.055844       802.1Q vlan#100 P7 802.3 encap packet Drop-reason: (l2_acl) FP L2 rule drop

  82: 05:22:20.056027       802.1Q vlan#104 P7 802.3 encap packet Drop-reason: (l2_acl) FP L2 rule drop

  83: 05:22:20.056195       802.1Q vlan#108 P7 802.3 encap packet Drop-reason: (l2_acl) FP L2 rule drop

  84: 05:22:20.056622       802.3 encap packet Drop-reason: (l2_acl) FP L2 rule drop

  85: 05:22:20.057186       802.3 encap packet Drop-reason: (l2_acl) FP L2 rule drop

  86: 05:22:20.295822       172.18.13.23 > 10.15.3.14: icmp: echo request Drop-reason: (acl-drop) Flow is denied by configured rule

  87: 05:22:20.433372       802.1Q vlan#8 P6 10.15.9.3.5248 > 255.255.255.255.5246:  udp 218 Drop-reason: (acl-drop) Flow is denied by configured rule

  88: 05:22:20.613646       10.15.4.248.53 > 10.15.8.255.57943:  udp 125 Drop-reason: (acl-drop) Flow is denied by configured rule

  89: 05:22:20.613814       10.15.4.48.53 > 10.15.8.255.57943:  udp 125 Drop-reason: (acl-drop) Flow is denied by configured rule

  90: 05:22:21.094019       10.15.4.48.53 > 10.15.9.76.56639:  udp 125 Drop-reason: (acl-drop) Flow is denied by configured rule

  91: 05:22:21.467322       10.15.4.248.53 > 10.15.9.48.2965:  udp 125 Drop-reason: (acl-drop) Flow is denied by configured rule

  92: 05:22:21.651852       172.18.21.18 > 10.15.3.10: icmp: echo request Drop-reason: (acl-drop) Flow is denied by configured rule

  93: 05:22:21.930402       10.15.37.5.5256 > 10.15.8.10.5246:  udp 218 Drop-reason: (acl-drop) Flow is denied by configured rule

  94: 05:22:22.065533       802.3 encap packet Drop-reason: (l2_acl) FP L2 rule drop

  95: 05:22:22.065884       802.1Q vlan#8 P7 802.3 encap packet

  96: 05:22:22.068096       802.1Q vlan#100 P7 802.3 encap packet Drop-reason: (l2_acl) FP L2 rule drop

  97: 05:22:22.068264       802.1Q vlan#104 P7 802.3 encap packet Drop-reason: (l2_acl) FP L2 rule drop

  98: 05:22:22.068447       802.1Q vlan#108 P7 802.3 encap packet Drop-reason: (l2_acl) FP L2 rule drop

  99: 05:22:22.068859       802.3 encap packet Drop-reason: (l2_acl) FP L2 rule drop

100: 05:22:22.069439       802.3 encap packet Drop-reason: (l2_acl) FP L2 rule drop

101: 05:22:22.109308       10.15.13.1.5272 > 10.15.8.10.5246:  udp 218 Drop-reason: (acl-drop) Flow is denied by configured rule

102: 05:22:22.233310       10.15.36.255.5264 > 10.15.8.10.5246:  udp 218 Drop-reason: (acl-drop) Flow is denied by configured rule

103: 05:22:23.100122       10.15.21.0.60988 > 192.168.33.10.443: S 630699825:630699825(0) win 65535 <mss 1460,nop,wscale 3,nop,nop,sackOK> Drop-reason: (acl-drop) Flow is denied by configured rule

104: 05:22:23.129265       802.3 encap packet Drop-reason: (l2_acl) FP L2 rule drop

105: 05:22:23.615172       10.15.21.0.60988 > 192.168.33.10.443: S 630699825:630699825(0) win 65535 <mss 1460,nop,wscale 3,nop,nop,sackOK> Drop-reason: (acl-drop) Flow is denied by configured rule

106: 05:22:23.747016       802.1Q vlan#8 P6 10.15.9.62.5264 > 255.255.255.255.5246:  udp 218 Drop-reason: (acl-drop) Flow is denied by configured rule

107: 05:22:24.081828       802.3 encap packet Drop-reason: (l2_acl) FP L2 rule drop

108: 05:22:24.082194       802.1Q vlan#8 P7 802.3 encap packet Drop-reason: (l2_acl) FP L2 rule drop

109: 05:22:24.084376       802.1Q vlan#100 P7 802.3 encap packet Drop-reason: (l2_acl) FP L2 rule drop

110: 05:22:24.084559       802.1Q vlan#104 P7 802.3 encap packet Drop-reason: (l2_acl) FP L2 rule drop

111: 05:22:24.084727       802.1Q vlan#108 P7 802.3 encap packet Drop-reason: (l2_acl) FP L2 rule drop

112: 05:22:24.085154       802.3 encap packet Drop-reason: (l2_acl) FP L2 rule drop

113: 05:22:24.085749       802.3 encap packet Drop-reason: (l2_acl) FP L2 rule drop

114: 05:22:24.130898       10.15.21.0.60988 > 192.168.33.10.443: S 630699825:630699825(0) win 65535 <mss 1460,nop,wscale 3,nop,nop,sackOK> Drop-reason: (acl-drop) Flow is denied by configured rule

115: 05:22:24.461905       0.0.0.0.68 > 255.255.255.255.67:  udp 300 Drop-reason: (acl-drop) Flow is denied by configured rule

116: 05:22:24.638730       802.1Q vlan#8 P6 10.15.9.79.5248 > 255.255.255.255.5246:  udp 218 Drop-reason: (acl-drop) Flow is denied by configured rule

117: 05:22:25.290847       172.18.13.23 > 10.15.3.14: icmp: echo request Drop-reason: (acl-drop) Flow is denied by configured rule

117 packets shown

0 Helpful

Kelli Glass
Community Manager
Community Manager
In response to Yazeed Fataar

‎08-31-2017 04:37 PM

Yazeed,

I recommend you open a case with Cisco TAC so our technical experts can assist you with debugging.

Cisco Support - Software Downloads, Product Documentation, Support Tools, and Support Cases - Cisco

I hope this helps.

Kelli Glass

Moderator for Cisco Customer Communities

0 Helpful

networks.comms
Level 1
Level 1
In response to Yazeed Fataar

‎02-15-2018 08:15 AM

Hi Yazeed,

Did you ever get this fixed as seem to be having the same issue?

Gavin

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card