3712 Views | 0 Helpful | 14 Replies

FTD RA VPN - DHCP Server configuration not working

Elpakko (Level 1)

Hi.

I have a problem with RA VPN DHCP configuration. VPN users get an IP address from the local pool just fine, but when I try to use my Windows Server 2012 R2 DHCP server, I get the following errors and it always falls back to the local pool:

 

IPAA: Session=0x0000e000, DHCP request attempt 1 failed

IPAA: Session=0x0000e000, DHCP configured, request failed for tunnel-group 'DefaultWEBVPNGroup'

IPAA: Session=0x0000e000, Client assigned 172.16.10.13 from local pool VPN_user

IPAA: Session=0x0000e000, Local pool request succeeded for tunnel-group 'DefaultWEBVPNGroup'

 

On the Windows Server side I cannot see any logs pointing to this, so I guess the request never reaches the server.

 

Now, what I have done, following the documentation I could find:

- Defined the DHCP server address (172.16.0.20) in the Connection Profile

- Defined the Address Pools (172.16.10.10-172.16.10.150) in Connection Profile and Group Policy

- Defined a DHCP Network Scope (172.16.10.0) in Group Policy and in the Windows Server

 

It seems like the FTD cannot find the DHCP server, but my DHCP Relay settings are working just fine for the same server. Any advice? Thanks.

14 Replies

Hi,
I recently set up FTD RAVPN (v6.4.5) with DHCP and it worked first time without issue, so special configuration that I can recall. Which FTD version are you running?

To troubleshoot run a packet capture on the server end and see if the DHCP server receives the DHCP "discover" packet from the FTD. Enable DHCP debugging on the FTD (debug dhcprelay error|event|packet) - and check to see if the DHCP request was even made. Upload the debug output for review if necessary.

Hi.

 

I'm running the latest version 6.5.0.2. 

 

I enabled debugging for error, event and packet but connecting the VPN client does not produce any debug log entries. I can see other dhcp relay debug logs just fine. Again I just get the same error in the logs:

 

IPAA: Session=0x00020000, DHCP request attempt 1 failed

IPAA: Session=0x00020000, DHCP configured, request failed for tunnel-group 'DefaultWEBVPNGroup'

 

 

Elpakko (Level 1)

Any advice on what to do next? It seems like the FTD is not making the DHCP request at all for the RA VPN, although in the log I can find "DHCP Configured".

Do you have a route on your core switch for the RAVPN subnet pointing to the FTD?
Did you run a packet capture on the DHCP server? Did you see any DHCP Discover packets from the FTD IP address?

Hi.

 

All the routing is done in the FTD device, I only have layer 2 switches. On the FTD I only have the default route atm.

 

Packet capture on the DHCP server doesn't show any traffic originating from the FTD IP.

Were you ever able to solve this? I have the same problem.

Hi,

 

Following the correct steps and running a stable version will make it work. Here's a document to guide you:

https://www.cisco.com/c/en/us/support/docs/security/firepower-ngfw/200475-Configure-DHCP-Server-Relay-on-FTD-Using.html

 

Regards,

Cristian Matei.

Hi.

Unfortunately I couldn't make it work. I have followed every step in the configuration guides, both DHCP and Remote Access VPN. DHCP relay works for my interfaces just fine, but for the RA VPN it will not work no matter what I do.

Hi,

 

See if you're hitting this bug: https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvo12057/?rfs=iqvred

Do you have the hot fix applied? Or try using 6.5.0.4

 

Regards,

Cristian Matei.

Hi.

 

Thanks. I'm not sure if it's this bug or not, as my DHCP relay debug did not output anything. But I'll try installing 6.5.0.4 some time soon and investigate further after that. I'm currently running 6.5.0.2.

Hi,

    

If you have to postpone the upgrade, open a TAC case. Looking forward to knowing what your problem is, as it clearly looks like the FTD does not even initiate sending the DHCP packet to the DHCP server, so the relay function seems to be dead in this case.

 

Regards,

Cristian Matei.

Hi,

 

On a Firepower 2130 with FTD 6.6.0 I got the same issue. Same issue with the DHCP server:

 

 

1 0.000000 10.45.30.2 10.52.10.8 DHCP 590 DHCP Discover - Transaction ID 0x8c9cf9a
2 0.000565 10.52.10.8 10.44.96.20 DHCP 342 DHCP Offer - Transaction ID 0x8c9cf9a
3 2.988343 10.45.30.2 10.52.10.8 DHCP 590 DHCP Discover - Transaction ID 0x8c9cf9a
4 2.988740 10.52.10.8 10.44.96.20 DHCP 342 DHCP Offer - Transaction ID 0x8c9cf9a
5 6.988328 10.45.30.2 10.52.10.8 DHCP 590 DHCP Discover - Transaction ID 0x8c9cf9a
6 6.988770 10.52.10.8 10.44.96.20 DHCP 342 DHCP Offer - Transaction ID 0x8c9cf9a
7 11.990678 10.45.30.2 10.52.10.8 DHCP 590 DHCP Discover - Transaction ID 0x8c9cf9a
8 11.991105 10.52.10.8 10.44.96.20 DHCP 342 DHCP Offer - Transaction ID 0x8c9cf9a
9 17.988328 10.45.30.2 10.52.10.8 DHCP 590 DHCP Discover - Transaction ID 0x8c9cf9a
10 17.988679 10.52.10.8 10.44.96.20 DHCP 342 DHCP Offer - Transaction ID 0x8c9cf9a

Hi.

 

I recently upgraded to 6.5.0.4 and it did not solve the problem. I suppose I'll have to open a TAC case.

Based on my capture I noted that the FTD sends the DHCP request to the DHCP server using the IP address assigned to the VPN as configured in the DHCP scope.

 

In this case I will check if my DHCP server has the correct route to the IP address configured in the DHCP scope.

I will try this way. I hope we can solve the issue.
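The capture quoted above shows the pattern the poster describes: every Discover arrives from the FTD's own address (10.45.30.2), but every Offer is sent to a different address (10.44.96.20, the VPN scope address the FTD placed in the request as the relay address), and the exchange never gets past Offer, so the Discover is retried with the same transaction ID. The following script is an added example, not part of this thread or of any Cisco tool: it parses capture summary lines in the same format as the one posted, groups frames by transaction ID, and flags exactly that failure mode (Offers addressed to an address the Discover did not come from and no ACK), which is the routing check the poster intends to make on the DHCP server. The sample input is constructed: the first transaction repeats the thread's own frames, and the second is a made-up healthy exchange for contrast.

```python
import re
from collections import defaultdict

# Constructed sample in the summary format quoted in the thread
# (frame, time, src, dst, proto, length, info). Transaction 0x8c9cf9a mirrors
# the posted capture; 0x1234abcd is a constructed healthy DORA exchange.
CAPTURE = """\
1 0.000000 10.45.30.2 10.52.10.8 DHCP 590 DHCP Discover - Transaction ID 0x8c9cf9a
2 0.000565 10.52.10.8 10.44.96.20 DHCP 342 DHCP Offer - Transaction ID 0x8c9cf9a
3 2.988343 10.45.30.2 10.52.10.8 DHCP 590 DHCP Discover - Transaction ID 0x8c9cf9a
4 2.988740 10.52.10.8 10.44.96.20 DHCP 342 DHCP Offer - Transaction ID 0x8c9cf9a
5 10.000000 10.45.30.2 10.52.10.8 DHCP 590 DHCP Discover - Transaction ID 0x1234abcd
6 10.000500 10.52.10.8 10.45.30.2 DHCP 342 DHCP Offer - Transaction ID 0x1234abcd
7 10.001000 10.45.30.2 10.52.10.8 DHCP 590 DHCP Request - Transaction ID 0x1234abcd
8 10.001500 10.52.10.8 10.45.30.2 DHCP 342 DHCP ACK - Transaction ID 0x1234abcd
"""

LINE_RE = re.compile(
    r"^\s*(?P<frame>\d+)\s+(?P<time>[\d.]+)\s+(?P<src>[\d.]+)\s+(?P<dst>[\d.]+)"
    r"\s+DHCP\s+\d+\s+DHCP\s+(?P<kind>Discover|Offer|Request|ACK|NAK)"
    r"\s+-\s+Transaction ID\s+(?P<xid>0x[0-9a-fA-F]+)"
)


def parse_capture(text):
    """Return one dict per DHCP summary line; lines that do not match are skipped."""
    frames = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        d = m.groupdict()
        d["frame"] = int(d["frame"])
        d["time"] = float(d["time"])
        d["xid"] = d["xid"].lower()
        frames.append(d)
    return frames


def analyse(text):
    """Group frames by transaction ID and summarise where each exchange stalled."""
    by_xid = defaultdict(list)
    for f in parse_capture(text):
        by_xid[f["xid"]].append(f)

    report = {}
    for xid, frames in by_xid.items():
        kinds = [f["kind"] for f in frames]
        discover_src = {f["src"] for f in frames if f["kind"] == "Discover"}
        offer_dst = {f["dst"] for f in frames if f["kind"] == "Offer"}
        report[xid] = {
            "discovers": kinds.count("Discover"),
            "discover_src": discover_src,
            "offer_dst": offer_dst,
            # The server addresses its Offer to the relay address carried in the
            # request, not to the source of the Discover. When those differ, the
            # server needs a route to the Offer destination or the reply is lost.
            "relay_mismatch": bool(offer_dst - discover_src),
            "completed": "ACK" in kinds,
        }
    return report


def explain(report):
    """Render one human-readable line per transaction."""
    lines = []
    for xid, r in sorted(report.items()):
        if r["completed"]:
            lines.append(f"{xid}: lease completed")
        elif r["relay_mismatch"]:
            lines.append(
                f"{xid}: {r['discovers']} Discover(s) from {sorted(r['discover_src'])}, "
                f"Offers sent to {sorted(r['offer_dst'])} and never acknowledged; "
                "check the DHCP server's route to the Offer destination"
            )
        elif not r["offer_dst"]:
            lines.append(f"{xid}: Discover seen but no Offer; check the scope/server config")
        else:
            lines.append(f"{xid}: Offer returned but exchange did not complete")
    return lines


if __name__ == "__main__":
    for line in explain(analyse(CAPTURE)):
        print(line)
```

Run it against a Wireshark/tshark summary export of your own capture on the DHCP server; a transaction that shows `relay_mismatch` with retried Discovers is the signature of a reply being sent to a relay address the server cannot reach.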
