Cisco ASA 5510 interfering with DHCP requests

licenses
Level 1

So this is rather complicated to explain but I will do my best.

I am currently trying to configure a brand new ASA 5510. In order to test within my company's network, my ASA is connected to 1 PC on the inside network, and our public network on the outside network. We have a class C public range of IP addresses as we are a gaming company and our Xboxes have issues with NAT... something we thought that the ASA could solve. At any rate, the outside interface of the ASA basically simulates being directly connected to the internet although it is also connected to other PCs in our network.

Still with me?

So things seemed to be ok, and everything was alright, and then we noticed that a lot of users were losing connectivity. We then spotted a lot of BAD ADDRESSES on the DHCP server that was handing out addresses for the public pool. Eventually we figured out that unplugging the ASA solved the problem. DHCP is not configured at all on the ASA. Nor is it using IP addresses that are in the public DHCP pool.

After a lot more testing, and packet captures, we realized that the ASA is responding to DHCP requests and saying that it is using the requested IP address, so the DHCP server marks it as bad as there is an IP address conflict. If you try to renew multiple times, it creates many bad addresses this way. Like I said though, those addresses are definitely not configured on the ASA.

So if you followed all of this, my question is thus: why would the ASA say it is using an IP address when it is not? Is there any way I can stop the ASA from responding to DHCP requests?

Let me know if I need to clear things up any more. Thanks so much for your help!

Oh and I don't know if it is relevant, but I am running a version of the IOS that is above 8.3.

Accepted Solutions

Jon Marshall
Hall of Fame

This is just a guess, but it sounds like it could be related to proxy ARP. Can you disable proxy ARP on the outside interface just to see, i.e.

sysopt noproxyarp outside

However, proxy ARP is needed on the outside if you have static NAT commands on the ASA, so when you turn off proxy ARP these will stop working. If that causes a problem, then an easier test is to make sure the DHCP server is not on the same subnet as the outside interface of your ASA, so you would need 2 subnets on the outside.

Jon

Yep, that worked! We will have to find a way around this for now, but at least we know the cause. Thank you very much!
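
The proxy ARP behaviour confirmed as the cause in this thread can be spotted in a capture taken on the outside segment: one MAC address sends ARP replies claiming many addresses inside the DHCP pool. The following is an added example, not part of the original posts; the 203.0.113.0/24 pool, the MAC addresses and the threshold of 3 are constructed assumptions.

```python
import struct
from collections import defaultdict
from ipaddress import IPv4Address, IPv4Network

ARP_REPLY = 2

def build_arp(oper, sha, spa, tha, tpa):
    """Pack a 28-byte Ethernet/IPv4 ARP payload (used for the constructed samples)."""
    mac = lambda m: bytes.fromhex(m.replace(":", ""))
    return struct.pack("!HHBBH6s4s6s4s", 1, 0x0800, 6, 4, oper,
                       mac(sha), IPv4Address(spa).packed,
                       mac(tha), IPv4Address(tpa).packed)

def parse_arp(payload):
    """Return (oper, sender_mac, sender_ip), or None for truncated/non-IPv4 ARP."""
    if len(payload) < 28:
        return None
    htype, ptype, hlen, plen, oper, sha, spa, _tha, _tpa = struct.unpack(
        "!HHBBH6s4s6s4s", payload[:28])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return oper, sha.hex(":"), IPv4Address(spa)

def proxy_arp_suspects(payloads, pool, threshold=3):
    """MACs whose ARP replies claim >= threshold distinct addresses in the DHCP pool."""
    claimed = defaultdict(set)
    for p in payloads:
        rec = parse_arp(p)
        if rec and rec[0] == ARP_REPLY and rec[2] in pool:
            claimed[rec[1]].add(rec[2])
    return {mac: sorted(ips) for mac, ips in claimed.items() if len(ips) >= threshold}

# Constructed sample: documentation range 203.0.113.0/24 stands in for the public pool.
FW, PC, SRV = "00:00:5e:00:53:01", "00:00:5e:00:53:10", "00:00:5e:00:53:20"
SAMPLE = [
    build_arp(1, SRV, "203.0.113.5", "00:00:00:00:00:00", "203.0.113.50"),  # request, ignored
    build_arp(2, FW, "203.0.113.50", SRV, "203.0.113.5"),
    build_arp(2, FW, "203.0.113.51", SRV, "203.0.113.5"),
    build_arp(2, FW, "203.0.113.52", SRV, "203.0.113.5"),
    build_arp(2, PC, "203.0.113.60", SRV, "203.0.113.5"),  # a normal host owns one IP
    b"\x00\x01\x08\x00",                                     # truncated, skipped
]

if __name__ == "__main__":
    for mac, ips in proxy_arp_suspects(SAMPLE, IPv4Network("203.0.113.0/24")).items():
        print(mac, "answers for", ", ".join(map(str, ips)))
```

A host that legitimately holds several addresses, such as a router with secondary IPs, will also be listed, so compare the flagged MAC against the firewall's outside interface before acting on it.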