ASA 5505; DSL PPPoE / DHCP Lease Issues [Config/Debug Posted]

Mitchell Dyer
Level 1

Hello,

I've been having this issue for about 3 months now, off and on, never seemed to be predictable but started happening more and more, which prompted me to look into it.

Currently, the DSL modem is configured in bridge mode with the ASA handling PPPoE. The WAN address is being assigned via DHCP. The ASA is running 8.2(1). The WAN interface will drop its DHCP lease and will not renew it without power cycling the DSL modem. I did a little bit of googling and found mention of setting "dhcp-client client-id interface outside", specifically this was an issue pre 7.2(22), but doesn't seem to affect my situation. Originally, I had the MTU on the outside interface configured as 1500; changing it to 1492 has not resolved my issue either.

I've enabled PPPoE and DHCPC debugging and posted the results below from when the event occurs. I'm thinking this is more so a PPPoE issue than it is a DHCP/DHCP lease issue, as I am not seeing any debug messages from DHCPC.

The config is also below. Any help is greatly appreciated. Thank you!

PPPoE/DHCPC Debug:

gatekeeper# PPPoE: Shutting down client session

PPPoE: send_padt:(Snd) Dest:0021.d816.538c Src:0021.d816.538c Type:0x8863=PPPoE-
Discovery
PPPoE: Ver:1 Type:1 Code:A7=PADT Sess:20393 Len:0
PPPoE: send_padi:(Snd) Dest:ffff.ffff.ffff Src:0021.d816.538c Type:0x8863=PPPoE-
Discovery
PPPoE: Ver:1 Type:1 Code:09=PADI Sess:0 Len:12
PPPoE: Type:0101:SVCNAME-Service Name Len:0
PPPoE: Type:0103:HOSTUNIQ-Host Unique Tag Len:4
PPPoE: 00000003
PPPoE: send_padi:(Snd) Dest:ffff.ffff.ffff Src:0021.d816.538c Type:0x8863=PPPoE-
Discovery
PPPoE: Ver:1 Type:1 Code:09=PADI Sess:0 Len:12
PPPoE: Type:0101:SVCNAME-Service Name Len:0
PPPoE: Type:0103:HOSTUNIQ-Host Unique Tag Len:4
PPPoE: 00000003
PPPoE: padi timer expired

PPPoE: send_padi:(Snd) Dest:ffff.ffff.ffff Src:0021.d816.538c Type:0x8863=PPPoE-
Discovery
PPPoE: Ver:1 Type:1 Code:09=PADI Sess:0 Len:12
PPPoE: Type:0101:SVCNAME-Service Name Len:0
PPPoE: Type:0103:HOSTUNIQ-Host Unique Tag Len:4
PPPoE: 00000003
PPPoE: padi timer expired

PPPoE: send_padi:(Snd) Dest:ffff.ffff.ffff Src:0021.d816.538c Type:0x8863=PPPoE-
Discovery
PPPoE: Ver:1 Type:1 Code:09=PADI Sess:0 Len:12
PPPoE: Type:0101:SVCNAME-Service Name Len:0
PPPoE: Type:0103:HOSTUNIQ-Host Unique Tag Len:4
PPPoE: 00000003
PPPoE: padi timer expired

PPPoE: send_padi:(Snd) Dest:ffff.ffff.ffff Src:0021.d816.538c Type:0x8863=PPPoE-
Discovery
PPPoE: Ver:1 Type:1 Code:09=PADI Sess:0 Len:12
PPPoE: Type:0101:SVCNAME-Service Name Len:0
PPPoE: Type:0103:HOSTUNIQ-Host Unique Tag Len:4
PPPoE: 00000003
PPPoE: padi timer expired

PPPoE: send_padi:(Snd) Dest:ffff.ffff.ffff Src:0021.d816.538c Type:0x8863=PPPoE-
Discovery
PPPoE: Ver:1 Type:1 Code:09=PADI Sess:0 Len:12
PPPoE: Type:0101:SVCNAME-Service Name Len:0
PPPoE: Type:0103:HOSTUNIQ-Host Unique Tag Len:4
PPPoE: 00000003
PPPoE: padi timer expired

PPPoE: send_padi:(Snd) Dest:ffff.ffff.ffff Src:0021.d816.538c Type:0x8863=PPPoE-
Discovery
PPPoE: Ver:1 Type:1 Code:09=PADI Sess:0 Len:12
PPPoE: Type:0101:SVCNAME-Service Name Len:0
PPPoE: Type:0103:HOSTUNIQ-Host Unique Tag Len:4
PPPoE: 00000003
PPPoE: padi timer expired

PPPoE: PPPoE:(Rcv) Dest:0021.d816.538c Src:0002.3b02.accb Type:0x8863=PPPoE-Disc
overy
PPPoE: Ver:1 Type:1 Code:07=PADO Sess:0 Len:48
PPPoE: Type:0101:SVCNAME-Service Name Len:0
PPPoE: Type:0103:HOSTUNIQ-Host Unique Tag Len:4
PPPoE: 00000003
PPPoE: Type:0102:ACNAME-AC Name Len:28
PPPoE: 90084030600411-rback3.chi2ca

PPPoE: Type:0101:SVCNAME-Service Name Len:0
PPPoE: PADO

PPPoE: send_padr:(Snd) Dest:0002.3b02.accb Src:0021.d816.538c Type:0x8863=PPPoE-
Discovery
PPPoE: Ver:1 Type:1 Code:19=PADR Sess:0 Len:48
PPPoE: Type:0101:SVCNAME-Service Name Len:0
PPPoE: Type:0103:HOSTUNIQ-Host Unique Tag Len:4
PPPoE: 00000003
PPPoE: Type:0102:ACNAME-AC Name Len:28
PPPoE: 90084030600411-rback3.chi2ca

PPPoE: Type:0101:SVCNAME-Service Name Len:0
PPPoE: PPPoE:(Rcv) Dest:0021.d816.538c Src:0002.3b02.accb Type:0x8863=PPPoE-Disc
overy
PPPoE: Ver:1 Type:1 Code:65=PADS Sess:20574 Len:48
PPPoE: Type:0101:SVCNAME-Service Name Len:0
PPPoE: Type:0103:HOSTUNIQ-Host Unique Tag Len:4
PPPoE: 00000003
PPPoE: Type:0101:SVCNAME-Service Name Len:0
PPPoE: Type:0102:ACNAME-AC Name Len:28
PPPoE: 90084030600411-rback3.chi2ca

PPPoE: PADS

PPPoE: IN PADS from PPPoE tunnel

PPPoE: Opening PPP link and starting negotiations.

Config:

: Saved
: Written by enable_15 at 00:19:40.679 PST Wed Jan 26 2011
!
ASA Version 8.2(1)
!
hostname gatekeeper
domain-name *********

enable password ********* encrypted
passwd ********* encrypted
names
name 10.81.220.8 VPNpool description VPNpool
name 76.193.78.227 DynDNS description DynDNS Server
name 68.94.157.1 DNS1
name 68.94.156.1 DNS2
name 10.81.225.1 WAP description Linksys WRT54 with dd-wrt
name 10.81.220.90 DrJones description DrJones
name 10.81.220.91 ShortRound
name 75.54.236.86 Outside description Outside Interface
!
interface Vlan1
nameif inside
security-level 100
ip address 10.81.220.1 255.255.255.0
!
interface Vlan2
description WAN- PPoE here
nameif outside
security-level 0
pppoe client vpdn group INTERNET
ip address pppoe setroute
!
interface Vlan12
no forward interface Vlan1
nameif DMZ
security-level 50
ip address 192.168.1.1 255.255.255.0
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
switchport access vlan 12
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
boot system disk0:/asa821-k8.bin
boot system disk0:/asa804-k8.bin
ftp mode passive
clock timezone PST -8
clock summer-time PDT recurring
dns domain-lookup outside
dns server-group DefaultDNS
name-server DNS2
name-server DNS1
domain-name manywhelps.local
same-security-traffic permit intra-interface
object-group network DNSServers
description DNS Servers
network-object host DNS2
network-object host DNS1
object-group protocol TCPUDP
protocol-object udp
protocol-object tcp
object-group service TQ
description TQ Ports
service-object udp source eq 42800 eq 42800
service-object udp source range 49152 49172 range 49152 49172
service-object udp source range 49272 49292 range 49272 49292
object-group service win-radius udp
description win-radius
port-object eq 1812
object-group service uTorrentWebUI tcp-udp
description uTorrentWebUI
port-object eq 8080
object-group service Minecraft tcp
port-object eq 25565
object-group service uTorrent
description uTorrent
service-object tcp-udp eq 27938
access-list inside_access_in extended permit object-group uTorrent any interface outside
access-list inside_access_in extended permit ip 10.81.220.0 255.255.255.0 any
access-list outside_access_in extended permit object-group uTorrent any interface outside
pager lines 24
logging enable
logging trap debugging
logging asdm informational
logging facility 16
logging permit-hostdown
mtu inside 1500
mtu outside 1492
mtu DMZ 1500
ip local pool VPNpool 10.81.220.133-10.81.221.163 mask 255.255.255.0
ip verify reverse-path interface outside
icmp unreachable rate-limit 1 burst-size 1
icmp permit 10.81.220.0 255.255.255.0 inside
icmp deny any outside
asdm image disk0:/asdm-621.bin
asdm location VPNpool 255.255.255.248 inside
asdm location DynDNS 255.255.255.255 inside
asdm location WAP 255.255.255.255 inside
asdm location DrJones 255.255.255.255 inside
asdm location Outside 255.255.255.255 inside
asdm history enable
arp timeout 14400
nat-control
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 dns
nat (DMZ) 1 0.0.0.0 0.0.0.0 dns
static (inside,outside) tcp interface 8080 DrJones 8080 netmask 255.255.255.255
static (inside,outside) tcp interface 27938 DrJones 27938 netmask 255.255.255.255
static (inside,outside) udp interface 27938 DrJones 27938 netmask 255.255.255.255
access-group inside_access_in in interface inside control-plane
access-group inside_access_in in interface inside
access-group outside_access_in in interface outside
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa-server ********* protocol radius
aaa-server ********* (inside) host 10.81.220.240
key *********
authentication-port 1812
acl-netmask-convert auto-detect
aaa authentication secure-http-client
aaa local authentication attempts max-fail 3
http server enable
http 10.81.220.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
auth-prompt prompt Authenticate!
auth-prompt accept Gonna have a rape party!
auth-prompt reject Gotcha Bitch!
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set security-association lifetime seconds 28800
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set security-association lifetime kilobytes 4608000
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto ca trustpoint ASDM_TrustPoint0
enrollment self
subject-name CN=gatekeeper.manywhelps.local
keypair anysslvpn
crl configure
crypto ca trustpoint ASDM_TrustPoint1
enrollment self
subject-name CN=gatekeeper
keypair NewKey
crl configure
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption aes-256
hash md5
group 5
lifetime 86400
crypto isakmp policy 30
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
no vpn-addr-assign aaa
telnet 10.81.220.0 255.255.255.0 inside
telnet timeout 5
ssh 10.81.220.0 255.255.255.0 inside
ssh timeout 5
ssh version 2
console timeout 0
management-access inside
vpdn group INTERNET request dialout pppoe
vpdn group INTERNET localname *******************

vpdn group INTERNET ppp authentication pap
vpdn username ************ password ******* store-local
dhcp-client client-id interface outside
dhcpd domain manywhelps.local
dhcpd auto_config outside vpnclient-wins-override
dhcpd update dns both
!
dhcpd address 10.81.220.100-10.81.220.131 inside
dhcpd dns DNS2 DNS1 interface inside
dhcpd enable inside
!
dhcpd address 192.168.1.150-192.168.1.180 DMZ
dhcpd dns DNS2 DNS1 interface DMZ
!

no threat-detection basic-threat
threat-detection statistics port
threat-detection statistics protocol
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp server 207.171.30.106 source outside prefer
ntp server 69.56.251.238 source outside
webvpn
svc image disk0:/anyconnect/anyconnect-win-2.3.0254-k9.pkg 1 regex "Windows NT"
svc image disk0:/anyconnect/anyconnect-macosx-i386.2.3.0254-k9.pkg 2 regex "Intel Mac OS X"
svc enable
tunnel-group-list enable
smart-tunnel list RDP RDP mstsc.exe platform windows
smart-tunnel list RDP RDP \Windows\System32\mstsc.exe platform windows
group-policy DfltGrpPolicy attributes
vpn-tunnel-protocol IPSec l2tp-ipsec svc webvpn
group-policy AnySSLPolicy internal
group-policy AnySSLPolicy attributes
banner value Herro!
vpn-tunnel-protocol IPSec l2tp-ipsec svc webvpn
default-domain value manywhelps.local
address-pools value VPNpool
ipv6-address-pools none
webvpn
  url-list value Test
  smart-tunnel enable RDP
username mdyer password A8mHWZLlgZRWI4hG encrypted
tunnel-group DefaultRAGroup ipsec-attributes
radius-sdi-xauth
tunnel-group AnySSLProfile type remote-access
tunnel-group AnySSLProfile general-attributes
address-pool VPNpool
default-group-policy AnySSLPolicy
tunnel-group AnySSLProfile webvpn-attributes
group-alias AnySSL disable
group-alias Test enable
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
  message-length maximum 512
policy-map global_policy
class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny 
  inspect sunrpc
  inspect xdmcp
  inspect sip 
  inspect netbios
  inspect tftp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:a7da4be0b12861332382ac9384913eb2
: end
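
A small parser for the PPPoE discovery debug shown in the post above, as an added example that is not part of the original thread: it counts how many PADIs went out before an access concentrator answered with a PADO and reports the session IDs on either side of the drop. The function names and the sample input (shortened, with documentation MAC addresses) are assumptions made for illustration.

```python
import re

HDR = re.compile(r"\((Snd|Rcv)\)\s+Dest:\S+\s+Src:(\S+)")
CODE = re.compile(r"Code:[0-9A-Fa-f]{2}=(PAD[IORST])\s+Sess:(\d+)")

def parse_discovery(text):
    """Return [(direction, packet, session_id, src_mac), ...] in log order."""
    events, pending = [], None
    for line in text.splitlines():
        if (m := HDR.search(line)):
            pending = m.groups()              # (direction, source MAC)
        elif (m := CODE.search(line)) and pending:
            events.append((pending[0], m.group(1), int(m.group(2)), pending[1]))
            pending = None                    # one Code line per header line
    return events

def summarize(text):
    """Count PADIs sent before the first PADO and the session IDs around the drop."""
    s = {"padi_before_pado": 0, "ac_mac": None,
         "old_session": None, "new_session": None}
    for direction, pkt, sess, src in parse_discovery(text):
        if pkt == "PADT":
            s["old_session"] = sess           # session that was torn down
        elif pkt == "PADI" and s["ac_mac"] is None:
            s["padi_before_pado"] += 1        # broadcast sent, no offer seen yet
        elif pkt == "PADO" and direction == "Rcv" and s["ac_mac"] is None:
            s["ac_mac"] = src                 # first concentrator to answer
        elif pkt == "PADS" and direction == "Rcv":
            s["new_session"] = sess           # session granted after rediscovery
    return s

# Constructed sample in the post's debug format (tag lines, timers and PADR omitted).
SAMPLE = """\
PPPoE: send_padt:(Snd) Dest:0000.5e00.5301 Src:0000.5e00.5301 Type:0x8863=PPPoE-
Discovery
PPPoE: Ver:1 Type:1 Code:A7=PADT Sess:20393 Len:0
""" + """\
PPPoE: send_padi:(Snd) Dest:ffff.ffff.ffff Src:0000.5e00.5301 Type:0x8863=PPPoE-
Discovery
PPPoE: Ver:1 Type:1 Code:09=PADI Sess:0 Len:12
""" * 3 + """\
PPPoE: PPPoE:(Rcv) Dest:0000.5e00.5301 Src:0000.5e00.53ac Type:0x8863=PPPoE-Disc
overy
PPPoE: Ver:1 Type:1 Code:07=PADO Sess:0 Len:48
PPPoE: PPPoE:(Rcv) Dest:0000.5e00.5301 Src:0000.5e00.53ac Type:0x8863=PPPoE-Disc
overy
PPPoE: Ver:1 Type:1 Code:65=PADS Sess:20574 Len:48
"""
print(summarize(SAMPLE))
```

A high `padi_before_pado` count means the ASA kept broadcasting discovery requests and no offer reached it, so the fault sits at the PPPoE discovery stage rather than in anything DHCP-related.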

1 Reply

Mitchell Dyer
Level 1

Ended up replacing the modem, has not had issues under load.
