ASA5506 Windows DHCP Server Reliability Issues on vlan

mibian
Level 1

Hi,

 

I have a mixed network, where I utilize some Ubiquiti equipment, with an ASA5506 in front. I do not use the USG due to feature shortage, reliability issues and a general lack of trust in the security of the device.

 

I have several subnets on separate VLANs, split over two buildings, separated by a fiber trunk, where the firewall is in one building, and the Windows Server is at the other.

 

All the LAN subnets/VLANs are on one port on the ASA on subinterfaces.

 

To not make the building where the ASA is located dependent on the fiber trunk, I have configured the ASA as DHCP server on some VLANs, and the Windows Server as DHCP on one particular VLAN that is located in the other building.

 

My issue is that the Windows part of it is unreliable and inconsistent. On all cabled connections to the Ubiquiti switches, DHCP seems to work reliably on that particular VLAN, and all the VLANs that use the ASA as DHCP server also seem to work reliably. However, devices connecting via WIFI are hit and miss on the VLAN from the Windows Server. Sometimes an IP is provided, but sometimes it's not; it's mostly not.

 

The ASA does not support "Reservations", and it also only supports dhcp relay if it is configured for all interfaces (as I understand it?), and then I would be back to the full reliance on the server in both buildings.

 

My short-term "solution" has been to activate DHCP on the ASA also (split scope), but now my "Reservations" are kind of hit and miss, as some devices could get their IP from the ASA instead of the reserved ones from the server.

 

The Ubiquiti USG, which could solve a lot of the problems, as it has a lot of flexibility around DHCP, has no option to set another gateway than itself, so that's also useless here, as I don't want it to be the gateway.

 

If I could explain and fix the DHCP reliability issues in the current setup, I would be fine, but it seems like a strange problem to me? I assume that when you configure a switchport to a VLAN, and plug in a Windows Server with a DHCP server, all devices on that VLAN and subnet would always be able to acquire an IP from the server? Am I missing something?

 

All advice is appreciated

 

Michael 
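The symptom described above (clients on one VLAN sometimes never get an address, and with the split scope some clients are served by the wrong server) is easiest to pin down by looking at each client's DHCP exchange as a transaction rather than at single packets. The script below is an added example and not part of this thread or any vendor tool: it parses constructed log lines in an assumed `time vlan=<id> <MSG> xid=<hex> mac=<mac> [server=<ip>]` format (such lines can be produced from a capture on the access-point or server VLAN), groups DISCOVER/OFFER/REQUEST/ACK by transaction id, and classifies each client as completed, never offered (DISCOVER reaching nobody, e.g. filtered by DHCP snooping or a silent server), offered but not acknowledged, or served by a server other than the one expected on that VLAN. The addresses 10.30.0.5 (the expected server) and 10.30.0.1 (the other DHCP server) are assumed placeholders.

```python
"""Classify DHCP transactions from constructed log lines to locate where an
exchange fails and whether an unexpected server answered (added example)."""
import re
from dataclasses import dataclass, field

# Constructed sample lines, not captured from the poster's network.
# Assumed format: "<time> vlan=<id> <MSG> xid=<hex> mac=<mac> [server=<ip>]"
SAMPLE_LOG = """\
10:00:01 vlan=30 DISCOVER xid=0x1a2b mac=aa:bb:cc:00:00:01
10:00:01 vlan=30 OFFER xid=0x1a2b mac=aa:bb:cc:00:00:01 server=10.30.0.5
10:00:02 vlan=30 REQUEST xid=0x1a2b mac=aa:bb:cc:00:00:01 server=10.30.0.5
10:00:02 vlan=30 ACK xid=0x1a2b mac=aa:bb:cc:00:00:01 server=10.30.0.5
10:00:05 vlan=30 DISCOVER xid=0x2c3d mac=aa:bb:cc:00:00:02
10:00:08 vlan=30 DISCOVER xid=0x2c3d mac=aa:bb:cc:00:00:02
10:00:12 vlan=30 DISCOVER xid=0x2c3d mac=aa:bb:cc:00:00:02
10:00:20 vlan=30 DISCOVER xid=0x3e4f mac=aa:bb:cc:00:00:03
10:00:20 vlan=30 OFFER xid=0x3e4f mac=aa:bb:cc:00:00:03 server=10.30.0.1
10:00:21 vlan=30 REQUEST xid=0x3e4f mac=aa:bb:cc:00:00:03 server=10.30.0.1
10:00:21 vlan=30 ACK xid=0x3e4f mac=aa:bb:cc:00:00:03 server=10.30.0.1
10:00:30 vlan=30 DISCOVER xid=0x5a6b mac=aa:bb:cc:00:00:04
10:00:30 vlan=30 OFFER xid=0x5a6b mac=aa:bb:cc:00:00:04 server=10.30.0.5
10:00:31 vlan=30 REQUEST xid=0x5a6b mac=aa:bb:cc:00:00:04 server=10.30.0.5
"""

# Assumed: which server is supposed to answer on which VLAN (placeholder IPs).
EXPECTED_SERVERS = {"30": "10.30.0.5"}

LINE_RE = re.compile(
    r"^(?P<time>\S+) vlan=(?P<vlan>\d+) (?P<msg>DISCOVER|OFFER|REQUEST|ACK|NAK)"
    r" xid=(?P<xid>0x[0-9a-f]+) mac=(?P<mac>[0-9a-f:]{17})(?: server=(?P<server>\S+))?$"
)


@dataclass
class Transaction:
    vlan: str
    mac: str
    xid: str
    messages: list = field(default_factory=list)  # message types in arrival order
    servers: set = field(default_factory=set)     # servers seen in OFFER/ACK


def parse_log(text):
    """Group log lines into transactions keyed by (vlan, xid, client mac)."""
    txns = {}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # ignore lines that do not fit the assumed format
        key = (m["vlan"], m["xid"], m["mac"])
        t = txns.setdefault(key, Transaction(m["vlan"], m["xid"] and m["vlan"] and m["mac"], m["xid"]))
        t.messages.append(m["msg"])
        if m["server"] and m["msg"] in ("OFFER", "ACK"):
            t.servers.add(m["server"])
    return list(txns.values())


def classify(txn, expected_servers):
    """Name the stage where the exchange stopped, or the server that answered."""
    if "OFFER" not in txn.messages:
        # DISCOVER was sent (possibly retried) but nobody answered: the request
        # never reached a server, was filtered on the path, or the pool is empty.
        return "no_offer"
    if "ACK" not in txn.messages:
        return "offer_not_acked"
    if txn.servers - {expected_servers.get(txn.vlan)}:
        # A server other than the one configured for this VLAN handed out the
        # lease; with a split scope this is how a reservation gets bypassed.
        return "served_by_unexpected_server"
    return "completed"


def report(text, expected_servers):
    """Return per-client status, DISCOVER retry count and answering servers."""
    out = {}
    for t in parse_log(text):
        out[t.mac] = {
            "status": classify(t, expected_servers),
            "discovers": t.messages.count("DISCOVER"),
            "servers": sorted(t.servers),
        }
    return out


if __name__ == "__main__":
    for mac, info in report(SAMPLE_LOG, EXPECTED_SERVERS).items():
        print(mac, info)
```

Run against real lines, the `no_offer` group tells you whether DISCOVERs from wireless clients are being dropped somewhere between the access point and the server VLAN (the case to check first when DHCP snooping is enabled on the switches), while `served_by_unexpected_server` lists the clients whose reservation on the Windows server was pre-empted by the other scope.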

7 Replies

Hello,

 

post a schematic drawing of your topology showing how your devices are connected. The Windows DHCP server is located in a different building than the ASA...where are the WiFi clients, and how are they connected (e.g. with Access Points) ?

Thank you Georg,

 

There are a couple of switches in each building, and the trunk in between. One switch in each building is PoE, and there are several access points distributed over the two buildings connected to those two switches.

 

All access points receive all VLANs.

 

There are no issues via WIFI on all the VLANs that get DHCP from the ASA, only for the VLAN that utilizes the Windows Server, and only when it's via WIFI.

 

I will work on a diagram.

 

Michael

Hello,

 

the first thing to look at with these kinds of issues is usually the access points the wireless clients are using; which are those?

They are all: Ubiquiti UAP-AC-Pro

Hi Georg,

 

Do you think the issue could be related to DHCP Snooping? It was enabled on the Ubiquiti equipment. I have disabled it, but I'm not able to test right now.

 

Br Michael

Hello,

 

DHCP snooping...could be, but it would usually mean that no DHCP traffic at all goes through...

 

I have looked around and found the interesting thread below, with some good suggestions:

 

https://community.ui.com/questions/Clients-cant-always-get-IP-address-from-DHCP/9ca99099-8ffe-4fa4-901b-a70174902fff

Thanks Georg,

 

I did look at some posts similar to the one you have referred to. They indicate that there is some long outstanding error in this area; several years, and contain a number of suggestions in line with the post you have linked to.

 

I have tried several things, but have not been willing to downgrade software, as I don't see this as a solution; so far I haven't been successful.

 

I have however also found out that the ASA now supports DHCP reservations, and since I have not experienced any issue with the ASA handing out IPs, I really have a solution that could work, namely dropping the Windows Server as DHCP, and only using the ASA instead, for all DHCP on the network. There is one negative thing about that though: I'm again dependent on the fiber trunk, as all DHCP comes from only one of the buildings.

 

In the post you sent, one person suggests that using "All" (VLANs) instead of one with a limited number of VLANs might do the trick. I'm doing exactly that, as there were a few VLANs I do not need to expose on WIFI. I will try and change that and see if it makes any difference; I should be able to test that tomorrow.

 

Br Michael