Unique Client Identifier when sending DHCP Discover for VPN

Rene Mueller
Level 5

Hello,

we have a 2911 VPN router which is used for AnyConnect to dial in via IPsec. However, we are using an external Windows DHCP server to manage IP addresses. We just found out that the router passes the DHCP Discover each time with a different client identifier number. Because of that, the client computer gets a new IP from DHCP each time instead of keeping its IP during the lease period.

[screenshot: 2021-01-11 16_30_25-mRemoteNG - confCons.xml - admin-05.png]

This is the setup on the router:

crypto ikev2 authorization policy ikev2-author-policy_AnyConnect
dhcp server 10.128.9.98
dhcp giaddr 10.128.30.1
dhcp timeout 10
dns 10.128.9.99
def-domain company.name
route set access-list acl_split-tunnel

Is there a way to configure the router so that it doesn't regenerate a unique ID for a remote client computer?

12 Replies

Hello,

I have seen the option:

Router(config)#ip dhcp relay information option vpn

which changes the giaddr to the outgoing interface.

Not sure what that does for AnyConnect/IPsec clients, but configure that and check if the unique ID is removed.

Rene Mueller
Level 5

Hi Georg,

this command did not help at all and had no impact on the unique ID. Still the same situation.

Hello,

I am not sure if there is something on the Cisco router that can prevent this. Can you test disabling option 61 on one of your (hopefully Windows) clients, and see what the results are?

You need to change the HKEY below on the client:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\SkipClientID

By default, this registry entry is set to 0 (False), and therefore the option is included in outgoing DHCP requests.

Set this value to 1 (True) to prevent the option from being sent in the DHCP requests.

Rene Mueller
Level 5

I think it is not a client problem, as DHCP is working correctly whenever I VPN into a Cisco firewall. Then the unique ID remains permanent for the client. This problem is only happening in combination with an IOS router.

Hello Rene,

tough one. Can you debug the traffic to your DHCP server? Maybe that reveals where the UCIs come from...

! numbered extended ACL matching only traffic to the DHCP server
access-list 101 permit ip any host 10.128.9.98
!
debug ip packet 101 detail

When I debug the DHCP request, I can see that a hex dump generated by the router itself is used as the client identifier. And the frustrating thing is that the router generates a new hex dump every time a VPN client connects.

I did a test and configured a local DHCP pool on the router itself, and also in this scenario the hex dump generated by the router means that every time a client connects via VPN, it gets a new IP address although the old IP lease time hasn't expired. The end result is that the DHCP scope runs out of available IPs.

Is there nobody out there living in the Cisco world who has a running setup with FlexVPN on a router where DHCP is working as expected?
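As an added illustration (not from this thread or any Cisco tool), a small Python parser that pulls giaddr and option 61 out of a DHCP Discover and reports what the server will key the lease on, so a capture of the relayed packets toward the DHCP server can be checked for the changing identifier described above. The MAC and the three packets below are constructed test input, not captures from the router.

```python
import struct
MAGIC = b"\x63\x82\x53\x63"  # DHCP magic cookie closing the 236-byte BOOTP header

def build_discover(chaddr, giaddr, client_id=None):
    """Constructed minimal DHCPDISCOVER (test input, not a real capture)."""
    hdr = struct.pack("!BBBBIHH12s4s", 1, 1, len(chaddr), 0, 0x1234, 0, 0x8000,
                      b"\0" * 12, bytes(int(o) for o in giaddr.split(".")))
    hdr += chaddr.ljust(16, b"\0") + b"\0" * 192 + MAGIC
    opts = b"\x35\x01\x01"  # option 53 = DHCPDISCOVER
    if client_id is not None:
        opts += bytes([61, len(client_id)]) + client_id  # option 61
    return hdr + opts + b"\xff"

def parse_discover(pkt):
    """Return chaddr, giaddr and raw option 61 (client identifier) of a DHCP packet."""
    if len(pkt) < 240 or pkt[236:240] != MAGIC:
        raise ValueError("not a DHCP packet")
    info = {"chaddr": pkt[28:28 + pkt[2]].hex(":"),
            "giaddr": ".".join(str(b) for b in pkt[24:28]), "client_id": None}
    i = 240
    while i < len(pkt) and pkt[i] != 255:  # 255 = end option
        if pkt[i] == 0:                     # 0 = pad, has no length byte
            i += 1
            continue
        code, length = pkt[i], pkt[i + 1]
        if code == 61:
            info["client_id"] = pkt[i + 2:i + 2 + length]
        i += 2 + length
    return info

def lease_key(info):
    """What the DHCP server keys the lease on: option 61 if present, else chaddr."""
    cid = info["client_id"]
    if cid is None:
        return "chaddr:" + info["chaddr"]
    if cid[0] == 1 and cid[1:].hex(":") == info["chaddr"]:
        return "mac:" + info["chaddr"]   # stable across reconnects
    return "opaque:" + cid.hex()         # a fresh value each time means a fresh lease

def same_client_new_key(a, b):
    """The thread's symptom: same chaddr in both Discovers, different lease key."""
    ia, ib = parse_discover(a), parse_discover(b)
    return ia["chaddr"] == ib["chaddr"] and lease_key(ia) != lease_key(ib)

MAC = bytes.fromhex("001122334455")  # constructed client MAC
GIADDR = "10.128.30.1"               # giaddr configured in the thread's policy
# constructed: two Discovers from one client, relay-generated opaque ids differ
FIRST = build_discover(MAC, GIADDR, b"\x00" + bytes.fromhex("a1b2c3d4"))
SECOND = build_discover(MAC, GIADDR, b"\x00" + bytes.fromhex("e5f60718"))
GOOD = build_discover(MAC, GIADDR, b"\x01" + MAC)  # option 61 carrying the MAC
```

Feed parse_discover the UDP payload of real relayed Discovers (e.g. from a capture on the DHCP server) to see whether option 61 carries the client MAC or an opaque value that changes per connection.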

Hello,

I remember that (a very long time ago, admittedly) in Active Directory, you could set a static IP address, and then Cisco ISE would query AD for this attribute.

I wonder if something like this could be configured in your router, with local AAA. I researched this, and it should look something like below. The 'problem' is which attribute type to use, the options are massive...


aaa new-model
!
aaa authorization network attr-list-group local

aaa attribute list attr-list
attribute type --?

!

crypto ikev2 authorization policy ikev2-author-policy_AnyConnect
dhcp server 10.128.9.98
dhcp giaddr 10.128.30.1
dhcp timeout 10
dns 10.128.9.99
def-domain company.name
route set access-list acl_split-tunnel
aaa attribute list attr-list

Hi Rene

We have this exact problem, but on an ASA firewall. You wrote that it works correctly through a Cisco Firewall. Can you share some details on this setup?

Hi,

we don't use an ASA firewall, but FTD (Firepower). I remember that we had to disable DHCP failover on the Windows DHCP servers for that VPN scope.

Rene Mueller
Level 5

I opened a TAC support case and the outcome is that there is no way to configure the router so that it sends the client's MAC instead of a hex dump. With the local DHCP pool the router will give the user the next available IP. DHCP leases are ignored.

For this, the only workaround for now is to set up static IP attributes in AD which can then be used by a RADIUS server. This is a very frustrating workaround and not really a solution when having hundreds of VPN clients.

If you are using ISE the following links may help in assigning static IPs:


https://integratingit.wordpress.com/2017/01/01/cisco-asa-anyconnect-vpn-with-static-client-ip-address/

https://community.cisco.com/t5/policy-and-access/cisco-ise-apply-attributes-ip-address-to-authenticated-user/td-p/3183967

https://community.cisco.com/t5/policy-and-access/assign-static-ip-address-to-asa-vpn-clients-by-ise/td-p/2345311

https://community.cisco.com/t5/identity-services-engine-ise/assign-an-ip-from-ise-for-every-user/td-p/3493342

Hello,

--> For this, the only workaround for now is to set up static IP attributes in AD which can then be used by a RADIUS server. This is a very frustrating workaround and not really a solution when having hundreds of VPN clients.

So nothing has changed since the AD/ISE 'workaround' I mentioned earlier, which as far as I recall has been around since at least the days of Windows 7. Frustrating indeed, especially if you have hundreds of clients.

I guess the next thing to do would be to look for a non-Cisco solution.

Rene Mueller
Level 5

We have the same situation also with our FTD Firepower machine, and there is an open bug for this (and ASA) and NO solution for this!

https://bst.cloudapps.cisco.com/bugsearch/bug/CSCsr53828