Problem Description
The AnyConnect (AC) client cannot get an address via DHCP, so the connection fails.
It works fine when the address comes from a local pool.
Validating address: 0.0.0.0
CSTP state = WAIT_FOR_ADDRESS
webvpn_cstp_accept_address: 0.0.0.0/0.0.0.0
webvpn_cstp_accept_address: no address?!?
CSTP state = HAVE_ADDRESS
No assigned address
webvpn_cstp_send_error: 503 Service Unavailable
CSTP state = ERROR
Resolution Summary
Add a route-lookup keyword at the end of the VPN NAT statement.
Explanation:
This is expected behavior. A change to NAT behavior was made in the 8.4.4.7 release that was intended to correct a manual NAT ordering execution problem. In effect, this change caused all manual NAT entries to create entries in the ASA NAT divert table. However, this change also had some unintended side effects which caused traffic to be routed out the incorrect egress interface due to using the divert table even if the egress was in conflict with the ASA's routing table.
In simple words: without the route-lookup keyword, the DHCP offer packet is matched against the manual NAT statement for VPN and is diverted to the egress interface named in that NAT statement. The ASA therefore treats it as a through-the-box packet rather than one terminating at the ASA itself, which is where it should terminate, since the ASA installs the DHCP network scope as an identity route.
When the route-lookup keyword is added, the ASA sees that the route for this DHCP network scope conflicts with the egress interface of the NAT statement, so it uses the routing-table entry, which is the behaviour needed here.
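The following ASA configuration fragment is an added illustration of the fix and is not taken from the original article. It shows a typical manual (twice) NAT exemption for VPN traffic before and after the route-lookup keyword. The object names, interface names, the 10.x subnets and the DHCP server address are assumed example values; the group-policy and tunnel-group lines only provide the DHCP assignment context referred to in the explanation above.

```text
! --- assumed example objects (not from the page) ---
object network INSIDE-LAN
 subnet 10.1.0.0 255.255.0.0
object network VPN-DHCP-SCOPE
 subnet 10.200.0.0 255.255.255.0

! --- DHCP-based address assignment for the AnyConnect users (assumed values) ---
group-policy GP-ANYCONNECT internal
group-policy GP-ANYCONNECT attributes
 dhcp-network-scope 10.200.0.0
tunnel-group TG-ANYCONNECT general-attributes
 default-group-policy GP-ANYCONNECT
 dhcp-server 10.1.0.5

! --- before: manual NAT exemption without route-lookup ---
! The divert-table entry created by this rule steers the DHCP offer toward the
! "inside" egress interface named in the rule, even though the ASA holds an
! identity route for the DHCP scope and should terminate the packet itself.
nat (inside,outside) source static INSIDE-LAN INSIDE-LAN destination static VPN-DHCP-SCOPE VPN-DHCP-SCOPE no-proxy-arp

! --- after: same rule with route-lookup appended ---
! route-lookup makes the ASA consult the routing table when the divert-table
! egress interface conflicts with it, so the offer terminates on the ASA and
! the client receives its address.
nat (inside,outside) source static INSIDE-LAN INSIDE-LAN destination static VPN-DHCP-SCOPE VPN-DHCP-SCOPE no-proxy-arp route-lookup
```

After applying the change, a quick check is to confirm with "show nat" that the rule now carries the route-lookup keyword and to re-run the AnyConnect connection while watching the CSTP debug: the WAIT_FOR_ADDRESS state should now be followed by a non-zero assigned address instead of the "no address?!?" message and the 503 error shown above.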