
ASA will not pull DHCP address from Frontier Fiber

I started this topic here, I hope this is correct.

 

We changed ISP services yesterday and I love how Frontier is delivering a true FTTH (Fiber to the Home). Once the account is activated you simply plug the network cable into their NVG or you can connect directly to a device. Everything works GREAT except for the Cisco ASA. It will NOT pull the DHCP address. I have no routing set, interface is set to dhcp. If I connect to their NVG (set up as a router) it will pull an internal address. If I set the NVG to bridge mode, the ASA doesn't get an IP. I then can plug directly to my laptop, boom online. Back to ASA, well you get the point.

 

Any ideas why the ASA will not pull an IP? What is different in how the Cisco ASA requests DHCP from the NVG (NVG468MQ in routing mode) compared with my laptop, which is able to obtain an IP?

Could this be the ISP not allowing a Cisco device to connect because of the type of device?  This just doesn't make sense.  One of them is the cause of this problem.

Hello,

 

Odd indeed. Do you know the IP address of the Frontier side? If so, try to configure:

 

dhcprelay server ip_address outside

 

I think the ASA has 'debug dhcpd event' and 'debug dhcpd packet' options. What is the output of those when you shut/no shut the outside interface?

interface GigabitEthernet1/1
shutdown
nameif outside
security-level 0
ip address dhcp setroute

asa(config-if)# no sh

asa(config-if)#

asa#

asa#

asa#

--------------------------Moved the ISP Directly to ASA--------------------

asa# sh route

Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2, V - VPN
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route, + - replicated route
Gateway of last resort is 192.168.254.254 to network 0.0.0.0

S* 0.0.0.0 0.0.0.0 [1/0] via 192.168.254.254, outside
D 10.0.0.0 255.0.0.0 [90/3072] via 172.16.10.1, 4d04h, inside
C 172.16.10.0 255.255.255.248 is directly connected, inside
L 172.16.10.2 255.255.255.255 is directly connected, inside
C 192.168.5.0 255.255.255.128 is directly connected, streaming
L 192.168.5.1 255.255.255.255 is directly connected, streaming
D 192.168.20.0 255.255.255.0 [90/3072] via 172.16.10.1, 4d04h, inside
C 192.168.254.0 255.255.255.0 is directly connected, outside
L 192.168.254.10 255.255.255.255 is directly connected, outside


asa# DHCPD/RA: Server msg received, fip=ANY, fport=0 on streaming interface
DHCPD: DHCPREQUEST received from client 0170.bc10.c83e.53.
DHCPD: Extracting client address from the message
DHCPD: State = DHCPS_REBOOTING
DHCPD: Client 0170.bc10.c83e.53 specified it's address 192.168.5.48
DHCPD: Client is on the correct network
DHCPD: Client accepted our offer
DHCPD: Client and server agree on address 192.168.5.48
DHCPD: Renewing client 0170.bc10.c83e.53 lease
DHCPD: Client lease can be renewed
DHCPD: adding option 3
DHCPD: deleting option 3
DHCPD: Sending DHCPACK to client 0170.bc10.c83e.53 (192.168.5.48).
DHCPD: adding option 3
DHCPD: Including FQDN option name 'XBOXONE.' rcode1=0, rcode2=0 flags=0x0
DHCPD: client requests option 3.
DHCPD: copy option 3 (length = 4) to outgoing message.

DHCPD: Total # of raw options copied to outgoing DHCP message is 1.
DHCPD/RA: creating ARP entry (192.168.5.48, 70bc.10c8.3e53).
DHCPD: unicasting BOOTREPLY to client 70bc.10c8.3e53(192.168.5.48).
DHCPD: deleting option 3


asa#


---------------------Moved the ISP back to the NVG----------------------

asa# sh route

Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2, V - VPN
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route, + - replicated route
Gateway of last resort is 192.168.254.254 to network 0.0.0.0

S* 0.0.0.0 0.0.0.0 [1/0] via 192.168.254.254, outside
D 10.0.0.0 255.0.0.0 [90/3072] via 172.16.10.1, 4d04h, inside
C 172.16.10.0 255.255.255.248 is directly connected, inside
L 172.16.10.2 255.255.255.255 is directly connected, inside
C 192.168.5.0 255.255.255.128 is directly connected, streaming
L 192.168.5.1 255.255.255.255 is directly connected, streaming
D 192.168.20.0 255.255.255.0 [90/3072] via 172.16.10.1, 4d04h, inside
C 192.168.254.0 255.255.255.0 is directly connected, outside
L 192.168.254.10 255.255.255.255 is directly connected, outside


asa# DHCPD/RA: Server msg received, fip=ANY, fport=0 on outside interface
DHCPD/RA: Server msg received, fip=ANY, fport=0 on outside interface
DHCPD/RA: Server msg received, fip=ANY, fport=0 on outside interface
DHCPD/RA: Server msg received, fip=ANY, fport=0 on outside interface
DHCPD/RA: Server msg received, fip=ANY, fport=0 on outside interface
DHCPD/RA: Server msg received, fip=ANY, fport=0 on outside interface
DHCPD/RA: Server msg received, fip=ANY, fport=0 on outside interface
DHCPD/RA: Server msg received, fip=ANY, fport=0 on outside interface
DHCPD/RA: Server msg received, fip=ANY, fport=0 on outside interface
DHCPD/RA: Server msg received, fip=ANY, fport=0 on outside interface
DHCPD/RA: Server msg received, fip=ANY, fport=0 on outside interface
DHCPD/RA: Server msg received, fip=ANY, fport=0 on outside interface
DHCPD/RA: Server msg received, fip=ANY, fport=0 on outside interface
DHCPD/RA: Server msg received, fip=ANY, fport=0 on outside interface

Hello

You don't show any existing configuration, however, so as an example:
int x/x/
nameif outside
security-level 0
ip address dhcp setroute


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul

Sorry, I didn't get notified of your response. Here is the current setup.

 

asa# sh run inter g1/1
!
interface GigabitEthernet1/1
nameif outside
security-level 0
ip address dhcp setroute

 

 

It is very odd, but I also observed this on the cable modem if I configured a vlanX (no SVI) on two ports. One going to the ASA and one to the cable modem, the ASA would not get an address. But if you plug the modem directly to the ASA it works fine. I know that I have three other Frontier customers that currently cannot plug directly to Frontier either on Fiber or DSL connections.

 

Very strange.

Hello


@Grant-Security/Network Analyst wrote:

It is very odd, but I also observed this on the cable modem if I configured a vlanX (no SVI) on two ports. One going to the ASA and one to the cable modem, the ASA would not get an address. But if you plug the modem directly to the ASA it works fine. I know that I have three other Frontier customers that currently cannot plug directly to Frontier either on Fiber or DSL connections.


Why are you tagging the access ports interconnecting the ASA and modem? Try the native VLAN on the access ports (usually vlan1) and test again.

Another thing could be that the switch interconnecting the modem and ASA isn't MDIX compatible, and as such it is not negotiating speed/duplex correctly.



Kind Regards
Paul

In the comment above, I was NOT tagging traffic. Just trying to say that it was a similar result. Either way, DHCP is working for a home router and a laptop, but not the Cisco ASA. Doesn't make sense. But the ASA does however work in "certain" situations. I was hoping to post on here to find people that could give helpful information.

Hello


@Grant-Security/Network Analyst wrote:

But if you plug the modem directly to the ASA it works fine

 

But the ASA does however work in "certain" situations. I was hoping to post on here to find people that could give helpful information.


Your "certain situations" are a bit vague. However, as it seems that when the ASA is directly connected to the cable modem it works, and as you say you don't tag anything, another alternative could be that the cable modem is registering the MAC address of the ASA.

You could try spoofing the cable modem, by giving the switch's access port the MAC address of the ASA outside interface and the ASA the MAC address of the switch's access port.

 



Kind Regards
Paul

Hello,

 

Since nothing seems to help, you might as well try something that is sort of out of the box: change the MAC address on the outside interface to something different. I think the interface command is 'mac-address xxxx.xxxx.xxxx'....

Paul,

 

Can you explain MDIX compatible? Is this something the ASA needs to get a DHCP address? Why would the laptop and basic router get an IP?

Paul, your suggestions are vague. This is very simple, just look at a direct ISP connection via cat5. DHCP is working when connected to a laptop or a generic router. But the ASA will not obtain an address via the Frontier connection, but will with the cable modem. None of the devices have issues connecting to the cable modem. I am simply trying to find out what is happening in the DHCP request that is not being made with the ASA.

Hello 

Tagging isn't the issue, and it also sounds like MAC reservation isn't either, so can you elaborate on this "frontier connection"? What is it?



Kind Regards
Paul

Hello,

 

Frontier uses Arris NVGs? What is your exact model?

 

You probably already have done this, but did you reboot the NVG and the ASA? It might be that the MAC addresses are stored on the device(s)...