ASA 9.2(2) VPN Client DHCP Issue

m.glosson
Level 1

We recently moved from a 5510 on 8.0 code to a 5525 on 9.2(2). The client VPN configuration was moved over exactly (and didn't need to be changed). However, since the move, getting an address for the clients via DHCP has not worked. As a workaround we just assigned the address from a local pool, but dynamic DNS is particularly important so that is not a good long-term solution for us. The inside interface is 10.11.10.1 but the clients get addresses from the 10.11.11.0/24 range. That is routed back to the ASA and worked fine on 8.0 and it works fine when allocated from a local pool.

Here is the relevant configuration (group names changed to protect the innocent):

tunnel-group ClientGroup general-attributes
 default-group-policy ClientGroup
 dhcp-server 10.200.1.12
 dhcp-server 10.200.1.13

group-policy ClientGroup attributes
 dhcp-network-scope 10.11.11.2

The only reason I have the scope as 10.11.11.2 instead of 10.11.11.0 (which is what it used to be) is that somebody suggested that elsewhere. If .2 is better, then using the word "scope" is a misnomer--it should be "relay-agent" or something.

When I do a debug dhcpc detail and debug dhcpc error I get:

DHCP: DHCP Proxy added rule 876961344 for interface: inside, scope: 10.11.11.2, server: 10.200.1.12, in use count: 1.
DHCP: DHCP Proxy added route for interface: inside, address: 10.11.11.2, to us: TRUE, in use count: 1.
DHCP: DHCP Proxy added rule 872373232 for interface: inside, scope: 10.11.11.2, server: 10.200.1.13, in use count: 1.
DHCP: DHCP Proxy route entry exists for interface: inside, address: 10.11.11.2, in use count: 2.
DHCP: Adding 10.200.1.13 as DHCP server
DHCP: DHCP Proxy decremented rule 876961344 count for interface: inside, scope: 10.11.11.2, server: 10.200.1.12, in use count: 0.
DHCP: DHCP Proxy decremented route count for interface: inside, address: 10.11.11.2, in use count: 1.
DHCP: DHCP proxy removed rule 876961344 on interface: inside address: 10.11.11.2.
DHCP: DHCP Proxy decremented rule 872373232 count for interface: inside, scope: 10.11.11.2, server: 10.200.1.13, in use count: 0.
DHCP: DHCP Proxy decremented route count for interface: inside, address: 10.11.11.2, in use count: 0.
DHCP: DHCP Proxy removed route on interface: inside, address: 10.11.11.2.
DHCP: DHCP proxy removed rule 872373232 on interface: inside address: 10.11.11.2.

DHCP Proxy command failed

DHCP: Failure removing rule for interface:inside, scope:10.11.11.2, server:10.200.1.12. Rule not in list.
DHCP: Failure removing rule for interface:inside, scope:10.11.11.2, server:10.200.1.13. Rule not in list.

When I do a packet capture I can see that the server is giving DHCPOFFER messages but they are apparently simply being discarded. If I don't use a dhcp-network-scope, I can get addresses from 10.11.10.0/24 range, but that's not what I want, dagnabbit. Is the ASA version 9.2(2) incapable of getting an "off network" address from a DHCP server? FYI, the DHCP server is Windows Server 2008, which I don't think supports RFC 3011 or 3527.

Thanks for any help.

3 Replies

rvarelac
Level 7

Hi, 

Which address do you want to be assigned to the user? The DHCP scope seems to be configured incorrectly; you can find an example of this configuration at the following links:

http://www.cisco.com/c/en/us/support/docs/security/anyconnect-secure-mobility-client/118084-configure-anyconnect-00.html

http://www.cisco.com/c/en/us/td/docs/security/asa/asa83/configuration/guide/config/vpnadd.html

Happy holidays!

-Randy-

I guess it's not totally clear from my original post, but the clients are supposed to get an address in the 10.11.11.x range. They got that perfectly well when using 8.0 code. Just to repeat... we have a separate "virtual" subnet for just VPN clients (10.11.11.0/24) which is different from the physical subnet of the ASA's inside interface (that subnet is 10.11.10.0/24). If I don't include a dhcp-network-scope 10.11.11.0 command, the clients do get a 10.11.10.x address, but that's not what I want.

m.glosson
Level 1

Eventually TAC got me the answer. The NAT statement that defined the VPN traffic had to have the "route-lookup" statement in it. Here's what the NAT now looks like:

nat (inside,Outside) source static any any destination static OBJ-10.11.11.0-24 OBJ-10.11.11.0-24 no-proxy-arp route-lookup
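A small config-audit check, added here as an example and not taken from the thread or from Cisco: it parses twice-NAT "source static" lines of the form shown above and flags identity (NAT-exempt) rules aimed at the VPN client object that lack the route-lookup or no-proxy-arp keywords. The object name OBJ-10.11.11.0-24 comes from the post; the sample config lines and the set of VPN objects are constructed for the example.

```python
import re
from dataclasses import dataclass
from typing import List, Optional
NAT_RE = re.compile(  # twice-NAT "source static ... [destination static ...]" form
    r"^nat \((?P<real_if>[^,]+),(?P<mapped_if>[^)]+)\) "
    r"source static (?P<src_real>\S+) (?P<src_mapped>\S+)"
    r"(?: destination static (?P<dst_real>\S+) (?P<dst_mapped>\S+))?"
    r"(?P<opts>(?: \S+)*)$"
)
@dataclass
class NatRule:
    real_if: str
    mapped_if: str
    src_real: str
    src_mapped: str
    dst_real: Optional[str]
    dst_mapped: Optional[str]
    options: List[str]

    def is_identity(self) -> bool:
        # Identity (NAT-exempt) rule: each mapped object equals its real object.
        return self.src_real == self.src_mapped and self.dst_real == self.dst_mapped

def parse_nat(line: str) -> Optional[NatRule]:
    m = NAT_RE.match(line.strip())
    if not m:
        return None  # not a "source static" twice-NAT line
    return NatRule(m["real_if"], m["mapped_if"], m["src_real"], m["src_mapped"],
                   m["dst_real"], m["dst_mapped"], m["opts"].split())

def audit(config_lines, vpn_objects):
    """Return [(line, missing_keywords)] for identity NAT rules aimed at a VPN
    client object that lack no-proxy-arp or route-lookup."""
    findings = []
    for line in config_lines:
        rule = parse_nat(line)
        if rule is None or not rule.is_identity() or rule.dst_real not in vpn_objects:
            continue
        missing = [kw for kw in ("no-proxy-arp", "route-lookup") if kw not in rule.options]
        if missing:
            findings.append((line.strip(), missing))
    return findings

# Constructed sample: line 1 lacks route-lookup, line 2 is the form the thread ends with,
# line 3 is an ordinary dynamic PAT rule that the audit must ignore.
SAMPLE_CONFIG = [
    "nat (inside,Outside) source static any any destination static OBJ-10.11.11.0-24 OBJ-10.11.11.0-24 no-proxy-arp",
    "nat (inside,Outside) source static any any destination static OBJ-10.11.11.0-24 OBJ-10.11.11.0-24 no-proxy-arp route-lookup",
    "nat (inside,Outside) source dynamic any interface",
]
VPN_OBJECTS = {"OBJ-10.11.11.0-24"}
```

Run audit(SAMPLE_CONFIG, VPN_OBJECTS) against the output of "show running-config nat" to list the exemption rules that still need the keyword.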