Re: Realize this is an old issue,

kirk.frankovich · ‎07-14-2015

Good day everyone,

I am trying to setup AnyConnect 4.1 to use a Windows DHCP server, however I am not having any luck. I have everything configured as the guides and other posts in these forums show, but my client does not receive an IP address.

I did a packet capture on the ASA and what I saw was repeated DHCP Discover packets (coming from the ASA) and DHCP Offer Packets (coming from my DHCP server). So it appears that for some reason the ASA is not forwarding the requests to the client (in the one capture I took, the DHCP server offered 4 different addresses.

I have the server configured correctly in the tunnel group and I believe I have the group policy correct as well (the option is set to 172.24.15.0 which is my DHCP subnet). In the packet capture, I see the DHCP Offers sent to 172.24.15.0 as the relay agent).

I thought perhaps there was an access-list issue, so for the heck of it I allowed all bootpc and bootps traffic from the server through the firewall. No luck.

I am not sure what exactly I am missing. Note that if I use an internal pool on the ASA with the same subnet everything works great.

This is ASA 9.4.1 with ASDM 7.4.2.

Thanks in advance for any suggestions.

Abaji Rawool · ‎07-14-2015

Hi,

You can apply capture on ASA interface facing the DHCP server and check if the server is responding to DHCP requests and also use "debug webvpn anyconnect 255" to check the errors if any.

To stop debugs "undebug all"

HTH

Abaji.

kirk.frankovich · ‎07-14-2015

Greetings,

I did do a capture and found the following:

DHCP Discover being sent out from the ASA

DHCP Offer being sent back to the address configured under the group policy dhcp-network-scope option

And that is it...I never see anything else. The above just keeps happening (the server offers 4 addresses before giving up).

From what I can tell, the client or the ASA is never accepting the address or receiving the offer.

Any ideas what might be causing that scenario?

Abaji Rawool · ‎07-14-2015

Could you post the relevant config and exported captures in pcap here?

HTH

Abaji.

Professor_Pickles · ‎05-05-2016

Realize this is an old issue, but you might want to set your DHCP subnet to a real IP, in your case you have 172.24.15.0 you should change that to 172.24.15.1. For some reason ASA/Windows DHCP require a real IP address to work on the 9.x code.

Hope you figured it out.

rgreville666 · ‎09-07-2017

I get the same issue no matter what.. I also allowed it through the firewall just to make sure...

%ASA-2-106006: Deny inbound UDP from 192.168.201.100/67 to 192.168.202.0/67 on interface INSIDE
%ASA-2-106006: Deny inbound UDP from 192.168.201.100/67 to 192.168.202.1/67 on interface INSIDE

Im on 9.8

BEN ROBINSON · ‎03-28-2018

Did you ever find a fix for this?

rgreville666 · ‎03-28-2018

Nope, I gave up and just ended up doing a pool. When it did work it would just stop, very flaky feature in my opinion. I was using a context and there where loads of incompatible features.

BEN ROBINSON · ‎03-28-2018

Ah, okay! We are having the issue where the DHCP server sends an OFFER, but then nothing back from ASA and AnyConnect client never gets IP. Configured the dhcp-subnet under the group and the tunnel-group to use that subnet-RFC thing, but no go. Working with TAC now.

Supersix1 · ‎05-27-2018

Ben,

Did the TAC help you resolve the use of a MS DHCP server? I'm seeing the same thing you were.

BEN ROBINSON · ‎05-27-2018

So the answer for me here was to use the route-lookup argument as the end of the NAT statement for the VPN clients. Ensure that is there and let me know if it works for you!

Bruce1 · ‎03-18-2019

Realize this is an old thread but was struggling with this on an ASA migration (was using local pools on old ASA and wanted to use MS DHCP on new). The route-lookup at the end of the NAT statement for the anyconnect traffic resolved the issue for me. Thanks for fix.

AnyConnect and Windows DHCP Server