10-06-2016 09:31 AM - edited 02-21-2020 09:00 PM
I have been banging my head on this problem for a couple of days now and coming up with nothing. I have followed a couple/few configuration examples (http://www.cisco.com/c/en/us/support/docs/security/anyconnect-secure-mobility-client/118084-configure-anyconnect-00.html) of how to get my AnyConnect VPN clients' IP addresses from a DHCP server not running on the ASA, and I am still not getting anywhere. Any help would be appreciated!
I'm going to try to upload an image, but the basic layout is: my clients will hit a public address on my ASA 5520 over the internet, and I want our Microsoft DHCP server to supply an IP address for the client VPN session. The DHCP server is not on the same subnet as the ASA.
Here are my tunnel-group and group-policy configs:
tunnel-group LimitedNetAdminAccess type remote-access
tunnel-group LimitedNetAdminAccess general-attributes
 authentication-server-group New-LDAP
 default-group-policy LimitedNetAdminAccess
 dhcp-server 10.1.100.6
 password-management password-expire-in-days 7

group-policy LimitedNetAdminAccess internal
group-policy LimitedNetAdminAccess attributes
 dns-server value 10.4.99.8 10.3.99.8
 dhcp-network-scope 10.1.64.0
 vpn-access-hours none
 vpn-simultaneous-logins 10
 vpn-idle-timeout 30
 vpn-session-timeout none
 vpn-filter value NetAdminLimited
 vpn-tunnel-protocol ssl-client ssl-clientless
 group-lock value LimitedNetAdminAccess
 split-tunnel-network-list value NetAdminMinimal
 default-domain value xxxx.com
 split-dns value xxxx.com xxxxxxxxxxx.com xxxxxxxxxxxxxxx.com
 nac-settings none
 address-pools none

vpn-addr-assign dhcp
10-06-2016 05:37 PM
Hi jrichterkessing,
The configuration on the ASA looks fine, do you see the DHCP Discover packets getting to the DHCP server?
If you are trying to troubleshoot this on the ASA, I would recommend taking captures on the inside interface of the ASA: from the ASA to the server, and also from the server to the DHCP scope configured on the ASA.
Example:
 capture test interface inside match ip host <ASAinsideip> host 10.1.100.6
 capture test1 interface inside match ip host 10.1.100.6 host 10.1.64.0
 sh cap test
 sh cap test1
You can also check the logs on the server.
Hope this info helps!!
Rate if it helps you!!
-JP-
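To show what those captures should contain, here is an added example (not from the thread or from Cisco) that decodes DHCP/BOOTP messages the way you would read them out of "show capture" or a pcap from the DHCP server, and pairs each DISCOVER with its OFFER by transaction ID. It assumes that the ASA relays the DISCOVER with the dhcp-network-scope address (10.1.64.0 above) in the giaddr field, which is what a Microsoft DHCP server uses to pick a scope; an empty giaddr or a scope the server does not have is the usual reason no OFFER ever comes back. The packets it checks are constructed inline for the example; replace them with raw UDP payloads from your own capture.

```python
"""Decode DHCP (BOOTP) messages and check that a relayed exchange completed.

Added example, not code from the thread: builds a DHCPDISCOVER as the ASA
relays it and a DHCPOFFER as the server should answer, then checks the pair
the same way you would inspect capture output on the ASA inside interface.
"""
import socket
import struct

MAGIC = b"\x63\x82\x53\x63"                 # DHCP magic cookie after the BOOTP header
HEADER = "!BBBBIHH4s4s4s4s16s64s128s"       # BOOTP fixed header, 236 bytes
MSG_TYPES = {1: "DISCOVER", 2: "OFFER", 3: "REQUEST", 5: "ACK", 6: "NAK"}


def build_dhcp(msg_type, xid, giaddr, yiaddr="0.0.0.0",
               chaddr=b"\x00\x11\x22\x33\x44\x55", extra_options=()):
    """Construct a DHCP message (sample data for the example, not a real capture)."""
    op = 1 if msg_type in (1, 3) else 2      # BOOTREQUEST for client side, BOOTREPLY for server
    head = struct.pack(HEADER, op, 1, 6, 0, xid, 0, 0,
                       socket.inet_aton("0.0.0.0"),   # ciaddr
                       socket.inet_aton(yiaddr),      # yiaddr: address the server offers
                       socket.inet_aton("0.0.0.0"),   # siaddr
                       socket.inet_aton(giaddr),      # giaddr: relay address the server keys scopes on
                       chaddr.ljust(16, b"\x00"), b"\x00" * 64, b"\x00" * 128)
    opts = bytes([53, 1, msg_type])           # option 53: DHCP message type
    for code, data in extra_options:
        opts += bytes([code, len(data)]) + data
    return head + MAGIC + opts + b"\xff"      # option 255 ends the option list


def parse_dhcp(data):
    """Return the fields that matter when debugging relay: op, xid, yiaddr, giaddr, type."""
    fields = struct.unpack(HEADER, data[:236])
    if data[236:240] != MAGIC:
        raise ValueError("not a DHCP message (missing magic cookie)")
    options = {}
    i = 240
    while i < len(data):
        code = data[i]
        if code == 0:                         # pad
            i += 1
            continue
        if code == 255:                       # end
            break
        length = data[i + 1]
        options[code] = data[i + 2:i + 2 + length]
        i += 2 + length
    return {
        "op": fields[0],
        "xid": fields[4],
        "yiaddr": socket.inet_ntoa(fields[8]),
        "giaddr": socket.inet_ntoa(fields[10]),
        "chaddr": fields[11][:fields[2]],
        "msg_type": MSG_TYPES.get(options.get(53, b"\x00")[0], "UNKNOWN"),
        "options": options,
    }


def check_relay(packets, expected_giaddr):
    """Pair DISCOVERs with OFFERs by xid and say, per transaction, what went wrong."""
    discovers, offers = {}, {}
    for raw in packets:
        p = parse_dhcp(raw)
        if p["msg_type"] == "DISCOVER":
            discovers[p["xid"]] = p
        elif p["msg_type"] == "OFFER":
            offers[p["xid"]] = p
    result = {}
    for xid, d in discovers.items():
        if d["giaddr"] != expected_giaddr:
            result[xid] = "bad giaddr %s (expected %s)" % (d["giaddr"], expected_giaddr)
        elif xid not in offers:
            result[xid] = "no OFFER: server silent (check scope for %s, server logs, ACLs)" % expected_giaddr
        else:
            result[xid] = "OK: offered %s" % offers[xid]["yiaddr"]
    return result


SCOPE = "10.1.64.0"   # dhcp-network-scope from the group policy in the thread
# Constructed sample traffic: one healthy exchange, one unanswered DISCOVER,
# and one DISCOVER relayed without a giaddr.
SAMPLE_PACKETS = [
    build_dhcp(1, 0x1001, SCOPE),
    build_dhcp(2, 0x1001, SCOPE, yiaddr="10.1.64.50",
               extra_options=((54, socket.inet_aton("10.1.100.6")),)),  # option 54: server id
    build_dhcp(1, 0x1002, SCOPE),
    build_dhcp(1, 0x1003, "0.0.0.0"),
]

if __name__ == "__main__":
    for xid, verdict in check_relay(SAMPLE_PACKETS, SCOPE).items():
        print("xid 0x%x: %s" % (xid, verdict))
```

Feed it the UDP payloads (port 67/68) from a capture taken on the inside interface: if every DISCOVER shows the scope address as giaddr but no OFFER returns, the problem is on the server side (no matching scope, or the server's reply not routed back to the ASA); if giaddr is empty, the ASA is not relaying with the scope you configured.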