
Anyconnect DHCP Lease is removed after Disconnect

Chellis Dodge
Level 1

Hello Everyone,

I have a strange issue happening with DHCP on two 5510 ASAs running 8.4. We have AnyConnect profiles set up to point DHCP to separate Windows Server 2008 R2 DHCP servers. The pools are set up with the standard 8-day lease. The behavior we've noticed is that when a client connects with AnyConnect it pulls the first available IP address. Upon disconnecting, the lease is immediately removed from the lease list. I set up a 5505 ASA as a test and I am using version 9.1 code. I am seeing the same situation. Upon disconnecting, the lease is released. I have scoured the internet trying to find a resolution to the problem and I have seen others post the same problem. The common denominator is they are using a Cisco ASA for SSL VPN. Does anyone have any ideas or suggestions on how to fix this?

On the 5505 ASA I am setting DHCP as follows using ASDM

Remote Access VPN > Network (Client) Access > AnyConnect Connection Profiles > Select my Profile > Edit > Under Client Address Assignment I'm putting in my DHCP server IP address and selecting the DHCP Link radio button.

 

Thanks in Advance

 

Chellis

11 Replies

Ryan Anderson
Level 1

Did you ever find a resolution to this?  Thanks for any info you can provide

The good news: I submitted a bug fix/request for this, and Cisco is aware of the issue. We have our Cisco account reps on our side and I'm signed up to receive updates on the progress of the issue/resolution.

The bad news:  Cisco was not able to give us an ETA for the bug fix.  

 

So like everyone else we are hanging in the dead cold water too...

Sorry guys, I never got a resolution for this; it wreaks havoc with DNS. We tuned our DNS server so we don't have so many duplicates, but we're still having caching issues with client hostnames matching up to the wrong machine. We had to move back to DHCP pools on the local ASAs; we've had so many problems.

very good news!!  Thanks Luke, for chasing it and posting the update!

Luke,

Has Cisco made any progress on your bug fix request? Can you provide the bug ID so that I can track it?

Thanks,

Jason

luke.woitalla
Level 1

We are having the exact same issue with our ASA for AnyConnect clients. This happens when the ASA is set up to hand out addresses directly from the ASA DHCP pool, or when configured as a DHCP relay with our InfoBlox DHCP server. It will grab an address from DHCP, and when disconnecting and reconnecting, it will grab a new DHCP address, and the process repeats with every disconnect and reconnect.

kidsdidthis
Level 1

Same problem here.  It messes up our load-balancing stickiness when a VPN connection is lost due to network/Internet and re-connected.  Our users with Citrix sessions are not re-established.

Really wish Cisco would ack these unanswered ??s
 

Did anyone find a solution for this?  I believe this exact thing is happening to us because DNS cache is holding onto machine names much longer than users are actually connected to VPN and so when another user connects and gets that IP, the machine name does not match the actual machine name.  We currently have the ASA 5545X (9.4(4)5).

 

"Server team is discovering that SCSM is having issues reaching people on AnyConnect.  They indicated it uses DNS names to reach them so this would make sense because we know that the DNS time is a lot longer than users connect to AnyConnect.  After a little reading, it looks like when a user connects to VPN they get an IP and as soon as they disconnect, the lease is removed and if they reconnect they get a new IP.  This causes problems because Microsoft caches DNS (maybe for 8 days?) and so when someone connects and gets an IP that someone else had when DNS was last flushed the DNS name won’t match the actual machine. "
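The symptom described in the two posts above (several hostnames resolving to one VPN-pool IP because old A records were never cleaned up) can be checked directly on the DNS server. The following is an added example, not code from the thread; the zone name, DNS server name and VPN pool prefix are assumptions and must be replaced with your own:

```powershell
# Added example: list AnyConnect-pool addresses that currently carry more than one
# A record in the internal zone, i.e. the stale dynamic registrations described above.
# Assumed placeholders: zone corp.example.com, DNS server dns01, pool prefix 10.250.
$ZoneName  = 'corp.example.com'   # assumed internal zone
$DnsServer = 'dns01'              # assumed DNS server
$VpnPrefix = '10.250.'            # assumed AnyConnect pool prefix (dotted-decimal string match)

Get-DnsServerResourceRecord -ComputerName $DnsServer -ZoneName $ZoneName -RRType A |
    # keep only records that point into the VPN pool
    Where-Object { $_.RecordData.IPv4Address.IPAddressToString -like "$VpnPrefix*" } |
    # group by the IP the record resolves to
    Group-Object { $_.RecordData.IPv4Address.IPAddressToString } |
    # more than one hostname for the same IP is the duplicate condition
    Where-Object { $_.Count -gt 1 } |
    ForEach-Object {
        [pscustomobject]@{
            IPAddress       = $_.Name
            Hostnames       = ($_.Group.HostName -join ', ')
            # Timestamp is populated for dynamic records; static records show no timestamp
            OldestTimestamp = ($_.Group.Timestamp | Sort-Object | Select-Object -First 1)
        }
    } |
    Sort-Object IPAddress |
    Format-Table -AutoSize
```

Run it from a host with the DnsServer RSAT module; an empty result means no VPN address currently has competing A records. The same grouping over `-RRType PTR` in the reverse zone shows whether PTR records are also out of sync.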

ankirana
Level 1

Hi Everyone,

 

We have filed the enhancement request, which will add the ability for the ASA to pass on all/full DHCP options. Below is the bug ID:

 

CSCsr53828

I'm guessing this still hasn't been fixed. It's now May 2020 and we're running 9.12(3)9 on our ASAs.  What a nightmare this has been.  I cannot believe a solution has yet to be created. Wow.

CMD0968
Level 1

The Bug ID mentioned doesn't necessarily pertain to the OP.  As the post with the Bug ID Link stated, it is for passing dhcp options, not about the disconnect/reconnect = new lease and DNS not updating issue.

 

We currently experience this issue with our setup due to the ASA's handling the DHCP pools.  By doing it this way, the clients themselves (windows at least) handle the DNS name registration, however they don't do any cleanup and rely on the DNS server to age/scavenge the records.  This is definitely not ideal.

 

An example situation of where this could be a problem - ClientA connects to anyconnect, pulls an IP from the ASA, registers itself in DNS, and then disconnects (for whatever reason).  Well, let's then say the ClientA has been disconnected long enough for that lease to now be available.  ClientB connects and pulls that same IP address ClientA had.  ClientB will register itself as having that IP address in DNS, but the other A record saying ClientA also has that IP address is still in DNS.  The PTR record situation would be similar, although when ClientA registers the PTR as the IP address, ClientA will own that record.  When ClientB tries to update the PTR record it will fail because ClientB does not own that record.

 

One way to "somewhat" get around the above examples would be to allow insecure dynamic DNS updates.  I do not recommend doing this because it would very likely cause chaos in your environment (anyone can update any dynamic record).

 

We are currently researching moving to using our internal Windows DHCP servers to handle the AnyConnect scopes (hence what led me to this post). I believe it is still possible to do this and that it would alleviate some of the problems I mentioned above, but may not fully remove them. The key is in having your DHCP server handle ALL DNS records for the clients requesting leases. This means A records and PTR records. That way, when a client connects, the DHCP server will own the record and should be able to update the A/PTR records. DNS aging/scavenging may still be something that needs to be tweaked, but that's a much different conversation.

 

I found this blog article that goes into quite a bit of detail about Windows DHCP integration with DNS and I found it very helpful - Dynamic DNS Updates with DHCP (Microsoft)

 

I will try to provide a status update once we have implemented this.
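The configuration the post above is working toward (Windows DHCP owning the A and PTR records for the AnyConnect scope, removing them when the lease goes away, and aging/scavenging enabled as a backstop) looks like the following. This is an added example, not the poster's configuration or anything from the thread; the server names, scope, zone names and service account are assumptions:

```powershell
# Added example: make the Windows DHCP server own dynamic DNS for the AnyConnect scope,
# delete the records when the lease is released or expires, and enable scavenging.
# Assumed placeholders: DHCP01, DNS01, scope 10.250.0.0, zones corp.example.com and
# 0.250.10.in-addr.arpa, update account svc-dhcp-dns.
$DhcpServer = 'DHCP01'
$DnsServer  = 'DNS01'
$ScopeId    = '10.250.0.0'
$FwdZone    = 'corp.example.com'
$RevZone    = '0.250.10.in-addr.arpa'

# 1. Dedicated low-privilege account that DHCP uses for dynamic updates, so records are
#    owned by that account rather than by each client (or the DHCP computer account).
$cred = Get-Credential -Message 'Account DHCP will use for DNS updates (assumed: svc-dhcp-dns)'
Set-DhcpServerDnsCredential -ComputerName $DhcpServer -Credential $cred

# 2. Scope-level DNS behaviour: always register both A and PTR on the client's behalf,
#    discard them when the lease is deleted (release or expiry), cover clients that do not
#    send option 81, and turn on name protection (DHCID) so one client cannot overwrite
#    a name that another client still holds.
Set-DhcpServerv4DnsSetting -ComputerName $DhcpServer -ScopeId $ScopeId `
    -DynamicUpdates Always `
    -DeleteDnsRRonLeaseExpiry $true `
    -UpdateDnsRRForOlderClients $true `
    -NameProtection $true

# 3. Aging and scavenging on both zones as a backstop for records DHCP did not create.
#    7 + 7 days is a starting point; align it with the lease length actually in use.
foreach ($zone in $FwdZone, $RevZone) {
    Set-DnsServerZoneAging -ComputerName $DnsServer -Name $zone -Aging $true `
        -NoRefreshInterval (New-TimeSpan -Days 7) `
        -RefreshInterval   (New-TimeSpan -Days 7)
}
Set-DnsServerScavenging -ComputerName $DnsServer -ScavengingState $true `
    -ScavengingInterval (New-TimeSpan -Days 7)

# 4. Verify what was applied.
Get-DhcpServerv4DnsSetting -ComputerName $DhcpServer -ScopeId $ScopeId
Get-DnsServerZoneAging -ComputerName $DnsServer -Name $FwdZone
Get-DnsServerZoneAging -ComputerName $DnsServer -Name $RevZone
```

With this in place the ASA behaviour complained about in the thread (the lease is released the moment the client disconnects) becomes the cleanup trigger: DHCP deletes the A and PTR records it registered when the lease is deleted, so the next client to receive that address does not collide with a stale name. Two caveats: name protection only prevents a client from taking over a hostname that is still registered to a different client, it does not resolve the IP-reuse problem on its own; and if the DHCP role runs on a domain controller, the DnsUpdateProxy group membership and record-ownership rules need separate attention before enabling this, or existing secure records can become writable by other members of that group.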
