Anyconnect IP address assignment and DNS

Ricky Sandhu
Level 3

Hello all, all our ASAs are configured to assign IP addresses to AnyConnect clients from a local pool. After a client disconnects, their IP address is released after 15 minutes and put back into the pool. However, we find our DNS gets messed up, where the DNS resolves to an incorrect IP address for a client who may have now moved to a different IP address. Is there anything from an ASA perspective to do cleanup of records in DNS (forward/reverse zones) when the IP address is placed back into the pool?

 

Thank you

Accepted Solution

balaji.bandi
Hall of Fame

Who is handling the DHCP service? Do you have a dedicated DHCP server, which should be able to interact with the DNS server for the DNS records?

We are not sure how this was configured here. Cisco AnyConnect uses a DHCP server; once it disconnects, it sends a notification to DHCP for disconnection.

To understand better, what is the ASA model, the version of code, and the Cisco AnyConnect version?

 

BB

***** Rate All Helpful Responses *****
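The "dedicated DHCP server that interacts with DNS" in the accepted answer is, on Windows, the DHCP server's per-scope DNS update policy: the ASA hands the address request to the DHCP server (the dhcp-server setting under the tunnel-group's general-attributes), and the DHCP server registers the A and PTR records and deletes them again when the lease ends. The script below is an added example, not something posted in the thread; it audits every scope on a DHCP server for the settings that leave stale records behind and then corrects the VPN scope. The server name DHCP01 and the scope 10.99.0.0 are hypothetical, and it assumes the DhcpServer RSAT module.

```powershell
# Added example (not from the thread): audit and correct the DNS update
# settings of the Windows DHCP scope that serves AnyConnect clients, so the
# DHCP server owns the A/PTR records and deletes them itself when the lease
# expires. Assumes the DhcpServer RSAT module; DHCP01 and 10.99.0.0 are
# hypothetical names chosen for the example.
Import-Module DhcpServer

$DhcpServer = 'DHCP01'      # assumption: DHCP server hosting the VPN scope
$VpnScope   = '10.99.0.0'   # assumption: scope the ASA's dhcp-server setting points at

# Lists every scope and flags the ones whose records would outlive the lease.
function Get-ScopeDnsCleanupStatus {
    param([string]$ComputerName)
    foreach ($scope in Get-DhcpServerv4Scope -ComputerName $ComputerName) {
        $dns = Get-DhcpServerv4DnsSetting -ComputerName $ComputerName -ScopeId $scope.ScopeId
        [pscustomobject]@{
            ScopeId             = $scope.ScopeId
            Name                = $scope.Name
            DynamicUpdates      = $dns.DynamicUpdates
            DeleteOnLeaseExpiry = $dns.DeleteDnsRROnLeaseExpiry
            UpdateOlderClients  = $dns.UpdateDnsRRForOlderClients
            # A scope is only safe when the server registers unconditionally
            # and removes the records again when the lease ends.
            NeedsFix            = ($dns.DynamicUpdates -ne 'Always') -or (-not $dns.DeleteDnsRROnLeaseExpiry)
        }
    }
}

Get-ScopeDnsCleanupStatus -ComputerName $DhcpServer | Format-Table -AutoSize

# Fix the VPN scope. 'Always' registers A and PTR regardless of what the lease
# request asks for (the ASA, not the AnyConnect client, is the DHCP requester),
# and DeleteDnsRROnLeaseExpiry is what actually clears the stale entries.
Set-DhcpServerv4DnsSetting -ComputerName $DhcpServer -ScopeId $VpnScope `
    -DynamicUpdates Always `
    -DeleteDnsRROnLeaseExpiry $true `
    -UpdateDnsRRForOlderClients $true

# Confirm the change took effect.
Get-DhcpServerv4DnsSetting -ComputerName $DhcpServer -ScopeId $VpnScope
```

The lease length on that scope is what bounds how long a stale record can survive, so it should be set to roughly the ASA's address hold time rather than the default eight days; otherwise the DHCP server will not reclaim the record any faster than the original pool did.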


7 Replies


Hi BB, thanks for your reply. Actually, IP addresses are assigned directly from the internal address pool on the ASA:

Configuration > Remote Access VPN > Network (Client) Access > Address Assignment >

The ASA model is 5525-X, version 9.10(1)40, AnyConnect version 4.8.

Do you recommend we use an external DHCP server?

I don't believe you can work around this, since the ASA is unaware of, and can't apply any policies to, the DNS records created on the DNS server. It would be good practice to move the DHCP services from the firewall to your domain controller.

vsurresh
Level 1

I'm not sure if this is useful, but if you are authenticating the users against AD using LDAP or RADIUS, you can use the FramedIPAddress (I can't remember the exact name) attribute in AD. This way the ASA always hands out the same IP address to the users.

Good shout. However, if no external authentication is used, I think there would be an option to overcome this issue by using the vpn-framed-ip-address attribute under the user's attributes to hardcode the IP address for each user:

username aref attributes

 vpn-framed-ip-address 192.168.0.5 255.255.255.0

Ricky Sandhu
Level 3

Thank you everyone. We are geographically spread throughout North America and have several locations for employees to choose from when it comes to connecting to AnyConnect. Locking users down to an IP address each time they connect would become a routing nightmare. I did have a discussion with some of the senior server staff, and they came up with a solution to fix the stale DNS entries by running hourly PowerShell scripts that check for discrepancies in name-to-IP mappings for both forward and reverse lookup zones. The script clears all older entries and keeps the most recent one. They decided it's better for them to do it that way rather than introducing more complexity at each location where we have an AnyConnect concentrator.
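The script Ricky's server team wrote is not in the thread. The block below is an added example of the same approach, written for this page rather than taken from the original post: it walks the forward zone, keeps only the newest A record for any host that has several addresses inside the VPN pool, then walks the reverse zone and drops any PTR whose name no longer resolves to that address. It only touches dynamic records inside the pool, so static server entries elsewhere in the zone are never deleted. The server name DNS01, zone corp.example, pool 10.99.0.0/16 and reverse zone 99.10.in-addr.arpa are hypothetical; it assumes the DnsServer RSAT module and should be saved as a .ps1 and run with -WhatIf before it is scheduled.

```powershell
# Added example, not the script the thread mentions. Reconciles the forward and
# reverse zones for an AnyConnect address pool on a Windows DNS server:
#  * a host with several A records inside the pool keeps only its newest one;
#  * a PTR inside the pool whose name no longer resolves to that address is removed.
# Records outside the pool and static (no Timestamp) records are never deleted.
# Hypothetical values: server DNS01, zone corp.example, pool 10.99.0.0/16 in
# reverse zone 99.10.in-addr.arpa. Save as a .ps1 and run with -WhatIf first.
[CmdletBinding(SupportsShouldProcess)]
param(
    [string]$DnsServer   = 'DNS01',
    [string]$ForwardZone = 'corp.example',
    [string]$ReverseZone = '99.10.in-addr.arpa',
    [string]$PoolCidr    = '10.99.0.0/16'
)
Import-Module DnsServer

function ConvertTo-IpInt([string]$Ip) {
    # Dotted quad to an integer so subnet membership is a mask comparison.
    $b = ([ipaddress]$Ip).GetAddressBytes()
    [int64]$b[0] * 16777216 + [int64]$b[1] * 65536 + [int64]$b[2] * 256 + [int64]$b[3]
}

function Test-InPool([string]$Ip, [string]$Cidr) {
    $net, $bits = $Cidr.Split('/')
    $mask = (0xFFFFFFFF -shl (32 - [int]$bits)) -band 0xFFFFFFFF
    ((ConvertTo-IpInt $Ip) -band $mask) -eq ((ConvertTo-IpInt $net) -band $mask)
}

function ConvertFrom-PtrName([string]$HostName, [string]$Zone) {
    # '5.0' in zone '99.10.in-addr.arpa' -> '10.99.0.5'
    $zoneOctets = ($Zone -replace '\.in-addr\.arpa$', '').Split('.')
    [array]::Reverse($zoneOctets)
    $hostOctets = $HostName.Split('.')
    [array]::Reverse($hostOctets)
    ($zoneOctets + $hostOctets) -join '.'
}

# --- Forward zone: one A record per VPN host, newest timestamp wins ---
$aRecords = Get-DnsServerResourceRecord -ComputerName $DnsServer -ZoneName $ForwardZone -RRType A |
    Where-Object { Test-InPool $_.RecordData.IPv4Address.IPAddressToString $PoolCidr }

$current = @{}   # hostname -> the A record that stays
foreach ($group in ($aRecords | Group-Object HostName)) {
    # Static records have no Timestamp; rank them newest so they are never removed.
    $sorted = $group.Group |
        Sort-Object { if ($_.Timestamp) { $_.Timestamp } else { [datetime]::MaxValue } } -Descending
    $current[$group.Name] = $sorted[0]
    foreach ($stale in ($sorted | Select-Object -Skip 1 | Where-Object { $_.Timestamp })) {
        $ip = $stale.RecordData.IPv4Address.IPAddressToString
        if ($PSCmdlet.ShouldProcess("$($group.Name) A $ip", 'Remove stale A record')) {
            Remove-DnsServerResourceRecord -ComputerName $DnsServer -ZoneName $ForwardZone -InputObject $stale -Force
        }
    }
}

# --- Reverse zone: keep a PTR only if its name still owns that address ---
$ptrRecords = Get-DnsServerResourceRecord -ComputerName $DnsServer -ZoneName $ReverseZone -RRType Ptr
foreach ($ptr in $ptrRecords) {
    $ip = ConvertFrom-PtrName $ptr.HostName $ReverseZone
    if (-not $ptr.Timestamp -or -not (Test-InPool $ip $PoolCidr)) { continue }
    $fqdn  = $ptr.RecordData.PtrDomainName.TrimEnd('.')
    $name  = $fqdn -replace ('\.' + [regex]::Escape($ForwardZone) + '$'), ''
    $keep  = $current[$name]
    $valid = $keep -and ($keep.RecordData.IPv4Address.IPAddressToString -eq $ip)
    if (-not $valid -and $PSCmdlet.ShouldProcess("$ip PTR $fqdn", 'Remove stale PTR record')) {
        Remove-DnsServerResourceRecord -ComputerName $DnsServer -ZoneName $ReverseZone -InputObject $ptr -Force
    }
}
```

"Newest wins" assumes the client re-registers its name on every connection, which is what the thread's symptom implies; a record with a newer timestamp is the one the user is actually behind. Windows DNS aging and scavenging would eventually clean the same records, but its default no-refresh and refresh intervals are measured in days, far longer than the 15-minute pool hold time in the question, which is why an hourly reconciliation like this one is the faster fix when the ASA keeps the pool.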


Hi Ricky, can you guys share the script? I have similar issues. If not, I understand, no problem.