AnyConnect Remote DHCP Issue

tim829
Level 1

We cannot get AnyConnect VPN clients to retrieve an IP address from our primary DHCP server. If we set up a local pool in the VPN profile, the client can connect and gets an IP address fine. I've looked at multiple articles addressing this issue, including documentation from Cisco on configuring the VPN to use a remote DHCP server, but nothing seems to work. I feel like it might have something to do with a NAT or an ACL blocking the response coming from the DHCP server. The ASA doesn't have an issue communicating with that server, though, because it's also using it for RADIUS authentication, which is working fine.

I ran a debug on the VPN connection and I see this in the output:

cstp_util_address_ipv6_accept: No IPv6 Address
cstp_util_address_ipv4_accept: no address?!?
No assigned address
Not calling vpn_remove_uauth: not IPv4!
webvpn_svc_np_tear_down: no IPv6 ACL

Here is the NAT we are using for the VPN clients:

nat (inside,outside) source static any any destination static NETWORK_OBJ_10.15.65.0_24 NETWORK_OBJ_10.15.65.0_24 no-proxy-arp route-lookup description *DO NOT DELETE* NAT for AnyConnect VPN

Here is the config from webvpn:

webvpn
enable outside
anyconnect image disk0:/anyconnect-macosx-i386-4.2.02075-k9.pkg 1
anyconnect image disk0:/anyconnect-win-4.2.02075-k9.pkg 2 regex "Windows NT"
anyconnect profiles VPN_client_profile disk0:/VPN_client_profile.xml
anyconnect enable
tunnel-group-list enable
cache
disable
error-recovery disable
group-policy DfltGrpPolicy attributes
vpn-tunnel-protocol l2tp-ipsec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value SPLIT_VPN_TUNNEL
group-policy GroupPolicy_VPN internal
group-policy GroupPolicy_VPN attributes
wins-server none
dns-server value 172.17.1.1 172.17.2.1
dhcp-network-scope 10.15.65.0
vpn-tunnel-protocol ikev2 ssl-client
split-tunnel-policy tunnelspecified
split-tunnel-network-list value SPLIT_VPN_TUNNEL
default-domain value **********
webvpn
anyconnect profiles value vpn.gwdcity.com_client_profile type user
dynamic-access-policy-record DfltAccessPolicy
username tim.stumbo password VlWsX6rJpka5QVbt encrypted
username tim.stumbo attributes
vpn-group-policy GroupPolicy_VPN
password-storage disable
tunnel-group VPN type remote-access
tunnel-group VPN general-attributes
authentication-server-group RADIUS
default-group-policy GroupPolicy_VPN
dhcp-server 172.17.1.1
tunnel-group VPN webvpn-attributes
group-alias *********** enable

Thanks for the help.
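The hand-off from DHCP to an AnyConnect client depends on three settings in the posted config agreeing with each other: the dhcp-server under the tunnel-group, the dhcp-network-scope under the group-policy that tunnel-group defaults to, and the identity NAT object that exempts the client network. The following checker is an added example, not code from the original post or from Cisco; it assumes the ASDM naming convention NETWORK_OBJ_<network>_<prefixlen> for the NAT object, and the sample config is a constructed excerpt of the one above.

```python
import ipaddress
import re

# Constructed sample: the address-assignment fragments of the configuration posted above.
ASA_CONFIG = """
nat (inside,outside) source static any any destination static NETWORK_OBJ_10.15.65.0_24 NETWORK_OBJ_10.15.65.0_24 no-proxy-arp route-lookup
group-policy GroupPolicy_VPN attributes
 dhcp-network-scope 10.15.65.0
tunnel-group VPN general-attributes
 default-group-policy GroupPolicy_VPN
 dhcp-server 172.17.1.1
"""

def parse_asa(config):
    """Collect per-policy dhcp-network-scope, tunnel-group general-attributes, and identity-NAT networks."""
    scopes, tunnel_groups, nat_exempt = {}, {}, []
    block = None  # ("gp", policy name) or ("tg", attribute dict) while inside a sub-mode
    for raw in config.splitlines():
        line = raw.strip()
        if not raw.startswith(" "):  # unindented line: a top-level command ends any block
            block = None
            if m := re.match(r"group-policy (\S+) attributes$", line):
                block = ("gp", m.group(1))
            elif m := re.match(r"tunnel-group (\S+) general-attributes$", line):
                block = ("tg", tunnel_groups.setdefault(m.group(1), {}))
            elif m := re.match(r"nat \(\S+\) source static any any destination static (\S+) \1(?:\s|$)", line):
                # Assumption: the object follows the ASDM naming convention NETWORK_OBJ_<network>_<prefixlen>
                if net := re.search(r"(\d+\.\d+\.\d+\.\d+)_(\d+)$", m.group(1)):
                    nat_exempt.append(ipaddress.ip_network(f"{net.group(1)}/{net.group(2)}"))
        elif block and block[0] == "gp" and line.startswith("dhcp-network-scope "):
            scopes[block[1]] = ipaddress.ip_address(line.split()[1])
        elif block and block[0] == "tg":
            key, _, value = line.partition(" ")
            block[1][key] = value
    return scopes, tunnel_groups, nat_exempt

def check_dhcp_assignment(config):
    """Return findings; an empty list means the three settings refer to one another consistently."""
    scopes, tunnel_groups, nat_exempt = parse_asa(config)
    findings = []
    for name, attrs in tunnel_groups.items():
        policy = attrs.get("default-group-policy")
        if "dhcp-server" not in attrs:
            findings.append(f"tunnel-group {name}: no dhcp-server configured")
        scope = scopes.get(policy)
        if scope is None:
            findings.append(f"tunnel-group {name}: group-policy {policy} has no dhcp-network-scope")
        elif not any(scope in net for net in nat_exempt):
            findings.append(f"tunnel-group {name}: scope {scope} lies outside every identity-NAT network")
    return findings
```

On the posted excerpt the check returns no findings, which supports the poster's reading that the three settings themselves are consistent and the problem lies elsewhere (the debug output shows the ASA never receives an address to hand to the client).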

15 Replies

vinayjaiswal
Level 3

I ran into the same issue.

DHCP offered the IP to the ASA, however the ASA did not forward it to the client.

The same worked well with a local pool.

I tried everything but without any success.

Thankfully, I saw the forum and reloaded the box.

Expectedly, everything is fine now.

I am on version 9.8(20).