AnyConnect took a long time to get an IP address from VPN Pool using DHCP server

doukkalli
Level 1

Hi,

I am using a Cisco Firepower 2130 with FTD code version 6.5.0 for RA VPN using AnyConnect Client 4.x.

I configured my VPN to use a DHCP Server a.b.c.d and DHCP Scope 10.44.96.20-10.44.111.254.

When I use only the VPN Pool (like a DHCP scope), the AnyConnect client connects immediately and I can connect to our internal LAN.

When I use the DHCP server in the connection profile and remove the VPN Pool from Address Pools, I get the following events via FMC:

Group <DfltGrpPolicy> User <AREI> IP <86.252.225.255> First UDP SVC connection established for SVC session.

Group <DfltGrpPolicy> User <AREI> IP <86.252.225.255> IPv4 Address <10.44.96.23> IPv6 address <::> assigned to session

Group <DfltGrpPolicy> User <AREI> IP <86.252.225.255> First TCP SVC connection established for SVC session.

TunnelGroup <VPN> GroupPolicy <DfltGrpPolicy> User <AREI> IP <86.252.225.255> No IPv6 address available for SVC connection

IPAA: Session=0x00337000, IPv4 address: UTL_ProcIpAddrQEvent DHCP Failed - trying local pool

AnyConnect client took a long, long time to get the IP address and connect.

What is the best practice for using a DHCP server for RA VPN?

What's wrong in my setup?

Thanks for your help.
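For anyone triaging the same symptom from FMC or syslog exports, here is a small added parser (not part of this thread or of Cisco's tooling) that reads the event lines quoted above, pulls out the address assigned per user, and flags the "DHCP Failed - trying local pool" event as the definitive sign that the address came from the local pool. The regexes are assumptions based on the exact message formats shown in the post; note that scope membership alone cannot tell the two sources apart when the local pool and the DHCP scope overlap, as they do here.

```python
import re
from ipaddress import ip_address

# Constructed sample input: the events quoted in the original post, one per line.
SAMPLE_EVENTS = """\
Group <DfltGrpPolicy> User <AREI> IP <86.252.225.255> First UDP SVC connection established for SVC session.
Group <DfltGrpPolicy> User <AREI> IP <86.252.225.255> IPv4 Address <10.44.96.23> IPv6 address <::> assigned to session
Group <DfltGrpPolicy> User <AREI> IP <86.252.225.255> First TCP SVC connection established for SVC session.
TunnelGroup <VPN> GroupPolicy <DfltGrpPolicy> User <AREI> IP <86.252.225.255> No IPv6 address available for SVC connection
IPAA: Session=0x00337000, IPv4 address: UTL_ProcIpAddrQEvent DHCP Failed - trying local pool
"""

# Patterns assumed from the message formats shown in the post (not an official schema).
ASSIGNED_RE = re.compile(
    r"User <(?P<user>[^>]+)> IP <(?P<peer>[^>]+)> IPv4 Address <(?P<addr>[^>]+)>"
)
FALLBACK_RE = re.compile(
    r"IPAA: Session=(?P<session>0x[0-9A-Fa-f]+).*DHCP Failed - trying local pool"
)


def analyze(events, dhcp_scope):
    """Summarise address assignment events.

    dhcp_scope is a (first, last) pair of addresses configured on the DHCP server.
    Returns per-user assignments plus the sessions that logged a DHCP fallback.
    """
    lo, hi = (ip_address(x) for x in dhcp_scope)
    result = {"assignments": {}, "dhcp_fallback_sessions": []}
    for line in events.splitlines():
        m = ASSIGNED_RE.search(line)
        if m:
            addr = ip_address(m["addr"])
            result["assignments"][m["user"]] = {
                "addr": str(addr),
                "peer": m["peer"],
                # True only means the address lies in the scope range; it does not
                # prove the DHCP server handed it out if the local pool overlaps.
                "in_dhcp_scope": lo <= addr <= hi,
            }
            continue
        m = FALLBACK_RE.search(line)
        if m:
            result["dhcp_fallback_sessions"].append(m["session"])
    return result


def address_source(result):
    """'local_pool' when the fallback event was logged, otherwise 'dhcp_or_unknown'."""
    return "local_pool" if result["dhcp_fallback_sessions"] else "dhcp_or_unknown"
```

Run it against a full day of VPN syslog and the `dhcp_fallback_sessions` list tells you how often the DHCP relay path is failing, which is the number to watch while the configuration is fixed.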

8 Replies

Francesco Molino
VIP Alumni
Hi

Are you sure it took an IP from your DHCP server or from the local pool? Can you check the DHCP lease on your server to validate?
Can you also share the config of your tunnel-group and group-policy please (using cli output)?

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

Thanks Francesco.

 

I have a DHCP and VPN Pool. The IP address assigned to AnyConnect is from the VPN Pool not from DHCP.

I configured, via FMC, the VPN like this:

- I removed the VPN Pool from Connection profile and I kept the DHCP server

- I removed the VPN Pool from Policy and added the DHCP scope using a network object with 10.44.96.0 (this scope exists in our DHCP Server)

- In Devices > VPN > Remote Access > RA_VPN >  Advanced > Address Assignment Policy > Use DHCP (I kept only this box checked) 

 

Firepower 2130 can ping DHCP server.

 

When I connect I can see in the VPN Troubleshooting no TCP SVC and I got a message in AnyConnect client indicating that there is No IP.


I will close this because I found this thread exposing my issue with DHCP:

 

https://community.cisco.com/t5/network-security/ftd-ra-vpn-dhcp-server-configuration-not-working/m-p/4075331#M1069555

 

You're still not able to get an ip from your dhcp? Can you share the config please of your vpn configuration, including your nat?
I got it working on 6.4, 6.5 and 6.6 without issues.

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

Is your DHCP server on the same subnet as your FTD inside interface?

I've found that it will not work when that is the case.

Is your DHCP server on the same subnet as your FTD inside interface?

 

DHCP is in another VLAN than Inside interface but there is no filtering.


Are you able to share your config?

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

Yes sure.

I will write a complete setup guide RA VPN with DHCP, Microsoft NPS for Radius and MFA.

I need to sanitize the document to remove all company private information to avoid any information gathering.

Will keep you updated.