05-18-2023 06:13 AM
Hey Everyone!
I came across a problem with assigning addresses to VPN users via an external DHCP Windows Server 2016 instead of the local address pool.
I specified the DHCP server in the profile settings and the network range in the group policy.
I also created NAT rules:
nat (EXTERNAL,DHCP_NETWORK) source static vpn-clients vpn-clients destination static DHCP_NETWORK DHCP_NETWORK route-lookup
nat (DHCP_NETWORK,EXTERNAL) source static DHCP_NETWORK DHCP_NETWORK destination static vpn-clients vpn-clients route-lookup
DHCP enabled in assigned policy.
ASA VERSION: 9.8(4).40
Do you have any idea where the problem could be?
If you need more info please let me know.
05-18-2023 06:49 AM
Anyconnect Client to ASA with Use of DHCP for Address Assignment (cisco.com)
You need dhcp-network-scope.
05-18-2023 06:59 AM
It's already set and it doesn't work.
group-policy TEST-POLICY attributes
wins-server none
dns-server value 1.1.1.1 2.2.2.2
dhcp-network-scope 192.168.0.0
vpn-simultaneous-logins 2
vpn-session-timeout 1200
vpn-tunnel-protocol ikev2 ssl-client ssl-clientless
ip-comp disable
split-tunnel-policy tunnelspecified
ipv6-split-tunnel-policy tunnelall
split-tunnel-network-list value VPN-Filter-Split-Tunneling
default-domain none
split-dns none
split-tunnel-all-dns enable
client-bypass-protocol enable
address-pools none
ipv6-address-pools none
webvpn
05-18-2023 07:03 AM
And Tunnel config:
tunnel-group TEST-TUNNEL-GROUP type remote-access
tunnel-group TEST-TUNNEL-GROUP general-attributes
authentication-server-group [Active Directory]
default-group-policy TEST-POLICY
dhcp-server X.X.X.X
05-18-2023 07:06 AM
dhcp-server subnet-selection (server ip)
dhcp-server link-selection (server ip)
under the general-attributes of the tunnel-group.
Please review the link I shared again.
Thanks
MHM
05-18-2023 07:15 AM
I tested both options, but it still doesn't work.
05-18-2023 07:17 AM
I did all the configuration following this documentation and unfortunately it does not work.
05-18-2023 07:17 AM
Can I see the last config?
05-18-2023 07:23 AM
GP:
group-policy TEST-POLICY internal
group-policy TEST-POLICY attributes
wins-server none
dns-server value 1.1.1.1 2.2.2.2
dhcp-network-scope 192.168.0.0
vpn-simultaneous-logins 2
vpn-session-timeout 1200
vpn-tunnel-protocol ikev2 ssl-client ssl-clientless
ip-comp disable
split-tunnel-policy tunnelspecified
ipv6-split-tunnel-policy tunnelall
split-tunnel-network-list value VPN-Filter-Split-Tunneling
default-domain none
split-dns none
split-tunnel-all-dns enable
client-bypass-protocol enable
address-pools none
ipv6-address-pools none
webvpn
anyconnect ssl dtls enable
anyconnect mtu 1406
anyconnect keep-installer installed
anyconnect ssl keepalive 15
anyconnect ssl compression none
anyconnect dtls compression none
anyconnect modules none
anyconnect profiles value TEST-PROFILE type user
anyconnect ask none default anyconnect
anyconnect ssl df-bit-ignore disable
always-on-vpn profile-setting
TUNNEL:
tunnel-group TEST-TUNNEL type remote-access
tunnel-group TEST-TUNNEL general-attributes
authentication-server-group [Active Directory]
default-group-policy TEST-POLICY
dhcp-server subnet-selection x.x.x.x
05-18-2023 07:28 AM
The topic is similar to this below but unfortunately none of the given solutions solved my problem.
https://community.cisco.com/t5/vpn/anyconnect-with-asa-and-microsoft-windows-dhcp-server-for/m-p/4758618#M287197
05-18-2023 07:45 AM
Yes, we see a lot of the same issue.
Do packet-tracer in the ASA using a VPN pool IP (an unused one) and the OUTSIDE interface as input, and the IP of the server.
NOTE: use the keyword detail in packet-tracer.
05-18-2023 08:00 AM - edited 05-18-2023 08:01 AM
Packet-tracer passes.
I don't want to give details publicly, but everything looks good.
Result:
input-interface: EXTERNAL
input-status: up
input-line-status: up
output-interface: DHCP_NETWORK
output-status: up
output-line-status: up
Action: allow
05-18-2023 12:34 PM - edited 05-18-2023 01:29 PM
That's OK.
Add
vpn-addr-assign dhcp
Is the DHCP server directly connected to the DHCP_NETWORK interface, or is there an L3 device?
If there is an L3 device you need an ip helper-address.
One more point: can you capture the traffic passing out through DHCP_NETWORK?
05-19-2023 02:21 AM
vpn-addr-assign dhcp is already added (enabled), but without any result.
The DHCP server is directly connected to the DHCP_NETWORK interface. There are only L2 switches between them.
The capture is empty; it looks like the VPN clients don't even send a DHCP request.
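If the capture on DHCP_NETWORK ever does show traffic, these are the fields to check in the relayed DISCOVER. This is an added example, not code from the thread or from Cisco: it builds a constructed DISCOVER and decodes giaddr plus the subnet-selection and link-selection values; the mapping of the ASA keywords to DHCP option 118 (RFC 3011) and option 82 suboption 5 (RFC 3527), and the 10.1.1.1 relay address, are assumptions.

```python
import struct
from ipaddress import IPv4Address

MAGIC_COOKIE = b"\x63\x82\x53\x63"   # marks the start of the DHCP option area

def build_discover(giaddr, subnet_selection=None, link_selection=None, xid=0x1234):
    """Constructed sample DHCPDISCOVER (not a real capture), shaped like a relayed one.
    Assumed mapping: subnet-selection -> option 118 (RFC 3011),
    link-selection -> option 82 suboption 5 (RFC 3527)."""
    options = b"\x35\x01\x01"                                   # 53: DHCPDISCOVER
    if subnet_selection:
        options += b"\x76\x04" + IPv4Address(subnet_selection).packed
    if link_selection:
        sub = b"\x05\x04" + IPv4Address(link_selection).packed  # suboption 5, 4 bytes
        options += b"\x52" + bytes([len(sub)]) + sub
    options += b"\xff"                                          # 255: end of options
    header = struct.pack("!BBBBIHH4s4s4s4s16s64s128s",
                         1, 1, 6, 1, xid, 0, 0x8000,            # BOOTREQUEST, Ethernet, hops=1
                         bytes(4), bytes(4), bytes(4), IPv4Address(giaddr).packed,
                         bytes(16), bytes(64), bytes(128))
    return header + MAGIC_COOKIE + options

def parse_tlv(raw, nested=False):
    """Walk code/length/value triples; only the top level has pad (0) and end (255)."""
    result, i = {}, 0
    while i < len(raw):
        code = raw[i]
        if not nested and code == 0:
            i += 1
            continue
        if not nested and code == 255:
            break
        length = raw[i + 1]
        value = raw[i + 2:i + 2 + length]
        result[code] = parse_tlv(value, nested=True) if code == 82 else value
        i += 2 + length
    return result

def inspect_discover(packet):
    """Return the relay fields worth checking in a DISCOVER seen on the DHCP_NETWORK capture."""
    if packet[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP message")
    options = parse_tlv(packet[240:])
    info = {"giaddr": str(IPv4Address(packet[24:28])),
            "msg_type": options.get(53, b"\x00")[0]}
    if 118 in options:
        info["subnet_selection"] = str(IPv4Address(options[118]))
    if 82 in options and 5 in options[82]:
        info["link_selection"] = str(IPv4Address(options[82][5]))
    return info
```

A DISCOVER that carries neither option 118 nor suboption 5 means the server will pick a scope from giaddr alone, which is the first thing to compare against the configured dhcp-network-scope.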
05-19-2023 02:25 AM
Check the access list again; sometimes packet-tracer does not show the correct result.