
Anyconnect VPN and DHCP

jakmor
Level 1

Hey Everyone!

I came across a problem with assigning addresses to VPN users via an external DHCP Windows Server 2016 instead of the local address pool.
I specified the DHCP server in the profile settings and the network range in the group policy.
I also created NAT rules:
nat (EXTERNAL,DHCP_NETWORK) source static vpn-clients vpn-clients destination static DHCP_NETWORK DHCP_NETWORK route-lookup
nat (DHCP_NETWORK,EXTERNAL) source static DHCP_NETWORK DHCP_NETWORK destination static vpn-clients vpn-clients route-lookup

DHCP enabled in assigned policy.

ASA VERSION: 9.8(4).40


Do you have any idea where the problem could be?
If you need more info please let me know.

31 Replies

vpn-simultaneous-logins 2 <<- only two VPN?? Is this correct?

Yes, with a local address pool, everything works properly.
If that setting was causing the problem then I wouldn't be able to log in with the local pool either.

jakmor
Level 1

Traffic from DHCP POOL on External interface to DHCP Server is allowed.

Traffic from DHCP Server on DHCP_NETWORK interface to DHCP POOL is allowed.

Everything looks correct.

It looks as if the ASA didn't even try to send a DHCP request, but instead immediately rejected the connection with the result "No address assigned."

group-policy TEST-POLICY internal
group-policy TEST-POLICY attributes
wins-server none
dns-server value 1.1.1.1 2.2.2.2
dhcp-network-scope 192.168.0.0
vpn-simultaneous-logins 2
vpn-session-timeout 1200
vpn-tunnel-protocol ikev2 ssl-client ssl-clientless
ip-comp disable
split-tunnel-policy tunnelspecified
ipv6-split-tunnel-policy tunnelall
split-tunnel-network-list value VPN-Filter-Split-Tunneling
default-domain none
split-dns none
split-tunnel-all-dns enable
client-bypass-protocol enable
address-pools none
ipv6-address-pools none
webvpn
anyconnect ssl dtls enable
anyconnect mtu 1406
anyconnect keep-installer installed
anyconnect ssl keepalive 15
anyconnect ssl compression none
anyconnect dtls compression none
anyconnect modules none
anyconnect profiles value TEST-PROFILE type user
anyconnect ask none default anyconnect
anyconnect ssl df-bit-ignore disable
always-on-vpn profile-setting

TUNNEL:
tunnel-group TEST-TUNNEL type remote-access
tunnel-group TEST-TUNNEL general-attributes
authentication-server-group [Active Directory]
default-group-policy TEST-POLICY
dhcp-server subnet-selection 192.168.0.0
dhcp-server  x.x.x.x

I set it, but same result.
TUNNEL:
tunnel-group TEST-TUNNEL type remote-access
tunnel-group TEST-TUNNEL general-attributes
authentication-server-group [Active Directory]
default-group-policy TEST-POLICY
dhcp-server subnet-selection 192.168.0.0
dhcp-server  x.x.x.x

Now check the capture; you must see the traffic from the ASA to the DHCP server.
Confirm that.

Still none.
Could it matter that the network 192.168.0.0 is used as a local pool for another active tunnel profile?

Sure, it will affect it if another user uses the same subnet.

jakmor
Level 1

I just don't want to delete the local pool until I make a new profile configured for DHCP.

jakmor
Level 1

So I have to create a new test subnet, with new NAT and ACL.
I'll let you know.

jakmor
Level 1

I will wait until tomorrow, until everyone disconnects from the local pool; then I will delete it and test with DHCP.
I'll let you know on Monday whether it helped.

Take your time.
Now you have the full view of the DHCP config.
Do the steps and check the capture.
Thanks,
MHM

jakmor
Level 1

Hello,

I tested it when subnet 192.168.0.0 was empty. Unfortunately, the same problem ;/
But this time, when I tried to connect using AnyConnect, the connection stopped at "Establish VPN session..." and after a while the same error as before was displayed.

Still no captured packets on the DHCP_NETWORK interface.

Sorry for the late reply. Can you share the last config you tested?
Thanks,
MHM

Let's start. I was far from my laptop; now I am home.
Whether the DHCP server is directly connected or there is an L3 device between the ASA and the server makes a big difference, so double-check this point.
Using subnet-selection or link-selection with the DHCP server IP also makes a change.
The ASA first sends the DHCP packet using the interface connected to the DHCP server as the source.
The DHCP server replies with the DHCP scope <<- here the DHCP server must have a route to the AnyConnect VPN pool pointing to the ASA interface connected to the DHCP server.
If we use subnet/link selection, then the DHCP server does not need that route, BUT the DHCP server must enable these two options.
The capture must be done on the interface connected to the DHCP server.
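An added example (my own code, not from this thread and not Cisco's or Microsoft's) that models in Python the two cases MHM describes above: it builds a DHCPDISCOVER the way a relay/proxy would, with either the scope network carried in giaddr or the ASA interface address in giaddr plus the RFC 3011 subnet-selection option (118), and shows why the first case needs a route on the server back toward the VPN pool while the second does not. The addresses, scope and routing table are constructed sample values, and the server logic is a simplified model, not Windows Server's real implementation.

```python
import ipaddress
import struct

OPT_DHCP_MSG, OPT_SUBNET_SELECTION, OPT_END = 53, 118, 255   # 118 = RFC 3011 subnet selection
MAGIC = b"\x63\x82\x53\x63"                                   # DHCP magic cookie

def build_discover(giaddr, subnet_selection=None, xid=0x3903F326):
    """Minimal DHCPDISCOVER as a relay/proxy sends it: giaddr set, hops=1."""
    hdr = struct.pack("!BBBBIHH4s4s4s4s", 1, 1, 6, 1, xid, 0, 0x8000,
                      b"\0" * 4, b"\0" * 4, b"\0" * 4, ipaddress.ip_address(giaddr).packed)
    hdr += b"\0" * (16 + 64 + 128)                            # chaddr, sname, file (zeroed)
    opts = MAGIC + bytes([OPT_DHCP_MSG, 1, 1])                 # message type 1 = DISCOVER
    if subnet_selection:
        opts += bytes([OPT_SUBNET_SELECTION, 4]) + ipaddress.ip_address(subnet_selection).packed
    return hdr + opts + bytes([OPT_END])

def parse_discover(pkt):
    """Return (giaddr, {option_code: raw_value}) from a BOOTP/DHCP frame."""
    assert pkt[236:240] == MAGIC, "not a DHCP packet"
    giaddr = ipaddress.ip_address(pkt[24:28])
    opts, i = {}, 240
    while i < len(pkt) and pkt[i] != OPT_END:
        code, ln = pkt[i], pkt[i + 1]
        opts[code] = pkt[i + 2:i + 2 + ln]
        i += 2 + ln
    return giaddr, opts

def server_decision(pkt, scopes, routes):
    """Simplified server model: pick a scope, then check the OFFER can reach giaddr.
    scopes: networks the server serves; routes: networks it can reach (connected or static).
    Returns (scope or None, reply_reachable)."""
    giaddr, opts = parse_discover(pkt)
    hint = ipaddress.ip_address(opts[OPT_SUBNET_SELECTION]) if OPT_SUBNET_SELECTION in opts else giaddr
    scope = next((n for n in scopes if hint in n), None)
    reachable = any(giaddr in n for n in routes)             # OFFER/ACK is unicast back to giaddr
    return scope, reachable

# Constructed sample topology (assumption): ASA interface 10.10.10.1 sits on the DHCP server's
# LAN, the server has a 192.168.0.0/24 VPN scope but no static route for it toward the ASA.
SCOPES = [ipaddress.ip_network("192.168.0.0/24")]
ROUTES = [ipaddress.ip_network("10.10.10.0/24")]

def case_without_subnet_selection():
    # the dhcp-network-scope value travels in giaddr: scope matches, but the reply needs a route
    return server_decision(build_discover("192.168.0.0"), SCOPES, ROUTES)

def case_with_subnet_selection():
    # giaddr is the ASA's own (directly connected) interface; option 118 carries the scope hint
    return server_decision(build_discover("10.10.10.1", "192.168.0.0"), SCOPES, ROUTES)
```

In the first case the server finds the scope but cannot route the OFFER back, which matches the "no packets seen" symptom; in the second the reply goes to a connected address and no extra route is required.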