Anyconnect VPN and DHCP

jakmor
Level 1

Hey Everyone!

I came across a problem with assigning addresses to VPN users via an external DHCP server (Windows Server 2016) instead of the local address pool.
I specified the DHCP server in the profile settings and the network range in the group policy.
I also created NAT rules:
nat (EXTERNAL,DHCP_NETWORK) source static vpn-clients vpn-clients destination static DHCP_NETWORK DHCP_NETWORK route-lookup
nat (DHCP_NETWORK,EXTERNAL) source static DHCP_NETWORK DHCP_NETWORK destination static vpn-clients vpn-clients route-lookup

DHCP enabled in assigned policy.

ASA VERSION: 9.8(4).40

Do you have any idea where could be the problem?
If you need more info please let me know.

30 Replies

jakmor
Level 1

It's already set and it doesn't work.
group-policy TEST-POLICY attributes
  wins-server none
  dns-server value 1.1.1.1 2.2.2.2
  dhcp-network-scope 192.168.0.0
  vpn-simultaneous-logins 2
  vpn-session-timeout 1200
  vpn-tunnel-protocol ikev2 ssl-client ssl-clientless
  ip-comp disable
  split-tunnel-policy tunnelspecified
  ipv6-split-tunnel-policy tunnelall
  split-tunnel-network-list value VPN-Filter-Split-Tunneling
  default-domain none
  split-dns none
  split-tunnel-all-dns enable
  client-bypass-protocol enable
  address-pools none
  ipv6-address-pools none
  webvpn

jakmor
Level 1

And Tunnel config:
tunnel-group TEST-TUNNEL-GROUP type remote-access
tunnel-group TEST-TUNNEL-GROUP general-attributes
 authentication-server-group [Active Directory]
 default-group-policy TEST-POLICY
 dhcp-server X.X.X.X

dhcp-server subnet-selection (server ip)
dhcp-server link-selection (server ip)
under the general-attributes of the tunnel-group.

Please review the link I shared again.
Thanks,
MHM

jakmor
Level 1

I tested both options, but it still doesn't work.

jakmor
Level 1

I did all the configuration following this documentation and unfortunately it does not work.

Can I see the last config?

jakmor
Level 1

GP:
group-policy TEST-POLICY internal
group-policy TEST-POLICY attributes
wins-server none
dns-server value 1.1.1.1 2.2.2.2
dhcp-network-scope 192.168.0.0
vpn-simultaneous-logins 2
vpn-session-timeout 1200
vpn-tunnel-protocol ikev2 ssl-client ssl-clientless
ip-comp disable
split-tunnel-policy tunnelspecified
ipv6-split-tunnel-policy tunnelall
split-tunnel-network-list value VPN-Filter-Split-Tunneling
default-domain none
split-dns none
split-tunnel-all-dns enable
client-bypass-protocol enable
address-pools none
ipv6-address-pools none
webvpn
anyconnect ssl dtls enable
anyconnect mtu 1406
anyconnect keep-installer installed
anyconnect ssl keepalive 15
anyconnect ssl compression none
anyconnect dtls compression none
anyconnect modules none
anyconnect profiles value TEST-PROFILE type user
anyconnect ask none default anyconnect
anyconnect ssl df-bit-ignore disable
always-on-vpn profile-setting

TUNNEL:
tunnel-group TEST-TUNNEL type remote-access
tunnel-group TEST-TUNNEL general-attributes
authentication-server-group [Active Directory]
default-group-policy TEST-POLICY
dhcp-server subnet-selection x.x.x.x

jakmor
Level 1

The topic is similar to this below but unfortunately none of the given solutions solved my problem.
https://community.cisco.com/t5/vpn/anyconnect-with-asa-and-microsoft-windows-dhcp-server-for/m-p/4758618#M287197

Yes, we see a lot of the same issue.

Do a packet tracer in the ASA using a VPN pool IP (an unused one) and the outside interface as input, and the IP of the server as destination.
NOTE: use the keyword detail in packet tracer.

jakmor
Level 1

Packet tracer passes.
I don't want to give details publicly, but everything looks good.

Result:
input-interface: EXTERNAL
input-status: up
input-line-status: up
output-interface: DHCP_NETWORK
output-status: up
output-line-status: up
Action: allow

That's OK. Add:
vpn-addr-assign dhcp

Is the DHCP server directly connected to the DHCP_NETWORK interface, or is there an L3 device?
If there is an L3 device, you need an ip helper address.

One more point: can you capture the traffic passing out through DHCP_NETWORK?
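The three settings the thread walks through (vpn-addr-assign dhcp, a dhcp-server under the tunnel-group general-attributes, and a dhcp-network-scope in the group-policy) can be checked mechanically before reaching for packet tracer. The checker below is an added example, not code from the thread or from Cisco; it assumes input in the style of show running-config all (where defaults such as vpn-addr-assign are visible) and uses a constructed fragment modelled on the configs posted above, with x.x.x.x as a placeholder for the server address.

```python
import re

# Constructed 'show running-config all' style fragments modelled on the thread's config
# (defaults such as vpn-addr-assign are visible in that output); x.x.x.x is a placeholder.
BROKEN_CONFIG = """\
no vpn-addr-assign dhcp
vpn-addr-assign local reuse-delay 0
group-policy TEST-POLICY internal
group-policy TEST-POLICY attributes
 dhcp-network-scope 192.168.0.0
 address-pools none
tunnel-group TEST-TUNNEL type remote-access
tunnel-group TEST-TUNNEL general-attributes
 default-group-policy TEST-POLICY
 dhcp-server none
"""
FIXED_CONFIG = (BROKEN_CONFIG
                .replace("no vpn-addr-assign dhcp", "vpn-addr-assign dhcp")
                .replace("dhcp-server none", "dhcp-server x.x.x.x"))

def parse_sections(config):
    """Map each top-level line to the indented lines that follow it."""
    sections, current = {}, None
    for line in config.splitlines():
        if not line.strip():
            continue
        if not line.startswith(" "):
            current = line.strip()
            sections.setdefault(current, [])
        elif current is not None:
            sections[current].append(line.strip())
    return sections

def check_dhcp_assignment(config, tunnel):
    """Return the reasons DHCP address assignment cannot work for a tunnel-group."""
    s = parse_sections(config)
    findings = []
    # The global method must be on (it is on by default; 'no vpn-addr-assign dhcp' turns it off).
    if "vpn-addr-assign dhcp" not in s:
        findings.append("global 'vpn-addr-assign dhcp' is disabled")
    tg = s.get(f"tunnel-group {tunnel} general-attributes", [])
    if not any(ln.startswith("dhcp-server ") and ln != "dhcp-server none" for ln in tg):
        findings.append(f"tunnel-group {tunnel}: no dhcp-server configured")
    # The group-policy named by the tunnel-group must carry the scope hint for the server.
    policy = next((ln.split()[1] for ln in tg if ln.startswith("default-group-policy ")), None)
    gp = s.get(f"group-policy {policy} attributes", [])
    scope = next((ln.split()[1] for ln in gp if ln.startswith("dhcp-network-scope ")), None)
    if scope is None:
        findings.append(f"group-policy {policy}: dhcp-network-scope missing")
    elif not re.fullmatch(r"(\d{1,3}\.){3}\d{1,3}", scope):
        findings.append(f"group-policy {policy}: dhcp-network-scope '{scope}' is not IPv4")
    return findings

if __name__ == "__main__":
    for name, cfg in (("broken", BROKEN_CONFIG), ("fixed", FIXED_CONFIG)):
        print(name, check_dhcp_assignment(cfg, "TEST-TUNNEL") or ["ok"])
```

If the checker is clean and the DHCP_NETWORK capture is still empty, filter the capture for UDP port 67 sourced from the ASA's own interface address: with this design the ASA issues the DHCP request on behalf of the client, so client-to-server NAT rules are not what carries it.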

jakmor
Level 1

vpn-addr-assign dhcp is already added (enabled), but without any result.

The DHCP server is directly connected to the DHCP_NETWORK interface. There are only L2 switches between them.

The capture is empty; it looks like the VPN clients don't even send a DHCP request.

Check the access list again; sometimes packet tracer does not show the correct result.