01-20-2023 02:19 AM
Hello,
I need to use an external Windows DHCP server for address assignment for AnyConnect clients.
I found several guides on how to make the configuration. For instance:
https://www.petenetlive.com/KB/Article/0001050
https://integratingit.wordpress.com/2022/02/06/asa-anyconnect-vpn-dhcp-address-assignment/
It is a very simple configuration, but it does not work for me.
I sniffed the traffic at the DHCP server. I see only DHCP discover packets coming from the ASA, and the DHCP server does not send an answer to them.
I made a VLAN at the L3 switch with the same IP I am using for the VPN, created an IP helper for the same DHCP server, and I see the DHCP request. The DHCP server sends an answer with the proposed IP immediately.
Does anybody know what is wrong? I suppose the problem is at the DHCP server because there are no other options at the ASA. And I believe that it works for other people.
I tried several versions of ASA and DHCP server (2012, 2019) in different environments.
The config is the same as in the tutorials mentioned above.
Thanks in advance for your help,
Petr
01-24-2023 05:20 AM
Funny story.
Two problems on the journey to the solution:
First is the internal firewall between the RADIUS server and the ASA: it must allow traffic from the internal IP to RADIUS, and in the opposite direction it must allow traffic from the RADIUS server to the IP subnet of the VPN pools (because the reply is not going to the ASA's IP, but to the IP of the VPN pool).
Second is the NAT exemption for the VPN pool at the ASA; without this (if there is some NATting enabled), the IP address offer never reaches the AnyConnect client...
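The two fixes in the accepted answer, written out as an ASA configuration. This is an added example, not config posted in the thread or taken from the linked tutorials; the addresses, object names, group-policy and tunnel-group names are assumptions chosen for illustration (10.10.10.0/24 as the pool the external DHCP server hands out, 192.168.1.0/24 as the inside network, 192.168.1.10 as the Windows DHCP server). The first problem in the answer, the internal firewall, is not configured on the ASA at all: whatever sits between the DHCP server and the ASA must permit the server to send into the pool subnet, because the reply is addressed there rather than to the ASA's interface IP.

```cisco
! Added example (not from the original thread). Addresses and names are assumptions:
!   10.10.10.0/24   AnyConnect pool served by the external DHCP server
!   192.168.1.0/24  inside network where the DHCP server lives
!   192.168.1.10    Windows DHCP server
!
! 1. Let the ASA obtain client addresses from the external DHCP server
vpn-addr-assign dhcp
!
group-policy GP_ANYCONNECT internal
group-policy GP_ANYCONNECT attributes
 dhcp-network-scope 10.10.10.0
!
tunnel-group TG_ANYCONNECT type remote-access
tunnel-group TG_ANYCONNECT general-attributes
 dhcp-server 192.168.1.10
 default-group-policy GP_ANYCONNECT
!
! 2. NAT exemption (identity NAT) between the inside network and the VPN pool,
!    so the DHCP offer coming back from the server is not translated on its way
!    to the pool address (the second problem in the accepted answer)
object network INSIDE_NET
 subnet 192.168.1.0 255.255.255.0
object network VPN_POOL
 subnet 10.10.10.0 255.255.255.0
nat (inside,outside) source static INSIDE_NET INSIDE_NET destination static VPN_POOL VPN_POOL no-proxy-arp route-lookup
!
! 3. Verification: confirm the exemption is present and that a packet from the
!    DHCP server into the pool subnet hits the identity NAT rule, not a dynamic one
show running-config nat
packet-tracer input inside udp 192.168.1.10 67 10.10.10.1 67
```

If the packet-tracer output shows a dynamic PAT rule being applied to the reply instead of the static identity rule, the exemption is either missing or ordered after an earlier rule that matches first; `source static` rules added this way go into section 1 of the NAT table and are evaluated before the auto (object) NAT rules.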
01-20-2023 02:27 AM
@podvarka what version of ASA software are you running? I seem to recall an issue with DHCP relay using ASA 9.10 or 9.12.
01-20-2023 03:49 AM
Currently I have it configured on an ASA with 9.8(4)41 and on an FTD with 9.16(3)23.
Both behave the same: sending DHCP discover.
01-20-2023 02:41 AM
Have you configured a dhcp-scope in the ASA?
01-20-2023 03:45 AM
No; and it would not be needed if I understand the tutorial well, because the DHCP scope is configured on the external server.
01-20-2023 04:42 AM
dhcp-server subnet-selection (server ip) (3011)
dhcp-server link-selection (server ip) (3527)
These two commands are needed.
01-20-2023 05:08 AM
Thank you for the tip, but these options are not usable for Windows.
I have moved forward now; I made it work with the ASA with 9.8(4)41.
It still does not work with the FTD with 9.16(3)23.
The DHCP answer reaches the ASA, but the AnyConnect client does not get an IP.
01-20-2023 05:44 AM
Did you Wireshark the DHCP answer from the server to the FTD? Can I see it?
01-22-2023 11:05 PM
I tried to attach the cap files, but it is not supported; please send me an email and I will send you the files as an attachment.
Petr
01-24-2023 05:29 AM
This is my email; please send the capture to me if you can.
ciscomhm@gmail.com