AnyConnect with ASA and Microsoft Windows DHCP server for address

podvarka
Level 1

Hello,

I need to use an external Windows DHCP server for address assignment for AnyConnect clients.

I found several guides on how to make the configuration. For instance:

https://www.petenetlive.com/KB/Article/0001050
https://integratingit.wordpress.com/2022/02/06/asa-anyconnect-vpn-dhcp-address-assignment/

It is a very simple configuration. But it does not work for me.

I sniffed traffic at the DHCP server. I see DHCP discover packets only coming from the ASA, and the DHCP server does not send an answer to them.

I made a VLAN at an L3 switch with the same IP I am using for VPN. I created an ip helper for the same DHCP server and I see the DHCP request. The DHCP server sends an answer with a proposed IP immediately.

Does anybody know what is wrong? I suppose that the problem is at the DHCP server because there are no other options at the ASA. And I believe that it works for some other people.

I tried more versions of ASA and DHCP server (2012, 2019) in different environments.

The config is the same as in the tutorials linked in the text.

Thanks in advance for help,

Petr

Accepted Solution

podvarka
Level 1

Funny story.

Two problems on the journey to the solution.

First is an internal firewall between the RADIUS server and the ASA - it must allow traffic from the internal IP to RADIUS and, in the opposite direction, it must allow traffic from the RADIUS server to the IP subnet of the VPN pools (because the reply is not going to the ASA's IP, but to an IP of the VPN pool).

Second is a NAT exempt for the VPN pool at the ASA; without this (if there is some NATting enabled), the IP address offer never reaches the AnyConnect client ...
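The accepted answer's first point (the server's reply goes to a VPN pool address, not the ASA's own IP) follows from how DHCP relay works: the relayed DISCOVER carries a giaddr, the server picks a scope by that giaddr, and it unicasts the OFFER back to that giaddr on UDP/67. The script below is an added illustration, not code from the thread or from Cisco; the pool, scope and server addresses are constructed, and it assumes, as the poster observed, that the giaddr the ASA inserts lies inside the VPN pool.

```python
import ipaddress
import struct

# Constructed example values, not taken from the thread.
VPN_POOL = ipaddress.ip_network("10.10.50.0/24")          # assumed AnyConnect pool
SERVER_SCOPES = [ipaddress.ip_network("10.10.50.0/24")]   # scopes defined on the Windows DHCP server
DHCP_SERVER = "10.1.1.20"                                  # assumed Windows DHCP server address

# BOOTP fixed header: op, htype, hlen, hops, xid, secs, flags, ciaddr, yiaddr, siaddr, giaddr
HEADER = "!BBBBIHH4s4s4s4s"

def build_discover(giaddr: str, xid: int = 0x3903F326) -> bytes:
    """Constructed DHCPDISCOVER as a relay agent (hops=1, giaddr set) would forward it."""
    fixed = struct.pack(HEADER, 1, 1, 6, 1, xid, 0, 0x8000,
                        b"\0" * 4, b"\0" * 4, b"\0" * 4,
                        ipaddress.ip_address(giaddr).packed)
    chaddr = bytes.fromhex("001122334455") + b"\0" * 10    # client MAC padded to 16 bytes
    cookie = b"\x63\x82\x53\x63"                           # DHCP magic cookie
    options = bytes([53, 1, 1, 255])                       # option 53 = DISCOVER, then END
    return fixed + chaddr + b"\0" * 64 + b"\0" * 128 + cookie + options

def parse_header(pkt: bytes) -> dict:
    """Decode the BOOTP fixed header (RFC 2131, section 2)."""
    f = struct.unpack(HEADER, pkt[:28])
    return {"op": f[0], "hops": f[3], "xid": f[4],
            "giaddr": str(ipaddress.ip_address(f[10]))}

def analyse_relay(pkt: bytes) -> dict:
    """Explain where the OFFER will go and what must be open for it to arrive."""
    h = parse_header(pkt)
    gi = ipaddress.ip_address(h["giaddr"])
    relayed = h["giaddr"] != "0.0.0.0"
    # A server selects a scope by giaddr and typically drops a DISCOVER that
    # matches no scope, which shows up as "discover seen, no answer sent".
    scope_ok = any(gi in s for s in SERVER_SCOPES) if relayed else False
    return {
        "relayed": relayed,
        "scope_match": scope_ok,
        # RFC 2131 4.1: with giaddr set, the server unicasts the OFFER to giaddr, port 67.
        "offer_dst": h["giaddr"] if relayed else "255.255.255.255",
        "offer_dst_in_vpn_pool": gi in VPN_POOL,
        # The firewall between server and ASA must permit this flow towards the pool subnet.
        "required_acl": f"permit udp host {DHCP_SERVER} eq 67 "
                        f"{VPN_POOL.network_address} {VPN_POOL.netmask} eq 67",
    }

if __name__ == "__main__":
    print(analyse_relay(build_discover("10.10.50.1")))
```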


10 Replies

@podvarka what version of ASA software are you running? I seem to recall an issue with DHCP relay using ASA 9.10 or 9.12.

Currently I have it configured at ASA with 9.8(4)41 and at FTD with 9.16(3)23.

Both behave the same - sending DHCP discover.

Are you configuring dhcp-scope in ASA?

No; and it would not be needed if I understand the tutorial well, because the DHCP scope is configured at the external server.

dhcp-server (server ip) subnet-selection (3011)
dhcp-server (server ip) link-selection (3527)

These two commands are needed.

Thank you for the tip, but these options are not usable for Windows.

I have moved forward now; I made it work with ASA 9.8(4)41.

It still does not work with FTD 9.16(3)23.

The DHCP answer reaches the ASA, but the AnyConnect client does not get an IP.

Did you Wireshark the DHCP answer from the server to the FTD? Can I see it?

I tried to attach cap files, but it is not supported; send me an email please and I will send you the files as an attachment.

Petr

This is my email; please send the capture to me if you can:
ciscomhm@gmail.com