ASA 5500 IP Sec Connection Profile - multiple dhcp-server

mjauner · ‎06-11-2013

Hi All

We assign in our IPSec VPN the tunnel-address from our centralized dhcp server pools.

In the profile we have two server's ip configured.

In test (whireshark) we noticed that the discover always go to the first configured ip.

I do not understand and could not finf hints how the function is.

- backup server with a timeout when no answer comes from primary ?

- should ASA do simultaneous discover to all configured ip's ?

=>Problem is, that although the first server not answered in a timely manner, we noticed no discover to the second.

Here the partial CLI - Config:

++

tunnel-group AZInt07 type remote-access

tunnel-group AZInt07 general-attributes

authentication-server-group ActivPack

default-group-policy AZInt

dhcp-server 10.x.x.y

dhcp-server 10.x.y.y

tunnel-group AZInt07 ipsec-attributes

ikev1 pre-shared-key *****

tunnel-group AZWlan07 type remote-access

tunnel-group AZWlan07 general-attributes

authentication-server-group ActivPack

<--- More --->

++

Thank You, Regards

Martin

Jouni Forss · ‎06-11-2013

Hi,

I think you might actually need to use the command in a different way.

Actually listing the servers under the same "dhcp-server" command

Here is a link to the command in the Command Reference

http://www.cisco.com/en/US/docs/security/asa/asa84/command/reference/d2.html#wp1943327

It has an option to enter multiple IP address under the same command.

Not sure if this changes your situation. I have not configured more than one server personally.

Hope this helps

- Jouni

mjauner · ‎06-11-2013

Hi Jouni

We do configation this in the ASDM. There it is only possible in the same line.

Resulting in CLI is like posted.

Martin

Jouni Forss · ‎06-11-2013

Hi,

Tested on my home ASA and it does seem that it enter it the same way into the configuration no matter if you insert multiple servers at a time or one by one.

No document so far has explained how it uses those multiple DHCP servers.

- Jouni