
ASA AnyConnect client fails to get IP from remote DHCP Server

I have an ASA with a dozen or so AnyConnect client profiles set up to get their IP address from my Windows DHCP server.

It was working great yesterday.

I saved the config and reloaded the device.

Now it won't issue IPs to my VPN clients.

I don't understand what is going on.

If I change the profiles to use a local pool it assigns an IP and works great.

But I can't use the local pools.  I have to use the DHCP server on the LAN.

The ONLY thing that was done recently was that a license enabling the AnyConnect Essentials was installed.

I get this in the debug:


6 Aug 30 2011 10:44:39      DAP: User test49, Addr 107.44.142.20, Connection AnyConnect: The following DAP records were selected for this connection: DfltAccessPolicy
6 Aug 30 2011 10:44:39      Group User IP <107.44.142.20> AnyConnect parent session started.
7 Aug 30 2011 10:44:39      IPAA: Received message 'UTL_IP_[IKE_]ADDR_REQ'
6 Aug 30 2011 10:44:39      IPAA: DHCP request attempt 1 succeeded
6 Aug 30 2011 10:44:39      IPAA: DHCP configured, request succeeded for tunnel-group 'MCSO-Mobiles'
6 Aug 30 2011 10:44:39  172.18.4.7 67 172.18.1.46 67 Built outbound UDP connection 30957 for Internal:172.18.1.46/67 (172.18.1.46/67) to identity:172.18.4.7/67 (172.18.4.7/67)
7 Aug 30 2011 10:44:39  192.168.6.1    Built local-host ISP1:192.168.6.1
6 Aug 30 2011 10:44:39  172.18.1.46 1 192.168.6.1 0 Built outbound ICMP connection for faddr 192.168.6.1/0 gaddr 172.18.1.46/1 laddr 172.18.1.46/1
6 Aug 30 2011 10:44:41  172.18.1.46 67 192.168.6.0 67 Built outbound UDP connection 30960 for ISP1:192.168.6.0/67 (192.168.6.0/67) to Internal:172.18.1.46/67 (172.18.1.46/67)
6 Aug 30 2011 10:44:42  192.168.6.1 0 172.18.1.46 1 Teardown ICMP connection for faddr 192.168.6.1/0 gaddr 172.18.1.46/1 laddr 172.18.1.46/1
7 Aug 30 2011 10:44:52      IPAA: Received message 'UTL_IP_DHCP_INVALID_ADDR'
4 Aug 30 2011 10:44:52      IPAA: Unable to get address from group-policy or tunnel-group local pools
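
An added example, not part of the original post: a small Python parser for log lines in the layout shown above. It groups the IPAA messages into address requests and reports how long the ASA waited before `UTL_IP_DHCP_INVALID_ADDR` and which interfaces the port-67 connections were built on. The sample lines are copied from the post; the record field names are assumptions of this example, and it assumes one address request in flight at a time, since these messages carry no session identifier.

```python
import re
from datetime import datetime

# Sample input: six lines copied from the debug output in the post above.
SAMPLE_LOG = """\
7 Aug 30 2011 10:44:39      IPAA: Received message 'UTL_IP_[IKE_]ADDR_REQ'
6 Aug 30 2011 10:44:39      IPAA: DHCP request attempt 1 succeeded
6 Aug 30 2011 10:44:39  172.18.4.7 67 172.18.1.46 67 Built outbound UDP connection 30957 for Internal:172.18.1.46/67 (172.18.1.46/67) to identity:172.18.4.7/67 (172.18.4.7/67)
6 Aug 30 2011 10:44:41  172.18.1.46 67 192.168.6.0 67 Built outbound UDP connection 30960 for ISP1:192.168.6.0/67 (192.168.6.0/67) to Internal:172.18.1.46/67 (172.18.1.46/67)
7 Aug 30 2011 10:44:52      IPAA: Received message 'UTL_IP_DHCP_INVALID_ADDR'
4 Aug 30 2011 10:44:52      IPAA: Unable to get address from group-policy or tunnel-group local pools
"""

# severity, timestamp, rest of line (the viewer's IP/port columns may be empty)
LINE = re.compile(r"^(\d) (\w{3} \d{1,2} \d{4} \d{2}:\d{2}:\d{2})\s+(.*)$")
# "Built ... UDP connection N for <if>:<ip>/67 (...) to <if>:<ip>/67"
FLOW = re.compile(r"UDP connection (\d+) for ([^:\s]+):([\d.]+)/67 \S+ to ([^:\s]+):([\d.]+)/67")

def analyze(log_text):
    """Group log lines into address requests; record outcome, wait and DHCP flows."""
    attempts, cur = [], None
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue
        ts = datetime.strptime(m.group(2), "%b %d %Y %H:%M:%S")
        msg = m.group(3)
        if "ADDR_REQ" in msg:  # a new address request starts a record
            cur = {"start": ts, "dhcp_sent": False, "invalid_after_s": None,
                   "assigned": None, "flows": []}
            attempts.append(cur)
        elif cur is None:
            continue
        elif "DHCP request attempt" in msg and "succeeded" in msg:
            cur["dhcp_sent"] = True
        elif "UTL_IP_DHCP_INVALID_ADDR" in msg:
            cur["invalid_after_s"] = int((ts - cur["start"]).total_seconds())
        elif "Unable to get address" in msg:
            cur["assigned"] = False
        elif (f := FLOW.search(msg)):
            cur["flows"].append((f.group(1), (f.group(2), f.group(3)), (f.group(4), f.group(5))))
    return attempts

def dhcp_interfaces(attempt):
    """Interfaces on which port-67 connections were built during this request."""
    return sorted({ep[0] for _, a, b in attempt["flows"] for ep in (a, b)})

if __name__ == "__main__":
    for a in analyze(SAMPLE_LOG):
        print(a["dhcp_sent"], a["invalid_after_s"], a["assigned"], dhcp_interfaces(a))
```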

17 Replies

Just had a look over the configuration I had. On 8.4(3), the only parameter I changed to get the DHCP request passed to the server was the DHCP network-scope address under the VPN group policy, from the network address (x.x.x.0) to the first one in the scope (x.x.x.1); that fixed it for me. This command appears under each group policy attribute statement in my case.

However I see you are using 8.4(4), so perhaps there is yet another trip point here?

I have the scope set to x.x.x.1. Even tried .2 as suggested by TAC and .100 with no success.

Hi, have you first tried setting a local pool for the VPN users to verify if it is a similar issue? When I had this problem a local pool worked fine, but the upgrade broke the DHCP service when using an external DHCP server.