09-24-2012 02:32 AM
ASA5510 (without any NAT configuration):
_____________________________________
interface Ethernet0/0.34
vlan 34
nameif INSIDE34
security-level 100
ip address 172.20.254.49 255.255.255.248
!
interface Ethernet0/0.118
vlan 118
nameif INSIDE118
security-level 100
no ip address
!
interface Ethernet0/3.52
vlan 52
nameif OUTSIDE
security-level 0
ip address 172.21.254.17 255.255.255.248
!
group-policy GP1 attributes
dhcp-network-scope 10.254.34.0
vlan 118
!
tunnel-group TG2 general-attributes
default-group-policy GP1
dhcp-server 192.168.254.254
!
WS-3750:
____________________________________________
ip dhcp pool HOST-VPN18
network 10.254.34.0 255.255.254.0
default-router 10.254.34.1
!
interface Loopback0
ip address 192.168.254.254 255.255.255.255
!
interface Vlan34
ip address 172.20.254.54 255.255.255.248
!
interface Vlan118
ip address 10.254.34.1 255.255.254.0
!
Log on ASA when trying to establish an AnyConnect VPN session with a client:
_____________________________________________________
Sep 24 2012 12:20:58: %ASA-6-725002: Device completed SSL handshake with client OUTSIDE:x.x.x.x/x
Sep 24 2012 12:21:00: %ASA-2-106006: Deny inbound UDP from 10.254.34.1/67 to 10.254.34.15/68 on interface INSIDE118
Sep 24 2012 12:21:01: %ASA-2-106006: Deny inbound UDP from 10.254.34.1/67 to 10.254.34.15/68 on interface INSIDE118
Sep 24 2012 12:21:10: %ASA-3-106014: Deny inbound icmp src INSIDE118:10.254.34.1 dst INSIDE118:10.254.34.15 (type 8, code 0)
Sep 24 2012 12:21:12: %ASA-3-106014: Deny inbound icmp src INSIDE118:10.254.34.1 dst INSIDE118:10.254.34.15 (type 8, code 0)
Sep 24 2012 12:21:23: %ASA-4-737019: IPAA: Unable to get address from group-policy or tunnel-group local pools
Log on WS-3750 (don't pay attention to the time difference):
___________________________________________________
Sep 24 13:04:02: DHCPD: Reload workspace interface Vlan118 tableid 0.
Sep 24 13:04:02: DHCPD: tableid for 10.254.34.2 on Vlan118 is 0
Sep 24 13:04:02: DHCPD: client's VPN is .
Sep 24 13:04:02: DHCPD: using received relay info.
Sep 24 13:04:02: DHCPD: DHCPDISCOVER received from client 0063.6973.636f.2d35.3033.642e.6535.6132.2e39.3065.382d.4e42.5350.4f49.5431.3332.2d49.4e53.4944.4531.3138.00 through relay 10.254.34.0.
Sep 24 13:04:02: DHCPD: using received relay info.
Sep 24 13:04:04: DHCPD: Sending DHCPOFFER to client 0063.6973.636f.2d35.3033.642e.6535.6132.2e39.3065.382d.4e42.5350.4f49.5431.3332.2d49.4e53.4944.4531.3138.00 (10.254.34.17).
Why is the DHCP-OFFER blocked by the ASA, and how can I make the connection work?
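As an added example (my own code, not from the thread or from Cisco), here is a small Python checker for the configuration prerequisites the thread touches on for DHCP-based AnyConnect address assignment: `vpn-addr-assign dhcp` must be set, the tunnel-group needs a `dhcp-server`, its default group-policy needs a `dhcp-network-scope`, and the ASA must have a static route covering both the DHCP server and the scope address. The sample configuration is constructed from the ASA lines in this thread (the `vpn-addr-assign dhcp` line is the one the reply below asks about, and the three static routes are the ones the poster shows in the follow-up configuration); the parser is deliberately minimal and only understands the block types used here.

```python
from ipaddress import ip_address, ip_network

# Constructed sample: the thread's ASA lines, plus "vpn-addr-assign dhcp" (confirmed
# as configured later in the thread) and the static routes from the second posting.
ASA_CONFIG = """\
interface Ethernet0/0.34
 vlan 34
 nameif INSIDE34
 security-level 100
 ip address 172.20.254.49 255.255.255.248
!
interface Ethernet0/3.52
 vlan 52
 nameif OUTSIDE
 security-level 0
 ip address 172.21.254.17 255.255.255.248
!
vpn-addr-assign dhcp
group-policy GP1 attributes
 dhcp-network-scope 10.254.34.0
!
tunnel-group TG2 general-attributes
 default-group-policy GP1
 dhcp-server 192.168.254.254
!
route OUTSIDE 0.0.0.0 0.0.0.0 172.21.254.22 1
route INSIDE34 10.0.0.0 255.0.0.0 172.20.254.54 1
route INSIDE34 192.168.254.0 255.255.254.0 172.20.254.54 1
"""


def parse_asa_config(text):
    """Minimal block parser: top-level commands plus the indented lines under each
    interface / group-policy / tunnel-group header, and the static routes."""
    cfg = {"global": [], "interface": {}, "group-policy": {}, "tunnel-group": {}, "route": []}
    block = None
    for raw in text.splitlines():
        if raw.startswith("!") or not raw.strip():
            block = None
            continue
        if raw.startswith(" ") and block is not None:
            block.append(raw.strip())
            continue
        words = raw.split()
        if words[0] in ("interface", "group-policy", "tunnel-group"):
            block = cfg[words[0]].setdefault(words[1], [])
        elif words[0] == "route":
            cfg["route"].append(words[1:])  # [interface, network, mask, next-hop, metric]
            block = None
        else:
            cfg["global"].append(raw.strip())
            block = None
    return cfg


def longest_match(cfg, addr):
    """Most specific static route covering addr, as (interface, network), or None."""
    best = None
    for iface, net, mask, *_ in cfg["route"]:
        n = ip_network(f"{net}/{mask}")
        if ip_address(addr) in n and (best is None or n.prefixlen > best[1].prefixlen):
            best = (iface, n)
    return best


def check_dhcp_assignment(cfg, tunnel_group):
    """Return the problems found and the route each DHCP-related address resolves to."""
    problems = []
    if "vpn-addr-assign dhcp" not in cfg["global"]:
        problems.append("vpn-addr-assign dhcp is not configured")
    tg = cfg["tunnel-group"].get(tunnel_group, [])
    servers = [l.split()[1] for l in tg if l.startswith("dhcp-server ")]
    if not servers:
        problems.append(f"tunnel-group {tunnel_group} has no dhcp-server")
    gp_name = next((l.split()[1] for l in tg if l.startswith("default-group-policy ")), None)
    gp = cfg["group-policy"].get(gp_name, [])
    scope = next((l.split()[1] for l in gp if l.startswith("dhcp-network-scope ")), None)
    if scope is None:
        problems.append(f"group-policy {gp_name} has no dhcp-network-scope")
    # The DHCP server and the scope address (used as giaddr) must both be reachable
    # through a configured static route; report which interface/prefix wins.
    routes = {}
    for addr in servers + ([scope] if scope else []):
        m = longest_match(cfg, addr)
        if m is None:
            problems.append(f"no static route covers {addr}")
        else:
            routes[addr] = (m[0], str(m[1]))
    return {"problems": problems, "routes": routes}


if __name__ == "__main__":
    print(check_dhcp_assignment(parse_asa_config(ASA_CONFIG), "TG2"))
```

Run against the sample, the checker reports no problems and shows that both the DHCP server (192.168.254.254) and the scope address (10.254.34.0) are reached via INSIDE34; dropping the `vpn-addr-assign dhcp` line, or pointing it at a tunnel-group without a `dhcp-server`, produces the corresponding finding.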
09-24-2012 06:36 AM
Do you have the following command configured:
vpn-addr-assign dhcp
Also, can you please remove the following:
interface Ethernet0/0.118
Since you don't need to have an interface that is in the same vlan as the AnyConnect assigned address.
09-24-2012 06:52 AM
Hello, Jennifer!
1. vpn-addr-assign dhcp is configured.
2. When I remove subinterface e0/0.118, there is an error:
Sep 24 2012 17:45:50: %ASA-4-113036: Group
..Login failed
P.S.: how will the traffic get to the local area network if there is no dot1q interface 118?
09-24-2012 07:01 AM
Please check out the sample configuration; as advised, you don't need an interface on the ASA for the IP address subnet assigned to the VPN:
http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a0080a66bc6.shtml
Also, I don't see that you are providing any specific attribute to the AnyConnect host on the DHCP server; isn't it easier to just configure a VPN pool on the ASA itself? It's probably a lot simpler than using DHCP.
Here is an example for your reference:
09-24-2012 07:20 AM
Jennifer,
I understand that the interface isn't necessary for receiving the address, but if after that all VPN traffic is placed in VLAN 118 (group-policy attribute vlan 118), how will it pass into the LAN? Or do I not correctly understand the 'vlan 118' parameter in the group-policy? And the corporate policy requires only an external DHCP server.
09-24-2012 07:22 AM
Once an ip address is assigned to the VPN Client, it will get routed to LAN to access LAN resources.
09-25-2012 02:47 AM
OK! New config with the same problem:
ASA5510:
_____________________________________
interface Ethernet0/0.34
vlan 34
nameif INSIDE34
security-level 100
ip address 172.20.254.49 255.255.255.248
!
interface Ethernet0/3.52
vlan 52
nameif OUTSIDE
security-level 0
ip address 172.21.254.17 255.255.255.248
!
group-policy GP1 attributes
dhcp-network-scope 10.254.34.0
!
tunnel-group TG2 general-attributes
default-group-policy GP1
dhcp-server 192.168.254.254
!
route OUTSIDE 0.0.0.0 0.0.0.0 172.21.254.22 1
route INSIDE34 10.0.0.0 255.0.0.0 172.20.254.54 1
route INSIDE34 192.168.254.0 255.255.254.0 172.20.254.54 1
WS-3750:
____________________________________________
ip dhcp pool HOST-VPN18
network 10.254.34.0 255.255.254.0
default-router 10.254.34.1
!
interface Loopback0
ip address 192.168.254.254 255.255.255.255
!
interface Vlan34
ip address 172.20.254.54 255.255.255.248
!
ip route 10.254.34.0 255.255.254.0 172.20.254.49
Log on ASA when trying to establish an AnyConnect VPN session with a client:
_____________________________________________________
Sep 25 2012 13:41:19: %ASA-6-725002: Device completed SSL handshake with client OUTSIDE:x.x.x.x/x
Sep 25 2012 13:41:19: %ASA-3-106014: Deny inbound icmp src INSIDE34:172.20.254.54 dst INSIDE34:10.254.34.50 (type 8, code 0)
Sep 25 2012 13:41:20: %ASA-3-106014: Deny inbound icmp src INSIDE34:172.20.254.54 dst INSIDE34:10.254.34.50 (type 8, code 0)
Sep 25 2012 13:41:44: %ASA-3-722020: TunnelGroup
Sep 25 2012 13:41:44: %ASA-6-725007: SSL session with client OUTSIDE:x.x.x.x/x terminated.
Log on WS-3750:
______________________________________________________
Sep 25 13:44:46: DHCPD: Reload workspace interface Vlan21 tableid 0.
Sep 25 13:44:46: DHCPD: tableid for 172.18.254.190 on Vlan21 is 0
Sep 25 13:44:46: DHCPD: client's VPN is .
Sep 25 13:44:46: DHCPD: using received relay info.
Sep 25 13:44:46: DHCPD: DHCPDISCOVER received from client 0063.6973.636f.2d35.3033.642e.6535.6132.2e39.3065.382d.4e42.5350.4f49.5431.392d.494e.5349.4445.3334.00 through relay 10.254.34.0.
Sep 25 13:44:46: DHCPD: using received relay info.
Sep 25 13:44:48: DHCPD: Sending DHCPOFFER to client 0063.6973.636f.2d35.3033.642e.6535.6132.2e39.3065.382d.4e42.5350.4f49.5431.392d.494e.5349.4445.3334.00 (10.254.34.51).
Sep 25 13:44:48: DHCPD: no option 125
Sep 25 13:44:48: DHCPD: unicasting BOOTREPLY for client 503d.e5a2.90e8 to relay 10.254.34.0.
How to make VPN clients lease IPs from the external DHCP server?
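As an added example (my own code, not from the thread or from Cisco), the following Python script parses the two log formats quoted in both postings above, the ASA syslog lines (`%ASA-severity-id:`) and the IOS `DHCPD:` debug lines, and correlates them the way an analyst would when triaging this kind of failure: it counts the udp/67 to udp/68 server replies and the ICMP echo requests the ASA dropped per interface and target address (an IOS DHCP server pings a candidate address before offering it, so the echo denies belong to the same exchange), notes that the server addresses its replies to the relay address it was given (on the ASA that is the `dhcp-network-scope` value, not an interface address, so the reply has to be routed back toward the ASA), and pairs the server's DHCPOFFER with the ASA's 737019 message. The sample lines are constructed from the first posting with the client identifiers shortened; the function names are assumptions of mine.

```python
import re
from collections import Counter

# Constructed sample input, modelled on the ASA syslog and IOS "DHCPD:" debug lines quoted
# in the thread (client identifiers shortened; x.x.x.x left as the poster wrote it).
ASA_LOG = """\
Sep 24 2012 12:20:58: %ASA-6-725002: Device completed SSL handshake with client OUTSIDE:x.x.x.x/x
Sep 24 2012 12:21:00: %ASA-2-106006: Deny inbound UDP from 10.254.34.1/67 to 10.254.34.15/68 on interface INSIDE118
Sep 24 2012 12:21:01: %ASA-2-106006: Deny inbound UDP from 10.254.34.1/67 to 10.254.34.15/68 on interface INSIDE118
Sep 24 2012 12:21:10: %ASA-3-106014: Deny inbound icmp src INSIDE118:10.254.34.1 dst INSIDE118:10.254.34.15 (type 8, code 0)
Sep 24 2012 12:21:12: %ASA-3-106014: Deny inbound icmp src INSIDE118:10.254.34.1 dst INSIDE118:10.254.34.15 (type 8, code 0)
Sep 24 2012 12:21:23: %ASA-4-737019: IPAA: Unable to get address from group-policy or tunnel-group local pools
"""
SWITCH_LOG = """\
Sep 24 13:04:02: DHCPD: DHCPDISCOVER received from client 0063.6973.636f.00 through relay 10.254.34.0.
Sep 24 13:04:04: DHCPD: Sending DHCPOFFER to client 0063.6973.636f.00 (10.254.34.17).
Sep 24 13:04:04: DHCPD: unicasting BOOTREPLY for client 503d.e5a2.90e8 to relay 10.254.34.0.
"""

ASA_RE = re.compile(r"%ASA-(?P<sev>\d)-(?P<msgid>\d{6}): (?P<text>.*)")
UDP_DENY_RE = re.compile(
    r"Deny inbound UDP from (?P<src>[\d.]+)/(?P<sport>\d+) to (?P<dst>[\d.]+)/(?P<dport>\d+)"
    r" on interface (?P<ifc>\S+)")
ICMP_DENY_RE = re.compile(
    r"Deny inbound icmp src (?P<ifc>\S+):(?P<src>[\d.]+) dst \S+:(?P<dst>[\d.]+) \(type (?P<type>\d+)")
RELAY_RE = re.compile(r"relay (?P<relay>\d+(?:\.\d+){3})")
OFFER_RE = re.compile(r"Sending DHCPOFFER to client \S+ \((?P<yiaddr>[\d.]+)\)")


def parse_asa(text):
    """One dict per %ASA-sev-id line; deny lines (106006, 106014) get their fields split out."""
    events = []
    for line in text.splitlines():
        m = ASA_RE.search(line)
        if not m:
            continue
        ev = {"sev": int(m["sev"]), "msgid": m["msgid"], "text": m["text"]}
        pat = {"106006": UDP_DENY_RE, "106014": ICMP_DENY_RE}.get(ev["msgid"])
        if pat and (d := pat.search(ev["text"])):
            ev.update(d.groupdict())
        events.append(ev)
    return events


def parse_dhcpd(text):
    """Relay (giaddr) addresses and offered client addresses seen in IOS DHCPD debug lines."""
    relays, offers = set(), []
    for line in text.splitlines():
        if (r := RELAY_RE.search(line)):
            relays.add(r["relay"])
        if (o := OFFER_RE.search(line)):
            offers.append(o["yiaddr"])
    return relays, offers


def triage(asa_text, switch_text, network_scope):
    """Correlate the ASA's deny events with what the DHCP server says it did.
    network_scope is the group-policy dhcp-network-scope value (10.254.34.0 in the thread)."""
    events = parse_asa(asa_text)
    relays, offers = parse_dhcpd(switch_text)
    findings = []
    # Server-to-client DHCP replies (udp/67 -> udp/68) the ASA dropped, per interface and target.
    dhcp_drops = Counter((e["ifc"], e["src"], e["dst"]) for e in events
                         if e["msgid"] == "106006" and e.get("sport") == "67" and e.get("dport") == "68")
    for (ifc, src, dst), n in sorted(dhcp_drops.items()):
        findings.append(f"{n} DHCP replies from {src} to {dst} dropped on {ifc}")
    # Echo requests toward the candidate address: IOS DHCP pings an address before offering it.
    pings = Counter((e["ifc"], e["dst"]) for e in events
                    if e["msgid"] == "106014" and e.get("type") == "8")
    for (ifc, dst), n in sorted(pings.items()):
        findings.append(f"{n} echo requests to {dst} dropped on {ifc}")
    # The server replies to the relay address it was given; on the ASA that is the
    # dhcp-network-scope value rather than an interface address.
    for r in sorted(relays):
        if r == network_scope:
            findings.append(f"server replies are addressed to relay {r} (the dhcp-network-scope value)")
    # What the server offered versus what the ASA reported to the client.
    if offers and any(e["msgid"] == "737019" for e in events):
        findings.append(f"server offered {', '.join(offers)} but the ASA reported no address available (737019)")
    return findings


if __name__ == "__main__":
    for finding in triage(ASA_LOG, SWITCH_LOG, "10.254.34.0"):
        print(finding)
```

On the sample input the script reports the two dropped DHCP replies and two dropped echo requests on INSIDE118, the relay address matching the scope, and an offer of 10.254.34.17 that never reached the client; feeding it the second posting's logs (INSIDE34 denies, relay 10.254.34.0, offer 10.254.34.51) gives the same picture on the other interface.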
09-25-2012 03:52 AM
On the ASA, you would also need a route for the VPN Pool to be routed to the outside:
route OUTSIDE 10.254.34.0 255.255.255.0 172.21.254.22 1
Also, what is your ASA version?
09-25-2012 06:23 AM
Cisco Adaptive Security Appliance Software Version 8.4(4)1
Device Manager Version 6.4(9)
Compiled on Thu 14-Jun-12 11:20 by builders
System image file is "disk0:/asa844-1-k8.bin"
Config file at boot was "startup-config"
ASA1-1 up 5 hours 1 min
Hardware: ASA5510, 1024 MB RAM, CPU Pentium 4 Celeron 1600 MHz
Internal ATA Compact Flash, 256MB
BIOS Flash M50FW016 @ 0xfff00000, 2048KB
Encryption hardware device : Cisco ASA-55x0 on-board accelerator (revision 0x0)
Boot microcode : CN1000-MC-BOOT-2.00
SSL/IKE microcode: CNLite-MC-SSLm-PLUS-2.03
IPSec microcode : CNlite-MC-IPSECm-MAIN-2.06
Number of accelerators: 1
______________
ASA and AnyConnect with latest IOS/version
09-25-2012 06:27 AM
Looks like you are hitting bugID: CSCtz59915
Upgrade to 8.4(4)2 or higher will resolve the issue.