cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
6761
Views
0
Helpful
9
Replies

ASA AnyConnect: clients unable to get IPs from remote DHCP

Anton Pestov
Level 1
Level 1

ASA5510 (without any NAT configuration):

_____________________________________

interface Ethernet0/0.34

vlan 34

nameif INSIDE34

security-level 100

ip address 172.20.254.49 255.255.255.248

!

interface Ethernet0/0.118

vlan 118

nameif INSIDE118

security-level 100

no ip address

!

interface Ethernet0/3.52

vlan 52

nameif OUTSIDE

security-level 0

ip address 172.21.254.17 255.255.255.248

!

group-policy GP1 attributes

dhcp-network-scope 10.254.34.0

vlan 118

!

tunnel-group TG2 general-attributes

default-group-policy GP1

dhcp-server 192.168.254.254

!

WS-3750:

____________________________________________

ip dhcp pool HOST-VPN18

   network 10.254.34.0 255.255.254.0

   default-router 10.254.34.1

!

interface Loopback0

ip address 192.168.254.254 255.255.255.255

!

interface Vlan34

ip address 172.20.254.54 255.255.255.248

!

interface Vlan118

ip address 10.254.34.1 255.255.254.0

!

Log on ASA, when try to establish VPN AnyConnect with client:

_____________________________________________________

Sep 24 2012 12:20:58: %ASA-6-725002: Device completed SSL handshake with client OUTSIDE:x.x.x.x/x

Sep 24 2012 12:21:00: %ASA-2-106006: Deny inbound UDP from 10.254.34.1/67 to 10.254.34.15/68 on interface INSIDE118

Sep 24 2012 12:21:01: %ASA-2-106006: Deny inbound UDP from 10.254.34.1/67 to 10.254.34.15/68 on interface INSIDE118

Sep 24 2012 12:21:10: %ASA-3-106014: Deny inbound icmp src INSIDE118:10.254.34.1 dst INSIDE118:10.254.34.15 (type 8, code 0)

Sep 24 2012 12:21:12: %ASA-3-106014: Deny inbound icmp src INSIDE118:10.254.34.1 dst INSIDE118:10.254.34.15 (type 8, code 0)

Sep 24 2012 12:21:23: %ASA-4-737019: IPAA: Unable to get address from group-policy or tunnel-group local pools

Log on WS-3750 (to time difference don't pay attention) :

___________________________________________________

Sep 24 13:04:02: DHCPD: Reload workspace interface Vlan118 tableid 0.

Sep 24 13:04:02: DHCPD: tableid for 10.254.34.2 on Vlan118 is 0

Sep 24 13:04:02: DHCPD: client's VPN is .

Sep 24 13:04:02: DHCPD: using received relay info.

Sep 24 13:04:02: DHCPD: DHCPDISCOVER received from client 0063.6973.636f.2d35.3033.642e.6535.6132.2e39.3065.382d.4e42.5350.4f49.5431.3332.2d49.4e53.4944.4531.3138.00 through relay 10.254.34.0.

Sep 24 13:04:02: DHCPD: using received relay info.

Sep 24 13:04:04: DHCPD: Sending DHCPOFFER to client 0063.6973.636f.2d35.3033.642e.6535.6132.2e39.3065.382d.4e42.5350.4f49.5431.3332.2d49.4e53.4944.4531.3138.00 (10.254.34.17).

Why DHCP-OFFER blocked by ASA? and how to make that the connection worked?

1 Accepted Solution

Accepted Solutions

Looks like you are hitting bugID: CSCtz59915

http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId=CSCtz59915

Upgrade to 8.4(4)2 or higher will resolve the issue.

View solution in original post

9 Replies 9

Jennifer Halim
Cisco Employee
Cisco Employee

Do you have the following command configured:

vpn-addr-assign dhcp

Also, can you pls remove the following:

interface Ethernet0/0.118

Since you don't need to have an interface that is in the same vlan as the AnyConnect assigned address.

Hello, Jennifer!

1. vpn-addr-assign dhcp is configured.

2. When remove subinterface e0/0.118, there is an error:

Sep 24 2012 17:45:50: %ASA-4-113036: Group User IP AAA parameter value invalid.

..Login failed

P.S.: how the traffic will get to a local area network if there is no dot1.q interface 118?

Pls check out the sample configuration and as advised you don't need an interface on the ASA for the ip address subnet assigned to the VPN:

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a0080a66bc6.shtml

Also, i don't see that you are providing any specific attribute to the AnyConnect host on the DHCP server, isn't it easier to just configure VPN Pool on the ASA itself. It's probably a lot simpler than using the DHCP.

Here is an example for your reference:

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00808efbd2.shtml#step4

Jennifer,

I understand, what for receiving the address the interface isn't necessary but if after that all VPN of traffics is located in 118 VLAN (group-policy attribute vlan 118) how it will pass in LAN, or I not correctly understand parameter 'vlan 118' in group-policy? And the corp policy requires only external DHCP-server.

Once an ip address is assigned to the VPN Client, it will get routed to LAN to access LAN resources.

Anton Pestov
Level 1
Level 1

Ok! New config with same problem:

ASA5510:

_____________________________________

interface Ethernet0/0.34

vlan 34

nameif INSIDE34

security-level 100

ip address 172.20.254.49 255.255.255.248

!

interface Ethernet0/3.52

vlan 52

nameif OUTSIDE

security-level 0

ip address 172.21.254.17 255.255.255.248

!

group-policy GP1 attributes

dhcp-network-scope 10.254.34.0

!

tunnel-group TG2 general-attributes

default-group-policy GP1

dhcp-server 192.168.254.254

!

route OUTSIDE 0.0.0.0 0.0.0.0 172.21.254.22 1

route INSIDE34 10.0.0.0 255.0.0.0 172.20.254.54 1

route INSIDE34 192.168.254.0 255.255.254.0 172.20.254.54 1

WS-3750:

____________________________________________

ip dhcp pool HOST-VPN18

   network 10.254.34.0 255.255.254.0

   default-router 10.254.34.1

!

interface Loopback0

ip address 192.168.254.254 255.255.255.255

!

interface Vlan34

ip address 172.20.254.54 255.255.255.248

!

ip route 10.254.34.0 255.255.254.0 172.20.254.49      

Log on ASA, when try to establish VPN AnyConnect with client:

_____________________________________________________

Sep 25 2012 13:41:19: %ASA-6-725002: Device completed SSL handshake with client OUTSIDE:x.x.x.x/x

Sep 25 2012 13:41:19: %ASA-3-106014: Deny inbound icmp src INSIDE34:172.20.254.54 dst INSIDE34:10.254.34.50 (type 8, code 0)

Sep 25 2012 13:41:20: %ASA-3-106014: Deny inbound icmp src INSIDE34:172.20.254.54 dst INSIDE34:10.254.34.50 (type 8, code 0)

Sep 25 2012 13:41:44: %ASA-3-722020: TunnelGroup GroupPolicy User IP No address available for SVC connection

Sep 25 2012 13:41:44: %ASA-6-725007: SSL session with client OUTSIDE:x.x.x.x/x terminated.

Log on WS-3750:

______________________________________________________

Sep 25 13:44:46: DHCPD: Reload workspace interface Vlan21 tableid 0.

Sep 25 13:44:46: DHCPD: tableid for 172.18.254.190 on Vlan21 is 0

Sep 25 13:44:46: DHCPD: client's VPN is .

Sep 25 13:44:46: DHCPD: using received relay info.

Sep 25 13:44:46: DHCPD: DHCPDISCOVER received from client 0063.6973.636f.2d35.3033.642e.6535.6132.2e39.3065.382d.4e42.5350.4f49.5431.392d.494e.5349.4445.3334.00 through relay 10.254.34.0.

Sep 25 13:44:46: DHCPD: using received relay info.

Sep 25 13:44:48: DHCPD: Sending DHCPOFFER to client 0063.6973.636f.2d35.3033.642e.6535.6132.2e39.3065.382d.4e42.5350.4f49.5431.392d.494e.5349.4445.3334.00 (10.254.34.51).

Sep 25 13:44:48: DHCPD: no option 125

Sep 25 13:44:48: DHCPD: unicasting BOOTREPLY for client 503d.e5a2.90e8 to relay 10.254.34.0.

How to do: VPN clients lease IP's from external DHCP?

On the ASA, you would also need a route for the VPN Pool to be routed to the outside:

route OUTSIDE 10.254.34.0 255.255.255.0 172.21.254.22 1

Also, what is your ASA version?

Cisco Adaptive Security Appliance Software Version 8.4(4)1

Device Manager Version 6.4(9)

Compiled on Thu 14-Jun-12 11:20 by builders

System image file is "disk0:/asa844-1-k8.bin"

Config file at boot was "startup-config"

ASA1-1 up 5 hours 1 min

Hardware:   ASA5510, 1024 MB RAM, CPU Pentium 4 Celeron 1600 MHz

Internal ATA Compact Flash, 256MB

BIOS Flash M50FW016 @ 0xfff00000, 2048KB

Encryption hardware device : Cisco ASA-55x0 on-board accelerator (revision 0x0)

                             Boot microcode   : CN1000-MC-BOOT-2.00

                             SSL/IKE microcode: CNLite-MC-SSLm-PLUS-2.03

                             IPSec microcode  : CNlite-MC-IPSECm-MAIN-2.06

                             Number of accelerators: 1

______________

ASA and AnyConnect with lastest IOS/version

Looks like you are hitting bugID: CSCtz59915

http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId=CSCtz59915

Upgrade to 8.4(4)2 or higher will resolve the issue.

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: