ASA AnyConnect: clients unable to get IPs from remote DHCP

Anton Pestov
Level 1

ASA5510 (without any NAT configuration):
_____________________________________

interface Ethernet0/0.34
 vlan 34
 nameif INSIDE34
 security-level 100
 ip address 172.20.254.49 255.255.255.248
!
interface Ethernet0/0.118
 vlan 118
 nameif INSIDE118
 security-level 100
 no ip address
!
interface Ethernet0/3.52
 vlan 52
 nameif OUTSIDE
 security-level 0
 ip address 172.21.254.17 255.255.255.248
!
group-policy GP1 attributes
 dhcp-network-scope 10.254.34.0
 vlan 118
!
tunnel-group TG2 general-attributes
 default-group-policy GP1
 dhcp-server 192.168.254.254
!

WS-3750:
____________________________________________

ip dhcp pool HOST-VPN18
   network 10.254.34.0 255.255.254.0
   default-router 10.254.34.1
!
interface Loopback0
 ip address 192.168.254.254 255.255.255.255
!
interface Vlan34
 ip address 172.20.254.54 255.255.255.248
!
interface Vlan118
 ip address 10.254.34.1 255.255.254.0
!

Log on the ASA when trying to establish the AnyConnect VPN with the client:
_____________________________________________________

Sep 24 2012 12:20:58: %ASA-6-725002: Device completed SSL handshake with client OUTSIDE:x.x.x.x/x
Sep 24 2012 12:21:00: %ASA-2-106006: Deny inbound UDP from 10.254.34.1/67 to 10.254.34.15/68 on interface INSIDE118
Sep 24 2012 12:21:01: %ASA-2-106006: Deny inbound UDP from 10.254.34.1/67 to 10.254.34.15/68 on interface INSIDE118
Sep 24 2012 12:21:10: %ASA-3-106014: Deny inbound icmp src INSIDE118:10.254.34.1 dst INSIDE118:10.254.34.15 (type 8, code 0)
Sep 24 2012 12:21:12: %ASA-3-106014: Deny inbound icmp src INSIDE118:10.254.34.1 dst INSIDE118:10.254.34.15 (type 8, code 0)
Sep 24 2012 12:21:23: %ASA-4-737019: IPAA: Unable to get address from group-policy or tunnel-group local pools

Log on the WS-3750 (don't pay attention to the time difference):
___________________________________________________

Sep 24 13:04:02: DHCPD: Reload workspace interface Vlan118 tableid 0.
Sep 24 13:04:02: DHCPD: tableid for 10.254.34.2 on Vlan118 is 0
Sep 24 13:04:02: DHCPD: client's VPN is .
Sep 24 13:04:02: DHCPD: using received relay info.
Sep 24 13:04:02: DHCPD: DHCPDISCOVER received from client 0063.6973.636f.2d35.3033.642e.6535.6132.2e39.3065.382d.4e42.5350.4f49.5431.3332.2d49.4e53.4944.4531.3138.00 through relay 10.254.34.0.
Sep 24 13:04:02: DHCPD: using received relay info.
Sep 24 13:04:04: DHCPD: Sending DHCPOFFER to client 0063.6973.636f.2d35.3033.642e.6535.6132.2e39.3065.382d.4e42.5350.4f49.5431.3332.2d49.4e53.4944.4531.3138.00 (10.254.34.17).

Why is the DHCPOFFER blocked by the ASA, and how can I make the connection work?
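As an added triage helper (not from the thread, and not Cisco code), the script below correlates the ASA syslog with the 3750 DHCPD debug from the post above: it lists the ASA interface addresses, checks whether the relay address the server replies to (the giaddr, which the ASA fills from dhcp-network-scope) is one of them, extracts the denied DHCP replies, and decodes the dotted-hex client identifier the switch prints. The sample lines are copied from the post; the reading of the findings is mine, not a root-cause verdict.

```python
import re
# Constructed sample input: lines copied from the thread's first ASA config and the two logs.
ASA_CONFIG = """\
interface Ethernet0/0.34
 nameif INSIDE34
 ip address 172.20.254.49 255.255.255.248
interface Ethernet0/0.118
 nameif INSIDE118
 no ip address
group-policy GP1 attributes
 dhcp-network-scope 10.254.34.0
"""
ASA_LOG = """\
Sep 24 2012 12:21:00: %ASA-2-106006: Deny inbound UDP from 10.254.34.1/67 to 10.254.34.15/68 on interface INSIDE118
Sep 24 2012 12:21:23: %ASA-4-737019: IPAA: Unable to get address from group-policy or tunnel-group local pools
"""
CLIENT_ID = ("0063.6973.636f.2d35.3033.642e.6535.6132.2e39.3065.382d."
             "4e42.5350.4f49.5431.3332.2d49.4e53.4944.4531.3138.00")
DHCPD_LOG = f"""\
Sep 24 13:04:02: DHCPD: DHCPDISCOVER received from client {CLIENT_ID} through relay 10.254.34.0.
Sep 24 13:04:04: DHCPD: Sending DHCPOFFER to client {CLIENT_ID} (10.254.34.17).
"""

def decode_client_id(dotted):
    # IOS prints the DHCP client identifier as dotted hex; the one the ASA relays is ASCII.
    return bytes.fromhex(dotted.replace(".", "")).strip(b"\x00").decode("ascii")

def asa_interface_addrs(config):
    # nameif -> configured address; an interface with 'no ip address' is skipped.
    addrs, name = {}, None
    for line in (ln.strip() for ln in config.splitlines()):
        if line.startswith("nameif "):
            name = line.split()[1]
        elif line.startswith("ip address ") and name:
            addrs[name] = line.split()[2]
    return addrs

def diagnose(config, asa_log, dhcpd_log):
    # The server answers to the relay address (giaddr) it saw in the DISCOVER, so that
    # address must be one the ASA owns, and the reply must not be denied on arrival.
    findings, addrs = [], asa_interface_addrs(config)
    relay = re.search(r"through relay (\S+)\.", dhcpd_log)
    if relay and relay.group(1) not in addrs.values():
        findings.append(f"giaddr {relay.group(1)} is not an ASA interface address {sorted(addrs.values())}")
    for m in re.finditer(r"106006: Deny inbound UDP from (\S+)/67 to (\S+)/68 on interface (\S+)", asa_log):
        findings.append(f"DHCP reply {m.group(1)} -> {m.group(2)} denied on {m.group(3)}")
    if re.search(r"%ASA-4-737019|%ASA-3-722020", asa_log):
        findings.append("ASA reported no address available for the AnyConnect session")
    cid = re.search(r"client ([0-9a-f.]+) through relay", dhcpd_log)
    if cid:
        findings.append("client-id decodes to " + decode_client_id(cid.group(1)))
    return findings
```

The decoded identifier carries the MAC 503d.e5a2.90e8 that the switch later names in its BOOTREPLY line and ends with the nameif of the ASA interface on which the denies were logged, which makes the two logs easy to tie together.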


9 Replies

Jennifer Halim
Cisco Employee

Do you have the following command configured:

vpn-addr-assign dhcp

Also, can you please remove the following:

interface Ethernet0/0.118

since you don't need to have an interface that is in the same VLAN as the AnyConnect-assigned address.

Hello, Jennifer!

1. vpn-addr-assign dhcp is configured.

2. When I remove subinterface e0/0.118, there is an error:

Sep 24 2012 17:45:50: %ASA-4-113036: Group User IP AAA parameter value invalid.
..Login failed

P.S.: how will the traffic get to the local area network if there is no dot1q interface 118?

Please check out the sample configuration; as advised, you don't need an interface on the ASA for the IP subnet assigned to the VPN:

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a0080a66bc6.shtml

Also, I don't see that you are providing any specific attribute to the AnyConnect host on the DHCP server; isn't it easier to just configure a VPN pool on the ASA itself? It's probably a lot simpler than using DHCP.

Here is an example for your reference:

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00808efbd2.shtml#step4

Jennifer,

I understand that the interface isn't necessary for receiving the address, but if after that all VPN traffic is placed in VLAN 118 (group-policy attribute vlan 118), how will it pass into the LAN? Or do I misunderstand the 'vlan 118' parameter in the group-policy? And the corporate policy requires only an external DHCP server.

Once an ip address is assigned to the VPN Client, it will get routed to LAN to access LAN resources.

Anton Pestov
Level 1

OK! New config with the same problem:

ASA5510:
_____________________________________

interface Ethernet0/0.34
 vlan 34
 nameif INSIDE34
 security-level 100
 ip address 172.20.254.49 255.255.255.248
!
interface Ethernet0/3.52
 vlan 52
 nameif OUTSIDE
 security-level 0
 ip address 172.21.254.17 255.255.255.248
!
group-policy GP1 attributes
 dhcp-network-scope 10.254.34.0
!
tunnel-group TG2 general-attributes
 default-group-policy GP1
 dhcp-server 192.168.254.254
!
route OUTSIDE 0.0.0.0 0.0.0.0 172.21.254.22 1
route INSIDE34 10.0.0.0 255.0.0.0 172.20.254.54 1
route INSIDE34 192.168.254.0 255.255.254.0 172.20.254.54 1

WS-3750:
____________________________________________

ip dhcp pool HOST-VPN18
   network 10.254.34.0 255.255.254.0
   default-router 10.254.34.1
!
interface Loopback0
 ip address 192.168.254.254 255.255.255.255
!
interface Vlan34
 ip address 172.20.254.54 255.255.255.248
!
ip route 10.254.34.0 255.255.254.0 172.20.254.49

Log on the ASA when trying to establish the AnyConnect VPN with the client:
_____________________________________________________

Sep 25 2012 13:41:19: %ASA-6-725002: Device completed SSL handshake with client OUTSIDE:x.x.x.x/x
Sep 25 2012 13:41:19: %ASA-3-106014: Deny inbound icmp src INSIDE34:172.20.254.54 dst INSIDE34:10.254.34.50 (type 8, code 0)
Sep 25 2012 13:41:20: %ASA-3-106014: Deny inbound icmp src INSIDE34:172.20.254.54 dst INSIDE34:10.254.34.50 (type 8, code 0)
Sep 25 2012 13:41:44: %ASA-3-722020: TunnelGroup GroupPolicy User IP No address available for SVC connection
Sep 25 2012 13:41:44: %ASA-6-725007: SSL session with client OUTSIDE:x.x.x.x/x terminated.

Log on the WS-3750:
______________________________________________________

Sep 25 13:44:46: DHCPD: Reload workspace interface Vlan21 tableid 0.
Sep 25 13:44:46: DHCPD: tableid for 172.18.254.190 on Vlan21 is 0
Sep 25 13:44:46: DHCPD: client's VPN is .
Sep 25 13:44:46: DHCPD: using received relay info.
Sep 25 13:44:46: DHCPD: DHCPDISCOVER received from client 0063.6973.636f.2d35.3033.642e.6535.6132.2e39.3065.382d.4e42.5350.4f49.5431.392d.494e.5349.4445.3334.00 through relay 10.254.34.0.
Sep 25 13:44:46: DHCPD: using received relay info.
Sep 25 13:44:48: DHCPD: Sending DHCPOFFER to client 0063.6973.636f.2d35.3033.642e.6535.6132.2e39.3065.382d.4e42.5350.4f49.5431.392d.494e.5349.4445.3334.00 (10.254.34.51).
Sep 25 13:44:48: DHCPD: no option 125
Sep 25 13:44:48: DHCPD: unicasting BOOTREPLY for client 503d.e5a2.90e8 to relay 10.254.34.0.

How can VPN clients lease IPs from an external DHCP server?

On the ASA, you would also need a route for the VPN Pool to be routed to the outside:

route OUTSIDE 10.254.34.0 255.255.255.0 172.21.254.22 1

Also, what is your ASA version?

Cisco Adaptive Security Appliance Software Version 8.4(4)1
Device Manager Version 6.4(9)

Compiled on Thu 14-Jun-12 11:20 by builders
System image file is "disk0:/asa844-1-k8.bin"
Config file at boot was "startup-config"

ASA1-1 up 5 hours 1 min

Hardware:   ASA5510, 1024 MB RAM, CPU Pentium 4 Celeron 1600 MHz
Internal ATA Compact Flash, 256MB
BIOS Flash M50FW016 @ 0xfff00000, 2048KB

Encryption hardware device : Cisco ASA-55x0 on-board accelerator (revision 0x0)
                             Boot microcode   : CN1000-MC-BOOT-2.00
                             SSL/IKE microcode: CNLite-MC-SSLm-PLUS-2.03
                             IPSec microcode  : CNlite-MC-IPSECm-MAIN-2.06
                             Number of accelerators: 1

______________

ASA and AnyConnect with the latest IOS/version

Looks like you are hitting bug ID CSCtz59915:

http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId=CSCtz59915

Upgrading to 8.4(4)2 or higher will resolve the issue.