Re: ASA picking from IPv6-pool on non IPv6 enabled Group Policy

erik.hammervold · ‎10-16-2020

Hi

I have a small nuisance.

We run Firepower 2130 with ASA image, and have several group policies with IPv6, but for a small set of users we need to run IPv4 only.

So I set up a group policy for this, but see that the ASA distributes IPv6 adresses from DfltGrpPolicy. Reconfigured and added/removed IPv6 pool and even restarted the ASA. The ASA is picking the adresses from local pools for all group policies.

I get the right profile, the right IPv4 scope, I do not inherit pool from DefaultGrpPolicy.

group-policy vpn_test attributes
split-tunnel-all-dns disable
address-pools value employee
ipv6-address-pools none
webvpn
anyconnect profiles value LAB_AC_profile type user

* also tried with the standard employee profile*
anyconnect ask none default anyconnect

What am I missing here?

I haven't got this behavior on any of my other policies.

Erik

erik.hammervold · ‎10-17-2020

xxx/xx/xx# sh ver

Cisco Adaptive Security Appliance Software Version 9.12(3)
SSP Operating System Version 2.6(1.156)
Device Manager Version 7.12(2)

Compiled on Fri 22-Nov-19 14:47 PST by builders
System image file is "disk0:/mnt/boot/installables/switch/fxos-k8-fp2k-npu.2.6.1.156.SPA"
Config file at boot was "startup-config"

vpn up 1 day 7 hours

Hardware: FPR-2130, 14822 MB RAM, CPU MIPS 1200 MHz, 1 CPU (12 cores)

Erik

erik.hammervold · ‎10-19-2020

Tested now on two boxes... Same on both. this weirds me out. Either this i a clear TAC case or I'm seriously missing some noob thing here.

Erik