ASA Remote VPN with DHCP Failing

Keith McElroy
Level 1

I am currently running an ASA5540 version 8.3(2). I have multiple remote VPN users currently working on this server. Lately, I have had issues with people getting booted or not being able to route anywhere, and it appears to be because they keep fighting for the same IP address using the local pool, so I decided to attempt to do DHCP instead (I have no idea why it keeps overlapping IPs; we have tons in the pool and they keep fighting for the same one). This just started about a month ago; we are only using maybe 3-5 IPs out of the /24 block. The only thing that has changed is we have hired more people, but we have separate groups for the corporate vs. operations team.

So, I set up the dhcp-network-scope for the subnet and the dhcp-server under the policies. I see the request going to the server, but it seems to be putting the ASA MAC into the Client Hardware Address field of the DHCP header. I have attached the PCAP from the ASA showing this. Does anyone know why this is happening and is there a way around it?

7 Replies

Julio Carvajal
VIP Alumni

Hello Keith,

This has been taken from one CSC discussion:

When configured for DHCP address assignment with VPN clients, the ASA will always use its own MAC address in every DHCP request it sends to the DHCP server, but will change option 61 (Client Identifier) in the DHCP Discover message, so every Discover packet is different and hence the ASA will track IP addresses assigned to the clients and each client will have its own unique IP address.

And looking at the sniffer you sent, you can clearly see option 61 (client identifier) is unique and different for every DHCP Discover.

Now, some DHCP servers like QIP assign IP addresses only based on the MAC address of the client, and since the ASA will always use its own Mac address, the DHCP server will always reply with the same IP address in the DHCP offer.

Please note that the ASA doesn’t support such servers (like QIP) which only assign IP addresses based on the MAC address, as documented in the bug with ID:

CSCsr96775    ASA source MAC address to request DHCP - dont work properly QIP srvr

The workaround for this is to have your DHCP server supporting the identification of the client based on the value contained in the client identifier in option 61 of the DHCP Discover message, rather than just identifying the clients based on the MAC address. This way, everything at your side should work fine and the Anyconnect clients should be assigned IP addresses using DHCP server properly.

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

I will have to double-check on Monday, as my Linux admin has gone home, to see what is going on with the identifier. Thanks for the info.

Hey, my pleasure.

Remember to rate all of the helpful posts.

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

OK, we worked with it and set up option 61. The problem is that it seems we can't run it without having an IP from the DHCP scope on the ASA itself. I looked at this thread and they seem to say that is the only way they got it to work.

https://supportforums.cisco.com/thread/2016063

This seems ridiculous as I don't have the VPN subnets on the ASA. Is that really the only way to make that work? I have multiple subnets that are dedicated for VPN only and use reverse route injection to pass them back and the DHCP server is in a completely different subnet.

Hello,

That does not make sense. Actually, when we configure a VPN pool we use a different one from the ASA inside interface, as an example.

Regards

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Well, we ended up just using the option 118 to do it. dhcp-server subnet-selection is the command. Seems to be working fine now.

Hello Keith,

Option 118, great to have that info.

Please keep an eye on it, and if you still see it working please mark the question as answered so future users can refer to this discussion for a solution.

Regards

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
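The two mechanisms discussed in this thread (the ASA putting its own MAC in chaddr while varying option 61 per client, and option 118 subnet selection letting the server pick a scope the relay has no address in) can be reproduced with a small packet builder and a toy lease allocator. This is an added example written for this page, not code from Cisco, the ASA, or any poster here. The headend MAC, the VPN scope, the relay address, and the contents of the option 61 client identifiers are all constructed assumptions; the thread does not say what the ASA actually puts in option 61, only that it differs per client. The `LeaseServer` class models two server policies: keying leases on chaddr (the QIP-style behaviour Julio describes) and keying on option 61.

```python
"""
Constructed demonstration of DHCP address assignment through a VPN headend:
every DISCOVER carries the headend's MAC in chaddr, option 61 distinguishes
clients, and option 118 (RFC 3011 subnet selection) names the scope to
allocate from. All addresses and identifiers below are made up for the demo.
"""
import ipaddress
import struct
from typing import Dict, List, Optional

ASA_MAC = bytes.fromhex("001b0c123456")   # assumed headend MAC, same in every DISCOVER
VPN_SCOPE = "10.50.7.0"                   # assumed VPN pool network carried in option 118


def build_discover(client_id: bytes, xid: int,
                   subnet_selection: Optional[str] = None) -> bytes:
    """Build a minimal RFC 2131 DHCPDISCOVER the way a relaying headend would."""
    # op=BOOTREQUEST, htype=Ethernet, hlen=6, hops=0, xid, secs, flags=broadcast,
    # ciaddr/yiaddr/siaddr/giaddr all zero (28 bytes total)
    hdr = struct.pack("!BBBBIHH4s4s4s4s", 1, 1, 6, 0, xid, 0, 0x8000,
                      b"\0" * 4, b"\0" * 4, b"\0" * 4, b"\0" * 4)
    chaddr = ASA_MAC.ljust(16, b"\0")          # the headend MAC, not the client's
    sname_file = b"\0" * 192                   # sname (64) + file (128), unused
    magic = b"\x63\x82\x53\x63"
    opts = bytes([53, 1, 1])                                   # message type DISCOVER
    opts += bytes([61, len(client_id) + 1, 1]) + client_id     # option 61: htype + id
    if subnet_selection:
        opts += bytes([118, 4]) + ipaddress.IPv4Address(subnet_selection).packed
    opts += bytes([255])                                       # end
    return hdr + chaddr + sname_file + magic + opts


def parse_discover(pkt: bytes) -> dict:
    """Extract chaddr and the option map from a DHCP message (fixed-layout parser)."""
    out = {"chaddr": pkt[28:34], "options": {}}
    opts, i = pkt[240:], 0
    while i < len(opts):
        code = opts[i]
        if code == 255:
            break
        if code == 0:          # pad
            i += 1
            continue
        length = opts[i + 1]
        out["options"][code] = opts[i + 2:i + 2 + length]
        i += 2 + length
    return out


class LeaseServer:
    """Toy allocator; key_by is 'chaddr' (QIP-style) or 'client-id' (option 61)."""

    def __init__(self, key_by: str, scopes: Dict[ipaddress.IPv4Network, List[str]]):
        self.key_by = key_by
        self.scopes = scopes                 # network -> free addresses
        self.leases: Dict[bytes, str] = {}   # lease key -> assigned address

    def pick_scope(self, msg: dict, relay_ip: str) -> ipaddress.IPv4Network:
        # Option 118 overrides the relay address for scope selection; without it
        # the server can only match on the relay's own address.
        if 118 in msg["options"]:
            probe = ipaddress.IPv4Address(msg["options"][118])
        else:
            probe = ipaddress.IPv4Address(relay_ip)
        for net in self.scopes:
            if probe in net:
                return net
        raise LookupError(f"no scope covers {probe}")

    def offer(self, pkt: bytes, relay_ip: str) -> str:
        msg = parse_discover(pkt)
        key = msg["chaddr"] if self.key_by == "chaddr" else msg["options"][61]
        if key in self.leases:               # same key -> same address, every time
            return self.leases[key]
        net = self.pick_scope(msg, relay_ip)
        ip = self.scopes[net].pop(0)
        self.leases[key] = ip
        return ip


def demo(key_by: str, subnet_selection: Optional[str]) -> List[str]:
    """Three VPN clients request addresses through a headend at 192.168.1.1 (assumed)."""
    scopes = {ipaddress.IPv4Network("10.50.7.0/24"):
              ["10.50.7.10", "10.50.7.11", "10.50.7.12"]}
    srv = LeaseServer(key_by, scopes)
    return [srv.offer(build_discover(f"vpnuser{n}".encode(), 0x1000 + n, subnet_selection),
                      relay_ip="192.168.1.1")
            for n in range(3)]


if __name__ == "__main__":
    print("MAC-keyed server: ", demo("chaddr", VPN_SCOPE))      # one address for everyone
    print("option-61 server: ", demo("client-id", VPN_SCOPE))   # distinct addresses
    try:
        demo("client-id", None)                                 # no option 118, relay off-scope
    except LookupError as err:
        print("without option 118:", err)
```

Run as a script it prints the three outcomes side by side: a server that keys on chaddr hands every client the same address because every DISCOVER looks like the same host, a server that keys on option 61 hands out distinct addresses, and with no option 118 the allocator cannot match the relay's 192.168.1.1 to the VPN scope, which is the "need an IP from the scope on the ASA" symptom Keith hit before enabling `dhcp-server ... subnet-selection`.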