03-01-2013 09:18 AM
I am currently running an ASA5540 version 8.3(2). I have multiple remote VPN users currently working on this server. Lately, I have had issues with people getting booted or not being able to route anywhere, and it appears to be because they keep fighting for the same IP address using the local pool, so I decided to attempt to do DHCP instead (I have no idea why it keeps overlapping IPs; we have tons in the pool and they keep fighting for the same one). This just started about a month ago; we are only using maybe 3-5 IPs out of the /24 block. The only thing that has changed is that we have hired more people, but we have separate groups for the corporate vs. operations team.
So, I setup the dhcp-network-scope for the subnet and the dhcp-server under the policies. I see the request going to the server, but it seems to be putting the ASA MAC into the Client Hardware Address field of the DHCP header. I have attached the PCAP from the ASA showing this. Does anyone know why this is happening and is there a way around it?
03-01-2013 02:22 PM
Hello Keith,
This has been taken from one CSC discussion:
When configured for DHCP address assignment with VPN clients, the ASA will always use its own MAC address in every DHCP request it sends to the ASA, but will change option 61 (Client Identifier) in the DHCP Discover message, so every Discover packet is different and hence the ASA will track IP addresses assigned to the clients and each client will have its own unique IP address.
And looking at the sniffer you sent, you can clearly see option 61 (client identifier) is unique and different for every DHCP Discover.
Now, some DHCP servers like QIP assign IP addresses only based on the MAC address of the client, and since the ASA will always use its own Mac address, the DHCP server will always reply with the same IP address in the DHCP offer.
Please note that the ASA doesn’t support such servers (like QIP) which only assign IP addresses based on the MAC address, as documented in the bug with ID:
CSCsr96775 ASA source MAC address to request DHCP - dont work properly QIP srvr
The workaround for this is to have your DHCP server support the identification of the client based on the value contained in the client identifier in option 61 of the DHCP Discover message, rather than just identifying the clients based on the MAC address. This way, everything at your side should work fine and the AnyConnect clients should be assigned IP addresses using the DHCP server properly.
03-01-2013 02:24 PM
I will have to double check on Monday, as my Linux admin has gone home, to see what is going on with the identifier. Thanks for the info.
03-01-2013 03:22 PM
Hey, my pleasure,
Remember to rate all of the helpful posts
03-05-2013 10:00 AM
OK, we worked with it and set up option 61. The problem is that it seems we can't run it without having an IP from the DHCP scope on the ASA itself. I looked at this thread and they seem to say that is the only way they got it to work.
https://supportforums.cisco.com/thread/2016063
This seems ridiculous as I don't have the VPN subnets on the ASA. Is that really the only way to make that work? I have multiple subnets that are dedicated for VPN only and use reverse route injection to pass them back and the DHCP server is in a completely different subnet.
03-05-2013 11:00 AM
Hello,
That does not make sense; actually, when we configure a VPN pool we use a different one from the ASA inside interface, as an example.
Regards
03-05-2013 02:39 PM
Well, we ended up just using the option 118 to do it. dhcp-server subnet-selection is the command. Seems to be working fine now.
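The two mechanisms discussed in this thread, the ASA keeping its own MAC in chaddr while varying option 61 (the explanation quoted from the CSC discussion above) and option 118 subnet selection (the `dhcp-server ... subnet-selection` workaround in the post just above), can be checked against real packet bytes. The following is an added example written for this page; it is not code from the thread, from Cisco, or from any DHCP server. It builds two Discover packets the way the description says the ASA does (same chaddr, different client identifier, option 118 carrying the VPN subnet), parses them, and compares a lease table keyed on chaddr (the QIP-style behaviour) with one keyed on option 61. The ASA MAC, the client identifier strings, and the 10.99.0.0/24 and 192.168.1.0/24 scopes are made-up values for the demonstration, and the giaddr fallback in `select_scope` is an assumption about server behaviour, not something the thread states.

```python
"""Added example (not from the thread): DHCP Discover build/parse plus two lease
policies, to show why MAC-keyed servers hand every ASA VPN client the same IP
while option-61-keyed servers do not, and how option 118 picks the scope."""
import ipaddress
import struct

ASA_MAC = bytes.fromhex("001122334455")   # assumed ASA interface MAC (constructed)
MAGIC_COOKIE = b"\x63\x82\x53\x63"
BOOTP_FMT = "!BBBBIHH4s4s4s4s16s64s128s"   # op,htype,hlen,hops,xid,secs,flags,4 addrs,chaddr,sname,file


def build_discover(xid: int, chaddr: bytes, client_id: bytes, subnet_sel: bytes = b"") -> bytes:
    """BOOTP header + options for a DHCPDISCOVER (option 53 = 1).
    Option 61 = client identifier, option 118 = subnet selection (RFC 3011)."""
    hdr = struct.pack(BOOTP_FMT, 1, 1, 6, 0, xid, 0, 0,
                      b"\0" * 4, b"\0" * 4, b"\0" * 4, b"\0" * 4,
                      chaddr.ljust(16, b"\0"), b"\0" * 64, b"\0" * 128)
    opts = bytes([53, 1, 1]) + bytes([61, len(client_id)]) + client_id
    if subnet_sel:
        opts += bytes([118, len(subnet_sel)]) + subnet_sel
    return hdr + MAGIC_COOKIE + opts + b"\xff"


def parse_dhcp(pkt: bytes) -> dict:
    """Decode the fixed BOOTP header and the TLV option area (pad=0, end=255)."""
    if len(pkt) < 240 or pkt[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP packet (bad length or magic cookie)")
    f = struct.unpack(BOOTP_FMT, pkt[:236])
    hlen, giaddr, chaddr = f[2], f[10], f[11]
    options, i = {}, 240
    while i < len(pkt):
        code = pkt[i]
        if code == 0:          # pad byte, no length
            i += 1
            continue
        if code == 255:        # end of options
            break
        length = pkt[i + 1]
        if i + 2 + length > len(pkt):
            raise ValueError("truncated option %d" % code)
        options[code] = pkt[i + 2:i + 2 + length]
        i += 2 + length
    return {"xid": f[4], "chaddr": chaddr[:hlen], "giaddr": giaddr, "options": options}


def select_scope(msg: dict, scopes: list) -> str:
    """Choose the scope from option 118 if present; otherwise (assumed fallback)
    from the relay address giaddr. Raises if neither matches a scope."""
    nets = [ipaddress.ip_network(s) for s in scopes]
    sel = msg["options"].get(118)
    hint = ipaddress.ip_address(sel) if sel else ipaddress.ip_address(msg["giaddr"])
    for net in nets:
        if hint in net:
            return str(net)
    raise LookupError("no scope for %s" % hint)


class LeaseTable:
    """Minimal allocator: key_fn decides what identifies a client.
    Keying on chaddr reproduces the failure described in the thread."""

    def __init__(self, scope: str, key_fn):
        self.pool = list(ipaddress.ip_network(scope).hosts())
        self.key_fn, self.leases = key_fn, {}

    def offer(self, msg: dict) -> str:
        key = self.key_fn(msg)
        if key not in self.leases:
            self.leases[key] = str(self.pool.pop(0))
        return self.leases[key]


def key_by_mac(msg):        # what a MAC-only server (QIP per the thread) does
    return msg["chaddr"]


def key_by_client_id(msg):  # what the workaround asks the server to do
    return msg["options"].get(61) or msg["chaddr"]


def demo() -> dict:
    """Two VPN users behind one ASA: same chaddr, different option 61."""
    vpn = ipaddress.ip_network("10.99.0.0/24").network_address.packed
    pkts = [build_discover(0x1001, ASA_MAC, b"\x00vpn-user-alice", vpn),
            build_discover(0x1002, ASA_MAC, b"\x00vpn-user-bob", vpn)]
    msgs = [parse_dhcp(p) for p in pkts]
    by_mac, by_cid = LeaseTable("10.99.0.0/24", key_by_mac), LeaseTable("10.99.0.0/24", key_by_client_id)
    return {"scope": [select_scope(m, ["192.168.1.0/24", "10.99.0.0/24"]) for m in msgs],
            "mac_keyed": [by_mac.offer(m) for m in msgs],
            "cid_keyed": [by_cid.offer(m) for m in msgs]}


if __name__ == "__main__":
    print(demo())
```

Running it shows both Discovers landing in the 10.99.0.0/24 scope via option 118 even though neither giaddr nor chaddr belongs to that subnet, the MAC-keyed table offering 10.99.0.1 to both users, and the option-61-keyed table offering 10.99.0.1 and 10.99.0.2. When reading a capture from the ASA, the fields to compare are exactly these: chaddr (constant), option 61 (varies per client), and option 118 (the scope the ASA is asking for).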
03-05-2013 02:44 PM
Hello Keith,
Option 118, great to have that info.
Please keep an eye on it, and if you still see it working, please mark the question as answered so future users can refer to this discussion for a solution.
Regards