Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
995
Views
0
Helpful
1
Replies

Cisco ASA IPsec VPN Client cannot obtain an ip address from the "Local defined ip pool" not Extenal DHCP server for remote peer

Sandile Mazamane
Level 1
Level 1

‎05-04-2015 07:01 AM - edited ‎02-21-2020 08:12 PM

Cisco ASA 5585 IPsec VPN Client and AnyConnect cannot obtain an ip address from the "Local defined ip pool" not External DHCP server for remote peer.

Everything is fine, but remote peer can't obtain address.

 

isakmp policy 50 
encryption 3des 
hash sha 
Aauthentication pre-share 
group 2 
lifetime 3600

no ip local pool PUBNET-IPSEC-POOL 192.32.221.9-192.32.221.14 mask 255.255.255.248


no object network obj-PUBNET-IPSEC-POOL 
subnet 192.32.221.8 255.255.255.248 
exit 
no nat (inside,outside) 1 source static any any destination static obj-PUBNET-IPSEC-POOL obj-PUBNET-IPSEC-POOL


no group-policy PUBNET-IPSEC-POOL-POLICY internal 
no group-policy PUBNET-IPSEC-POOL-POLICY attributes 
vpn-idle-timeout 30 
dns-server value 10.0.X.X 10.0.X.X  
wins-server value 10.0.X.X 10.0.X.X


crypto ipsec transform-set PUBNET-IPSEC-3des-TS esp-3des esp-sha-hmac 


crypto dynamic-map PUBNET-IPSEC-DYN_MAP 10 set transform-set PUBNET-IPSEC-3des-TS

  
mcrypto map outside_map  76 ipsec-isakmp dynamic PUBNET-IPSEC-PUBNET-IPSEC-DYN_MAP 
crypto map outside_map interface outside


no tunnel-group PUBNET-IPSEC-PROFILE type remote-access 
no tunnel-group PUBNET-IPSEC-PROFILE general-attributes 
Aaddress-pool PUBNET-IPSEC-POOL
authentication-server-group TACACS+ LOCAL  
default-group-policy PUBNET-IPSEC-POOL-POLICY  
no tunnel-group PUBNET-IPSEC-PROFILE ipsec-attributes 
pre-shared-key groupkey123

Labels:
0 Helpful
1 Reply 1

Karsten Iwen
VIP
VIP

‎05-04-2015 08:33 AM

do a 

show run vpn-addr-assign

and make sure you didn't disable the lines for "local" and "dhcp".

If the adress-assignment ist enabled (it is by default) then look at your logs and start debugging. Very often the reason for adressing-problems is clearly stated.

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents