cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements
1334
Views
0
Helpful
4
Replies
Highlighted
Beginner
Beginner

DHCP issues from vpn users

,

 

I am trying to configure infoblox as dhcp server for vpn users on Cisco asa. However, the problem is whenever user disconnects and reconnects immediately he gets new IP.

 

Packet capture shows cisco is using only inside interface mac in dhcp packets (client identifier : "cisco-aaaa.bbbb.cccc-localhost10-inside" in option 61) but not the actual vpn client mac address. Also, client mac mentioned is its own mac and not the client's mac. However, hostname of vpn client is correctly taken.

Existing ios is 9.13(1)7

 

How to resolve this issue? 

 

4 REPLIES 4
Highlighted
VIP Expert

I am trying to configure infoblox as dhcp server for vpn users on Cisco asa. However, the problem is whenever user disconnects and reconnects immediately he gets new IP.

 

BB - this is normally based on the DHCP release from ASA - what are you looking get same IP for the user all time ?  or any time to release you looking - keep in mind that if you block the IP for longer you will DHCP full issue ?

 



BB


*** Rate All Helpful Responses ***

Highlighted

Thanks for reply bala..

I verified that the ip is released and marked as free on dhcp server before it assigns new ip the client. So i guess multiple ip assignmet is ok.

 

I am seeing now problem as the vpn client is unable to update its hostname on dns server. Ddns not working. Any clue on that.  

 

Asa has bug that do not forward certain dhcp options from dhcp server to vpn client and vice versa.

Highlighted

Its been long worked infoblox - but looking below thread you can tweak - check if that solves your problem.

 

https://community.infoblox.com/t5/DNS-DHCP-IPAM/Windows-Client-DHCP-and-DNS-Registration/td-p/13153



BB


*** Rate All Helpful Responses ***

Highlighted
VIP Rising star

I don't think you can fix this issue as the AnyConnect clients are not L2 adjacent to the ASA, so the ASA has no idea of their own MAC addresses. When the ASA proxy for the DHCP traffic, as you said, it will injects its own MAC address of the interface facing to the DHCP server. In these cases, the ASA would have no control at all of the DHCP lease as the ASA just relays those DHCP messages coming from the clients to the defined DHCP server. From the DHCP server perspective, the clients identifiers are unique, but they are not based on client MAC addresses, and those unique identifiers would not be supported to do any reservation. Also, any DHCP lease configured on the DHCP server would not have any effect on the AnyConnect clients, in fact, if I remember correctly, when you disconnect AnyConnect client its assigned IP gets released from the pool straightaway.

Content for Community-Ad