12-01-2020 08:05 AM - edited 12-01-2020 09:37 AM
I am trying to configure Infoblox as the DHCP server for VPN users on a Cisco ASA. However, the problem is that whenever a user disconnects and reconnects immediately, they get a new IP.
Packet capture shows the Cisco is using only the inside interface MAC in the DHCP packets (client identifier: "cisco-aaaa.bbbb.cccc-localhost10-inside" in option 61), not the actual VPN client MAC address. Also, the client MAC mentioned is its own MAC and not the client's MAC. However, the hostname of the VPN client is taken correctly.
Existing IOS is 9.13(1)7
How to resolve this issue?
12-01-2020 10:42 AM
I am trying to configure Infoblox as the DHCP server for VPN users on a Cisco ASA. However, the problem is that whenever a user disconnects and reconnects immediately, they get a new IP.
BB - this is normally based on the DHCP release from the ASA. What are you looking for: to get the same IP for the user all the time? Or what release time are you looking for? Keep in mind that if you block the IP for longer, you will have a "DHCP full" issue.
12-04-2020 01:54 AM
Thanks for the reply, bala.
I verified that the IP is released and marked as free on the DHCP server before it assigns a new IP to the client. So I guess multiple IP assignment is OK.
I am now seeing a problem where the VPN client is unable to update its hostname on the DNS server. DDNS is not working. Any clue on that?
The ASA has a bug that does not forward certain DHCP options from the DHCP server to the VPN client and vice versa.
12-04-2020 02:45 AM
It's been a long time since I worked with Infoblox, but looking at the thread below you can tweak it. Check if that solves your problem.
https://community.infoblox.com/t5/DNS-DHCP-IPAM/Windows-Client-DHCP-and-DNS-Registration/td-p/13153
12-01-2020 11:20 AM
I don't think you can fix this issue, as the AnyConnect clients are not L2 adjacent to the ASA, so the ASA has no idea of their MAC addresses. When the ASA proxies the DHCP traffic, as you said, it injects its own MAC address of the interface facing the DHCP server. In these cases, the ASA has no control at all of the DHCP lease, as the ASA just relays the DHCP messages coming from the clients to the defined DHCP server. From the DHCP server's perspective, the client identifiers are unique, but they are not based on client MAC addresses, and those unique identifiers would not be supported for any reservation. Also, any DHCP lease configured on the DHCP server would not have any effect on the AnyConnect clients; in fact, if I remember correctly, when you disconnect the AnyConnect client its assigned IP gets released from the pool straight away.
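As an added illustration of the two posts above (this is example code written for this page, not from Cisco, Infoblox or any poster), the following Python script builds a constructed DHCP DISCOVER of the shape described in the capture: the relay's own interface MAC in the BOOTP chaddr field and an ASCII (type 0) identifier in option 61 rather than a hardware-address (type 1) identifier. It then parses the packet back the way a DHCP server would, so you can see why a MAC-based reservation has nothing to match on, and contrasts it with a directly connected client that sends a type 1 identifier. The MAC, hostname and identifier strings are placeholders, and `build_discover`, `parse_options` and `describe_client` are names chosen for this example.

```python
import struct

# Constructed sample values (placeholders, not real devices).
ASA_INSIDE_MAC = bytes.fromhex("aaaabbbbcccc")
# Option 61 value as the ASA relay sends it: type byte 0 followed by ASCII text.
ASA_CLIENT_ID = bytes([0]) + b"cisco-aaaa.bbbb.cccc-localhost10-inside"
LAN_MAC = bytes.fromhex("001122334455")
# Option 61 value from an ordinary L2-adjacent client: type 1 + 6-byte MAC.
LAN_CLIENT_ID = bytes([1]) + LAN_MAC
HOSTNAME = b"laptop-42"


def build_discover(chaddr, client_id, hostname, xid=0x3903F326):
    """Build a minimal BOOTP/DHCP DISCOVER (RFC 2131 header + RFC 2132 options).

    chaddr    -- 6-byte hardware address placed in the BOOTP chaddr field
    client_id -- full option 61 value, first byte is the identifier type
    hostname  -- option 12 value
    """
    header = struct.pack(
        "!BBBBIHH4s4s4s4s16s64s128s",
        1,            # op: BOOTREQUEST
        1, 6, 0,      # htype Ethernet, hlen 6, hops
        xid,
        0, 0x8000,    # secs, flags (broadcast bit)
        b"\0" * 4, b"\0" * 4, b"\0" * 4, b"\0" * 4,   # ciaddr/yiaddr/siaddr/giaddr
        chaddr.ljust(16, b"\0"),
        b"\0" * 64, b"\0" * 128,
    )
    magic = b"\x63\x82\x53\x63"
    options = (
        bytes([53, 1, 1])                          # DHCP message type: DISCOVER
        + bytes([61, len(client_id)]) + client_id  # client identifier
        + bytes([12, len(hostname)]) + hostname    # host name
        + b"\xff"                                  # end
    )
    return header + magic + options


def parse_options(pkt):
    """Return {code: value} for the TLV options after the magic cookie."""
    opts = {}
    i = 240
    while i < len(pkt):
        code = pkt[i]
        if code == 255:
            break
        if code == 0:          # pad
            i += 1
            continue
        length = pkt[i + 1]
        opts[code] = pkt[i + 2:i + 2 + length]
        i += 2 + length
    return opts


def describe_client(pkt, relay_mac=None):
    """Summarise what a DHCP server can learn about the requesting client."""
    hlen = pkt[2]
    chaddr = pkt[28:28 + hlen]
    opts = parse_options(pkt)
    cid = opts.get(61, b"")
    info = {
        "chaddr": chaddr.hex(":"),
        "chaddr_is_relay": relay_mac is not None and chaddr == relay_mac,
        "hostname": opts.get(12, b"").decode(errors="replace"),
        "client_id_type": cid[0] if cid else None,
        "client_id": None,
        # True only when option 61 carries a hardware address (type 1, 6 bytes),
        # which is what a MAC-keyed reservation can be matched against.
        "mac_based_identifier": False,
    }
    if cid:
        if cid[0] == 1 and len(cid) == 7:
            info["client_id"] = cid[1:].hex(":")
            info["mac_based_identifier"] = True
        else:
            info["client_id"] = cid[1:].decode(errors="replace")
    return info


if __name__ == "__main__":
    vpn = describe_client(build_discover(ASA_INSIDE_MAC, ASA_CLIENT_ID, HOSTNAME), ASA_INSIDE_MAC)
    lan = describe_client(build_discover(LAN_MAC, LAN_CLIENT_ID, HOSTNAME), ASA_INSIDE_MAC)
    for label, info in (("VPN client via ASA", vpn), ("L2-adjacent client", lan)):
        print(label, info)
```

Running the script shows the relayed packet carrying the ASA's MAC in chaddr, an opaque string identifier and only the hostname as client-specific data, while the L2-adjacent packet exposes the real MAC in both places; this is the difference that makes per-client reservations workable for the latter but not the former.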