
DHCP problem on the ASA

Lance Wendel
Level 1

I have a strange situation.

One of my customers is experiencing an issue which relates to DHCP on an ASA.

The ASA is currently on 8.4.(4). The problem he is facing is that when a client (iPhone or iPad) tries to connect, intermittently it doesn't get an IP address assigned from the DHCP server.

Only the WLAN controller receives an address.

Unfortunately, I cannot provide a lot of details regarding the pcaps or show run.

Has anyone had the same kind of issue previously?


Adrian Martinez
Level 1

I upgraded three ASAs (one 5505 and two 5510s) to 8.4(4)3, and on all three ASAs, which were providing DHCP services to connected networks, DHCP stopped working. Users could not get DHCP addresses from the ASAs running 8.4.4.3.

I did packet captures from the desktop; basically I see the DHCP requests leaving the desktop, but no replies from the ASA.

I downgraded the ASA to 8.4(4)1 and DHCP immediately started working again.

I rolled back to 8.4.4.3. DHCP failed again. Downgraded the ASA to 8.4.4.1, then DHCP started working again.

Looks like a bug with ASA 8.4.4.3 and DHCP.

So I'm sticking with 8.4.4.1 for now.

Sent from Cisco Technical Support iPhone App

Hi Martinez-adrina

Thanks for the reply. Unfortunately, my customer is also on the 8.4(4).1.

So no luck there either. But thank you for your reply.

With kind regards,

lancellot

jlkeys
Level 1

I had a similar problem with VPN clients not receiving an IP address from DHCP after upgrading from 8.4(2) to 8.4(5).  I went back and forth with TAC for a few weeks and we narrowed it down to an identity NAT (nat exemption) statement for the VPN clients that required the route-lookup option to be checked.

joe.kowalewski
Level 1

I had the same issue when upgrading from 8.4(2) to 8.4(5). I had to add the route-lookup AND disable proxy-arp on my identity NATs to resolve the issue.
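
The two replies above both trace the failure to identity NAT (NAT exemption) rules that lacked `route-lookup`, and in one case also needed proxy ARP disabled. The following is an added example, not part of any post in this thread: a Python audit of saved `show running-config` text that lists identity NAT rules missing either option. The function name, object names and sample configuration are constructed for illustration.

```python
import re

# Twice-NAT rule as it appears in "show running-config nat" on ASA 8.3+:
#   nat (real_if,mapped_if) [after-auto] [line] source static REAL MAPPED [destination ...] [options]
NAT_RE = re.compile(
    r"^nat \((?P<real_if>[^,]+),(?P<mapped_if>[^)]+)\)\s+(?:after-auto\s+)?(?:\d+\s+)?"
    r"source static (?P<real>\S+) (?P<mapped>\S+)(?P<rest>.*)$"
)

def audit_identity_nat(config_text):
    """Return (rule, missing_options) for each identity NAT rule that lacks
    no-proxy-arp or route-lookup. Function name is hypothetical."""
    findings = []
    for raw in config_text.splitlines():
        line = raw.strip()
        m = NAT_RE.match(line)
        # Identity NAT: the real and mapped source objects are the same.
        if not m or m.group("real") != m.group("mapped"):
            continue
        options = m.group("rest").split()
        missing = [o for o in ("no-proxy-arp", "route-lookup") if o not in options]
        if missing:
            findings.append((line, missing))
    return findings

# Constructed sample configuration (object names and subnets are made up).
SAMPLE_CONFIG = """\
object network OBJ-INSIDE
 subnet 10.10.0.0 255.255.0.0
object network OBJ-VPN-POOL
 subnet 10.99.0.0 255.255.255.0
nat (inside,outside) source static OBJ-INSIDE OBJ-INSIDE destination static OBJ-VPN-POOL OBJ-VPN-POOL
nat (inside,outside) source static OBJ-DMZ OBJ-DMZ destination static OBJ-VPN-POOL OBJ-VPN-POOL no-proxy-arp
nat (inside,outside) source static OBJ-MGMT OBJ-MGMT destination static OBJ-VPN-POOL OBJ-VPN-POOL no-proxy-arp route-lookup
nat (inside,outside) source dynamic any interface
"""

if __name__ == "__main__":
    for rule, missing in audit_identity_nat(SAMPLE_CONFIG):
        print(f"missing {', '.join(missing)}: {rule}")
```

Rules it reports are candidates for review after an upgrade, not proof of the fault; whether each rule needs the options depends on the interfaces and routes involved.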

joan.ballaud
Level 1

I have an issue which may be related.

After having changed the internal gateway equipment, the DHCP requests emitted by the ASA remain addressed to the removed gateway interface's MAC address, whereas the ASA makes ARP requests and gets the new GW interface MAC address correctly.

Hi Joan

Did you get the DHCP issue fixed?

We are having the exact same problem on version 8.3(2)4.

The ASAs are connected to a gateway cluster. When a failover occurs in the cluster, all ARP tables are updated on the ASAs. DHCP requests from VPN clients to an internal DHCP server are still being sent to the MAC address of the old gateway interface, even though the ARP tables have been updated with the new MAC address.

It seems that the DHCP relay/proxy function is using old cached information instead of the ARP table.

Regards

Anders

joan.ballaud
Level 1

Hi Anders,

Here is the link to the BugID:

http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId=CSCty13865

Still not fixed for the moment.

The work-arounds are:

- disconnect all the remote access sessions issuing the command 'vpn-sessiondb logoff'

or

- reboot the ASA.

For my part, as I am working with ASA in failover, I have failed over to the standby (secondary) unit, then I have rebooted the primary unit.

Regards,

Joan