03-01-2011 09:26 AM
We're setting up DHCP to a central DHCP server for SSLVPN clients on our ASA running 8.2, and it's not working yet.
I've defined the DHCP server for the tunnel profile to use, and set the dhcp network scope for the group, which seems to be all that is needed.
Right now the issue is that I'm having trouble finding any debug commands that will give detailed information on what's going on with the DHCP requests.
The only DHCP-related debug commands seem to be:
dhcpc DHCP Client information
dhcpd DHCPD information, and
dhcprelay DHCP Relay information
I've tried the client and relay debugs and all I see is that the client is not getting offered a valid IP address; 0.0.0.0/0.0.0.0
The DHCP server does not see any requests from this ASA for the network defined in the dhcp-network-scope for the group, and we see nothing about the DHCP server in the debug results.
Any suggestions would be welcome.
Lynne
03-08-2011 04:52 AM
Hello Lynne,
Hope you are doing well.
Could you please attach the show tech of the ASA in question along with the IP address of the DHCP server?
Could you also run Wireshark captures on the DHCP server? You may not see requests coming to the DHCP server from the IP address of the ASA.
The Discover packet which gets forwarded by the ASA to the DHCP server will have the ASA's interface IP address in the relay agent field, or giaddr.
Regards
Ashish
03-08-2011 07:05 AM
Thanks for the offer Ashish; I'd rather not post the entire sho tech,
but here's the tunnel-group and group-policy that we are trying to use
DHCP with:
tunnel-group TestDHCP type remote-access
tunnel-group TestDHCP general-attributes
 authentication-server-group UVM_LDAP
 default-group-policy TestDHCP_Policy
 dhcp-server x.y.201.21
tunnel-group TestDHCP webvpn-attributes
 group-alias TestDHCP enable
 group-url https://sslvpn.uvm.edu/TestDHCP enable
group-policy TestDHCP_Policy internal
group-policy TestDHCP_Policy attributes
 dhcp-network-scope x.y.23.0
I don't have a wireshark capture from the DHCP server but I can tell you
that it does not see any DHCP requests for the x.y.23.0 network.
When I've set up DHCP previously, the VPN client pool was in the same
subnet as the inside of the VPN, which is not true in this case- so I
wonder if the dhcp-network-scope is not working properly. Or have I
missed setting something up?
Lynne
03-08-2011 05:05 PM
Hello Lynne,
Under "group-policy TestDHCP_Policy attributes", change the "dhcp-network-scope" to a specific IP address instead of a network.
For example, "x.x.23.1" in place of "x.x.23.0".
Regards
Ashish
03-09-2011 07:20 AM
Thanks Ashish for the suggestion.
Unfortunately that did not fix the problem.
Here's what I see in the DHCP debugs:
DHCP: Adding x.y.201.21 as DHCP server
DHCP: SDiscover attempt # 1 for entry:
DHCP: SDiscover unicast 356 bytes on interface 2
DHCP Unicast to x.y.201.21 from x.y.92.4
DHCP: SDiscover attempt # 2 for entry:
DHCP: SDiscover unicast 356 bytes on interface 2
DHCP Unicast to x.y.201.21 from x.y.92.4
DHCP: SDiscover attempt # 3 for entry:
DHCP: SDiscover unicast 356 bytes on interface 2
DHCP Unicast to x.y.201.21 from x.y.92.4
DHCP: SDiscover attempt # 4 for entry:
DHCP: SDiscover unicast 356 bytes on interface 2
DHCP Unicast to x.y.201.21 from x.y.92.4
%Unknown DHCP problem.. No allocation possible
DHCP: Removing route for x.y.23.1
DHCP: Removing rule -1181046848 for interface inside for addr x.y.23.1
DHCP Proxy command failed
UTL_ProcIpAddrQEvent DHCP Failed - trying local pool
03-09-2011 07:48 AM
It seems that the ASA is relaying the DHCP discover packet which the client is sending.
Here in this case x.y.92.4 should be the IP address of the interface which is connected to the DHCP server.
The debugs show that the ASA is sending unicast DHCP discover packets but there is no reply from the server.
If there is a router between the DHCP server and the ASA, it should have a route for the x.y.23.0 network pointing to the ASA.
Could you take Wireshark captures on the server? First we need to make sure that the discover packets are reaching the server and that it is responding.
Regards
Ashish
03-09-2011 08:51 AM
Ashish,
Figured it out; there was a routing interface that was snatching the
DHCP replies before they got to the ASA.
Turned down the routing interface and bingo!
Thanks so much for your help.
Lynne
03-09-2011 09:07 AM
I am glad to know that the issue is resolved.
Please rate all useful replies given by me and mark this thread as answered if everything is working fine.
Regards
Ashish.
03-09-2011 09:23 AM
Hmm, can't figure out how to mark the thread as answered...
03-09-2011 05:18 PM
You will see a button as "mark as answered".
You can also rate the useful replies.
Regards
Ashish
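Added example, not part of the original thread and not Cisco code: a small Python parser for the DHCP payloads that a capture on the server would show, pulling out the giaddr (relay agent) field discussed above and the address the server will answer to. Per RFC 2131 a server sends its reply to a non-zero giaddr rather than to the packet's source address, so that address has to route back to the ASA, which is where the replies in this thread went astray. The function names and the documentation-range addresses are assumptions made for the demo.

```python
import socket
import struct

DHCP_MAGIC = b"\x63\x82\x53\x63"
MSG_TYPES = {1: "DISCOVER", 2: "OFFER", 3: "REQUEST", 5: "ACK", 6: "NAK"}

def parse_dhcp(payload):
    """Parse a BOOTP/DHCP UDP payload (fixed header layout from RFC 2131)."""
    if len(payload) < 240 or payload[236:240] != DHCP_MAGIC:
        raise ValueError("not a DHCP message")
    op, _htype, hlen, hops, xid = struct.unpack("!BBBBI", payload[:8])
    info = {
        "op": op, "hops": hops, "xid": xid, "type": None,
        "giaddr": socket.inet_ntoa(payload[24:28]),   # relay agent address
        "chaddr": ":".join("%02x" % b for b in payload[28:28 + min(hlen, 16)]),
    }
    i = 240                                   # options start after the magic cookie
    while i < len(payload) and payload[i] != 255:   # 255 = end option
        if payload[i] == 0:                   # 0 = pad, has no length byte
            i += 1
            continue
        if i + 1 >= len(payload):
            break                             # truncated option header
        length = payload[i + 1]
        value = payload[i + 2:i + 2 + length]
        if payload[i] == 53 and len(value) == 1:    # option 53 = message type
            info["type"] = MSG_TYPES.get(value[0], str(value[0]))
        i += 2 + length
    return info

def reply_destination(info, src_ip):
    """RFC 2131 4.1: with a non-zero giaddr the server replies to giaddr."""
    return info["giaddr"] if info["giaddr"] != "0.0.0.0" else src_ip

def build_sample(giaddr):
    """Constructed DHCPDISCOVER payload for the demo (not a real capture)."""
    hdr = struct.pack("!BBBBIHH", 1, 1, 6, 0, 0x1234ABCD, 0, 0)
    addrs = bytes(12) + socket.inet_aton(giaddr)    # ciaddr, yiaddr, siaddr, giaddr
    chaddr = bytes.fromhex("020000000001") + bytes(10)
    return hdr + addrs + chaddr + bytes(192) + DHCP_MAGIC + b"\x35\x01\x01\xff"

if __name__ == "__main__":
    # Constructed values: packet source 192.0.2.4, giaddr 198.51.100.1
    info = parse_dhcp(build_sample("198.51.100.1"))
    print(info["type"], "giaddr", info["giaddr"],
          "-> reply goes to", reply_destination(info, "192.0.2.4"))
```

If the reply destination printed for a captured Discover is not an address whose route leads back to the ASA, the Offer will be delivered elsewhere even though the server answered.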