External DHCP server

elecorbalan
Level 1

Hello,

I have configured a VPN with a DHCP server on the inside subnet, but messages from the DHCP server don't arrive at the VPN client.

Do I have to configure the ASA as a DHCP relay?

Thanks

10 Replies

andrew.prince
Level 10

Now I can't pass the first IKE phase.

The logs are:

Nov 25 12:20:53 [IKEv1 DEBUG]: IP = --.176.85, IKE Peer included IKE fragmentation capability flags: Main Mode: True Aggressive Mode: False

Nov 25 12:20:53 [IKEv1]: IP = --.176.85, Connection landed on tunnel_group TunelVPN

Nov 25 12:20:58 [IKEv1]: Group = TunelVPN, IP = --.176.85, Duplicate Phase 1 packet detected. Retransmitting last packet.

Nov 25 12:20:58 [IKEv1]: Group = TunelVPN, IP = --.176.85, P1 Retransmit msg dispatched to AM FSM

Nov 25 12:21:22 [IKEv1]: Group = TunelVPN, IP = --.176.85, Removing peer from peer table failed, no match!

Nov 25 12:21:22 [IKEv1]: Group = TunelVPN, IP = --.176.85, Error: Unable to remove PeerTblEntry

The config is:

access-list inside_nat0_outbound_2 extended permit ip any 10.0.0.0 255.255.255.192

nat-control

global (outside) 101 interface

nat (inside) 0 access-list inside_nat0_outbound_2

nat (inside) 101 0.0.0.0 0.0.0.0

object-group service DM_INLINE_TCP_1 tcp

port-object eq www

port-object eq https

access-list inside_access_in extended permit tcp 10.0.0.0 255.255.255.0 any object-group DM_INLINE_TCP_1

access-list inside_access_in extended permit icmp any any echo

access-list inside_access_in extended permit icmp any any echo-reply

access-list inside_access_in extended permit ip 10.0.0.0 255.255.255.0 --.89.192 255.255.255.192 log warnings

access-list inside_access_in extended deny ip any any log warnings

access-list outside_access_in extended permit icmp any --.74.48 255.255.255.252 echo-reply

access-list outside_access_in extended permit icmp 10.0.0.0 255.255.255.0 10.0.0.0 255.255.255.0

access-list outside_access_in extended permit udp 10.0.0.0 255.255.255.0 any eq domain

group-policy TunelVPN internal

group-policy TunelVPN attributes

dns-server value 10.0.0.9 --.89.253

vpn-tunnel-protocol IPSec

default-domain value --.es

What did you change?

I have changed the nonat rules, but maybe something else as well. I'm not sure.

The isakmp messages are:

pucca(config)# deNov 25 13:01:57 [IKEv1]: Group = TunelVPN, IP = --.176.85, Removing peer from peer table failed, no match!

Nov 25 13:01:57 [IKEv1]: Group = TunelVPN, IP = --.176.85, Error: Unable to remove PeerTblEntry

bug crypto isakmp 7

pucca(config)# Nov 25 13:02:22 [IKEv1]: IP = --.176.85, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + SA (1) + KE (4) + NONCE (10) + ID (5) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 852

Nov 25 13:02:22 [IKEv1 DEBUG]: IP = --.176.85, processing SA payload

Nov 25 13:02:22 [IKEv1 DEBUG]: IP = --.176.85, processing ke payload

Nov 25 13:02:22 [IKEv1 DEBUG]: IP = --.176.85, processing ISA_KE payload

Nov 25 13:02:22 [IKEv1 DEBUG]: IP = --.176.85, processing nonce payload

Nov 25 13:02:22 [IKEv1 DEBUG]: IP = --.176.85, processing ID payload

Nov 25 13:02:22 [IKEv1 DEBUG]: IP = --.176.85, processing VID payload

Nov 25 13:02:22 [IKEv1 DEBUG]: IP = --.176.85, Received xauth V6 VID

Nov 25 13:02:22 [IKEv1 DEBUG]: IP = --.176.85, processing VID payload

Nov 25 13:02:22 [IKEv1 DEBUG]: IP = --.176.85, Received DPD VID

Nov 25 13:02:22 [IKEv1 DEBUG]: IP = --.176.85, processing VID payload

Nov 25 13:02:22 [IKEv1 DEBUG]: IP = --.176.85, Received Fragmentation VID

Nov 25 13:02:22 [IKEv1 DEBUG]: IP = --.176.85, IKE Peer included IKE fragmentation capability flags: Main Mode: True Aggressive Mode: False

Nov 25 13:02:22 [IKEv1 DEBUG]: IP = --.176.85, processing VID payload

Nov 25 13:02:22 [IKEv1 DEBUG]: IP = --.176.85, Received NAT-Traversal ver 02 VID

Nov 25 13:02:22 [IKEv1 DEBUG]: IP = --.176.85, processing VID payload

Nov 25 13:02:22 [IKEv1 DEBUG]: IP = --.176.85, Received Cisco Unity client VID

Nov 25 13:02:22 [IKEv1]: IP = --.176.85, Connection landed on tunnel_group TunelVPN

Nov 25 13:02:22 [IKEv1 DEBUG]: Group = TunelVPN, IP = --.176.85, processing IKE SA payload

Nov 25 13:02:22 [IKEv1 DEBUG]: Group = TunelVPN, IP = --.176.85, IKE SA Proposal # 1, Transform # 9 acceptable Matches global IKE entry # 1

Nov 25 13:02:22 [IKEv1 DEBUG]: Group = TunelVPN, IP = --.176.85, constructing ISAKMP SA payload

Nov 25 13:02:22 [IKEv1 DEBUG]: Group = TunelVPN, IP = --176.85, constructing ke payload

Nov 25 13:02:22 [IKEv1 DEBUG]: Group = TunelVPN, IP = --.176.85, constructing nonce payload

Nov 25 13:02:22 [IKEv1 DEBUG]: Group = TunelVPN, IP = --.176.85, Generating keys for Responder...

Nov 25 13:02:22 [IKEv1 DEBUG]: Group = TunelVPN, IP = --.176.85, constructing ID payload

Nov 25 13:02:22 [IKEv1 DEBUG]: Group = TunelVPN, IP = --.176.85, constructing hash payload

Nov 25 13:02:22 [IKEv1 DEBUG]: Group = TunelVPN, IP = --.176.85, Computing hash for ISAKMP

Nov 25 13:02:22 [IKEv1 DEBUG]: Group = TunelVPN, IP = --.176.85, constructing Cisco Unity VID payload

Nov 25 13:02:22 [IKEv1 DEBUG]: Group = TunelVPN, IP = --.176.85, constructing xauth V6 VID payload

Nov 25 13:02:22 [IKEv1 DEBUG]: Group = TunelVPN, IP = --.176.85, constructing dpd vid payload

Nov 25 13:02:22 [IKEv1 DEBUG]: Group = TunelVPN, IP = --.176.85, constructing NAT-Traversal VID ver 02 payload

Nov 25 13:02:22 [IKEv1 DEBUG]: Group = TunelVPN, IP = --.176.85, constructing NAT-Discovery payload

Nov 25 13:02:22 [IKEv1 DEBUG]: Group = TunelVPN, IP = --.176.85, computing NAT Discovery hash

Nov 25 13:02:22 [IKEv1 DEBUG]: Group = TunelVPN, IP = --.176.85, constructing NAT-Discovery payload

Nov 25 13:02:22 [IKEv1 DEBUG]: Group = TunelVPN, IP = --.176.85, computing NAT Discovery hash

Nov 25 13:02:22 [IKEv1 DEBUG]: Group = TunelVPN, IP = --.176.85, constructing Fragmentation VID + extended capabilities payload

Nov 25 13:02:22 [IKEv1 DEBUG]: Group = TunelVPN, IP = --.176.85, constructing VID payload

Nov 25 13:02:22 [IKEv1 DEBUG]: Group = TunelVPN, IP = --.176.85, Send Altiga/Cisco VPN3000/Cisco ASA GW VID

Nov 25 13:02:22 [IKEv1]: IP = --.176.85, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + SA (1) + KE (4) + NONCE (10) + ID (5) + HASH (8) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NAT-D (130) + NAT-D (130) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 440

Nov 25 13:02:26 [IKEv1]: Group = TunelVPN, IP = --.176.85, Duplicate Phase 1 packet detected. Retransmitting last packet.

Nov 25 13:02:26 [IKEv1]: Group = TunelVPN, IP = --.176.85, P1 Retransmit msg dispatched to AM FSM

Nov 25 13:02:36 [IKEv1]: Group = TunelVPN, IP = --.176.85, Duplicate Phase 1 packet detected. Retransmitting last packet.

Nov 25 13:02:36 [IKEv1]: Group = TunelVPN, IP = --.176.85, P1 Retransmit msg dispatched to AM FSM

Nov 25 13:02:44 [IKEv1 DEBUG]: Group = TunelVPN, IP = --.176.85, IKE AM Responder FSM error history (struct &0xd5a8ef30) , : AM_DONE, EV_ERROR-->AM_WAIT_MSG3, EV_PROB_AUTH_FAIL-->AM_WAIT_MSG3, EV_TIMEOUT-->AM_WAIT_MSG3, NullEvent-->AM_SND_MSG2, EV_CRYPTO_ACTIVE-->AM_SND_MSG2, EV_SND_MSG-->AM_SND_MSG2, EV_START_TMR-->AM_SND_MSG2, EV_RESEND_MSG

Nov 25 13:02:44 [IKEv1 DEBUG]: Group = TunelVPN, IP = --.176.85, IKE SA AM:075789aa terminating: flags 0x0104c001, refcnt 0, tuncnt 0

Nov 25 13:02:44 [IKEv1 DEBUG]: Group = TunelVPN, IP = --.176.85, sending delete/delete with reason message

Nov 25 13:02:44 [IKEv1 DEBUG]: Group = TunelVPN, IP = --.176.85, constructing blank hash payload

Nov 25 13:02:44 [IKEv1 DEBUG]: Group = TunelVPN, IP = --.176.85, constructing IKE delete payload

Nov 25 13:02:44 [IKEv1 DEBUG]: Group = TunelVPN, IP = --.176.85, constructing qm hash payload

Nov 25 13:02:44 [IKEv1]: IP = --176.85, IKE_DECODE SENDING Message (msgid=b12c3627) with payloads : HDR + HASH (8) + DELETE (12) + NONE (0) total length : 80

Nov 25 13:02:44 [IKEv1]: Group = TunelVPN, IP = --.176.85, Removing peer from peer table failed, no match!

Nov 25 13:02:44 [IKEv1]: Group = TunelVPN, IP = --.176.85, Error: Unable to remove PeerTblEntry

I suggest you roll back your changes.

You should never make a change on a production system in working hours.

You should think through your changes.

You should only make one change at a time.

Jason Gervia
Cisco Employee

Hello,

You don't need to configure the ASA as a DHCP relay in order for this to work. Remove the DHCP relay, and then configure a DHCP server under the tunnel-group, and the scope under the group-policy.

1) Create a DHCP scope on your DHCP server

2) Exclude one address from the scope

3) Make your ASA's scope the address you just excluded

4) Route that IP address (the one excluded from the scope) through your network such that packets destined to it will reach the ASA

This is because the ASA/pix will set the relay IP address to whatever you set in the scope on the pix/asa, so your DHCP server will respond to that address.
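An added example (not the thread's configuration and not Cisco's documentation) of the ASA side of the four steps above. It assumes the names TunelVPN and inside from the posted config, a DHCP server at 10.0.0.9 and 10.0.0.62 as the address excluded from the server's scope; both addresses are placeholders, the thread does not give them.

```cisco
! Added example, not the thread's configuration. Assumed values:
!   DHCP server       10.0.0.9   (placeholder, not given in the thread)
!   excluded address  10.0.0.62  (placeholder, last host of 10.0.0.0/26)
!   TunelVPN and inside are taken from the posted config.
!
! Steps 2 and 3: the address the ASA writes into the relayed DHCP
! request as the relay address. The DHCP server picks the scope that
! contains it and sends its replies back to it, so it must be outside
! the server's lease range and must be routed to the ASA.
group-policy TunelVPN attributes
 dhcp-network-scope 10.0.0.62
!
! The DHCP server the ASA forwards client requests to. No dhcprelay
! configuration is needed for remote-access clients.
tunnel-group TunelVPN general-attributes
 dhcp-server 10.0.0.9
!
! Step 4 is done on the inside network, not on the ASA: the router
! next to the DHCP server needs a host route for 10.0.0.62/32 whose
! next hop is the ASA's inside interface address. On an IOS router,
! assuming the ASA inside address is 10.0.0.1, that would be:
!   ip route 10.0.0.62 255.255.255.255 10.0.0.1
```

After applying this, the posted nat (inside) 0 rule already exempts 10.0.0.0/26 from NAT, so no further NAT change is needed for the client pool itself.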

Ok, but now I have a worse problem: I can't finish IKE phase 1 because of some fault in the config. You can see this in the logs I posted before. Do you see anything missing in the config?

Finally, I have restored an old configuration and the VPN ISAKMP works. I will open a new item for the problem with the DHCP server.

Thanks for all