FTD 6.6.0 RA VPN - DHCP Server configuration not working

doukkalli
Level 1

Problem Description:

We cannot get AnyConnect VPN clients to retrieve an IP address from our primary DHCP server.

 

I face exactly the same issue here: https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvo12057/?rfs=iqvred

 

If we setup a local pool in the VPN profile the client can connect and gets an IP address fine. I've looked at multiple articles addressing this issue including documentation from Cisco on configuring the VPN to use a remote DHCP server but nothing seems to work.

I feel like it might have something to do with a NAT or an ACL blocking the response coming from the DHCP server.

The FTD doesn't have an issue communicating with that server though because it's also using it for RADIUS authentication which is working fine.

My DHCP server is getting the discover request from the FTD firewall, but the IP address that the FTD is presenting (10.44.96.20) is not its inside IP address!

It's the address that you put in the group-policy to set the dhcp-network-scope that the firewall presents to the DHCP server.
The DHCP server has the correct route to the DHCP scope IP defined in the VPN policy.

DHCP Capture packets:

In Firepower 2130 with FTD 6.6.0 I got the same issue. Same issue with DHCP server:

1 0.000000 10.45.30.2 10.52.10.8 DHCP 590 DHCP Discover - Transaction ID 0x8c9cf9a
2 0.000565 10.52.10.8 10.44.96.20 DHCP 342 DHCP Offer - Transaction ID 0x8c9cf9a
3 2.988343 10.45.30.2 10.52.10.8 DHCP 590 DHCP Discover - Transaction ID 0x8c9cf9a
4 2.988740 10.52.10.8 10.44.96.20 DHCP 342 DHCP Offer - Transaction ID 0x8c9cf9a
5 6.988328 10.45.30.2 10.52.10.8 DHCP 590 DHCP Discover - Transaction ID 0x8c9cf9a
6 6.988770 10.52.10.8 10.44.96.20 DHCP 342 DHCP Offer - Transaction ID 0x8c9cf9a
7 11.990678 10.45.30.2 10.52.10.8 DHCP 590 DHCP Discover - Transaction ID 0x8c9cf9a
8 11.991105 10.52.10.8 10.44.96.20 DHCP 342 DHCP Offer - Transaction ID 0x8c9cf9a
9 17.988328 10.45.30.2 10.52.10.8 DHCP 590 DHCP Discover - Transaction ID 0x8c9cf9a
10 17.988679 10.52.10.8 10.44.96.20 DHCP 342 DHCP Offer - Transaction ID 0x8c9cf9a


FTD version

> show version
-------------------[ XXXXXXX ]-------------------
Model : Cisco Firepower 2130 Threat Defense (77) Version 6.6.0 (Build 90)
UUID : 683790b6-6a6d-11ea-b41c-cf22c718391e
Rules update version : 2020-01-16-001-vrt
VDB version : 333
----------------------------------------------------

RA VPN configuration:

> show running-config all vpn-addr-assign
no vpn-addr-assign aaa
vpn-addr-assign dhcp
vpn-addr-assign local reuse-delay 0
>


Policies:

Access-list capin permit ip host <FTD's inside intf ip> host <dhcp server ip>
Access-list capin permit ip host <dhcp server ip> host <FTD's inside intf ip>


> show running-config group-policy
group-policy DfltGrpPolicy attributes
dns-server value 10.XX.YY.B 10.XX.YY.A
dhcp-network-scope 10.44.96.20
vpn-tunnel-protocol ikev2 ssl-client
default-domain value acme.com
user-authentication-idle-timeout none
address-pools value VPN_POOL
webvpn
anyconnect keep-installer none
anyconnect modules value dart
anyconnect ask none default anyconnect
http-comp none
activex-relay disable
file-entry disable
file-browsing disable
url-entry disable
deny-message none
>

 

> show running-config tunnel-group
tunnel-group VPN type remote-access
tunnel-group VPN general-attributes
address-pool VPN_POOL
authentication-server-group MFA_Radius_Group
dhcp-server 10.52.10.8
tunnel-group VPN webvpn-attributes
group-alias VPN enable


4 Replies

Hi,
Append route-lookup to your NAT exempt rule from LAN network(s) to RAVPN (DHCP scope) network. You may need to "clear conn".

HTH

Thanks RJI.

I added route-lookup and DHCP is now working with RA VPN.

Good advice.


@Rob Ingram wrote:
Hi,
Append route-lookup to your NAT exempt rule from LAN network(s) to RAVPN (DHCP scope) network. You may need to "clear conn".

HTH

 

Hi,

Today I tried to connect but DHCP didn't give a lease to the FTD. When I added it to the NAT exempt rule from LAN network(s) to RAVPN (DHCP scope) network and did "clear conn", it worked yesterday.

Today there is no DHCP lease, the RA VPN client cannot receive an IP address, and so cannot establish the tunnel.

 

I got this in a loop:

1: 10:05:23.338224 10.45.30.2.67 > 10.52.10.8.67: udp 548
2: 10:05:23.338636 10.52.10.8.67 > 10.44.96.20.67: udp 300
3: 10:05:29.338391 10.45.30.2.67 > 10.52.10.8.67: udp 548
4: 10:05:29.338773 10.52.10.8.67 > 10.44.96.20.67: udp 300


What happened? Is there any CLI command to troubleshoot this issue?

Solution found:

 

The DHCP scope in RA VPN must be a subnet like 10.44.96.0 and not an IPv4 address like 10.44.96.20, as stated in the Cisco FTD documentation. I hope Cisco will add these steps to the RA VPN setup:

- DHCP Scope must be the network subnet like 10.44.96.0

- NAT Exempt must include "route-lookup"
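As an added example (not code from this thread or from Cisco), the following script reads capture lines in the format pasted in the original post, pairs Discovers and Offers by transaction ID, and flags Offers that the DHCP server sent somewhere other than the interface that sourced the Discover, which is the symptom above; it also checks whether a dhcp-network-scope value is a network address (host bits zero) as the solution requires. It assumes 10.45.30.2 (the Discover source in the capture) is the FTD interface and a /24 mask for the scope; neither is stated in the thread.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample in the thread's capture format (first lines as posted).
CAPTURE = """\
1 0.000000 10.45.30.2 10.52.10.8 DHCP 590 DHCP Discover - Transaction ID 0x8c9cf9a
2 0.000565 10.52.10.8 10.44.96.20 DHCP 342 DHCP Offer - Transaction ID 0x8c9cf9a
3 2.988343 10.45.30.2 10.52.10.8 DHCP 590 DHCP Discover - Transaction ID 0x8c9cf9a
4 2.988740 10.52.10.8 10.44.96.20 DHCP 342 DHCP Offer - Transaction ID 0x8c9cf9a
5 6.988328 10.45.30.2 10.52.10.8 DHCP 590 DHCP Discover - Transaction ID 0x8c9cf9a
6 6.988770 10.52.10.8 10.44.96.20 DHCP 342 DHCP Offer - Transaction ID 0x8c9cf9a
"""

LINE_RE = re.compile(
    r"^\d+\s+[\d.]+\s+(?P<src>[\d.]+)\s+(?P<dst>[\d.]+)\s+DHCP\s+\d+\s+DHCP\s+"
    r"(?P<msg>\w+)\s+-\s+Transaction ID\s+(?P<xid>0x[0-9a-fA-F]+)$"
)

def parse_capture(text):
    """Parse capture lines into (xid, message type, src, dst) tuples."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            rows.append((m["xid"], m["msg"], m["src"], m["dst"]))
    return rows

def find_misrouted_offers(rows, relay_ip):
    """Per transaction ID, flag Offers the server did not send back to the relay
    (FTD) interface that sourced the Discover; repeated Discovers with the same
    xid confirm the client never received the Offer. relay_ip is an assumption."""
    by_xid = defaultdict(list)
    for xid, msg, src, dst in rows:
        by_xid[xid].append((msg, src, dst))
    findings = []
    for xid, pkts in by_xid.items():
        discovers = sum(1 for m, _, _ in pkts if m == "Discover")
        for msg, _, dst in pkts:
            if msg == "Offer" and dst != relay_ip:
                findings.append({"xid": xid, "offer_dst": dst, "discovers": discovers})
                break
    return findings

def scope_is_network(scope, prefixlen):
    """True when the dhcp-network-scope value is a network address (host bits
    zero) for the assumed prefix length: 10.44.96.0/24 yes, 10.44.96.20/24 no."""
    iface = ipaddress.ip_interface(f"{scope}/{prefixlen}")
    return iface.ip == iface.network.network_address
```

Run `find_misrouted_offers(parse_capture(CAPTURE), "10.45.30.2")` against a fresh capture after changing the scope and NAT rule; an empty result means every Offer now returns to the relay interface.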