03-11-2010 02:22 AM
Hi all!
I’m trying to configure DHCP for an IPSec VPN on an ASA5510 8.2(1), but just can’t get it to work.
On the same ASA5510, I have about 20 working IPSec peers, using either EasyVPN (with nem) or local pool addresses. The new tunnel-group I’m configuring is the first that must use DHCP because I’ll have to provide clients (IP Phones) with more information than just an address.
The server is used by other systems as well so I’m certain it’s working properly. In fact, ASA5510 uses it for radius which rules out any internal communication issues.
CONFIG:
vpn-addr-assign dhcp
tunnel-group vpnphone general-attributes
 default-group-policy vpnphone-policy
 dhcp-server X.X.X.X
group-policy vpnphone-policy attributes
 dhcp-network-scope 10.0.98.0
CONSOLE:
<132>:Mar 11 10:26:54 CEST: %ASA-ipaa-4-737019: IPAA: Unable to get address from group-policy or tunnel-group local pools
<132>:Mar 11 10:26:54 CEST: %ASA-ipaa-4-737012: IPAA: Address assignment failed
<131>:Mar 11 10:26:54 CEST: %ASA-vpn-3-713132: Group = vpnphone, Username = secpeph000, IP = X.X.X.X, Cannot obtain an IP address for remote peer
There’s no log at all on the DHCP server because ASA5510 is not even trying to use it.
Can anyone point me in the right direction on this one?
Regards,
Anders
03-11-2010 06:19 AM
Is your tunnel group an internal or external group?
03-11-2010 07:18 AM
It’s an internal group.
Anyway, it seems like the problem solved itself a few minutes ago. There was an old unused dhcp-server in the configuration that used to be a dhcp-relay target. When I removed the server definition, dhcp immediately began to work. This is obviously a bug.
Nevertheless, thank you for taking the time to look into my problem.
/Anders