02-22-2022 03:20 AM
The systems team are unable to track the IP and DNS addresses if we use the IP pool on the ASA for our L2TP remote users. I've been trying without much success to have the IP address provided by our Windows 2012 DHCP server. I have a packet trace to indicate that the DHCP server is providing the IP address to the firewall, but the clients don't get them. I receive the following error. It works fine with the ASA address pool. It is an ASA 5525 with the latest firmware. Any advice or tips would be much appreciated. I'm using the built-in Windows 10 L2TP client for remote users.
Thanks
%ASA-4-4031722: PPP virtual interface interface_name rcvd pkt with
invalid protocol: protocol, reason: reason.
The module received an XGRE encapsulated PPP packet with an invalid protocol field.
Tunnel group information provided below.
tunnel-group DefaultWEBVPNGroup general-attributes
 dhcp-server 172.16.128.20
tunnel-group DefaultRAGroup general-attributes
 authentication-server-group ISE
 authorization-server-group ISE
 dhcp-server 172.16.128.20
tunnel-group DR-VPN-PN general-attributes
 authentication-server-group ISE
 authorization-server-group ISE
 dhcp-server 172.16.128.20
group-policy DfltGrpPolicy attributes
 dns-server value 172.16.128.1
 dhcp-network-scope 172.17.128.0
vpn-addr-assign local reuse-delay 1
interface GigabitEthernet0/0
 description OUTSIDE
 nameif OUTSIDE
 security-level 0
 ip address x.x.x.x 255.255.255.252
!
interface GigabitEthernet0/1
 description INSIDE
 nameif INSIDE
 security-level 100
 ip address 10.0.0.5 255.255.255.252
nat (INSIDE,OUTSIDE) source static Internal_Networks Internal_Networks destination static VPN-CLIENTS VPN-CLIENTS
access-group OUTSIDE_access_in in interface OUTSIDE
access-group INSIDE_access_in in interface INSIDE
Accepted Solutions
03-01-2022 07:16 AM
This was the solution: route-lookup at the end of the NAT. Thanks to
chanthanongsy
ASA AnyConnect client fails to get IP from remote DHCP Server
Add the following to your tunnel-group policy:
dhcp-server subnet-selection x.x.x.x
x.x.x.x would be the internal DHCP server's IP address.
If you do not have an RFC 3011/3527 DHCP server, please ensure that you have the "route-lookup" option added to your NAT statement for the VPN subnet ...
Example: nat (inside,outside) source static obj-inside obj-inside destination static obj-vpnsubnet obj-vpnsubnet no-proxy-arp route-lookup
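The checks this thread walks through (vpn-addr-assign dhcp present, dhcp-server with a scope-selection option, route-lookup on the identity NAT for the VPN subnet) can be run as a quick lint over a saved running-config. This is an added example, not code from the thread or from Cisco; the sample config is constructed from the lines posted above, the object names and the position of the subnet-selection keyword are assumptions, and the checks are string heuristics, not a full ASA config parser.

```python
import re

# Constructed sample modelled on the running-config posted in the thread.
SAMPLE_CONFIG = """\
vpn-addr-assign local reuse-delay 1
tunnel-group DefaultRAGroup general-attributes
 dhcp-server 172.16.128.20
group-policy DfltGrpPolicy attributes
 dhcp-network-scope 172.17.128.0
nat (INSIDE,OUTSIDE) source static Internal_Networks Internal_Networks destination static VPN-CLIENTS VPN-CLIENTS
"""

# Same config with the changes the accepted answer describes applied
# (keyword placement after the server address is an assumption).
FIXED_CONFIG = SAMPLE_CONFIG.replace(
    "vpn-addr-assign local reuse-delay 1",
    "vpn-addr-assign dhcp\nvpn-addr-assign local reuse-delay 1",
).replace(
    "dhcp-server 172.16.128.20",
    "dhcp-server 172.16.128.20 subnet-selection",
).replace(
    "destination static VPN-CLIENTS VPN-CLIENTS",
    "destination static VPN-CLIENTS VPN-CLIENTS no-proxy-arp route-lookup",
)


def lint_dhcp_vpn_config(config: str) -> list[str]:
    """Return one finding per missing setting discussed in the thread."""
    lines = [l.strip() for l in config.splitlines() if l.strip()]
    findings = []
    uses_dhcp = any(l.startswith("dhcp-server ") for l in lines)
    # A dhcp-server line does nothing unless DHCP assignment is enabled globally.
    if uses_dhcp and "vpn-addr-assign dhcp" not in lines:
        findings.append("dhcp-server configured but 'vpn-addr-assign dhcp' is missing")
    for l in lines:
        # Without subnet/link selection the server chooses the scope from giaddr only.
        if l.startswith("dhcp-server ") and not re.search(r"\b(subnet|link)-selection\b", l):
            findings.append(f"'{l}': no subnet-selection/link-selection option")
        # Twice-NAT identity rule for the VPN subnet lacking the thread's fix.
        if l.startswith("nat (") and "destination static" in l and "route-lookup" not in l:
            findings.append(f"'{l[:45]}...': identity NAT without route-lookup")
    return findings
```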
02-22-2022 03:25 AM
@unclejester is the command vpn-addr-assign dhcp configured? Use show run all | inc vpn-addr to confirm.
Turn on some debugs on the ASA such as debug webvpn anyconnect 255
Here is a useful post that may be of some help.
02-22-2022 04:17 AM
Hello,
show run all | inc vpn-addr
vpn-addr-assign aaa
vpn-addr-assign dhcp
vpn-addr-assign local reuse-delay 1
no ipv6-vpn-addr-assign aaa
no ipv6-vpn-addr-assign local
I'm not using AnyConnect as the VPN client; is there another debug I can try?
Thanks
02-22-2022 06:10 AM
show vpn-sessiondb detail
Share the output here after hiding the public IP.
02-22-2022 06:40 AM
I've rebooted a few times, and I've moved the remote users to the secondary link while I try and get this up and running. It never connects properly when using DHCP.
Thanks
---------------------------------------------------------------------------
VPN Session Summary
---------------------------------------------------------------------------
Active : Cumulative : Peak Concur : Inactive
----------------------------------------------
IKEv1 IPsec/L2TP IPsec : 0 : 7 : 1
---------------------------------------------------------------------------
Total Active and Inactive : 0 Total Cumulative : 7
Device Total VPN Capacity : 750
Device Load : 0%
---------------------------------------------------------------------------
---------------------------------------------------------------------------
Tunnels Summary
---------------------------------------------------------------------------
Active : Cumulative : Peak Concurrent
----------------------------------------------
IKEv1 : 0 : 7 : 1
IPsecOverNatT : 0 : 7 : 1
---------------------------------------------------------------------------
Totals : 0 : 14
---------------------------------------------------------------------------
02-22-2022 07:26 AM - edited 02-22-2022 07:38 AM
Is the DHCP server directly connected to the ASA?
The ASA sends a unicast DHCP request to the server;
the source is the first IP in the scope, the destination is the server IP.
If the server is directly connected, check whether any ACL denies the traffic.
If the server is not directly connected, check the return path from the DHCP server to the ASA client scope.
02-22-2022 09:29 AM
Yes, I can see DHCP requests from the Windows server back to the firewall (see attached). Port 67 isn't blocked and the trace indicates success.
02-22-2022 11:30 AM
Maybe we are going in the wrong direction.
Can you configure a new tunnel group for L2TP/IPsec and a group-policy and use the DHCP server, but this time without ISE for authentication and authorization?
You can configure it only for testing.
03-01-2022 07:57 AM
Thanks for sharing
