
L2TP ASA DHCP clients

unclejester
Level 1

The systems team are unable to track the IP and DNS addresses if we use the IP pool on the ASA for our L2TP VPN remote users. I've been trying without much success to have the IP address provided by our DHCP Windows 2012 server. I have a packet trace indicating that the DHCP server is providing the IP address to the firewall, but the clients don't get it. I receive the following error. It works fine with the ASA address pool. It is an ASA 5525 with the latest firmware. Any advice or tips would be much appreciated. I'm using the built-in Windows 10 L2TP client for remote users.

Thanks


%ASA-4-4031722: PPP virtual interface interface_name rcvd pkt with
invalid protocol: protocol, reason: reason.
The module received an XGRE encapsulated PPP packet with an invalid protocol field.

Tunnel group information provided below.


tunnel-group DefaultWEBVPNGroup general-attributes
dhcp-server 172.16.128.20

tunnel-group DefaultRAGroup general-attributes
authentication-server-group ISE
authorization-server-group ISE
dhcp-server 172.16.128.20

tunnel-group DR-VPN-PN general-attributes
authentication-server-group ISE
authorization-server-group ISE
dhcp-server 172.16.128.20

group-policy DfltGrpPolicy attributes
dns-server value 172.16.128.1
dhcp-network-scope 172.17.128.0

vpn-addr-assign local reuse-delay 1

interface GigabitEthernet0/0
description OUTSIDE
nameif OUTSIDE
security-level 0
ip address x.x.x.x 255.255.255.252
!
interface GigabitEthernet0/1
description INSIDE
nameif INSIDE
security-level 100
ip address 10.0.0.5 255.255.255.252

nat (INSIDE,OUTSIDE) source static Internal_Networks Internal_Networks destination static VPN-CLIENTS VPN-CLIENTS
access-group OUTSIDE_access_in in interface OUTSIDE
access-group INSIDE_access_in in interface INSIDE

1 Accepted Solution

9 Replies

@unclejester Is the command vpn-addr-assign dhcp configured? Use show run all | inc vpn-addr to confirm.

Turn on some debugs on the ASA, such as debug webvpn anyconnect 255

Here is a useful post that may be of some help.

Hello,

show run all | inc vpn-addr


vpn-addr-assign aaa
vpn-addr-assign dhcp
vpn-addr-assign local reuse-delay 1
no ipv6-vpn-addr-assign aaa
no ipv6-vpn-addr-assign local

I'm not using AnyConnect as the VPN client; is there another debug I can try?

Thanks

show vpn-sessiondb detail

Share the output here after hiding the public IP.

I've rebooted a few times, and I've moved the remote users to the secondary link while I try to get this up and running. It never connects properly when using DHCP.

Thanks

---------------------------------------------------------------------------
VPN Session Summary
---------------------------------------------------------------------------
Active : Cumulative : Peak Concur : Inactive
----------------------------------------------
IKEv1 IPsec/L2TP IPsec : 0 : 7 : 1
---------------------------------------------------------------------------
Total Active and Inactive : 0 Total Cumulative : 7
Device Total VPN Capacity : 750
Device Load : 0%
---------------------------------------------------------------------------

---------------------------------------------------------------------------
Tunnels Summary
---------------------------------------------------------------------------
Active : Cumulative : Peak Concurrent
----------------------------------------------
IKEv1 : 0 : 7 : 1
IPsecOverNatT : 0 : 7 : 1
---------------------------------------------------------------------------
Totals : 0 : 14
---------------------------------------------------------------------------

Is the DHCP server directly connected to the ASA?

The ASA sends a unicast DHCP request to the server;

the source is the first IP in the scope, the destination is the server IP.

If the server is directly connected, check whether any ACL denies the traffic.

If the server is not directly connected, check the return path from the DHCP server to the ASA client scope.

Yes, I can see DHCP requests from the Windows server back to the firewall (see attached). Port 67 isn't blocked and the trace indicates success.

Maybe we are going in the wrong direction.
Can you configure a new tunnel group for L2TP/IPsec and a group-policy and use the DHCP server, but this time without ISE for authentication and authorization?
You can configure it only for testing.

unclejester
Level 1

This was the solution: route-lookup at the end of the NAT. Thanks to

chanthanongsy

ASA AnyConnect client fails to get IP from remote DHCP Server

Add the following to your tunnel-group policy

dhcp-server subnet-selection x.x.x.x

x.x.x.x would be the internal DHCP-SERVER's IP address.

If you do not have an RFC 3011/3527 DHCP-SERVER please ensure that you have the "route-lookup" option added to your NAT statement for the vpn subnet ...

Example:  nat (inside,outside) source static obj-inside obj-inside destination static obj-vpnsubnet obj-vpnsubnet no-proxy-arp route-lookup
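The accepted answer turns on whether the DHCP server honours the RFC 3011 subnet selection option (118) or the RFC 3527 link selection sub-option (option 82, sub-option 5); a server that implements neither only ever sees giaddr, which on a relayed request is the relay's own interface address, not the VPN scope. The following Python is an added example, not code from this thread or from Cisco: it builds a relayed DHCPDISCOVER with and without those options and decodes which network the server is being asked to allocate from, so a packet capture of the ASA-to-server request can be checked the same way. It assumes, purely for illustration, a relay giaddr of 10.0.0.5 (the ASA inside address in the thread) and the scope 172.17.128.0 from the group-policy; the function names and the client MAC are constructed.

```python
"""
Build and decode relayed DHCPDISCOVER messages to see which network a DHCP
server is asked to allocate from: giaddr alone, the RFC 3011 subnet selection
option (118), or the RFC 3527 link selection sub-option (option 82, sub-option 5).
Addresses are taken from the thread: ASA inside 10.0.0.5, VPN scope 172.17.128.0.
Example code, not part of the original post.
"""
import struct
from typing import Dict, Optional, Tuple

DHCP_MAGIC = bytes([0x63, 0x82, 0x53, 0x63])   # RFC 2131 magic cookie
OPT_PAD, OPT_END = 0, 255
OPT_MSG_TYPE = 53
OPT_RELAY_AGENT = 82        # Relay Agent Information (RFC 3046)
OPT_SUBNET_SELECTION = 118  # Subnet Selection Option (RFC 3011)
SUBOPT_LINK_SELECTION = 5   # link selection sub-option of option 82 (RFC 3527)
DHCPDISCOVER = 1
HEADER_LEN = 236            # fixed BOOTP header that precedes the magic cookie


def ip_bytes(dotted: str) -> bytes:
    return bytes(int(octet) for octet in dotted.split("."))


def bytes_ip(raw: bytes) -> str:
    return ".".join(str(b) for b in raw)


def build_discover(client_mac: bytes, giaddr: str,
                   subnet_selection: Optional[str] = None,
                   link_selection: Optional[str] = None,
                   xid: int = 0x1A2B3C4D) -> bytes:
    """Constructed DHCPDISCOVER as a relay forwards it: giaddr set, hops 1."""
    header = struct.pack(
        "!BBBBIHH4s4s4s4s16s64s128s",
        1, 1, 6, 1,                 # BOOTREQUEST, Ethernet, hlen 6, hops 1
        xid, 0, 0x8000,             # xid, secs, broadcast flag
        b"\0" * 4, b"\0" * 4, b"\0" * 4, ip_bytes(giaddr),   # ciaddr yiaddr siaddr giaddr
        client_mac.ljust(16, b"\0"), b"\0" * 64, b"\0" * 128)
    opts = bytes([OPT_MSG_TYPE, 1, DHCPDISCOVER])
    if subnet_selection:
        opts += bytes([OPT_SUBNET_SELECTION, 4]) + ip_bytes(subnet_selection)
    if link_selection:
        sub = bytes([SUBOPT_LINK_SELECTION, 4]) + ip_bytes(link_selection)
        opts += bytes([OPT_RELAY_AGENT, len(sub)]) + sub
    return header + DHCP_MAGIC + opts + bytes([OPT_END])


def _parse_tlv(raw: bytes, stop_at_end: bool) -> Dict[int, bytes]:
    """Walk code/length/value triples; option 82 sub-options have no pad/end."""
    out, i = {}, 0
    while i < len(raw):
        code = raw[i]
        if stop_at_end and code == OPT_PAD:
            i += 1
            continue
        if stop_at_end and code == OPT_END:
            break
        if i + 1 >= len(raw):
            raise ValueError("truncated option at offset %d" % i)
        length = raw[i + 1]
        value = raw[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("option %d runs past end of packet" % code)
        out[code] = value
        i += 2 + length
    return out


def parse_options(packet: bytes) -> Dict[int, bytes]:
    if packet[HEADER_LEN:HEADER_LEN + 4] != DHCP_MAGIC:
        raise ValueError("missing DHCP magic cookie")
    return _parse_tlv(packet[HEADER_LEN + 4:], stop_at_end=True)


def allocation_hint(packet: bytes) -> Tuple[str, str]:
    """Return (mechanism, address) a server uses to pick the scope.

    This code prefers the RFC 3527 link selection sub-option, then the
    RFC 3011 option, then giaddr. A server that implements neither RFC
    behaves like legacy_server_hint() below and only ever sees giaddr.
    """
    opts = parse_options(packet)
    if OPT_RELAY_AGENT in opts:
        sub = _parse_tlv(opts[OPT_RELAY_AGENT], stop_at_end=False)
        if len(sub.get(SUBOPT_LINK_SELECTION, b"")) == 4:
            return "link-selection", bytes_ip(sub[SUBOPT_LINK_SELECTION])
    if len(opts.get(OPT_SUBNET_SELECTION, b"")) == 4:
        return "subnet-selection", bytes_ip(opts[OPT_SUBNET_SELECTION])
    return "giaddr", bytes_ip(packet[24:28])


def legacy_server_hint(packet: bytes) -> str:
    """What a server that ignores RFC 3011/3527 selects on: giaddr only."""
    return bytes_ip(packet[24:28])


if __name__ == "__main__":
    mac = bytes.fromhex("001122334455")   # constructed client MAC
    plain = build_discover(mac, "10.0.0.5")
    hinted = build_discover(mac, "10.0.0.5", subnet_selection="172.17.128.0")
    for name, pkt in (("no option", plain), ("subnet-selection", hinted)):
        print(name, allocation_hint(pkt), "legacy server sees", legacy_server_hint(pkt))
```

Run against a capture, the useful check is whether the relayed request carries option 118 (or the option 82 sub-option) naming 172.17.128.0; if it only carries giaddr, an RFC 3011/3527-unaware server has no scope to match and will not answer, which is the situation the accepted answer's route-lookup workaround addresses.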

Thanks for sharing