Solved: Re: Remote access VPN with ASA 5510 using DHCP server - Cisco Community

2567

Views

9

Helpful

9

Replies

Hi,

Can someone please share your knowledge to help me find why I am not able to receive an IP address on remote access VPN connection while I can get an IP address on local DHCP pool?

I am trying to setup remote access VPN with ASA 5510. It works with local dhcp pool but doesn't seem to work when I tried using an existing DHCP server. It is being tested in an internal network as follows:

!

ASA Version 8.2(5)

!

interface Ethernet0/1

nameif inside

security-level 100

ip address 10.6.0.12 255.255.254.0

!

ip local pool testpool 10.6.240.150-10.6.240.159 mask 255.255.248.0 !(worked with this)

!

route inside 0.0.0.0 0.0.0.0 10.6.0.1 1

!

crypto ipsec transform-set FirstSet esp-3des esp-md5-hmac

crypto ipsec security-association lifetime seconds 28800

crypto ipsec security-association lifetime kilobytes 4608000

crypto dynamic-map dyn1 1 set transform-set FirstSet

crypto map mymap 1 ipsec-isakmp dynamic dyn1

crypto map mymap interface inside

crypto isakmp enable inside

crypto isakmp policy 1

authentication pre-share

encryption 3des

hash sha

group 2

lifetime 43200

!

vpn-addr-assign aaa

vpn-addr-assign dhcp

!

group-policy testgroup internal

group-policy testgroup attributes

dhcp-network-scope 10.6.192.1

ipsec-udp enable

ipsec-udp-port 10000

!

username testlay password *********** encrypted

!

tunnel-group testgroup type remote-access

tunnel-group testgroup general-attributes

default-group-policy testgroup

dhcp-server 10.6.20.3

tunnel-group testgroup ipsec-attributes

pre-shared-key *****

!

I got following output when I test connect to ASA with Cisco VPN client 5.0

Jan 16 15:39:21 [IKEv1]: IP = 10.15.200.108, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + SA (1) + KE (4) + NONCE (10) + ID (5) + VENDO

4024 bytesR copied in 3.41 0 secs (1341 by(tes/sec)13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 853

Jan 16 15:39:21 [IKEv1 DEBUG]: IP = 10.15.200.108, processing SA payload

Jan 16 15:39:21 [IKEv1 DEBUG]: IP = 10.15.200.108, processing ke payload

Jan 16 15:39:21 [IKEv1 DEBUG]: IP = 10.15.200.108, processing ISA_KE payload

Jan 16 15:39:21 [IKEv1 DEBUG]: IP = 10.15.200.108, processing nonce payload

Jan 16 15:39:21 [IKEv1 DEBUG]: IP = 10.15.200.108, processing ID payload

Jan 16 15:39:21 [IKEv1 DEBUG]: IP = 10.15.200.108, processing VID payload

Jan 16 15:39:21 [IKEv1 DEBUG]: IP = 10.15.200.108, Received xauth V6 VID

Jan 16 15:39:21 [IKEv1 DEBUG]: IP = 10.15.200.108, processing VID payload

Jan 16 15:39:21 [IKEv1 DEBUG]: IP = 10.15.200.108, Received DPD VID

Jan 16 15:39:21 [IKEv1 DEBUG]: IP = 10.15.200.108, processing VID payload

Jan 16 15:39:21 [IKEv1 DEBUG]: IP = 10.15.200.108, Received Fragmentation VID

Jan 16 15:39:21 [IKEv1 DEBUG]: IP = 10.15.200.108, IKE Peer included IKE fragmentation capability flags: Main Mode: True Aggressive Mode: False

Jan 16 15:39:21 [IKEv1 DEBUG]: IP = 10.15.200.108, processing VID payload

Jan 16 15:39:21 [IKEv1 DEBUG]: IP = 10.15.200.108, Received NAT-Traversal ver 02 VID

Jan 16 15:39:21 [IKEv1 DEBUG]: IP = 10.15.200.108, processing VID payload

Jan 16 15:39:21 [IKEv1 DEBUG]: IP = 10.15.200.108, Received Cisco Unity client VID

Jan 16 15:39:21 [IKEv1]: IP = 10.15.200.108, Connection landed on tunnel_group testgroup

Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, processing IKE SA payload

Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, IKE SA Proposal # 1, Transform # 9 acceptable Matches global IKE entry # 1

Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, constructing ISAKMP SA payload

Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, constructing ke payload

Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, constructing nonce payload

Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, Generating keys for Responder...

Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, constructing ID payload

Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, constructing hash payload

Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, Computing hash for ISAKMP

Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, constructing Cisco Unity VID payload

Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, constructing xauth V6 VID payload

Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, constructing dpd vid payload

Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, constructing NAT-Traversal VID ver 02 payload

Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, constructing NAT-Discovery payload

Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, computing NAT Discovery hash

Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, constructing NAT-Discovery payload

Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, computing NAT Discovery hash

Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, constructing Fragmentation VID + extended capabilities payload

Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, constructing VID payload

Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, Send Altiga/Cisco VPN3000/Cisco ASA GW VID

Jan 16 15:39:21 [IKEv1]: IP = 10.15.200.108, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + SA (1) + KE (4) + NONCE (10) + ID (5) + HASH (8) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NAT-D (130) + NAT-D (130) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 440

Jan 16 15:39:21 [IKEv1]: IP = 10.15.200.108, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + HASH (8) + NOTIFY (11) + NAT-D (130) + NAT-D (130) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 168

Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, processing hash payload

Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, Computing hash for ISAKMP

Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, processing notify payload

Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, processing NAT-Discovery payload

Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, computing NAT Discovery hash

Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, processing NAT-Discovery payload

Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, computing NAT Discovery hash

Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, processing VID payload

Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, Processing IOS/PIX Vendor ID payload (version: 1.0.0, capabilities: 00000408)

Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, processing VID payload

Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, Received Cisco Unity client VID

Jan 16 15:39:21 [IKEv1]: Group = testgroup, I

[OK]

kens-mgmt-012# P = 10.15.200.108, Automatic NAT Detection Status: Remote end is NOT behind a NAT device This end is NOT behind a NAT device

Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, constructing blank hash payload

Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, constructing qm hash payload

Jan 16 15:39:21 [IKEv1]: IP = 10.15.200.108, IKE_DECODE SENDING Message (msgid=d4ca48e4) with payloads : HDR + HASH (8) + ATTR (14) + NONE (0) total length : 72

Jan 16 15:39:26 [IKEv1]: IP = 10.15.200.108, IKE_DECODE RECEIVED Message (msgid=d4ca48e4) with payloads : HDR + HASH (8) + ATTR (14) + NONE (0) total length : 87

Jan 16 15:39:26 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, process_attr(): Enter!

Jan 16 15:39:26 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, Processing MODE_CFG Reply attributes.

Jan 16 15:39:26 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, IKEGetUserAttributes: primary DNS = cleared

Jan 16 15:39:26 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, IKEGetUserAttributes: secondary DNS = cleared

Jan 16 15:39:26 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, IKEGetUserAttributes: primary WINS = cleared

Jan 16 15:39:26 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, IKEGetUserAttributes: secondary WINS = cleared

Jan 16 15:39:26 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, IKEGetUserAttributes: IP Compression = disabled

Jan 16 15:39:26 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, IKEGetUserAttributes: Split Tunneling Policy = Disabled

Jan 16 15:39:26 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, IKEGetUserAttributes: Browser Proxy Setting = no-modify

Jan 16 15:39:26 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, IKEGetUserAttributes: Browser Proxy Bypass Local = disable

Jan 16 15:39:26 [IKEv1]: Group = testgroup, Username = testlay, IP = 10.15.200.108, User (testlay) authenticated.

Jan 16 15:39:26 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, constructing blank hash payload

Jan 16 15:39:26 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, constructing qm hash payload

Jan 16 15:39:26 [IKEv1]: IP = 10.15.200.108, IKE_DECODE SENDING Message (msgid=6b1b471) with payloads : HDR + HASH (8) + ATTR (14) + NONE (0) total length : 64

Jan 16 15:39:26 [IKEv1]: IP = 10.15.200.108, IKE_DECODE RECEIVED Message (msgid=6b1b471) with payloads : HDR + HASH (8) + ATTR (14) + NONE (0) total length : 60

Jan 16 15:39:26 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, process_attr(): Enter!

Jan 16 15:39:26 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, Processing cfg ACK attributes

Jan 16 15:39:27 [IKEv1]: IP = 10.15.200.108, IKE_DECODE RECEIVED Message (msgid=49ae1bb8) with payloads : HDR + HASH (8) + ATTR (14) + NONE (0) total length : 182

Jan 16 15:39:27 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, process_attr(): Enter!

Jan 16 15:39:27 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, Processing cfg Request attributes

Jan 16 15:39:27 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, MODE_CFG: Received request for IPV4 address!

Jan 16 15:39:27 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, MODE_CFG: Received request for IPV4 net mask!

Jan 16 15:39:27 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, MODE_CFG: Received request for DNS server address!

Jan 16 15:39:27 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, MODE_CFG: Received request for WINS server address!

Jan 16 15:39:27 [IKEv1]: Group = testgroup, Username = testlay, IP = 10.15.200.108, Received unsupported transaction mode attribute: 5

Jan 16 15:39:27 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, MODE_CFG: Received request for Banner!

Jan 16 15:39:27 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, MODE_CFG: Received request for Save PW setting!

Jan 16 15:39:27 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, MODE_CFG: Received request for Default Domain Name!

Jan 16 15:39:27 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, MODE_CFG: Received request for Split Tunnel List!

Jan 16 15:39:27 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, MODE_CFG: Received request for Split DNS!

Jan 16 15:39:27 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, MODE_CFG: Received request for PFS setting!

Jan 16 15:39:27 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, MODE_CFG: Received request for Client Browser Proxy Setting!

Jan 16 15:39:27 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, MODE_CFG: Received request for backup ip-sec peer list!

Jan 16 15:39:27 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, MODE_CFG: Received request for Client Smartcard Removal Disconnect Setting!

Jan 16 15:39:27 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, MODE_CFG: Received request for Application Version!

Jan 16 15:39:27 [IKEv1]: Group = testgroup, Username = testlay, IP = 10.15.200.108, Client Type: WinNT Client Application Version: 5.0.07.0440

Jan 16 15:39:27 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, MODE_CFG: Received request for FWTYPE!

Jan 16 15:39:27 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, MODE_CFG: Received request for DHCP hostname for DDNS is: DEC20128!

Jan 16 15:39:27 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, MODE_CFG: Received request for UDP Port!

Jan 16 15:39:32 [IKEv1]: Group = testgroup, Username = testlay, IP = 10.15.200.108, Duplicate Phase 2 packet detected. No last packet to retransmit.

Jan 16 15:39:37 [IKEv1]: IP = 10.15.200.108, IKE_DECODE RECEIVED Message (msgid=b04e830f) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 84

Jan 16 15:39:37 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, processing hash payload

Jan 16 15:39:37 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, processing notify payload

Jan 16 15:39:37 [IKEv1]: Group = testgroup, Username = testlay, IP = 10.15.200.108, Duplicate Phase 2 packet detected. No last packet to retransmit.

Jan 16 15:39:39 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, IKE received response of type [] to a request from the IP address utility

Jan 16 15:39:39 [IKEv1]: Group = testgroup, Username = testlay, IP = 10.15.200.108, Cannot obtain an IP address for remote peer

Jan 16 15:39:39 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, IKE TM V6 FSM error history (struct &0xd8030048) <state>, <event>: TM_DONE, EV_ERROR-->TM_BLD_REPLY, EV_IP_FAIL-->TM_BLD_REPLY, NullEvent-->TM_BLD_REPLY, EV_GET_IP-->TM_BLD_REPLY, EV_NEED_IP-->TM_WAIT_REQ, EV_PROC_MSG-->TM_WAIT_REQ, EV_HASH_OK-->TM_WAIT_REQ, NullEvent

Jan 16 15:39:39 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, IKE AM Responder FSM error history (struct &0xd82b6740) <state>, <event>: AM_DONE, EV_ERROR-->AM_TM_INIT_MODECFG_V6H, EV_TM_FAIL-->AM_TM_INIT_MODECFG_V6H, NullEvent-->AM_TM_INIT_MODECFG, EV_WAIT-->AM_TM_INIT_XAUTH_V6H, EV_CHECK_QM_MSG-->AM_TM_INIT_XAUTH_V6H, EV_TM_XAUTH_OK-->AM_TM_INIT_XAUTH_V6H, NullEvent-->AM_TM_INIT_XAUTH_V6H, EV_ACTIVATE_NEW_SA

Jan 16 15:39:39 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, IKE SA AM:bd3a9a4b terminating: flags 0x0945c001, refcnt 0, tuncnt 0

Jan 16 15:39:39 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, sending delete/delete with reason message

Jan 16 15:39:39 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, constructing blank hash payload

Jan 16 15:39:39 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, constructing IKE delete payload

Jan 16 15:39:39 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, constructing qm hash payload

Jan 16 15:39:39 [IKEv1]: IP = 10.15.200.108, IKE_DECODE SENDING Message (msgid=9de30522) with payloads : HDR + HASH (8) + DELETE (12) + NONE (0) total length : 80

Regards,

Lay

1 Accepted Solution

Accepted Solutions

For RADIUS you need a aaa-server-definition:

aaa-server NPS-RADIUS protocol radius

aaa-server NPS-RADIUS (inside) host 10.10.18.12

key *****

authentication-port 1812

accounting-port 1813

and tell your tunnel-group to ask that server:

tunnel-group VPN general-attributes

authentication-server-group NPS-RADIUS LOCAL

--
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni

View solution in original post

9 Replies 9

By default, it's not enabled to request an IP by DHCP. You need to configure that:

asa(config)# vpn-addr-assign dhcp

--
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni

Sorry, it was not shown in show run. I have already had it in the config. Am I having the correct address in

"dhcp-network-scope 10.6.192.1"? 10.6.192.1 is the gateway address for that Vlan while the DHCP server is 10.6.20.3.

Thanks for your help.

Regards,

Lay

ok, I didn't look at the scope as the missing vpn-address-policy is one of the most common problems ...

I'm not sure if you can use a gateway-address as the scope. Try to use the network from which the client should get an IP.

--
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni

Hi, Thanks again. I have also tried with 10.6.192.0 network address (the mask is 255.255.248.0) but is still getting the same error.

Cheers,

Lay

Does the DHCP-request reach the server? Can you enable logging on the server to see if the DHCP-request gets processed?

Sent from Cisco Technical Support iPad App

Thanks, but I can't do this particular logging on DHCP server. I think I can go with local pool for IP address and try have a proper routing. I would actually like to do next is to utilize a radius server (which is configured to check against AD/LDAP). Would you be able to share a sample configuration for such scenario please? We have a Cisco ACS 5.2 and FreeRADIUS which are working fine with the existing remote access VPN on a different platform.

Regards,

Lay

For RADIUS you need a aaa-server-definition:

aaa-server NPS-RADIUS protocol radius

aaa-server NPS-RADIUS (inside) host 10.10.18.12

key *****

authentication-port 1812

accounting-port 1813

and tell your tunnel-group to ask that server:

tunnel-group VPN general-attributes

authentication-server-group NPS-RADIUS LOCAL

--
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni

Thanks very much for that, Karsten. It works. I suppose there would be a way to have two RADIUS servers, could you please advsie how if there is any such?

Regards,

Lay

You can configure the "aaa-server ... host" block multiple times for your additional RADIUS-servers.

Sent from Cisco Technical Support iPad App

Learn, share, save

Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.

New here? Get started with these tips. How to use Community New member guide

Log in to Community