05-06-2010 12:55 AM - edited 02-21-2020 04:38 PM
Dear all experts,
I have configured a remote access IPsec VPN on an ASA5510 and it is working fine when I configure local DHCP address pool assignment, but it is not working with dhcp-server.
Below is my configuration:
tunnel-group test type remote-access
tunnel-group test general-attributes
default-group-policy test
dhcp-server 10.1.1.200
tunnel-group test ipsec-attributes
pre-shared-key *
group-policy test internal
group-policy test attributes
dhcp-network-scope 192.168.135.0
ipsec-udp enable
ipsec-udp-port 10000
---snapshot Ping test to DHCP-Server 10.1.1.200----
ciscoasa# ping 10.1.1.200
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.1.200, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms
The DHCP server works when assigning IP addresses to the LAN network.
05-06-2010 01:02 AM
Please also check if you have the following configured:
vpn-addr-assign dhcp
05-06-2010 01:06 AM
Already done.
ciscoasa# sh run all vpn-addr-assign
no vpn-addr-assign aaa
vpn-addr-assign dhcp
no vpn-addr-assign local
But it is still not working. The error messages are below:
%ASA-7-737001: IPAA: Received message 'UTL_IP_[IKE_]ADDR_REQ'
%ASA-5-737018: IPAA: DHCP request attempt 1 failed
%ASA-5-737003: IPAA: DHCP configured, no viable servers found for tunnel-group 'GoldCoinVPN'
%ASA-4-737012: IPAA: Address assignment failed
%ASA-7-715042: Group = GoldCoinVPN, Username = test, IP = 120.138.83.233, IKE received response of type [] to a request from the IP address utility
%ASA-3-713132: Group = GoldCoinVPN, Username = test, IP = 120.138.83.233, Cannot obtain an IP address for remote peer
05-06-2010 01:12 AM
Seems like you are trying to connect from "GoldCoinVPN" tunnel-group, however, your DHCP is configured under "test" tunnel-group.
05-06-2010 01:20 AM
Sorry, the test tunnel-group was just my simulation.
My production configuration is as below:
tunnel-group GoldCoinVPN type remote-access
tunnel-group GoldCoinVPN general-attributes
default-group-policy GoldCoinVPN
dhcp-server 10.1.1.200
tunnel-group GoldCoinVPN ipsec-attributes
pre-shared-key *
group-policy GoldCoinVPN internal
group-policy GoldCoinVPN attributes
dhcp-network-scope 192.168.135.0
ipsec-udp enable
ipsec-udp-port 10000
I was trying to configure the dhcprelay, but that does not seem to work either.
05-06-2010 01:32 AM
Thanks. Please also confirm that there is a DHCP scope of 192.168.135.0 configured on the DHCP server.
05-06-2010 01:38 AM
Below is my DHCP configuration.
05-10-2010 11:54 AM
I have a similar problem. Not solved so far...
vpn-addr-assign dhcp
no vpn-addr-assign aaa
no vpn-addr-assign local
group-policy test-group internal
group-policy test-group attributes
dhcp-network-scope 192.168.100.0
tunnel-group test type remote-access
tunnel-group test general-attributes
authentication-server-group vpn
default-group-policy test-group
dhcp-server 192.168.0.2
tunnel-group test ipsec-attributes
pre-shared-key *
When debugging, I get the following messages:
%ASA-7-737001: IPAA: Received message 'UTL_IP_[IKE_]ADDR_REQ'
%ASA-6-737017: IPAA: DHCP request attempt 1 succeeded
%ASA-6-737005: IPAA: DHCP configured, request succeeded for tunnel-group 'test'
%ASA-6-302016: Teardown UDP connection 127 for outside:XX.XX.XX.103/3044 to identity:XX.XX.XX.104/500 duration 0:02:20 bytes 2283
%ASA-7-737001: IPAA: Received message 'UTL_IP_DHCP_INVALID_ADDR'
On the switch 192.168.0.2, I have the following config:
ip dhcp pool VPN-test
network 192.168.100.0 255.255.255.0
dns-server 10.1.1.1 10.1.1.2
domain-name vpn.ca
And it assigns addresses when requested, but the ASA does not accept them...
Switch#sh ip dhcp binding
IP address       Client-ID/              Lease expiration         Type
                 Hardware address
192.168.100.5    00FF.FFFF.0000.0038.    May 10 2010 02:57 PM     Automatic
05-10-2010 10:54 PM
I don't really understand. Can I say that:
1.) when you configure the dhcp-server setting in your ASA and your DHCP server is actually a Cisco switch, then your VPN client is able to get the IP address?
2.) when you configure the dhcp-server setting in your ASA and your DHCP server is actually a DHCP server, then it is not working?
Because I found that your case is a bit different from mine; your debug shows that your DHCP server is found and the attempt succeeds:
%ASA-6-737017: IPAA: DHCP request attempt 1 succeeded
But mine says the DHCP server is not viable. Even when I turn on Wireshark on the DHCP server, I find no DHCP request messages reaching the server at all. I suspect the dhcp-server setting is not really functioning, or there might be a bug (but I haven't logged a TAC case yet). I just used an IP local address pool as an alternative solution.
05-11-2010 04:25 AM
1) The ASA does NOT forward the IP address received from the switch to the VPN Client. It requests successfully, but it does NOT receive successfully.
2) That's it, it is NOT working so far...
05-11-2010 10:47 PM
Hi wbarboza,
Have you ever tried configuring an ip local pool in the ASA? BTW, it should work. I'm just wondering how your dhcp-server attempt is successful. Is it possible for you to post your full config?
05-12-2010 04:53 AM
The problem was a lack of a route to the IP address configured in the DHCP range back to the ASA. In spite of the fact that the switch was directly configured, the default gateway was not the ASA, as it used to redistribute the routes over EIGRP.
When I put a static route in the switch pointing to the ASA, it worked right away...
ip route 192.168.100.0 255.255.255.0 192.168.0.1
In my case, the inside IP address was 192.168.0.1/24 and the scope address was 192.168.100.0/24
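To make the return-path point above concrete, here is an added example (not part of the thread and not Cisco code) that models the relayed DHCP exchange in Python: it builds the DISCOVER a relay would send, parses the server's OFFER, and checks whether the server's routing table would actually deliver that OFFER back to the relay. The addressing is taken from the post above (ASA inside 192.168.0.1, switch 192.168.0.2, scope 192.168.100.0/24); the client MAC, the transaction ID and the 192.168.0.254 default gateway are constructed, and the assumption that the ASA fills giaddr with the dhcp-network-scope address (so the server selects that pool and unicasts its reply to it) is mine, not something the thread states.

```python
"""Relayed DHCP DISCOVER/OFFER walkthrough (added example, not from the thread).
Assumption: the relay (ASA) puts the dhcp-network-scope address in giaddr."""
import ipaddress
import struct

HDR_FMT = "!BBBBIHH4s4s4s4s16s64s128s"   # RFC 2131 fixed header, 236 bytes
MAGIC = b"\x63\x82\x53\x63"
BOOTREQUEST, BOOTREPLY = 1, 2
DHCPDISCOVER, DHCPOFFER = 1, 2
OPT_SUBNET_MASK, OPT_MSG_TYPE = 1, 53


def build_dhcp(op, xid, chaddr, giaddr, yiaddr, options):
    """Serialise a minimal BOOTP/DHCP packet; options is a list of (code, bytes)."""
    hdr = struct.pack(HDR_FMT, op, 1, 6, 0, xid, 0, 0x8000,
                      b"\0" * 4,                              # ciaddr
                      ipaddress.IPv4Address(yiaddr).packed,   # yiaddr: offered address
                      b"\0" * 4,                              # siaddr
                      ipaddress.IPv4Address(giaddr).packed,   # giaddr: where the server replies
                      chaddr, b"\0" * 64, b"\0" * 128)        # chaddr is zero-padded to 16 bytes
    opts = b"".join(bytes([code, len(val)]) + val for code, val in options)
    return hdr + MAGIC + opts + b"\xff"


def parse_dhcp(pkt):
    """Decode the header fields the check needs plus the option TLVs."""
    f = struct.unpack(HDR_FMT, pkt[:236])
    if pkt[236:240] != MAGIC:
        raise ValueError("missing DHCP magic cookie")
    opts, i = {}, 240
    while i < len(pkt) and pkt[i] != 0xFF:
        if pkt[i] == 0:                     # pad option
            i += 1
            continue
        code, ln = pkt[i], pkt[i + 1]
        opts[code] = pkt[i + 2:i + 2 + ln]
        i += 2 + ln
    return {"op": f[0], "xid": f[4],
            "yiaddr": str(ipaddress.IPv4Address(f[8])),
            "giaddr": str(ipaddress.IPv4Address(f[10])),
            "options": opts}


def next_hop(routes, dst):
    """Longest-prefix match over [(prefix, next_hop)]; None when nothing matches."""
    best = None
    for prefix, nh in routes:
        net = ipaddress.ip_network(prefix)
        if ipaddress.ip_address(dst) in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, nh)
    return best[1] if best else None


def check_offer(discover, offer, scope, server_routes, relay_addr):
    """Return the problems a relay (here: the ASA) would hit with this OFFER."""
    d, o = parse_dhcp(discover), parse_dhcp(offer)
    problems = []
    if o["op"] != BOOTREPLY or o["xid"] != d["xid"]:
        problems.append("reply does not match the DISCOVER transaction")
    if o["options"].get(OPT_MSG_TYPE) != bytes([DHCPOFFER]):
        problems.append("message type is not DHCPOFFER")
    if ipaddress.ip_address(o["yiaddr"]) not in ipaddress.ip_network(scope):
        problems.append(f"yiaddr {o['yiaddr']} is outside scope {scope}")
    # The server unicasts its reply to giaddr. If its route for giaddr does not point at the
    # relay, the OFFER goes elsewhere: the request "succeeds" but no address ever comes back.
    hop = next_hop(server_routes, d["giaddr"])
    if hop != relay_addr:
        problems.append(f"server routes giaddr {d['giaddr']} via {hop}, not the relay {relay_addr}")
    return problems


# Constructed sample exchange using the thread's addressing.
SCOPE = "192.168.100.0/24"
ASA_INSIDE = "192.168.0.1"
CLIENT_MAC = bytes.fromhex("02000000aa01")   # hypothetical client hardware address
XID = 0x2A2A2A2A                             # constructed transaction id
DISCOVER = build_dhcp(BOOTREQUEST, XID, CLIENT_MAC, "192.168.100.0", "0.0.0.0",
                      [(OPT_MSG_TYPE, bytes([DHCPDISCOVER]))])
OFFER = build_dhcp(BOOTREPLY, XID, CLIENT_MAC, "192.168.100.0", "192.168.100.5",
                   [(OPT_MSG_TYPE, bytes([DHCPOFFER])),
                    (OPT_SUBNET_MASK, ipaddress.IPv4Address("255.255.255.0").packed)])
# Switch routing table before the fix: default route to a hypothetical EIGRP neighbour, not the ASA.
ROUTES_BEFORE = [("192.168.0.0/24", "direct"), ("0.0.0.0/0", "192.168.0.254")]
# After the fix in the post: ip route 192.168.100.0 255.255.255.0 192.168.0.1
ROUTES_AFTER = ROUTES_BEFORE + [(SCOPE, ASA_INSIDE)]

if __name__ == "__main__":
    for label, routes in (("before", ROUTES_BEFORE), ("after", ROUTES_AFTER)):
        print(label, check_offer(DISCOVER, OFFER, SCOPE, routes, ASA_INSIDE) or "OK")
```

With the "before" table the check reports the OFFER being routed to 192.168.0.254 rather than to the ASA, which is the situation the static route fixes; with the route added the same OFFER passes. The same reasoning applies to any DHCP server used this way: it needs a route for the scope subnet that points at the ASA, whether or not it is on the ASA's inside segment.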
03-07-2013 01:55 AM
It's working after adding the static route on the core switch pointing to the ASA and
issuing this command: no vpn-addr-assign local, to force the ASA to get the IP address from the DHCP server.
Make sure vpn-addr-assign dhcp is enabled.
06-25-2010 02:35 PM
Not trying to take over your post, but I'm having the same issue. The only difference is that I'm authenticating with an internal RADIUS server, which works, but I cannot get my internal DHCP server to assign an IP. I keep getting the same messages that you were getting:
IPAA: Received message 'UTL_IP_[IKE_]ADDR_REQ'
IPAA: DHCP request attempt 1 succeeded
IPAA: DHCP configured, request succeeded for tunnel-group 'test'
IPAA: Received message 'UTL_IP_DHCP_INVALID_ADDR'
Group = test, Username = testuser, IP = 166.137.139.82, IKE received response of type [] to a request from the IP address utility
Group = test, Username = testuser, IP = 166.137.139.82, Cannot obtain an IP address for remote peer
Here is my config:
interface Ethernet0/0
description Public interface
nameif outside
security-level 0
ip address x.x.x.130 255.255.255.0
ospf cost 10
interface Ethernet0/1
description Internal interface
nameif inside
security-level 100
ip address 10.10.0.1 255.255.255.0
ospf cost 10
aaa-server Radius protocol radius
interim-accounting-update
aaa-server Radius (inside) host RADIUS1
key *
radius-common-pw *
aaa-server Radius (inside) host RADIUS2
key *
radius-common-pw *
group-policy test internal
group-policy test attributes
dns-server value 10.10.0.11 10.10.0.12
dhcp-network-scope 10.10.0.0
vpn-tunnel-protocol IPSec
address-pools none
tunnel-group test type remote-access
tunnel-group test general-attributes
authentication-server-group Radius
accounting-server-group Radius
default-group-policy test
dhcp-server 10.10.0.11
tunnel-group test ipsec-attributes
pre-shared-key *
tunnel-group test ppp-attributes
authentication pap
authentication ms-chap-v2
authentication eap-proxy
06-25-2010 03:07 PM