Remote IPsec VPN DHCP-Server IP assignment problem?

frankie_sky
Level 1

Dear all experts,

I have configured a remote access IPsec VPN on an ASA 5510, and it works fine when I configure a local DHCP address pool assignment, but it does not work with dhcp-server.

Below is my configuration:

tunnel-group test type remote-access
tunnel-group test general-attributes
default-group-policy test
dhcp-server 10.1.1.200
tunnel-group test ipsec-attributes
pre-shared-key *

group-policy test internal
group-policy test attributes
dhcp-network-scope 192.168.135.0
ipsec-udp enable
ipsec-udp-port 10000

---snapshot Ping test to DHCP-Server 10.1.1.200----

ciscoasa# ping 10.1.1.200
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.1.200, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms

The DHCP server works when it assigns IP addresses to the LAN network.

22 Replies

Your mistake is here:

dhcp-network-scope 10.10.0.0

You must use a valid IP address and not the network address. Try, for example:

dhcp-network-scope 10.10.0.254

After that, make sure your internal routing sends packets for this address back to the ASA IP address (as if it were a loopback address).
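The advice above, written out as a complete configuration. This is an added example, not a configuration from the original post or from Cisco; the addresses are constructed to match the thread (10.10.0.254 as the scope host address, 10.1.1.200 as the DHCP server), and the ASA inside interface (10.10.0.1) and the internal IOS router are assumptions:

```text
! ASA side (constructed example): VPN clients get addresses from the
! internal DHCP server. dhcp-network-scope must be a host address inside
! the client subnet, not the subnet address itself.
tunnel-group test general-attributes
 default-group-policy test
 dhcp-server 10.1.1.200
!
group-policy test attributes
 dhcp-network-scope 10.10.0.254
!
! Internal router side (assumed Cisco IOS, 10.10.0.0/21 directly connected):
! the DHCP server sends its OFFER/ACK to the scope address that the ASA used
! as the relay (giaddr) address, so that /32 must be routed back to the ASA
! inside interface, assumed here to be 10.10.0.1.
ip route 10.10.0.254 255.255.255.255 10.10.0.1
!
! ASA side: confirm that DHCP replies actually return to the inside interface
! (inspect with "show capture dhcp" after a client connects).
capture dhcp interface inside match udp any any eq 67
```

The /32 route matters even when the router already has a default route to the ASA: if the scope address falls inside a subnet the router treats as directly connected, the connected route is more specific than the default, so the router will ARP for the address instead of forwarding the reply to the ASA. The result is exactly what a capture would show as a DISCOVER leaving the ASA with no OFFER coming back.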

Tried that but it no worky.

The network I'm trying to connect to is 10.10.0.0 255.255.248.0, so I put in 10.10.7.254 255.255.255.255 as a route back to my ASA and then changed 10.10.7.254 as the network scope. My default route is 0.0.0.0 0.0.0.0 to my ASA, so I really shouldn't have to put the 10.10.7.254 route in right?

I recommend that you do a packet capture to check whether the packets are reaching the ASA. Then you can check with Wireshark what is going on.

Wireshark shows me that I'm making DHCP Discoveries on port 67 to my internal DHCP server but I never receive a response from the DHCP server.

Alright, finally got it. I had to put the DHCP Scope as my router IP and it was then able to relay back to my ASA.

Thanks for the help wbarboza!

@wbarboza

Actually, you can still use the network address. We just upgraded to 9.16 on our ASA, and we are using the network address for the DHCP network scope, and it still works.

thoulihan
Level 1

Can you clarify this statement:

"I had to put the DHCP Scope as my router IP and it was then able to relay back to my ASA."

I have an ASA inside interface, e.g. 10.10.10.1/29.

My client DHCP scope, e.g. 10.200.10.51 to 10.200.10.254.

DHCP network defined: 10.200.10.0/24.

I see the request go from the ASA to the DHCP server. I see the DHCP server reply to the inside ASA interface, 10.10.10.1 (MAC), but it fails.

tmesias
Level 1

I am just going to add this here for others: for me, the problem was solved by removing an erroneous DHCP relay configuration from the firewall, which pointed to a decommissioned server.