05-06-2010 12:55 AM - edited 02-21-2020 04:38 PM
Dear all experts,
I have configured a remote-access IPsec VPN on an ASA 5510, and it is working fine when I configure a local DHCP address pool for assignment, but it is not working with dhcp-server.
Below is my configuration:
tunnel-group test type remote-access
tunnel-group test general-attributes
default-group-policy test
dhcp-server 10.1.1.200
tunnel-group test ipsec-attributes
pre-shared-key *
group-policy test internal
group-policy test attributes
dhcp-network-scope 192.168.135.0
ipsec-udp enable
ipsec-udp-port 10000
--- Ping test to DHCP server 10.1.1.200 ---
ciscoasa# ping 10.1.1.200
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.1.200, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms
The DHCP server is working when I assign IP addresses to the LAN network.
06-25-2010 03:11 PM
Your mistake is here:
dhcp-network-scope 10.10.0.0
You must use a valid IP address and not the network address. Try, for example:
dhcp-network-scope 10.10.0.254
Afterwards, make sure your internal routing sends packets for this address back to the ASA IP address (as if it were a loopback address).
06-28-2010 09:08 AM
Tried that, but it doesn't work.
The network I'm trying to connect to is 10.10.0.0 255.255.248.0, so I put in 10.10.7.254 255.255.255.255 as a route back to my ASA and then changed the network scope to 10.10.7.254. My default route is 0.0.0.0 0.0.0.0 to my ASA, so I really shouldn't have to put the 10.10.7.254 route in, right?
06-28-2010 09:46 AM
I recommend you do a packet capture to check whether the packets are reaching the ASA. Then you can check with Wireshark what is going on.
06-28-2010 01:37 PM
Wireshark shows me that I'm sending DHCP Discovers on port 67 to my internal DHCP server, but I never receive a response from the DHCP server.
06-29-2010 10:21 AM
Alright, finally got it. I had to set the DHCP scope to my router IP, and it was then able to relay back to my ASA.
Thanks for the help wbarboza!
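The mechanism the thread is circling around, as an added illustration that is not part of the original posts or of any Cisco code: a DHCP relay forwards the client's DISCOVER with giaddr set, the server picks a pool from the subnet that contains giaddr and unicasts its OFFER back to giaddr:67, so the reply only returns to the relay if the server's routing hands that address back to the relay (or giaddr is the relay's own connected address). This assumes, as the thread does, that the ASA uses the dhcp-network-scope value as giaddr; the MAC, pools and route table below are constructed for the example.

```python
"""Toy model of DHCP relay for VPN clients: what the relay puts in giaddr, how the
server picks a pool from it, and whether the server's reply can get back to the relay.
Constructed example; addresses, pools and the route table are made up."""
import ipaddress
import struct

MAGIC_COOKIE = b"\x63\x82\x53\x63"
HEADER_FMT = "!BBBBIHH4s4s4s4s16s64s128s"  # RFC 2131 fixed fields, 236 bytes


def build_relayed_discover(client_mac: bytes, giaddr: str, xid: int = 0x1234ABCD) -> bytes:
    """DHCPDISCOVER as forwarded by a relay: hops bumped to 1, giaddr set to the
    address the relay wants the server to use for pool selection and for the reply."""
    header = struct.pack(
        HEADER_FMT,
        1, 1, 6, 1,                               # op=BOOTREQUEST, htype=Ethernet, hlen=6, hops=1
        xid, 0, 0x8000,                           # xid, secs, flags (broadcast bit set)
        b"\0" * 4, b"\0" * 4, b"\0" * 4,          # ciaddr, yiaddr, siaddr
        ipaddress.IPv4Address(giaddr).packed,     # giaddr: the relay-chosen address
        client_mac.ljust(16, b"\0"), b"\0" * 64, b"\0" * 128)
    options = MAGIC_COOKIE + bytes([53, 1, 1]) + bytes([255])  # option 53 = DISCOVER, end
    return header + options


def parse_relay_fields(pkt: bytes) -> dict:
    """The fields a DHCP server looks at when a request arrived via a relay."""
    fields = struct.unpack(HEADER_FMT, pkt[:236])
    opts = pkt[236:]
    if opts[:4] != MAGIC_COOKIE:
        raise ValueError("not a DHCP packet (magic cookie missing)")
    msg_type, i = None, 4
    while i < len(opts) and opts[i] != 255:
        if opts[i] == 0:                          # pad option
            i += 1
            continue
        code, length = opts[i], opts[i + 1]
        if code == 53:
            msg_type = opts[i + 2]
        i += 2 + length
    return {"hops": fields[3],
            "giaddr": str(ipaddress.IPv4Address(fields[10])),
            "msg_type": msg_type}


POOLS = {  # constructed server-side scopes: subnet -> (first, last) lease address
    "10.1.1.0/24": ("10.1.1.50", "10.1.1.150"),
    "10.10.0.0/21": ("10.10.0.10", "10.10.7.200"),
}


def select_pool(giaddr: str):
    """RFC 2131 s4.3.1: with giaddr set, the server offers from the subnet containing giaddr."""
    g = ipaddress.IPv4Address(giaddr)
    if g == ipaddress.IPv4Address("0.0.0.0"):
        return None  # not relayed: a real server would use the receiving interface's subnet
    for net, rng in POOLS.items():
        if g in ipaddress.IPv4Network(net):
            return net, rng
    return None


def lookup(dst: str, routes):
    """Longest-prefix match over (prefix, next_hop); next_hop None means directly connected."""
    d = ipaddress.IPv4Address(dst)
    best = None
    for prefix, nh in routes:
        net = ipaddress.IPv4Network(prefix)
        if d in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, nh)
    return best


def reply_reaches_relay(giaddr: str, routes, relay_ip: str) -> bool:
    """The server unicasts DHCPOFFER to giaddr:67 (RFC 2131 s4.1). It only arrives at the
    relay if the matching route hands the packet to the relay, or giaddr is the relay's
    own address on a directly connected subnet (the server just ARPs for it)."""
    match = lookup(giaddr, routes)
    if match is None:
        return False                   # no route: the offer never leaves the server
    _net, nh = match
    if nh is None:                     # directly connected subnet
        return giaddr == relay_ip
    return nh == relay_ip


ASA_INSIDE = "10.1.1.1"
SERVER_ROUTES = [                      # constructed route table of the DHCP server
    ("10.1.1.0/24", None),             # connected
    ("10.10.0.0/21", "10.1.1.254"),    # VPN pool range points at a core router, not the ASA
    ("0.0.0.0/0", "10.1.1.1"),         # default via the ASA
]

if __name__ == "__main__":
    pkt = build_relayed_discover(b"\x00\x11\x22\x33\x44\x55", "10.10.7.254")
    print(parse_relay_fields(pkt), select_pool("10.10.7.254"))
    for scope in ("10.10.7.254", "10.1.1.1"):
        print(scope, "reply returns to relay:", reply_reaches_relay(scope, SERVER_ROUTES, ASA_INSIDE))
    fixed = SERVER_ROUTES + [("10.10.7.254/32", ASA_INSIDE)]
    print("with host route back to ASA:", reply_reaches_relay("10.10.7.254", fixed, ASA_INSIDE))
```

The two failing cases in the model are the ones the thread hits: a scope inside the VPN pool range whose route on the server side points somewhere other than the ASA, and a scope on a connected subnet that is not the ASA's own address, so nothing answers the server's ARP. Adding a host route for the scope address back to the ASA, or using an address the ASA itself owns, makes the OFFER return.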
07-06-2015 01:19 PM
@wbarboza
Actually, you can still use the network address. We just upgraded our ASA to 9.16, and we are using the network address for the DHCP network scope, and it still works.
11-15-2011 11:14 AM
Can you clarify this statement:
I had to put the DHCP Scope as my router IP and it was then able to relay back to my ASA.
I have an ASA inside interface, e.g. 10.10.10.1/29.
My client DHCP scope, e.g. 10.200.10.51 to 10.200.10.254.
DHCP network defined: 10.200.10.0/24.
I see the request go from the ASA to the DHCP server. I see the DHCP server reply to the inside ASA interface, 10.10.10.1 (MAC), but it fails.
10-20-2017 08:47 AM
I am just going to add this here for others: for me, the problem was solved by removing an erroneous DHCP relay configuration from the firewall, which pointed to a decommissioned server.