Remote IPsec VPN DHCP-Server IP assignment problem?

frankie_sky
Level 1

Dear all experts,

I have configured a remote access IPsec VPN on an ASA 5510 and it is working fine when I configure a local DHCP address pool assignment, but it is not working with dhcp-server.

Below is my configuration:

tunnel-group test type remote-access
tunnel-group test general-attributes
default-group-policy test
dhcp-server 10.1.1.200
tunnel-group test ipsec-attributes
pre-shared-key *

group-policy test internal
group-policy test attributes
dhcp-network-scope 192.168.135.0
ipsec-udp enable
ipsec-udp-port 10000

--- Snapshot: ping test to DHCP server 10.1.1.200 ---

ciscoasa# ping 10.1.1.200
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.1.200, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms

The DHCP server is working when I assign IP addresses to the LAN network.

22 Replies

Jennifer Halim
Cisco Employee

Please also check if you have the following configured:

vpn-addr-assign dhcp

Already done.

ciscoasa# sh run all vpn-addr-assign
no vpn-addr-assign aaa
vpn-addr-assign dhcp
no vpn-addr-assign local

But it is still not working. The error messages are below:

%ASA-7-737001: IPAA: Received message 'UTL_IP_[IKE_]ADDR_REQ'
%ASA-5-737018: IPAA: DHCP request attempt 1 failed
%ASA-5-737003: IPAA: DHCP configured, no viable servers found for tunnel-group 'GoldCoinVPN'
%ASA-4-737012: IPAA: Address assignment failed
%ASA-7-715042: Group = GoldCoinVPN, Username = test, IP = 120.138.83.233, IKE received response of type [] to a request from the IP address utility
%ASA-3-713132: Group = GoldCoinVPN, Username = test, IP = 120.138.83.233, Cannot obtain an IP address for remote peer

It seems like you are trying to connect from the "GoldCoinVPN" tunnel-group; however, your DHCP is configured under the "test" tunnel-group.

Sorry, the test tunnel-group was just my simulation.

My production configuration is below.

tunnel-group GoldCoinVPN type remote-access
tunnel-group GoldCoinVPN general-attributes
default-group-policy GoldCoinVPN
dhcp-server 10.1.1.200
tunnel-group GoldCoinVPN ipsec-attributes
pre-shared-key *

group-policy GoldCoinVPN internal
group-policy GoldCoinVPN attributes
dhcp-network-scope 192.168.135.0
ipsec-udp enable
ipsec-udp-port 10000

I was trying to configure DHCP relay, but that does not seem to work either.

Thanks, please also confirm that there is a DHCP scope of 192.168.135.0 configured on the DHCP server.

Below is my DHCP configuration.

I have a similar problem. Not solved so far...

vpn-addr-assign dhcp
no vpn-addr-assign aaa
no vpn-addr-assign local

group-policy test-group internal
group-policy test-group attributes
dhcp-network-scope 192.168.100.0

tunnel-group test type remote-access
tunnel-group test general-attributes
authentication-server-group vpn
default-group-policy test-group
dhcp-server 192.168.0.2
tunnel-group test ipsec-attributes
pre-shared-key *

When debugging, I get the following messages:

%ASA-7-737001: IPAA: Received message 'UTL_IP_[IKE_]ADDR_REQ'
%ASA-6-737017: IPAA: DHCP request attempt 1 succeeded
%ASA-6-737005: IPAA: DHCP configured, request succeeded for tunnel-group 'test'
%ASA-6-302016: Teardown UDP connection 127 for outside:XX.XX.XX.103/3044 to identity:XX.XX.XX.104/500 duration 0:02:20 bytes 2283
%ASA-7-737001: IPAA: Received message 'UTL_IP_DHCP_INVALID_ADDR'

On the switch 192.168.0.2, I have the following config:

ip dhcp pool VPN-test
   network 192.168.100.0 255.255.255.0
   dns-server 10.1.1.1 10.1.1.2
   domain-name vpn.ca

And it assigns addresses when requested, but the ASA does not accept them...

Switch#sh ip dhcp binding
IP address       Client-ID/              Lease expiration        Type
                 Hardware address
192.168.100.5    00FF.FFFF.0000.0038.    May 10 2010 02:57 PM    Automatic

Hi wbarboza,

I don't really understand. Can I say that:

1.) when you configure the dhcp-server setting in your ASA and your DHCP server is actually a Cisco switch, your VPN client is able to get an IP address?

2.) when you configure the dhcp-server setting in your ASA and your DHCP server is actually a DHCP server, it is not working?

Because I found that your case is a bit different from mine: your debug shows that your DHCP server is found and the attempt succeeds.

%ASA-6-737017: IPAA: DHCP request attempt 1 succeeded

But in mine, the DHCP server is not viable. Even when I turn on Wireshark on the DHCP server, I find no DHCP request messages reaching the server at all. I suspect the dhcp-server setting is not really functioning, or there might be a bug (but I haven't logged a TAC case yet). I just used an ip local address pool as an alternative solution.

1) The ASA does NOT forward the IP address received from the switch to the VPN client. It requests successfully, but it does NOT receive successfully.

2) That's it, it is NOT working so far...

Hi wbarboza,

Have you ever tried configuring an ip local pool in the ASA? BTW, it should work. I'm just wondering how your dhcp-server attempt is successful. Is it possible for you to post your full config?

The problem was a lack of a route to the IP address configured in the DHCP range back to the ASA. In spite of the fact that the switch was directly configured, the default gateway was not the ASA, as it used to redistribute the routes over EIGRP.

When I put a static route in the switch pointing to the ASA, it worked right away...

ip route 192.168.100.0 255.255.255.0 192.168.0.1

In my case, the inside IP address was 192.168.0.1/24 and the scope address was 192.168.100.0/24.

It's working after adding the static route in the core switch pointing to the ASA and issuing the command no vpn-addr-assign local to force the ASA to get the IP address from the DHCP server.

Make sure vpn-addr-assign dhcp is enabled.
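The replies above converge on a short checklist: vpn-addr-assign dhcp on and local off, dhcp-server under the tunnel-group the client actually connects to (the log named GoldCoinVPN while the config had test), a dhcp-network-scope in the group-policy, and a route for the scope network back to the ASA when the server answers but the ASA logs UTL_IP_DHCP_INVALID_ADDR. The script below is an added example, not from the thread or from Cisco, that parses a pasted ASA config in the shape posted here and cross-checks it against one IPAA syslog line; the sample config and the parsing of attribute blocks by keyword are my own assumptions.

```python
import re

# Constructed sample: trimmed ASA config in the shape posted above, plus one IPAA line from the thread.
SAMPLE_CONFIG = """
vpn-addr-assign dhcp
group-policy test attributes
 dhcp-network-scope 192.168.135.0
tunnel-group test type remote-access
tunnel-group test general-attributes
 default-group-policy test
 dhcp-server 10.1.1.200
"""
SAMPLE_LOG = "%ASA-5-737003: IPAA: DHCP configured, no viable servers found for tunnel-group 'GoldCoinVPN'"

def parse_asa(config):
    # Keep only the enabled vpn-addr-assign methods plus tunnel-group / group-policy attribute blocks.
    cfg = {"addr_assign": set(), "tunnel_groups": {}, "group_policies": {}}
    section = None
    for line in (ln.strip() for ln in config.splitlines() if ln.strip()):
        m = re.match(r"(tunnel-group|group-policy) (\S+) (general-)?attributes$", line)
        if m:
            table = "tunnel_groups" if m.group(1) == "tunnel-group" else "group_policies"
            section = cfg[table].setdefault(m.group(2), {})
        elif line.split()[0] in ("tunnel-group", "group-policy", "no", "vpn-addr-assign"):
            section = None  # a global command ends the current attribute block
            if line.startswith("vpn-addr-assign "):
                cfg["addr_assign"].add(line.split()[1])
        elif section is not None:
            key, _, value = line.partition(" ")
            section[key] = value  # e.g. dhcp-server -> 10.1.1.200
    return cfg

def check_dhcp_assignment(config, log_line):
    # Cross-check the config against the tunnel-group named in one IPAA syslog line.
    cfg, findings = parse_asa(config), []
    m = re.search(r"tunnel-group '([^']+)'|Group = ([^,]+),", log_line)
    tg_name = (m.group(1) or m.group(2)) if m else None
    if "dhcp" not in cfg["addr_assign"]:
        findings.append("vpn-addr-assign dhcp is not enabled")
    if "local" in cfg["addr_assign"]:
        findings.append("vpn-addr-assign local is still enabled; the thread's fix was 'no vpn-addr-assign local'")
    if "UTL_IP_DHCP_INVALID_ADDR" in log_line:
        findings.append("lease was offered but rejected; check the route for the scope network back to the ASA")
    tg = cfg["tunnel_groups"].get(tg_name, {})
    gp = cfg["group_policies"].get(tg.get("default-group-policy"), {})
    if "dhcp-server" not in tg:
        findings.append(f"tunnel-group '{tg_name}' named in the log has no dhcp-server configured")
    if "dhcp-network-scope" not in gp:
        findings.append(f"group-policy for tunnel-group '{tg_name}' has no dhcp-network-scope")
    return findings
```

Feed it the output of show run all vpn-addr-assign together with the tunnel-group and group-policy sections, and the line from the IPAA debug that names the group.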

roxysbrian
Level 1

Not trying to take over your post, but I'm having the same issue. The only difference is that I'm authenticating with an internal RADIUS server, which works, but I cannot get my internal DHCP server to assign an IP. I keep getting the same message that you were getting:

IPAA: Received message 'UTL_IP_[IKE_]ADDR_REQ'
IPAA: DHCP request attempt 1 succeeded
IPAA: DHCP configured, request succeeded for tunnel-group 'test'

IPAA: Received message 'UTL_IP_DHCP_INVALID_ADDR'
Group = test, Username = testuser, IP = 166.137.139.82, IKE received response of type [] to a request from the IP address utility

Group = test, Username = testuser, IP = 166.137.139.82, Cannot obtain an IP address for remote peer

Here is my config:

interface Ethernet0/0
description Public interface
nameif outside
security-level 0
ip address x.x.x.130 255.255.255.0
ospf cost 10

interface Ethernet0/1
description Internal interface
nameif inside
security-level 100
ip address 10.10.0.1 255.255.255.0
ospf cost 10

aaa-server Radius protocol radius
interim-accounting-update
aaa-server Radius (inside) host RADIUS1
key *
radius-common-pw *
aaa-server Radius (inside) host RADIUS2
key *
radius-common-pw *


group-policy test internal
group-policy test attributes
dns-server value 10.10.0.11 10.10.0.12
dhcp-network-scope 10.10.0.0
vpn-tunnel-protocol IPSec
address-pools none

tunnel-group test type remote-access
tunnel-group test general-attributes
authentication-server-group Radius
accounting-server-group Radius
default-group-policy test
dhcp-server 10.10.0.11
tunnel-group test ipsec-attributes
pre-shared-key *
tunnel-group test ppp-attributes
authentication pap
authentication ms-chap-v2
authentication eap-proxy

I am currently testing this using my iPhone but get the same result when I use the Cisco VPN client on my laptop. Attached is the full syslog copy of my connection attempt.