VPN address pool not releasing IPs?

matthew.elliott
Level 1

Hi,

I have a Cisco ASA 5520 (8.0(3)).

I have remote access VPN set up for users to VPN into the network. Everything is working fine.

I am using a class C address pool of 192.168.10.x /24 for authenticated users (this is a different subnet from the internal network). This is working fine. However... when the user disconnects from their session... it appears that the IP address does not get released back into the address pool, and the next user who connects will get the NEXT IP address in the pool, and so on and so forth. Although I can't pinpoint the cause of the problem, because 'sometimes' one user will get an address which was previously in use. It is inconsistent as far as I can see.

We don't have a large number of users, but the IP pool is already half depleted because of this. It is slowly but surely getting up into assigning 192.168.10.150 when there are no other users connected (as opposed to it assigning 192.168.10.1).

I have the default idle timeout of 30 set. (Which doesn't actually do anything as far as I can see, because keepalives are enabled.)

I have the max session time of 8 hours.

I have the 'release IP into pool after a certain number of minutes' set to the default 0, so they should be released immediately (from what I understand). I did change this to be 20 minutes and the problem got even worse.

Perhaps this is normal behaviour and when the pool reaches the end it starts from the beginning?

Can someone point me in the right direction of what setting I should be looking at, or guide me in the right general direction?

Appreciate any help.

Thanks.


3 Replies

Setting the value to 0 should have caused the address to be released right away.

Can you do a show ip local pool? It should give you information on available addresses.

pixfirewall# show ip local pool ?

Current available IP pool(s):
  cisco

pixfirewall# show ip local pool cisco

Begin           End             Mask             Free   In use
1.1.1.1         1.1.1.1         255.255.255.0    1      0

Available Addresses:
1.1.1.1

HTH

Sundar

Thanks for the speedy response.

That is a handy command. Thanks for sharing.

Begin           End              Mask             Free   Held   In use
192.168.0.1     192.168.0.254    255.255.255.0    252    0      2

It appears that the IPs are being released... however, they are not being assigned in that order. This reassures me to some extent that if it reaches the end of the pool it will start selecting other ones (hopefully).

Is this behaviour normal for the ASA? On our previous Concentrator addresses would be assigned from the lowest available IP.

I am not able to find any documentation on what order the addresses are assigned to the remote access clients. As long as it's showing the addresses are being released back to the pool, as it is supposed to, I would think once it hits the end of the pool it should start reusing those released addresses.

HTH

Sundar
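The thread's conclusion is that the Free/Held/In use counters, not the highest address handed out, tell you whether a pool is actually leaking. The following is an added example written for this page (it is not from the thread or from Cisco): a small Python parser for the `show ip local pool` output in both formats pasted above, the older one without a Held column and the newer one with it. It checks that the three counters account for every address in the range (a genuine leak would show up as a mismatch or a climbing Held/In use figure) and flags a pool that is close to exhaustion. The two sample outputs are constructed from the pastes; the "Available Addresses" list under the second one is made up, since the original paste stopped after the summary row. The `needs_attention` threshold of 80% is an arbitrary choice, not a Cisco default.

```python
"""Parse ASA/PIX `show ip local pool <name>` output and report pool health.

Added example for this thread, not Cisco code. The samples below are
constructed from the two outputs pasted in the discussion.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional

# Older format (no Held column), with the prompt echoed in the paste.
SAMPLE_NO_HELD = """\
pixfirewall# show ip local pool cisco

Begin           End             Mask            Free     In use
1.1.1.1         1.1.1.1         255.255.255.0   1        0

Available Addresses:
1.1.1.1
"""

# Newer format with a Held column (addresses waiting out the reuse delay).
# The three available addresses listed here are made up.
SAMPLE_WITH_HELD = """\
Begin           End             Mask            Free     Held     In use
192.168.0.1     192.168.0.254   255.255.255.0   252      0        2

Available Addresses:
192.168.0.3
192.168.0.4
192.168.0.1
"""


@dataclass
class PoolStatus:
    begin: ipaddress.IPv4Address
    end: ipaddress.IPv4Address
    mask: ipaddress.IPv4Address
    free: int
    held: int  # 0 when the output has no Held column (older releases)
    in_use: int
    available: List[ipaddress.IPv4Address] = field(default_factory=list)

    @property
    def size(self) -> int:
        """Number of addresses in the configured range, inclusive."""
        return int(self.end) - int(self.begin) + 1

    @property
    def utilization(self) -> float:
        """Fraction of the pool currently unavailable: held plus in use."""
        return (self.held + self.in_use) / self.size

    def consistent(self) -> bool:
        """Free + Held + In use must account for every address in the range."""
        return self.free + self.held + self.in_use == self.size

    def lowest_available(self) -> Optional[ipaddress.IPv4Address]:
        """Lowest free address; the ASA is not guaranteed to hand this one out next."""
        return min(self.available) if self.available else None


def parse_show_ip_local_pool(text: str) -> PoolStatus:
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    # Locate the summary header, skipping any echoed prompt line before it.
    hdr_idx = next(i for i, ln in enumerate(lines) if ln.startswith("Begin"))
    # "In use" is one column printed as two words; join it so the header
    # and the value row split into the same number of tokens.
    columns = lines[hdr_idx].replace("In use", "In_use").split()
    values = lines[hdr_idx + 1].split()
    if len(columns) != len(values):
        raise ValueError(f"column mismatch: {columns} vs {values}")
    row = dict(zip(columns, values))

    available: List[ipaddress.IPv4Address] = []
    if "Available Addresses:" in lines:
        for ln in lines[lines.index("Available Addresses:") + 1:]:
            try:
                available.append(ipaddress.IPv4Address(ln))
            except ValueError:
                break  # reached a trailing prompt or other non-address text

    return PoolStatus(
        begin=ipaddress.IPv4Address(row["Begin"]),
        end=ipaddress.IPv4Address(row["End"]),
        mask=ipaddress.IPv4Address(row["Mask"]),
        free=int(row["Free"]),
        held=int(row.get("Held", 0)),
        in_use=int(row["In_use"]),
        available=available,
    )


def needs_attention(status: PoolStatus, threshold: float = 0.8) -> bool:
    """True when the pool is close to exhaustion or the counters do not add up;
    leaked addresses show up as the latter, not as a high last-assigned address."""
    return status.utilization >= threshold or not status.consistent()


if __name__ == "__main__":
    for sample in (SAMPLE_NO_HELD, SAMPLE_WITH_HELD):
        s = parse_show_ip_local_pool(sample)
        print(f"{s.begin}-{s.end}: size={s.size} free={s.free} held={s.held} "
              f"in_use={s.in_use} util={s.utilization:.1%} "
              f"lowest_available={s.lowest_available()} alert={needs_attention(s)}")
```

Run it periodically against the captured command output (or feed it an SSH session's stdout) and alert on `needs_attention`; for the poster's case the 192.168.0.x output parses to 252 free, 0 held, 2 in use against a 254-address range, which is exactly what a healthy, non-leaking pool looks like regardless of which address the next client happens to receive.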