
DHCP relay on ASA 5505 to Windows DHCP Server not working

Dennis Topo Jr
Level 1

Hello all....

 

I have a simple ASA (v 7.2 (4) base license) dhcp relay that is just not working... I'm not sure I ever set up relaying on an ASA before but there's a first time for everything. 

 

So...as my incredibly basic drawing shows, I want to DHCP relay requests the MS DHCP server @ 10.30.10.3 (no Windows firewall) on the inside network, to the Guest clients sitting on the Guest network (Vlan 997) 10.30.220.0 /24. The Windows server has the appropriate scope set up on it for the clients and obviously the ASA has connectivity via the inside interface.

 

I'm getting these in the relay debugs (DHCPRA: dhcp_relay_agent_receiver:can't find binding) and nothing back from the DHCP server, and my pertinent config is as follows. Any help is appreciated! Thanks...Dennis

interface Vlan1
 nameif inside
 security-level 100
 ip address 10.30.10.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 2.2.2.2 255.255.255.0
!
interface Vlan997
 no forward interface Vlan1
 nameif Guest-Wireless
 security-level 50
 ip address 10.30.220.1 255.255.255.0

interface Ethernet0/7
 switchport access vlan 997

 

 

global (outside) 1 interface
nat (inside) 0 access-list nonat
nat (inside) 1 0.0.0.0 0.0.0.0
nat (Guest-Wireless) 1 0.0.0.0 0.0.0.0

 

dhcpd auto_config outside
!
dhcprelay server 10.30.10.3 inside
dhcprelay enable Guest-Wireless
dhcprelay setroute Guest-Wireless
dhcprelay timeout 120

 

 

ASA# DHCPD/RA: Punt 10.30.10.3/17152 --> 255.255.255.255/17152 to CP
DHCPRA: Received a BOOTREPLY from interface 1
DHCPRA: dhcp_relay_agent_receiver:can't find binding

 

ASA# show dhcprelay stati
DHCP UDP Unreachable Errors: 0
DHCP Other UDP Errors: 0

Packets Relayed
BOOTREQUEST          0
DHCPDISCOVER         36
DHCPREQUEST          0
DHCPDECLINE          0
DHCPRELEASE          0
DHCPINFORM           0

BOOTREPLY            0
DHCPOFFER            0
DHCPACK              15
DHCPNAK              0

Accepted Solutions

Here is your problem:

interface Vlan997
 no forward interface Vlan1
 nameif Guest-Wireless
 security-level 50
 ip address 10.30.220.1 255.255.255.0

You need to upgrade to a security plus license.  Other than that your config looks fine.

--

Please remember to select a correct answer and rate helpful posts


It's what I thought too after submitting. I did take the no forward off to Vlan 1, and in its place, I added no forward interface vlan 2...the outside....just so the inside and guest-wireless interfaces would have full connectivity - still not working though.

 

Thanks for your response....

Change the command on the Guest-wireless interface to no forward interface outside.

Then test with ping to the DHCP server to make sure that traffic is permitted.  You would also need to allow the DHCP traffic in the ACL from the Guest-wireless to the inside toward the DHCP server.

Make sure connectivity is there for DHCP (and ICMP for testing), and then we can continue with the troubleshooting.

--

Please remember to select a correct answer and rate helpful posts


Guys...I went another route - just could not get the relay to work. I would chalk it up to the restricted base license, although I'm not positive. I labbed a similar setup, although not with a base license 5505, and it's super simple. So....I ended up just serving DHCP directly from the ASA for the guest network...and that works ....

Thanks for the suggestions and input.

rodrigog
Level 1

Is that the full output of the debug?

It seems the ASA isn't seeing the request from the clients, since you don't see the next log:

dhcpd_forward_request: request from 000c.291c.34b5 forwarded to x.x.x.x

It seems the ASA is getting the binding from the server but not the request from the users, so it can't associate a session, so the issue may reside in the switch.

Do you have IP helper on the switch?

Try getting the full debug output of the next 2 commands during the testing

  • debug dhcprelay packet
  • debug dhcprelay event
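
The check described in the reply above (a BOOTREPLY with no earlier dhcpd_forward_request line), as an added Python example that is not part of the original thread. It runs over the debug and statistics text posted in the question. The function names are hypothetical, and it assumes the 17152 in the Punt line is UDP port 67 printed with its two bytes swapped (67 × 256 = 17152).

```python
import re

# Debug and statistics text copied from the question in this thread.
DEBUG = """\
DHCPD/RA: Punt 10.30.10.3/17152 --> 255.255.255.255/17152 to CP
DHCPRA: Received a BOOTREPLY from interface 1
DHCPRA: dhcp_relay_agent_receiver:can't find binding
"""
STATS = """\
DHCPDISCOVER         36
DHCPREQUEST          0
DHCPOFFER            0
DHCPACK              15
"""

def swap16(port):
    """Swap the two bytes of a 16-bit port value (assumed debug byte order)."""
    return ((port & 0xFF) << 8) | (port >> 8)

def parse_punts(text):
    """Return (src, src_port, dst, dst_port) for each Punt line, ports byte-swapped."""
    pat = re.compile(r"Punt (\S+)/(\d+) --> (\S+)/(\d+)")
    return [(s, swap16(int(sp)), d, swap16(int(dp)))
            for s, sp, d, dp in pat.findall(text)]

def parse_stats(text):
    """Map counter name to value from 'show dhcprelay statistics' lines."""
    rows = re.findall(r"^(DHCP\w+|BOOT\w+)[ \t]+(\d+)[ \t]*$", text, re.M)
    return {name: int(value) for name, value in rows}

def findings(debug, stats_text):
    """List neutral observations; none of them names a root cause."""
    out = []
    stats = parse_stats(stats_text)
    # A reply arrived, but no request was logged as forwarded before it.
    if "can't find binding" in debug and "dhcpd_forward_request" not in debug:
        out.append("reply-without-forwarded-request")
    # DISCOVERs were counted as relayed, yet no OFFER was relayed back.
    if stats.get("DHCPDISCOVER", 0) > 0 and stats.get("DHCPOFFER", 0) == 0:
        out.append("discovers-relayed-no-offers")
    # The punted reply was addressed to the broadcast address.
    for src, sport, dst, _ in parse_punts(debug):
        if dst == "255.255.255.255":
            out.append(f"broadcast-reply-from-{src}:{sport}")
    return out

if __name__ == "__main__":
    for item in findings(DEBUG, STATS):
        print(item)
```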

 

 

That is the full output of debug dhcprelay packet.  That's as far as it gets. I don't have access now to the switch or ASA, but I believe there was no ip helper on it. Just all layer 2 in fact.

 

I will debug events also come Monday. It's frustrating because it's so simple it should just work !

 

ASA# DHCPD/RA: Punt 10.30.10.3/17152 --> 255.255.255.255/17152 to CP
DHCPRA: Received a BOOTREPLY from interface 1
DHCPRA: dhcp_relay_agent_receiver:can't find binding
