ASA VPN and QIP DHCP

Dave Henderson
I have a Cisco ASA based VPN currently deployed in a customer data centre.  The project is an upgrade from a local VPN3000 Series Concentrator.  The final service will handle a lot more clients than the previous local one, so a scalable DHCP service is required for end clients.

The data centre is using Lucent QIP for DNS & DHCP Services which is working fine for other servers & services.

When my VPN client session is built, authentication is successful and a tunnel through the ASA to the DHCP Server is built.

In successive capture files using bi-directional access-lists placed strategically in the data centre, I see the DHCP request traffic reaching the VLAN that the QIP Server is on.  The QIP Server logs see the requests and -allegedly- respond.  But I never receive the DHCP response.

Has anybody had the same issues?  Is there a known good fix for this?  I am also raising a TAC Case for this problem and will share any information I receive - but would rather solve the issue here first!! :)

Cheers
Have you enabled DHCP relay on the ASA?

dhcprelay server x.x.x.x inside
dhcprelay enable inside
dhcprelay setroute inside

Commented:
Hey I think that TAC will say something like this:
Can you explain the issue again?

I mean what are you trying to do? I guess that you are trying to use DHCP to give an ip address to the vpn clients instead of using a pool, right?

If so please check:
http://preview.tinyurl.com/dbqkgo

You should create a new scope on the server for example:  192.168.5.0/24

According to the example in the ASA, do not use the line
dhcp-network-scope 192.168.5.0
Change that to:
dhcp-network-scope 192.168.5.1

And then update your internal routing to let it know that the network 192.168.5.0/24 is reachable only through the inside IP of the ASA. (routing)

When the Cisco VPN Client is connecting to the concentrator/ASA and using a DHCP server to assign the IP addresses to the clients, the device will work as a DHCP proxy.

The device will use the DHCP relay agent field that is mentioned by the RFC: http://www.faqs.org/rfcs/rfc3046.html

Dave Henderson, Solution Architect

Author

Commented:
I tried the dhcprelay command but got an error about the ASA being in DHCP Proxy mode.  However, I did have the dhcp-network-scope set to 10.10.10.0 so I can try to change that.  I will look at both of these possibilities tomorrow.
There is a listed bug on the Cisco ASA site that I discovered (late Friday evening) that Lucent QIP actually does have a problem with an ASA acting as a proxy.  Because it sees many requests from the same source IP and MAC pair, the server categorises it as a DDOS attack and blacklists the ASA IP.  I have raised this with Lucent who are reviewing.
I will feedback any suggestions/information that I receive.
Cheers
Solution Architect
Commented:
My colleague received this reply from Lucent who are the vendors of QIP:

“You can use the LDHCP 5.6 with SupportClientID policy to resolve this problem.
 
In Lucent DHCP versions previous to 5.6, DHCP clients are distinguished purely by MAC address. Hostnames are considered impermanent, since most types of devices can be renamed. Routers are supposed to pass through the MAC address of the end device when they forward DHCP packets to the DHCP server. In theory VPN devices should work like routers and be transparent to VitalQIP, but in practice many VPNs or other network devices do not pass the client MAC address.
 
DHCP 5.6 has a new feature, of allowing identification of client by the value of Option 61 Client Identifier in the DHCP-Discover and DHCP-Request. If the packet does not have any option 61 value or if the SupportClientID policy is set to False, then MAC addresses will be used.
 
DHCP 5.6 requires VitalQIP 7.2PR1 on both the E/S and the DHCP remote server, and cannot work with older VitalQIP versions.
(Make sure that VitalQIP is 7.2PR1 or higher and make sure that the Lucent DHCP is 5.6 or higher.)”
We will upgrade our QIP Server and test.
Cheers
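To make the Lucent reply concrete, here is an added example (not code from this thread, from Cisco or from Lucent) in Python: it builds constructed DHCPDISCOVER packets shaped the way a VPN proxy sends them (hops set, giaddr set, the proxy's own MAC in chaddr) and shows that a server keying leases by MAC alone sees one client where three exist, while honouring Option 61 Client Identifier tells them apart. The function names and the sample MAC and addresses are assumptions.

```python
import struct

MAGIC_COOKIE = b"\x63\x82\x53\x63"   # RFC 2131 marker that precedes the option list

def parse_dhcp(pkt):
    """Parse the fixed BOOTP header and the DHCP option list (RFC 2131)."""
    if len(pkt) < 240 or pkt[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP packet")
    op, htype, hlen, hops, xid = struct.unpack("!BBBBI", pkt[:8])
    giaddr = pkt[24:28]            # relay/proxy address the server replies to
    chaddr = pkt[28:28 + hlen]     # client hardware address (MAC)
    opts, i = {}, 240
    while i < len(pkt) and pkt[i] != 255:   # 255 = end option
        if pkt[i] == 0:                     # 0 = pad, has no length byte
            i += 1
            continue
        tag, length = pkt[i], pkt[i + 1]
        opts[tag] = pkt[i + 2:i + 2 + length]
        i += 2 + length
    return {"op": op, "hops": hops, "xid": xid, "giaddr": giaddr,
            "chaddr": chaddr, "options": opts}

def lease_key(pkt, support_client_id):
    """Identity the lease is filed under: option 61 if present and the policy is on, else the MAC."""
    p = parse_dhcp(pkt)
    cid = p["options"].get(61)
    if support_client_id and cid:
        return ("client-id", cid.hex())
    return ("mac", p["chaddr"].hex())

def build_discover(xid, proxy_mac, giaddr, client_id=None):
    """Constructed DHCPDISCOVER as a proxy sends it: hops=1, giaddr set, proxy MAC in chaddr."""
    hdr = struct.pack("!BBBBIHH", 1, 1, 6, 1, xid, 0, 0x8000)  # op, htype, hlen, hops, xid, secs, flags
    hdr += b"\0" * 12 + bytes(giaddr)          # ciaddr, yiaddr, siaddr, giaddr
    hdr += proxy_mac + b"\0" * 10              # chaddr padded to 16 bytes
    hdr += b"\0" * 192                         # sname + file
    opts = b"\x35\x01\x01"                     # option 53 = DHCPDISCOVER
    if client_id:                              # option 61 = client identifier
        opts += bytes([61, len(client_id)]) + client_id
    return hdr + MAGIC_COOKIE + opts + b"\xff"

def distinct_clients(packets, support_client_id):
    """How many separate clients the server would see for these packets."""
    return len({lease_key(p, support_client_id) for p in packets})

# Constructed sample: three VPN users behind one ASA (assumed MAC and address values).
PROXY_MAC, GIADDR = bytes.fromhex("001122334455"), bytes([10, 10, 10, 1])
SAMPLES = [build_discover(0x1000 + n, PROXY_MAC, GIADDR, b"\x00vpn-user-%d" % n)
           for n in range(3)]
```

With the MAC-only policy `distinct_clients(SAMPLES, False)` is 1, which is the "same source IP and MAC pair" pattern the QIP server was treating as a flood; with the client-id policy it is 3.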
Qlemo ("Batchelor"), Developer and EE Topic Advisor

Commented:
This question has been classified as abandoned and is being closed as part of the Cleanup Program.  See my comment at the end of the question for more details.
