mev-net
asked on
Cisco ASA - Remote VPN Clients not able to get IPs from DHCP Server
I setup an ASA 5520 for Remote access VPN. It is working only with the local dhcp pool setup on ASA. I'm trying to use an external dhcp server. The windows dhcp server has the dhcp scope setup. The ASA has the dhcp IP setup in the tunnel-group attributes. The group-policy attributes is setup with the dhcp-network-scope (the same as the scope address on the dhcp server). I verified that the ASA can communicate with the dhcp IP and other servers from inside.
According to the logs the DHCP request is sent to the DHCP server and the DHCP server responds with an offer, but I do not see that the client receives the offer.
The VPN client is getting the following error: Session terminated by peer, code 433 (reason not specified by peer).
Any help will be much appreciated
ASKER
I have the 'dhcp-server IP' and 'dhcp-network-scope scope' setup exactly as in your configuration.
For 'vpn-addr-assign dhcp' - even if this command is entered, it does not appear in the config.
The issue is still related to the DHCP client not being able to receive the IP from DHCP.
Here is my configuration:
group-policy RA-GROUP internal
group-policy RA-GROUP attributes
wins-server value 192.168.1.1
dns-server value 192.168.1.1 192.168.1.2
dhcp-network-scope 192.168.111.0
vpn-tunnel-protocol IPSec
tunnel-group ITgroup type ipsec-ra
tunnel-group ITgroup general-attributes
authentication-server-group RA-AUTH
default-group-policy RA-GROUP
dhcp-server 192.168.1.2
ASKER
Here is the ASA log info related to the DHCP issue:
%ASA-7-609001: Built local-host inside:192.168.1.2
%ASA-6-302015: Built outbound UDP connection 13614 for inside:192.168.1.2/67 (192.168.1.2/67) to NP Identity Ifc:192.168.1.170/68 (192.168.1.170/68)
%ASA-7-713236: IP = 211.X.1.174, IKE_DECODE RECEIVED Message (msgid=a8800426) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 76
%ASA-7-715047: Group = ITgroup, Username = dom\user1, IP = 211.X.1.174, processing hash payload
%ASA-7-715047: Group = ITgroup, Username = dom\user1, IP = 211.X.1.174, processing notify payload
%ASA-5-713201: Group = ITgroup, Username = dom\user1, IP = 211.X.1.174, Duplicate Phase 2 packet detected. No last packet to retransmit.
%ASA-5-713201: Group = ITgroup, Username = dom\user1, IP = 211.X.1.174, Duplicate Phase 2 packet detected. No last packet to retransmit.
%ASA-7-715042: Group = ITgroup, Username = dom\user1, IP = 211.X.1.174, IKE received response of type [] to a request from the IP address utility
%ASA-3-713132: Group = ITgroup, Username = dom\user1, IP = 211.X.1.174, Cannot obtain an IP address for remote peer
%ASA-7-715065: Group = ITgroup, Username = dom\user1, IP = 211.X.1.174, IKE TM V6 FSM error history (struct &0x4053100) <state>, <event>: TM_DONE, EV_ERROR-->TM_BLD_REPLY, EV_IP_FAIL-->TM_BLD_REPLY, NullEvent-->TM_BLD_REPLY, EV_GET_IP-->TM_BLD_REPLY, EV_NEED_IP-->TM_WAIT_REQ, EV_PROC_MSG-->TM_WAIT_REQ, EV_HASH_OK-->TM_WAIT_REQ, NullEvent
%ASA-7-715065: Group = ITgroup, Username = dom\user1, IP = 211.X.1.174, IKE AM Responder FSM error history (struct &0x48229d8) <state>, <event>: AM_DONE, EV_ERROR-->AM_TM_INIT_MODECFG_V6H, EV_TM_FAIL-->AM_TM_INIT_MODECFG_V6H, NullEvent-->AM_TM_INIT_MODECFG, EV_WAIT-->AM_TM_INIT_XAUTH_V6H, EV_CHECK_QM_MSG-->AM_TM_INIT_XAUTH_V6H, EV_TM_XAUTH_OK-->AM_TM_INIT_XAUTH_V6H, NullEvent-->AM_TM_INIT_XAUTH_V6H, EV_ACTIVATE_NEW_SA
%ASA-7-713906: Group = ITgroup, Username = dom\user1, IP = 211.X.1.174, IKE SA AM:4cb2870a terminating: flags 0x0945c001, refcnt 0, tuncnt 0
%ASA-7-713906: Group = ITgroup, Username = dom\user1, IP = 211.X.1.174, sending delete/delete with reason message
%ASA-7-715046: Group = ITgroup, Username = dom\user1, IP = 211.X.1.174, constructing blank hash payload
%ASA-7-715046: Group = ITgroup, Username = dom\user1, IP = 211.X.1.174, constructing IKE delete payload
%ASA-7-715046: Group = ITgroup, Username = dom\user1, IP = 211.X.1.174, constructing qm hash payload
%ASA-7-713236: IP = 211.X.1.174, IKE_DECODE SENDING Message (msgid=af65949b) with payloads : HDR + HASH (8) + DELETE (12) + NONE (0) total length : 76
%ASA-3-713902: Group = ITgroup, Username = dom\user1, IP = 211.X.1.174, Removing peer from peer table failed, no match!
%ASA-4-713903: Group = ITgroup, Username = dom\user1, IP = 211.X.1.174, Error: Unable to remove PeerTblEntry
192.168.1.2 - DHCP Server
192.168.1.170 - inside interface of the ASA VPN
211.X.1.174 - Public IP of the VPN client
ASKER CERTIFIED SOLUTION
ASKER
The issue was not related to the group-policy and tunnel-group attributes configuration.
The DHCP scope and DHCP server were configured correctly.
I found out from other sources that a routing issue was causing the connectivity issue between the DHCP server and the remote client.
Please can you tell me what you mean by ( After redistributing the static routes for RAVPN IP ranges into the routing protocol, the issue was resolved and I’m able to get IP addresses from the external DHCP Server.)
Did you redistribute the DHCP pool range? Please can you specify. Thanks
ASKER
route-map RM-REDISTRIBUTE-STATIC permit 10
match ip route-source prefix-list PL-RAVPN-REVERSEROUTE
prefix-list PL-RAVPN-REVERSEROUTE seq 10 permit 192.168.111.0/24
router ospf 111
redistribute static subnets route-map RM-REDISTRIBUTE-STATIC
192.168.111.0/24 - is the IP range used by VPN clients
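An added triage helper, not code from this thread or from Cisco: it classifies the ASA syslog excerpt posted above (DHCP request relayed on UDP/67, then 713132 "Cannot obtain an IP address") and then checks, on a constructed routing table for the internal router, whether a return route for the VPN client scope via the ASA exists, which is what the redistributed static route in the fix supplies. The log sample, the scope 192.168.111.0/24, the DHCP server 192.168.1.2 and the ASA inside address 192.168.1.170 come from the thread; the upstream next hop 203.0.113.1 is a constructed placeholder.

```python
import ipaddress
import re
# Constructed excerpt of the ASA syslog quoted above (same message IDs, not a live capture).
SAMPLE_LOG = r"""%ASA-6-302015: Built outbound UDP connection 13614 for inside:192.168.1.2/67 (192.168.1.2/67) to NP Identity Ifc:192.168.1.170/68 (192.168.1.170/68)
%ASA-5-713201: Group = ITgroup, Username = dom\user1, IP = 211.X.1.174, Duplicate Phase 2 packet detected. No last packet to retransmit.
%ASA-3-713132: Group = ITgroup, Username = dom\user1, IP = 211.X.1.174, Cannot obtain an IP address for remote peer
%ASA-4-713903: Group = ITgroup, Username = dom\user1, IP = 211.X.1.174, Error: Unable to remove PeerTblEntry"""
MSG_ID = re.compile(r"%ASA-\d-(\d{6}):")
UDP_CONN = re.compile(r"Built outbound UDP connection \d+ for \w+:([\d.]+)/(\d+)")  # 302015 server addr/port

def triage_dhcp_failure(log_text):
    """Classify the excerpt: was a DHCP request relayed, and did IP assignment fail?"""
    result = {"dhcp_server": None, "ip_assign_failed": False, "peers": set()}
    for line in log_text.splitlines():
        m = MSG_ID.search(line)
        if not m:
            continue
        msg_id = m.group(1)
        if msg_id == "302015":
            c = UDP_CONN.search(line)
            if c and c.group(2) == "67":      # UDP/67: the relayed DHCP request to the server
                result["dhcp_server"] = c.group(1)
        elif msg_id == "713132":              # IKE could not obtain a client address
            result["ip_assign_failed"] = True
            peer = re.search(r"IP = (\S+),", line)
            if peer:
                result["peers"].add(peer.group(1))
    if result["dhcp_server"] and result["ip_assign_failed"]:
        result["next_check"] = ("request relayed to DHCP server but no lease came back: "
                                "verify the internal network routes the VPN client scope to the ASA")
    elif result["ip_assign_failed"]:
        result["next_check"] = "no relayed DHCP request seen: verify dhcp-server and vpn-addr-assign dhcp"
    else:
        result["next_check"] = "no IP assignment failure in this excerpt"
    return result

def route_back_exists(routes, client_scope, asa_inside_ip):
    """Longest-prefix match of the client scope in a (prefix, next_hop) table; True only if it points at the ASA."""
    scope = ipaddress.ip_network(client_scope)
    best = None
    for prefix, next_hop in routes:
        net = ipaddress.ip_network(prefix)
        if scope.subnet_of(net) and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, next_hop)
    return best is not None and best[1] == asa_inside_ip

# Constructed table for the internal router: before and after the VPN scope route is redistributed.
ROUTES_BEFORE = [("192.168.1.0/24", "connected"), ("0.0.0.0/0", "203.0.113.1")]
ROUTES_AFTER = ROUTES_BEFORE + [("192.168.111.0/24", "192.168.1.170")]
```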
Please make sure you have the following in place.
Configuring DHCP Addressing
To use DHCP to assign addresses for VPN clients, you must first configure a DHCP server and the range of IP addresses that the DHCP server can use. Then you define the DHCP server on a tunnel group basis. Optionally, you can also define a DHCP network scope in the group policy associated with the tunnel group or username. This is either an IP network number or IP Address that identifies to the DHCP server which pool of IP addresses to use.
The following examples define the DHCP server at IP address 172.33.44.19 for the tunnel group named firstgroup. They also define a DHCP network scope of 192.86.0.0 for the group policy called remotegroup. (The group policy called remotegroup is associated with the tunnel group called firstgroup). If you do not define a network scope, the DHCP server assigns IP addresses in the order of the address pools configured. It goes through the pools until it identifies an unassigned address.
The following configuration includes more steps than are necessary, in that previously you might have named and defined the tunnel group type as remote access, and named and identified the group policy as internal or external. These steps appear in the following examples as a reminder that you have no access to subsequent tunnel-group and group-policy commands until you set these values.
A summary of the configuration that these examples create follows:
hostname(config)# vpn-addr-assign dhcp
hostname(config)# tunnel-group firstgroup type ipsec-ra
hostname(config)# tunnel-group firstgroup general-attributes
hostname(config-general)# dhcp-server 172.33.44.19
hostname(config-general)# exit
hostname(config)# group-policy remotegroup internal
hostname(config)# group-policy remotegroup attributes
hostname(config-group-poli