Solved

Cisco ASA - Remote VPN Clients not able to get IPs from DHCP Server

Posted on 2010-11-30
Last Modified: 2012-05-10
I set up an ASA 5520 for remote access VPN. It is working only with the local DHCP pool set up on the ASA. I'm trying to use an external DHCP server. The Windows DHCP server has the DHCP scope set up. The ASA has the DHCP IP set up in the tunnel-group attributes. The group-policy attributes are set up with the dhcp-network-scope (the same as the scope address on the DHCP server). I verified that the ASA can communicate with the DHCP IP and other servers from inside.
According to the logs the DHCP request is sent to the DHCP server and the DHCP server responds with an offer, but I do not see that the client receives the offer.
The VPN client is getting the following error: Session terminated by peer, code 433 (reason not specified by peer).
Any help will be much appreciated.
Question by:mev-net
7 Comments
LVL 33

Expert Comment

by:MikeKane
ID: 34244070
Taken from Cisco Config Guide: http://www.cisco.com/en/US/docs/security/asa/asa81/config/guide/vpnadd.html#wp998970

Please make sure you have the following in place.

Configuring DHCP Addressing

To use DHCP to assign addresses for VPN clients, you must first configure a DHCP server and the range of IP addresses that the DHCP server can use. Then you define the DHCP server on a tunnel group basis. Optionally, you can also define a DHCP network scope in the group policy associated with the tunnel group or username. This is either an IP network number or IP Address that identifies to the DHCP server which pool of IP addresses to use.

The following examples define the DHCP server at IP address 172.33.44.19 for the tunnel group named firstgroup. They also define a DHCP network scope of 192.86.0.0 for the group policy called remotegroup. (The group policy called remotegroup is associated with the tunnel group called firstgroup). If you do not define a network scope, the DHCP server assigns IP addresses in the order of the address pools configured. It goes through the pools until it identifies an unassigned address.

The following configuration includes more steps than are necessary, in that previously you might have named and defined the tunnel group type as remote access, and named and identified the group policy as internal or external. These steps appear in the following examples as a reminder that you have no access to subsequent tunnel-group and group-policy commands until you set these values.

A summary of the configuration that these examples create follows:

hostname(config)# vpn-addr-assign dhcp
hostname(config)# tunnel-group firstgroup type ipsec-ra
hostname(config)# tunnel-group firstgroup general-attributes
hostname(config-general)# dhcp-server 172.33.44.19
hostname(config-general)# exit
hostname(config)# group-policy remotegroup internal
hostname(config)# group-policy remotegroup attributes
hostname(config-group-policy)# dhcp-network-scope 192.86.0.0


Author Comment

by:mev-net
ID: 34261774
I have the 'dhcp-server IP' and 'dhcp-network-scope scope' set up exactly as in your configuration.
For 'vpn-addr-assign dhcp': even if this command is entered, it does not appear in the config.
The issue is still related to the DHCP client not being able to receive the IP from DHCP.

Here is my configuration:
group-policy RA-GROUP internal
group-policy RA-GROUP attributes
 wins-server value 192.168.1.1
 dns-server value 192.168.1.1 192.168.1.2
 dhcp-network-scope 192.168.111.0
 vpn-tunnel-protocol IPSec

tunnel-group ITgroup type ipsec-ra
tunnel-group ITgroup general-attributes
 authentication-server-group RA-AUTH
 default-group-policy RA-GROUP
 dhcp-server 192.168.1.2

Author Comment

by:mev-net
ID: 34262675
Here is the ASA log info related to the DHCP issue:

%ASA-7-609001: Built local-host inside:192.168.1.2
%ASA-6-302015: Built outbound UDP connection 13614 for inside:192.168.1.2/67 (192.168.1.2/67) to NP Identity Ifc:192.168.1.170/68 (192.168.1.170/68)
%ASA-7-713236: IP = 211.X.1.174, IKE_DECODE RECEIVED Message (msgid=a8800426) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 76
%ASA-7-715047: Group = ITgroup, Username = dom\user1, IP = 211.X.1.174, processing hash payload
%ASA-7-715047: Group = ITgroup, Username = dom\user1, IP = 211.X.1.174, processing notify payload
%ASA-5-713201: Group = ITgroup, Username = dom\user1, IP = 211.X.1.174, Duplicate Phase 2 packet detected.  No last packet to retransmit.
%ASA-5-713201: Group = ITgroup, Username = dom\user1, IP = 211.X.1.174, Duplicate Phase 2 packet detected.  No last packet to retransmit.
%ASA-7-715042: Group = ITgroup, Username = dom\user1, IP = 211.X.1.174, IKE received response of type [] to a request from the IP address utility
%ASA-3-713132: Group = ITgroup, Username = dom\user1, IP = 211.X.1.174, Cannot obtain an IP address for remote peer
%ASA-7-715065: Group = ITgroup, Username = dom\user1, IP = 211.X.1.174, IKE TM V6 FSM error history (struct &0x4053100)  <state>, <event>:  TM_DONE, EV_ERROR-->TM_BLD_REPLY, EV_IP_FAIL-->TM_BLD_REPLY, NullEvent-->TM_BLD_REPLY, EV_GET_IP-->TM_BLD_REPLY, EV_NEED_IP-->TM_WAIT_REQ, EV_PROC_MSG-->TM_WAIT_REQ, EV_HASH_OK-->TM_WAIT_REQ, NullEvent
%ASA-7-715065: Group = ITgroup, Username = dom\user1, IP = 211.X.1.174, IKE AM Responder FSM error history (struct &0x48229d8)  <state>, <event>:  AM_DONE, EV_ERROR-->AM_TM_INIT_MODECFG_V6H, EV_TM_FAIL-->AM_TM_INIT_MODECFG_V6H, NullEvent-->AM_TM_INIT_MODECFG, EV_WAIT-->AM_TM_INIT_XAUTH_V6H, EV_CHECK_QM_MSG-->AM_TM_INIT_XAUTH_V6H, EV_TM_XAUTH_OK-->AM_TM_INIT_XAUTH_V6H, NullEvent-->AM_TM_INIT_XAUTH_V6H, EV_ACTIVATE_NEW_SA
%ASA-7-713906: Group = ITgroup, Username = dom\user1, IP = 211.X.1.174, IKE SA AM:4cb2870a terminating:  flags 0x0945c001, refcnt 0, tuncnt 0
%ASA-7-713906: Group = ITgroup, Username = dom\user1, IP = 211.X.1.174, sending delete/delete with reason message
%ASA-7-715046: Group = ITgroup, Username = dom\user1, IP = 211.X.1.174, constructing blank hash payload
%ASA-7-715046: Group = ITgroup, Username = dom\user1, IP = 211.X.1.174, constructing IKE delete payload
%ASA-7-715046: Group = ITgroup, Username = dom\user1, IP = 211.X.1.174, constructing qm hash payload
%ASA-7-713236: IP = 211.X.1.174, IKE_DECODE SENDING Message (msgid=af65949b) with payloads : HDR + HASH (8) + DELETE (12) + NONE (0) total length : 76
%ASA-3-713902: Group = ITgroup, Username = dom\user1, IP = 211.X.1.174, Removing peer from peer table failed, no match!
%ASA-4-713903: Group = ITgroup, Username = dom\user1, IP = 211.X.1.174, Error: Unable to remove PeerTblEntry


192.168.1.2 - DHCP Server
192.168.1.170 - inside interface of the ASA VPN
211.X.1.174 - Public IP of the VPN client
Accepted Solution

by:
mev-net earned 0 total points
ID: 34271361
I found the root of the issue:
The error ‘Duplicate Phase 2 packet detected.  No last packet to retransmit’ was related to a missing route. After redistributing the static routes for RAVPN IP ranges into the routing protocol, the issue was resolved and I’m able to get IP addresses from the external DHCP Server.

Thank you Genius anyways for useful link.

Author Closing Comment

by:mev-net
ID: 34299469
The issue was not related to the group-policy and tunnel-group attributes configuration.
The DHCP scope and DHCP server were configured correctly.
I found out from other sources that a routing issue was causing the connectivity issue between the DHCP server and the remote client.

Expert Comment

by:Network-stuff
ID: 37026337
Please can you tell me what you mean by "After redistributing the static routes for RAVPN IP ranges into the routing protocol, the issue was resolved and I'm able to get IP addresses from the external DHCP Server."
Did you redistribute the DHCP pool range? Please can you specify. Thanks


Author Comment

by:mev-net
ID: 37027226
! Route-map name must match the one referenced under "router ospf" (the original post
! defined REDISTRIBUTE-STATIC but referenced RM-REDISTRIBUTE-STATIC; one name is used here).
route-map RM-REDISTRIBUTE-STATIC permit 10
 match ip route-source prefix-list PL-RAVPN-REVERSEROUTE

! Prefix-list selecting the RAVPN client range (the RRI reverse routes)
prefix-list PL-RAVPN-REVERSEROUTE seq 10 permit 192.168.111.0/24

! Redistribute the matching static (reverse) routes into OSPF so the inside network
! learns a path back to the VPN client range via the ASA
router ospf 111
 redistribute static subnets route-map RM-REDISTRIBUTE-STATIC

192.168.111.0/24 - is the IP range used by VPN clients
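The two things this thread turned on, in one added example (not code from the thread or from Cisco): first, the log signature in mev-net's log post (a UDP/67 connection built to the DHCP server, followed by 713132 "Cannot obtain an IP address for remote peer", i.e. the server was reached but its reply never came back); second, the return-route condition behind the accepted answer and the OSPF redistribution above. The routing tables, the gateway address 192.168.1.254 and the assumption that the DHCP server's reply is routed toward the VPN client range (so that range must route to the ASA inside address) are constructed for the example; the log lines are copies of the ones posted above.

```python
"""Added example: detect the 'DHCP reply lost' signature in ASA syslog and check the return route."""
import ipaddress
import re

# Constructed sample: the relevant lines from the log post in this thread.
SAMPLE_LOG = r"""
%ASA-6-302015: Built outbound UDP connection 13614 for inside:192.168.1.2/67 (192.168.1.2/67) to NP Identity Ifc:192.168.1.170/68 (192.168.1.170/68)
%ASA-7-715047: Group = ITgroup, Username = dom\user1, IP = 211.X.1.174, processing notify payload
%ASA-5-713201: Group = ITgroup, Username = dom\user1, IP = 211.X.1.174, Duplicate Phase 2 packet detected.  No last packet to retransmit.
%ASA-3-713132: Group = ITgroup, Username = dom\user1, IP = 211.X.1.174, Cannot obtain an IP address for remote peer
"""

LOG_RE = re.compile(r"^%ASA-(?P<sev>\d)-(?P<msgid>\d{6}): (?P<text>.*)$")
# 302015 to a /67 destination = the ASA relayed a DHCP request to that server
DHCP_CONN_RE = re.compile(r"UDP connection \d+ for (?P<ifc>\w+):(?P<server>[\d.]+)/67\b")
PEER_RE = re.compile(r"IP = (?P<peer>[^,]+),")


def parse_asa_log(text):
    """Parse '%ASA-<sev>-<id>: <text>' lines into dicts; other lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            events.append({"sev": int(m["sev"]), "id": m["msgid"], "text": m["text"]})
    return events


def scan_asa_log(text):
    """Correlate DHCP relay connections with 713132 address-assignment failures."""
    dhcp_servers = set()
    failed_peers = []
    for ev in parse_asa_log(text):
        if ev["id"] == "302015":
            m = DHCP_CONN_RE.search(ev["text"])
            if m:
                dhcp_servers.add(m["server"])
        elif ev["id"] == "713132":
            m = PEER_RE.search(ev["text"])
            failed_peers.append(m["peer"] if m else "?")
    # Request went out but no address came back: suspect the path from the server back to the ASA
    verdict = "dhcp reply lost" if dhcp_servers and failed_peers else "no dhcp-path failure"
    return {"dhcp_servers": sorted(dhcp_servers), "failed_peers": failed_peers, "verdict": verdict}


def has_return_route(routing_table, vpn_client_net, asa_inside_ip):
    """Longest-prefix match of the VPN client range in a (prefix, next_hop) table.
    True only when the winning route points at the ASA inside interface."""
    target = ipaddress.ip_network(vpn_client_net)
    best = None
    for prefix, next_hop in routing_table:
        net = ipaddress.ip_network(prefix)
        if target.subnet_of(net) and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, next_hop)
    return best is not None and best[1] == asa_inside_ip


# Constructed routing tables for the inside gateway router (192.168.1.254 is assumed).
TABLE_BEFORE = [("0.0.0.0/0", "203.0.113.1"), ("192.168.1.0/24", "0.0.0.0")]
# After redistributing the RRI static route into OSPF, the client range points at the ASA.
TABLE_AFTER = TABLE_BEFORE + [("192.168.111.0/24", "192.168.1.170")]

if __name__ == "__main__":
    print(scan_asa_log(SAMPLE_LOG))
    print("before:", has_return_route(TABLE_BEFORE, "192.168.111.0/24", "192.168.1.170"))
    print("after: ", has_return_route(TABLE_AFTER, "192.168.111.0/24", "192.168.1.170"))
```

Before the fix the default route wins the lookup and the DHCP reply leaves the inside network instead of reaching the ASA, which is what the log signature above reflects; once a more specific route for the client range points at 192.168.1.170, the check passes.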