Solved

Cisco ASA - Remote VPN Clients not able to get IPs from DHCP Server

Posted on 2010-11-30
7
4,134 Views
Last Modified: 2012-05-10
I set up an ASA 5520 for Remote access VPN. It is working only with the local dhcp pool set up on the ASA. I'm trying to use an external dhcp server. The windows dhcp server has the dhcp scope set up. The ASA has the dhcp IP set up in the tunnel-group attributes. The group-policy attributes are set up with the dhcp-network-scope (the same as the scope address on the dhcp server). I verified that the ASA can communicate with the dhcp IP and other servers from inside.
According to the logs the DHCP request is sent to the DHCP server and the DHCP server responds with an offer, but I do not see that the client receives the offer.
The VPN client is getting the following error: Session terminated by peer, code 433 (reason not specified by peer).
Any help will be much appreciated.
Question by:mev-net
7 Comments
 
LVL 33

Expert Comment

by:MikeKane
ID: 34244070
Taken from Cisco Config Guide: http://www.cisco.com/en/US/docs/security/asa/asa81/config/guide/vpnadd.html#wp998970

Please make sure you have the following in place.

Configuring DHCP Addressing

To use DHCP to assign addresses for VPN clients, you must first configure a DHCP server and the range of IP addresses that the DHCP server can use. Then you define the DHCP server on a tunnel group basis. Optionally, you can also define a DHCP network scope in the group policy associated with the tunnel group or username. This is either an IP network number or IP Address that identifies to the DHCP server which pool of IP addresses to use.

The following examples define the DHCP server at IP address 172.33.44.19 for the tunnel group named firstgroup. They also define a DHCP network scope of 192.86.0.0 for the group policy called remotegroup. (The group policy called remotegroup is associated with the tunnel group called firstgroup). If you do not define a network scope, the DHCP server assigns IP addresses in the order of the address pools configured. It goes through the pools until it identifies an unassigned address.

The following configuration includes more steps than are necessary, in that previously you might have named and defined the tunnel group type as remote access, and named and identified the group policy as internal or external. These steps appear in the following examples as a reminder that you have no access to subsequent tunnel-group and group-policy commands until you set these values.

A summary of the configuration that these examples create follows:

hostname(config)# vpn-addr-assign dhcp
hostname(config)# tunnel-group firstgroup type ipsec-ra
hostname(config)# tunnel-group firstgroup general-attributes
hostname(config-general)# dhcp-server 172.33.44.19
hostname(config-general)# exit
hostname(config)# group-policy remotegroup internal
hostname(config)# group-policy remotegroup attributes
hostname(config-group-policy)# dhcp-network-scope 192.86.0.0

0
 

Author Comment

by:mev-net
ID: 34261774
I have the 'dhcp-server IP' and 'dhcp-network-scope scope' set up exactly as in your configuration.
For 'vpn-addr-assign dhcp': even if this command is entered, it does not appear in the config.
The issue is still that the DHCP client is not able to receive the IP from DHCP.

Here is my configuration:
group-policy RA-GROUP internal
group-policy RA-GROUP attributes
 wins-server value 192.168.1.1
 dns-server value 192.168.1.1 192.168.1.2
 dhcp-network-scope 192.168.111.0
 vpn-tunnel-protocol IPSec

tunnel-group ITgroup type ipsec-ra
tunnel-group ITgroup general-attributes
 authentication-server-group RA-AUTH
 default-group-policy RA-GROUP
 dhcp-server 192.168.1.2
0
 

Author Comment

by:mev-net
ID: 34262675
Here is the ASA log info related to the DHCP issue:

%ASA-7-609001: Built local-host inside:192.168.1.2
%ASA-6-302015: Built outbound UDP connection 13614 for inside:192.168.1.2/67 (192.168.1.2/67) to NP Identity Ifc:192.168.1.170/68 (192.168.1.170/68)
%ASA-7-713236: IP = 211.X.1.174, IKE_DECODE RECEIVED Message (msgid=a8800426) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 76
%ASA-7-715047: Group = ITgroup, Username = dom\user1, IP = 211.X.1.174, processing hash payload
%ASA-7-715047: Group = ITgroup, Username = dom\user1, IP = 211.X.1.174, processing notify payload
%ASA-5-713201: Group = ITgroup, Username = dom\user1, IP = 211.X.1.174, Duplicate Phase 2 packet detected.  No last packet to retransmit.
%ASA-5-713201: Group = ITgroup, Username = dom\user1, IP = 211.X.1.174, Duplicate Phase 2 packet detected.  No last packet to retransmit.
%ASA-7-715042: Group = ITgroup, Username = dom\user1, IP = 211.X.1.174, IKE received response of type [] to a request from the IP address utility
%ASA-3-713132: Group = ITgroup, Username = dom\user1, IP = 211.X.1.174, Cannot obtain an IP address for remote peer
%ASA-7-715065: Group = ITgroup, Username = dom\user1, IP = 211.X.1.174, IKE TM V6 FSM error history (struct &0x4053100)  <state>, <event>:  TM_DONE, EV_ERROR-->TM_BLD_REPLY, EV_IP_FAIL-->TM_BLD_REPLY, NullEvent-->TM_BLD_REPLY, EV_GET_IP-->TM_BLD_REPLY, EV_NEED_IP-->TM_WAIT_REQ, EV_PROC_MSG-->TM_WAIT_REQ, EV_HASH_OK-->TM_WAIT_REQ, NullEvent
%ASA-7-715065: Group = ITgroup, Username = dom\user1, IP = 211.X.1.174, IKE AM Responder FSM error history (struct &0x48229d8)  <state>, <event>:  AM_DONE, EV_ERROR-->AM_TM_INIT_MODECFG_V6H, EV_TM_FAIL-->AM_TM_INIT_MODECFG_V6H, NullEvent-->AM_TM_INIT_MODECFG, EV_WAIT-->AM_TM_INIT_XAUTH_V6H, EV_CHECK_QM_MSG-->AM_TM_INIT_XAUTH_V6H, EV_TM_XAUTH_OK-->AM_TM_INIT_XAUTH_V6H, NullEvent-->AM_TM_INIT_XAUTH_V6H, EV_ACTIVATE_NEW_SA
%ASA-7-713906: Group = ITgroup, Username = dom\user1, IP = 211.X.1.174, IKE SA AM:4cb2870a terminating:  flags 0x0945c001, refcnt 0, tuncnt 0
%ASA-7-713906: Group = ITgroup, Username = dom\user1, IP = 211.X.1.174, sending delete/delete with reason message
%ASA-7-715046: Group = ITgroup, Username = dom\user1, IP = 211.X.1.174, constructing blank hash payload
%ASA-7-715046: Group = ITgroup, Username = dom\user1, IP = 211.X.1.174, constructing IKE delete payload
%ASA-7-715046: Group = ITgroup, Username = dom\user1, IP = 211.X.1.174, constructing qm hash payload
%ASA-7-713236: IP = 211.X.1.174, IKE_DECODE SENDING Message (msgid=af65949b) with payloads : HDR + HASH (8) + DELETE (12) + NONE (0) total length : 76
%ASA-3-713902: Group = ITgroup, Username = dom\user1, IP = 211.X.1.174, Removing peer from peer table failed, no match!
%ASA-4-713903: Group = ITgroup, Username = dom\user1, IP = 211.X.1.174, Error: Unable to remove PeerTblEntry


192.168.1.2 - DHCP Server
192.168.1.170 - inside interface of the ASA VPN
211.X.1.174 - Public IP of the VPN client
0

Accepted Solution

by:
mev-net earned 0 total points
ID: 34271361
I found the root of the issue:
The error ‘Duplicate Phase 2 packet detected.  No last packet to retransmit’ was related to a missing route. After redistributing the static routes for RAVPN IP ranges into the routing protocol, the issue was resolved and I’m able to get IP addresses from the external DHCP Server.

Thank you anyway, Genius, for the useful link.
0
 

Author Closing Comment

by:mev-net
ID: 34299469
The issue was not related to the group-policy and tunnel-group attributes configuration.
The DHCP scope and DHCP server were configured correctly.
I found out from other sources that a routing issue was causing the connectivity issue between the DHCP server and the remote client.
0
 

Expert Comment

by:Network-stuff
ID: 37026337
Please can you tell me what you mean by "After redistributing the static routes for RAVPN IP ranges into the routing protocol, the issue was resolved and I'm able to get IP addresses from the external DHCP Server."?
Did you redistribute the dhcp pool range? Please can you specify. Thanks.

0
 

Author Comment

by:mev-net
ID: 37027226
route-map RM-REDISTRIBUTE-STATIC permit 10
 match ip route-source prefix-list PL-RAVPN-REVERSEROUTE

prefix-list PL-RAVPN-REVERSEROUTE seq 10 permit 192.168.111.0/24

router ospf 111
redistribute static subnets route-map RM-REDISTRIBUTE-STATIC

192.168.111.0/24 - is the IP range used by VPN clients
0
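A consistency check for the pieces this thread turned out to hinge on, written here as an added example (not code from the thread, from Cisco or from the ASA): it parses the group-policy, tunnel-group, prefix-list, route-map and OSPF lines of an ASA configuration and reports a tunnel-group whose default group-policy has no dhcp-network-scope, or whose scope is not covered by a prefix-list that OSPF actually redistributes (the route-map name mismatch that the posted config originally had is the kind of thing it catches). The sample configuration is constructed from the lines posted above; the `match ip route-source` keyword is kept as posted.

```python
import ipaddress
# Constructed sample modelled on the configuration posted in this thread (names and addresses are the thread's).
SAMPLE_CONFIG = """\
group-policy RA-GROUP attributes
 dhcp-network-scope 192.168.111.0
tunnel-group ITgroup general-attributes
 default-group-policy RA-GROUP
 dhcp-server 192.168.1.2
prefix-list PL-RAVPN-REVERSEROUTE seq 10 permit 192.168.111.0/24
route-map RM-REDISTRIBUTE-STATIC permit 10
 match ip route-source prefix-list PL-RAVPN-REVERSEROUTE
router ospf 111
 redistribute static subnets route-map RM-REDISTRIBUTE-STATIC
"""

def parse_asa(config):
    scopes, tgs, pls, rms, redist, section = {}, {}, {}, {}, set(), ["", ""]
    for line in filter(str.strip, config.splitlines()):
        words = line.split()
        if not line.startswith(" "):  # an unindented line opens a new section
            section = words
            if words[0] == "prefix-list" and "permit" in words:  # entries may carry ge/le after the prefix
                pls.setdefault(words[1], []).append(ipaddress.ip_network(words[words.index("permit") + 1]))
            continue
        kind, name = section[0], section[1]
        if kind == "group-policy" and words[0] == "dhcp-network-scope":
            scopes[name] = ipaddress.ip_address(words[1])
        elif kind == "tunnel-group" and section[-1] == "general-attributes":
            tgs.setdefault(name, {})[words[0]] = words[-1]
        elif kind == "route-map" and "prefix-list" in words:
            rms.setdefault(name, set()).add(words[-1])
        elif kind == "router" and words[:2] == ["redistribute", "static"] and "route-map" in words:
            redist.add(words[-1])
    return scopes, tgs, pls, rms, redist

def check_dhcp_addressing(config):
    # Returns findings (an empty list means consistent) for each tunnel-group that hands out DHCP addresses.
    scopes, tgs, pls, rms, redist = parse_asa(config)
    findings = []
    for tg, attrs in tgs.items():
        if "dhcp-server" not in attrs:
            continue
        policy = attrs.get("default-group-policy")
        scope = scopes.get(policy)
        if scope is None:
            findings.append(f"{tg}: group-policy {policy} has no dhcp-network-scope")
        # The DHCP server needs a route back to the pool: the scope must fall inside a prefix-list that a redistributed route-map uses.
        elif not any(scope in net for rm in redist
                     for pl in rms.get(rm, ()) for net in pls.get(pl, ())):
            findings.append(f"{tg}: scope {scope} is not redistributed; the DHCP server may lack a return route")
    return findings
```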