Solved

Cisco ASA - Remote VPN Clients not able to get IPs from DHCP Server

Posted on 2010-11-30
4,057 Views
Last Modified: 2012-05-10
I set up an ASA 5520 for remote access VPN. It is working only with the local DHCP pool set up on the ASA. I'm trying to use an external DHCP server. The Windows DHCP server has the DHCP scope set up. The ASA has the DHCP server IP set up in the tunnel-group attributes. The group-policy attributes are set up with the dhcp-network-scope (the same as the scope address on the DHCP server). I verified that the ASA can communicate with the DHCP server IP and other servers from inside.
According to the logs the DHCP request is sent to the DHCP server and the DHCP server responds with an offer, but I do not see that the client receives the offer.
The VPN client is getting the following error: Session terminated by peer, code 433 (reason not specified by peer).
Any help will be much appreciated
Question by:mev-net
7 Comments
 

Expert Comment

by:MikeKane
ID: 34244070
Taken from Cisco Config Guide: http://www.cisco.com/en/US/docs/security/asa/asa81/config/guide/vpnadd.html#wp998970

Please make sure you have the following in place.

Configuring DHCP Addressing

To use DHCP to assign addresses for VPN clients, you must first configure a DHCP server and the range of IP addresses that the DHCP server can use. Then you define the DHCP server on a tunnel group basis. Optionally, you can also define a DHCP network scope in the group policy associated with the tunnel group or username. This is either an IP network number or IP Address that identifies to the DHCP server which pool of IP addresses to use.

The following examples define the DHCP server at IP address 172.33.44.19 for the tunnel group named firstgroup. They also define a DHCP network scope of 192.86.0.0 for the group policy called remotegroup. (The group policy called remotegroup is associated with the tunnel group called firstgroup). If you do not define a network scope, the DHCP server assigns IP addresses in the order of the address pools configured. It goes through the pools until it identifies an unassigned address.

The following configuration includes more steps than are necessary, in that previously you might have named and defined the tunnel group type as remote access, and named and identified the group policy as internal or external. These steps appear in the following examples as a reminder that you have no access to subsequent tunnel-group and group-policy commands until you set these values.

A summary of the configuration that these examples create follows:

hostname(config)# vpn-addr-assign dhcp
hostname(config)# tunnel-group firstgroup type ipsec-ra
hostname(config)# tunnel-group firstgroup general-attributes
hostname(config-general)# dhcp-server 172.33.44.19
hostname(config-general)# exit
hostname(config)# group-policy remotegroup internal
hostname(config)# group-policy remotegroup attributes
hostname(config-group-policy)# dhcp-network-scope 192.86.0.0

 

Author Comment

by:mev-net
ID: 34261774
I have the 'dhcp-server IP' and 'dhcp-network-scope scope' set up exactly as in your configuration.
For 'vpn-addr-assign dhcp' - even if this command is entered, it does not appear in the config.
The issue is still related to the DHCP client not being able to receive the IP from DHCP.

Here is my configuration:
group-policy RA-GROUP internal
group-policy RA-GROUP attributes
 wins-server value 192.168.1.1
 dns-server value 192.168.1.1 192.168.1.2
 dhcp-network-scope 192.168.111.0
 vpn-tunnel-protocol IPSec

tunnel-group ITgroup type ipsec-ra
tunnel-group ITgroup general-attributes
 authentication-server-group RA-AUTH
 default-group-policy RA-GROUP
 dhcp-server 192.168.1.2
 

Author Comment

by:mev-net
ID: 34262675
Here is the ASA log info related to the DHCP issue:

%ASA-7-609001: Built local-host inside:192.168.1.2
%ASA-6-302015: Built outbound UDP connection 13614 for inside:192.168.1.2/67 (192.168.1.2/67) to NP Identity Ifc:192.168.1.170/68 (192.168.1.170/68)
%ASA-7-713236: IP = 211.X.1.174, IKE_DECODE RECEIVED Message (msgid=a8800426) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 76
%ASA-7-715047: Group = ITgroup, Username = dom\user1, IP = 211.X.1.174, processing hash payload
%ASA-7-715047: Group = ITgroup, Username = dom\user1, IP = 211.X.1.174, processing notify payload
%ASA-5-713201: Group = ITgroup, Username = dom\user1, IP = 211.X.1.174, Duplicate Phase 2 packet detected.  No last packet to retransmit.
%ASA-5-713201: Group = ITgroup, Username = dom\user1, IP = 211.X.1.174, Duplicate Phase 2 packet detected.  No last packet to retransmit.
%ASA-7-715042: Group = ITgroup, Username = dom\user1, IP = 211.X.1.174, IKE received response of type [] to a request from the IP address utility
%ASA-3-713132: Group = ITgroup, Username = dom\user1, IP = 211.X.1.174, Cannot obtain an IP address for remote peer
%ASA-7-715065: Group = ITgroup, Username = dom\user1, IP = 211.X.1.174, IKE TM V6 FSM error history (struct &0x4053100)  <state>, <event>:  TM_DONE, EV_ERROR-->TM_BLD_REPLY, EV_IP_FAIL-->TM_BLD_REPLY, NullEvent-->TM_BLD_REPLY, EV_GET_IP-->TM_BLD_REPLY, EV_NEED_IP-->TM_WAIT_REQ, EV_PROC_MSG-->TM_WAIT_REQ, EV_HASH_OK-->TM_WAIT_REQ, NullEvent
%ASA-7-715065: Group = ITgroup, Username = dom\user1, IP = 211.X.1.174, IKE AM Responder FSM error history (struct &0x48229d8)  <state>, <event>:  AM_DONE, EV_ERROR-->AM_TM_INIT_MODECFG_V6H, EV_TM_FAIL-->AM_TM_INIT_MODECFG_V6H, NullEvent-->AM_TM_INIT_MODECFG, EV_WAIT-->AM_TM_INIT_XAUTH_V6H, EV_CHECK_QM_MSG-->AM_TM_INIT_XAUTH_V6H, EV_TM_XAUTH_OK-->AM_TM_INIT_XAUTH_V6H, NullEvent-->AM_TM_INIT_XAUTH_V6H, EV_ACTIVATE_NEW_SA
%ASA-7-713906: Group = ITgroup, Username = dom\user1, IP = 211.X.1.174, IKE SA AM:4cb2870a terminating:  flags 0x0945c001, refcnt 0, tuncnt 0
%ASA-7-713906: Group = ITgroup, Username = dom\user1, IP = 211.X.1.174, sending delete/delete with reason message
%ASA-7-715046: Group = ITgroup, Username = dom\user1, IP = 211.X.1.174, constructing blank hash payload
%ASA-7-715046: Group = ITgroup, Username = dom\user1, IP = 211.X.1.174, constructing IKE delete payload
%ASA-7-715046: Group = ITgroup, Username = dom\user1, IP = 211.X.1.174, constructing qm hash payload
%ASA-7-713236: IP = 211.X.1.174, IKE_DECODE SENDING Message (msgid=af65949b) with payloads : HDR + HASH (8) + DELETE (12) + NONE (0) total length : 76
%ASA-3-713902: Group = ITgroup, Username = dom\user1, IP = 211.X.1.174, Removing peer from peer table failed, no match!
%ASA-4-713903: Group = ITgroup, Username = dom\user1, IP = 211.X.1.174, Error: Unable to remove PeerTblEntry


192.168.1.2 - DHCP Server
192.168.1.170 - inside interface of the ASA VPN
211.X.1.174 - Public IP of the VPN client
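As an added example (not part of the original thread, and not Cisco's or the poster's code), the following Python script triages the log excerpt above the way a responder would: it groups %ASA messages by remote peer, flags message 713132 ("Cannot obtain an IP address for remote peer", the event that precedes the peer being torn down) and separately picks out the 302015 connection the ASA built to the DHCP server on UDP/67, so the two halves of the symptom in the question ("request is sent, but the client never gets the offer") appear side by side. The message ids and sample lines are copied from the post; the hint strings are this example's own wording of the thread's resolution.

```python
"""Triage of Cisco ASA IKEv1 remote-access syslog for DHCP address-assignment failures.

Added example for this thread (not code from the original post or from Cisco).
Message ids and sample lines are taken from the log excerpt posted above; the
public peer address keeps the thread's own redaction (211.X.1.174).
"""
import re
from collections import defaultdict

LOG_RE = re.compile(r"^%ASA-(?P<sev>\d)-(?P<msgid>\d+):\s*(?P<body>.*)$")
KV_RE = re.compile(r"\b(Group|Username|IP) = ([^,]+)")
# The 302015 "Built outbound UDP connection" from the DHCP server's port 67 to the
# ASA's relay address on port 68 is the only trace of the relayed DHCP exchange.
DHCP_RELAY_RE = re.compile(r"for \S+?:(?P<server>[\d.]+)/67 .* to [^:]+:(?P<relay>[\d.]+)/68")

MSG_UDP_BUILT = "302015"       # Built outbound UDP connection
MSG_DUP_PHASE2 = "713201"      # Duplicate Phase 2 packet detected
MSG_IP_ASSIGN_FAIL = "713132"  # Cannot obtain an IP address for remote peer


def parse_line(line):
    """Split one %ASA line into severity, message id, body and any Group/Username/IP fields."""
    m = LOG_RE.match(line.strip())
    if m is None:
        return None
    body = m.group("body")
    event = {"severity": int(m.group("sev")), "msgid": m.group("msgid"), "body": body}
    event.update((key.lower(), value.strip()) for key, value in KV_RE.findall(body))
    return event


def triage(lines):
    """Summarise the log per remote peer and list the DHCP requests the ASA relayed."""
    peers = defaultdict(lambda: {"group": None, "username": None,
                                 "ip_assign_failed": False, "dup_phase2": 0, "errors": []})
    relayed = []
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        if ev["msgid"] == MSG_UDP_BUILT:
            m = DHCP_RELAY_RE.search(ev["body"])
            if m:
                relayed.append({"server": m.group("server"), "relay": m.group("relay")})
            continue
        ip = ev.get("ip")
        if ip is None:  # e.g. 609001 "Built local-host" carries no peer address
            continue
        peer = peers[ip]
        peer["group"] = ev.get("group", peer["group"])
        peer["username"] = ev.get("username", peer["username"])
        if ev["msgid"] == MSG_IP_ASSIGN_FAIL:
            peer["ip_assign_failed"] = True
        elif ev["msgid"] == MSG_DUP_PHASE2:
            peer["dup_phase2"] += 1
        if ev["severity"] <= 3:  # ASA severities 0-3 are error level or worse
            peer["errors"].append(ev["msgid"])
    return {"dhcp_relayed": relayed, "peers": dict(peers)}


def explain(report):
    """One note per peer whose IP assignment failed, saying which leg to look at next."""
    servers = sorted({r["server"] for r in report["dhcp_relayed"]})
    notes = []
    for ip, peer in report["peers"].items():
        if not peer["ip_assign_failed"]:
            continue
        if servers:
            hint = ("ASA relayed DHCP to %s but no lease reached the peer; check routing between "
                    "the DHCP server, the ASA and the VPN pool" % ", ".join(servers))
        else:
            hint = "no DHCP relay connection logged; check dhcp-server under the tunnel-group"
        notes.append("%s (%s/%s): IP assignment failed after %d duplicate Phase 2 packets - %s"
                     % (ip, peer["group"], peer["username"], peer["dup_phase2"], hint))
    return notes


# Sample lines copied from the thread's log excerpt (raw strings: the username contains a backslash).
SAMPLE_LOG = [
    r"%ASA-7-609001: Built local-host inside:192.168.1.2",
    r"%ASA-6-302015: Built outbound UDP connection 13614 for inside:192.168.1.2/67 (192.168.1.2/67) to NP Identity Ifc:192.168.1.170/68 (192.168.1.170/68)",
    r"%ASA-7-713236: IP = 211.X.1.174, IKE_DECODE RECEIVED Message (msgid=a8800426) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 76",
    r"%ASA-5-713201: Group = ITgroup, Username = dom\user1, IP = 211.X.1.174, Duplicate Phase 2 packet detected.  No last packet to retransmit.",
    r"%ASA-5-713201: Group = ITgroup, Username = dom\user1, IP = 211.X.1.174, Duplicate Phase 2 packet detected.  No last packet to retransmit.",
    r"%ASA-3-713132: Group = ITgroup, Username = dom\user1, IP = 211.X.1.174, Cannot obtain an IP address for remote peer",
    r"%ASA-7-713906: Group = ITgroup, Username = dom\user1, IP = 211.X.1.174, sending delete/delete with reason message",
    r"%ASA-3-713902: Group = ITgroup, Username = dom\user1, IP = 211.X.1.174, Removing peer from peer table failed, no match!",
    r"%ASA-4-713903: Group = ITgroup, Username = dom\user1, IP = 211.X.1.174, Error: Unable to remove PeerTblEntry",
]

if __name__ == "__main__":
    for note in explain(triage(SAMPLE_LOG)):
        print(note)
```

Run against the excerpt it reports one peer, 211.X.1.174 in ITgroup, with the DHCP relay to 192.168.1.2 recorded and IP assignment failed; feeding it a full `logging buffered debugging` capture gives the same per-peer summary across many sessions.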

Accepted Solution

by:
mev-net earned 0 total points
ID: 34271361
I found the root of the issue:
The error ‘Duplicate Phase 2 packet detected.  No last packet to retransmit’ was related to a missing route. After redistributing the static routes for RAVPN IP ranges into the routing protocol, the issue was resolved and I’m able to get IP addresses from the external DHCP Server.

Thank you Genius anyway for the useful link.
 

Author Closing Comment

by:mev-net
ID: 34299469
The issue was not related to the group-policy and tunnel-group attributes configuration.
The DHCP scope and DHCP server were configured correctly.
I found out from other sources that a routing issue was causing the connectivity issue between the DHCP server and the remote client.
 

Expert Comment

by:Network-stuff
ID: 37026337
Please can you tell me what you mean by "After redistributing the static routes for RAVPN IP ranges into the routing protocol, the issue was resolved and I'm able to get IP addresses from the external DHCP Server."?
Did you redistribute the DHCP pool range? Please can you specify. Thanks

 

Author Comment

by:mev-net
ID: 37027226
! Route-map selecting the static routes to redistribute (its name must match the redistribute line)
route-map RM-REDISTRIBUTE-STATIC permit 10
 match ip route-source prefix-list PL-RAVPN-REVERSEROUTE

! Prefix covering the VPN client pool (the reverse routes for remote-access clients)
prefix-list PL-RAVPN-REVERSEROUTE seq 10 permit 192.168.111.0/24

router ospf 111
 redistribute static subnets route-map RM-REDISTRIBUTE-STATIC

192.168.111.0/24 - is the IP range used by VPN clients
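Added example, not from the thread or from Cisco: a Python consistency check for the pieces that had to line up for this fix, namely that the route-map named in `redistribute static` is actually defined, that the prefix-list it matches exists, that a `dhcp-server` is set under the tunnel-group, and that the `dhcp-network-scope` address falls inside a prefix the route-map permits, so the VPN pool route is the one being advertised. The two embedded configs are constructed from the thread's snippets; the first deliberately gives the route-map a name that differs from the one on the redistribute line, to show what the check reports.

```python
"""Consistency check for DHCP-assigned VPN pools plus static-route redistribution on a Cisco ASA.

Added example for this thread (not code from the original post or from Cisco). It parses only
the small subset of ASA configuration used here (prefix-list, route-map, router ospf,
group-policy, tunnel-group); both embedded configs are constructed from the thread's snippets.
"""
import ipaddress


def parse_config(text):
    """Pull prefix-lists, route-maps, redistribute statements and DHCP settings out of ASA config text."""
    cfg = {"prefix_lists": {}, "route_maps": {}, "redistributed": [], "dhcp_scopes": [], "dhcp_servers": []}
    ctx = None  # name of the route-map whose indented 'match' lines we are reading
    for raw in text.splitlines():
        parts = raw.split()
        if not parts or parts[0].startswith("!"):
            continue
        if not raw.startswith(" "):
            ctx = None  # any top-level command ends the current route-map block
        if parts[0] == "prefix-list" and "permit" in parts:
            # prefix-list NAME seq N permit A.B.C.D/len
            net = ipaddress.ip_network(parts[parts.index("permit") + 1])
            cfg["prefix_lists"].setdefault(parts[1], []).append(net)
        elif parts[0] == "route-map":
            ctx = parts[1]
            cfg["route_maps"].setdefault(ctx, [])
        elif parts[0] == "match" and "prefix-list" in parts and ctx is not None:
            cfg["route_maps"][ctx].append(parts[parts.index("prefix-list") + 1])
        elif parts[0] == "redistribute" and "route-map" in parts:
            cfg["redistributed"].append(parts[parts.index("route-map") + 1])
        elif parts[0] == "dhcp-network-scope":
            cfg["dhcp_scopes"].append(ipaddress.ip_address(parts[1]))
        elif parts[0] == "dhcp-server":
            cfg["dhcp_servers"].append(parts[1])
    return cfg


def check(cfg):
    """Return human-readable findings; an empty list means the pieces line up."""
    findings = []
    advertised = []  # prefixes that reach OSPF via 'redistribute static ... route-map'
    for rm in cfg["redistributed"]:
        if rm not in cfg["route_maps"]:
            findings.append("redistribute references route-map %s, which is not defined (defined: %s)"
                            % (rm, ", ".join(sorted(cfg["route_maps"])) or "none"))
            continue
        for pl in cfg["route_maps"][rm]:
            if pl not in cfg["prefix_lists"]:
                findings.append("route-map %s matches prefix-list %s, which is not defined" % (rm, pl))
            else:
                advertised.extend(cfg["prefix_lists"][pl])
    if not cfg["dhcp_servers"]:
        findings.append("no dhcp-server configured under a tunnel-group; VPN clients cannot be assigned addresses by DHCP")
    for scope in cfg["dhcp_scopes"]:
        if not any(scope in net for net in advertised):
            findings.append("dhcp-network-scope %s is not inside any redistributed prefix; the VPN pool route is not advertised"
                            % scope)
    return findings


# Constructed from the thread's snippets. The route-map is deliberately defined without the RM-
# prefix that the redistribute line uses, so the check has something to report.
BROKEN_CONFIG = """
group-policy RA-GROUP attributes
 dhcp-network-scope 192.168.111.0
tunnel-group ITgroup general-attributes
 dhcp-server 192.168.1.2
route-map REDISTRIBUTE-STATIC permit 10
 match ip route-source prefix-list PL-RAVPN-REVERSEROUTE
prefix-list PL-RAVPN-REVERSEROUTE seq 10 permit 192.168.111.0/24
router ospf 111
 redistribute static subnets route-map RM-REDISTRIBUTE-STATIC
"""

# Same configuration with the route-map name made consistent on both lines.
FIXED_CONFIG = BROKEN_CONFIG.replace("route-map REDISTRIBUTE-STATIC permit",
                                     "route-map RM-REDISTRIBUTE-STATIC permit")

if __name__ == "__main__":
    for label, text in (("broken", BROKEN_CONFIG), ("fixed", FIXED_CONFIG)):
        print(label, check(parse_config(text)) or ["ok"])
```

On the deliberately broken config the check reports the undefined route-map and, as a consequence, that 192.168.111.0 is not covered by any redistributed prefix; on the consistent version it returns nothing. Paste the relevant parts of `show running-config` in place of the constructed text to run it against a real device.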
