Link to home
Start Free TrialLog in
Avatar of Tercestisi
TercestisiFlag for United States of America

asked on

Cisco ASA 5505 no longer pickup up DHCP lease from ISP

Cisco ASA 5505 running 8.5(5)

This is at a remote site about 9 hours away, so no physical access other than telling someone to do something there. I however have remote access to device via SSH or ASDM due the employee having a Verizon WWAN device there to connect to his laptop with.

Problem: Last week employee called ISP to tell them Internet didn't work; problem has remained since then. Somehow NetINS got a request from them to change the MAC address they use to authenticate for ISP services, and supposedly they did some rewiring at his premise. We went through multiple steps of getting NetINS to use the correct MAC address (eth0/0 on ASA) and we are now back on track there (assigning eth0/0 MAC address directly to W7 PC via registry, and plugging directly into wall where link comes from ISP, now gives us the correct static reservation and routing).

However, the issue is that I cannot get the ASA to pick up a DHCP lease. In fact, I do not even see it giving out requests for one. I currently am mirroring the WAN port on the ASA and capturing with Wireshark, however I have not seen a single request come from the ASA (filtering on bootp protocol). I have disabled, renabled, redid dhcp global configs, etc. reboot reboot yada yada yada... nothing; she seems a bit dead.

Any ideas here? What is my next logical step here?
Avatar of SebastianAbbinanti
SebastianAbbinanti
Flag of United States of America image

Can we see your config (sanitized)?

Thanks,
S.
Avatar of Tercestisi

ASKER

Working on a scrubbed-config; got a little tied up elsewhere and lost the connection as well.

While I scrub the config, I am now seeing DHCP discover coming out of the ASA (I had switched the outside interface to eth0/3 earlier and had not switched it back). However, I'm seeing that the source address is the int. MAC address assigned to eth0, not the ext. MAC address assigned to eth0/0. The ISP is also seeing requests originating from the int. MAC address on their end.
Using ASDM, select the interface you want, click edit.
Under the "Advanced" Tab. Set the active MAC address to what ever it should be.

Apply.

Unplug the interface, and plug it back in.

That should do it.

Thanks,
S.
ASA Version 8.2(5) 
!
hostname XXXXXX
domain-name XXXXXX
enable password XXXXXX
passwd XXXXXX

!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
 switchport monitor Ethernet0/0 
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 10.10.12.1 255.255.255.0 
!
interface Vlan2
 nameif outside
 security-level 0
 ip address dhcp setroute 
!
ftp mode passive
dns server-group DefaultDNS
 domain-name XXXXXX
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object-group network DM_INLINE_NETWORK_1
 network-object XXXXXX
 network-object XXXXXX
 network-object XXXXXX
 network-object XXXXXX
 network-object XXXXXX
object-group network DM_INLINE_NETWORK_2
 network-object XXXXXX
 network-object XXXXXX
 network-object XXXXXX
 network-object XXXXXX
 network-object XXXXXX
 network-object XXXXXX
access-list outside_cryptomap_1 extended permit ip XXXXXX 255.255.255.0 XXXXXX 255.255.255.0 
access-list outside_cryptomap extended permit ip XXXXXX 255.255.255.0 object-group DM_INLINE_NETWORK_1 
access-list inside_nat0_outbound extended permit ip any object-group DM_INLINE_NETWORK_2 
access-list outside_access_in extended permit tcp any any eq 3389 
access-list outside_access_in_1 extended permit tcp any any eq 3389 
pager lines 24
logging enable
logging asdm notifications
mtu inside 1500
mtu outside 1500
ip local pool VPN_DHCP 192.168.110.200-192.168.110.250 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
icmp permit any inside
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) tcp interface 3389 Personal 3389 netmask 255.255.255.255 
access-group outside_access_in in interface outside
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL 
http server enable
http XXXXXX inside
http XXXXXX inside
http XXXXXX inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac 
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac 
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac 
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac 
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac 
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac 
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac 
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac 
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac 
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac 
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map5 1 match address outside_cryptomap
crypto map outside_map5 1 set peer XXXXXX 
crypto map outside_map5 1 set transform-set ESP-AES-256-SHA
crypto map outside_map5 2 match address outside_cryptomap_1
crypto map outside_map5 2 set peer XXXXXX
crypto map outside_map5 2 set transform-set ESP-AES-256-SHA
crypto map outside_map5 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map5 interface outside
crypto isakmp enable outside
crypto isakmp policy 30
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 60
 authentication pre-share
 encryption aes-192
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 90
 authentication pre-share
 encryption aes
 hash sha
 group 2
 lifetime 86400
telnet timeout 5
ssh XXXXXX inside
ssh XXXXXX inside
ssh XXXXXX inside
ssh timeout 5
console timeout 0
management-access inside
dhcp-client client-id interface outside
dhcpd auto_config outside
!
dhcpd address XXXXXX inside
dhcpd dns XXXXXX interface inside
dhcpd wins XXXXXX interface inside
dhcpd domain XXXXXX interface inside
dhcpd enable inside
!

threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
group-policy GroupPolicy3 internal
group-policy GroupPolicy3 attributes
 dns-server value XXXXXX
 vpn-tunnel-protocol IPSec l2tp-ipsec 
 split-tunnel-network-list value XXXXXX
 address-pools value VPN_DHCP
group-policy GroupPolicy2 internal
group-policy GroupPolicy2 attributes
 vpn-tunnel-protocol IPSec 
group-policy GroupPolicy1 internal
group-policy GroupPolicy1 attributes
 vpn-tunnel-protocol IPSec 
username XXXXXX password XXXXXX privilege 15
username XXXXXX password XXXXXX
tunnel-group XXXXXX type ipsec-l2l
tunnel-group XXXXXX ipsec-attributes
 pre-shared-key *****
tunnel-group XXXXXX type ipsec-l2l
tunnel-group XXXXXX general-attributes
 default-group-policy GroupPolicy2
tunnel-group XXXXXX ipsec-attributes
 pre-shared-key *****
tunnel-group VPN type remote-access
tunnel-group VPN general-attributes
 address-pool VPN_DHCP
 default-group-policy GroupPolicy3
tunnel-group VPN ipsec-attributes
 pre-shared-key *****
!
class-map inspection_default
 match default-inspection-traffic
class-map end
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global-policy
 class inspection_default
  inspect dns 
  inspect ftp 
  inspect http 
  inspect icmp 
  inspect icmp error 
!
service-policy global-policy global
prompt hostname context 
no call-home reporting anonymous
Cryptochecksum:XXXXXX
: end

Open in new window

Sebastian,

Tried that a couple hours ago but no-go; will try again though.
Also of note, I don't think is a MAC address problem as the ISP still delivers an IP address from their general pool if there is no match on MAC address... it's only to assign static. That we're getting nothing on ASA as far as IP addresses makes me think this is a different matter. To clarify, I plugged in the laptop directly to ISP connection and received an IP address without first changing the MAC address on the laptop, and then changed MAC address and received the one we want; in both scenarios I received an IP address... I receive nothing on ASA.
Try this.

from the CLI type
no dhcp-client client-id interface outside

See if this makes a difference.

Thanks,
S.
Didn't make a difference.
Seeing a lot of DHCP Discover messages from ASA now; and an Inform from ISP end. However, nothing gets past there.
Didn't attach file.
snip.jpg
What are you attaching to? A modem, switch? Try reseting it. We might be looking at an old CAM table entry or even an ARP Cache issue on the far end. Try a hard reset of the device between the ASA and the IP.

We should be seeing DHCP OFFER messages from the DHCP server at the far end.

Thanks,
S.
This is attached to a RF receiver mounted on the house... no internal modem or anything to plug into. There is a power booster going to the antenna and that's about it. We have removed power to this device already.
let try disabling the IP address on the interface with the following commands:

int vlan 2
no ip add

and reenabling it with the following commands:

dhcp client route dist 1
ip add dhcp setroute

Also, when you disable, remove and restore power to the RF antenna.

Thanks,
S>
Performed steps exactly as written; same scenario.
One last command. I know we previously removed it, but we can try again. Also, can you provided me with the entire content of a DHCPDISCOVER Message?

This is the command: dhcp-client client-id interface outside.

Thanks,
S.
I added that about 10 minutes ago; no change.

Thanks for the help though; a tad bit odd!

The full packet is attached; rename extension to .pcapng
DHCP-Discover.jpg
File is damaged. please reupload.

Thanks,
S.
You saved link as, saved, and then renamed to correct extension? You will need Wireshark to open it. Experts-Exchange did not allow the file extension to be uploaded, nor a .zip file containing it.
Your discovers look well formed. I would work with your ISP again. Are you able to confirm that the proper MAC address is that contained in the source of the DHCP DISCOVER message?

Thanks,
S.
Yes, that is the proper MAC address. However, I don't know why it was sending out the :aa instead of :a2 by default (until I set the active MAC to :a2). Is it normal for it to have the source MAC as the int eth0 and not the ext eth0/0?
Well I think we've exhausted all possibilities I can think of. Worked with NetINS for quite a few hours. They turned of MAC authentication, tried a non DHCP-reserved but static IP, etc. Laptop hooked directly into power booster that goes to antenna works just fine, ASA not. We even shipped out a brand new ASA, redid the config from scratch, and have the same results.

No ingress or egress traffic over the outside interface at all.

Any other ideas here?
ASKER CERTIFIED SOLUTION
Avatar of SebastianAbbinanti
SebastianAbbinanti
Flag of United States of America image

Link to home
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
Start Free Trial
Good idea, I'll have to try that on Thursday when the user has returned.

We had the ISP remote into the computer and take a look at the ASA as well.

They stated they couldn't ping the ASA from their gateway device, but capturing packets on the ASA showed that the ASA did receive the ICMP:

Built inbound ICMP connection for faddr Gateway_IP gaddr WAN_IP laddr WANIP
Teardown ICMP connection for faddr Gateway_IP gaddr WAN_IP laddr WANIP
Teardown local-host outside:Gateway_IP duration 0:00:00

They are thinking it's the ASA, and are claiming it's nothing on their end. We've tried two ASA's now, both with fresh configs, and these configs are about the simplest they get.