
Obtain DHCP from remote server via VPN

Eyas
Level 1

Hi

I've updated our firewall (a PIX 525) from 7.04 to the latest release and after that the DHCP via VPN seems to fail. Before, the clients got their addresses from two internal servers via a dhcp-server statement under the tunnel-group.

After the upgrade it worked fine for a while, but after a couple of days it stopped leasing addresses. I temporarily solved the problem by setting up a local pool in the PIX. What do I have to do to get the servers working again? Do I have to configure DHCP relay?

Best regards

Tommy

5 Replies

ggilbert
Cisco Employee

Tommy,

Before you upgraded the PIX to version 7.0.4, did you have DHCP relay enabled?

Questions:

a. When you say DHCP via VPN - is it the Site to Site (LAN to LAN) tunnels or Remote Access VPN client connections?

b. When it fails, are you able to ping the DHCP server at that time?

c. Does the DHCP server have any lease available at the time the failure happens?

d. Did you run any DHCP debugs on the PIX firewall to see if there were any error messages?

Let me know.

Cheers

Gilbert

Hi Gilbert

I've been through the old config but couldn't find any dhcprelay enable.

And then the answers:

a. It's RA

b. Yes, I can ping them from the firewall

c. Yes, they have. In the DHCP server I get a message about "bad address"

d. Nope, haven't done that. Tried to write debug dhcp and tab but couldn't find any commands. Was a bit short of time though.

Do I need to enable dhcprelay to be able to get an address from the server? How does one normally set it up? Usually I just use the internal DHCP.

/Tommy

ggilbert
Cisco Employee

Tommy-

For the VPN clients, it's the normal DHCP server. You do not need to set up the DHCP relay for the VPN client connections.

When this happens, would it be possible to put a sniffer trace between the ASA and the DHCP server? See where it fails.

Let me know.

Cheers

Gilbert

It should be, I'll give it a try. As I understand it, the following config should be enough to enable the DHCP:

    group-policy VPN_IL attributes
     dhcp-network-scope 192.168.11.0
    tunnel-group VPN_IL general-attributes
     dhcp-server 192.168.10.38
     dhcp-server 192.168.10.21

The same servers act as RADIUS for the VPN RA.

/Tommy

ggilbert
Cisco Employee

Tommy

Also the command "vpn-addr-assign dhcp" should be configured globally.

Apart from that, the other commands look good.

Cheers

Gilbert
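
As an added example (not part of the thread and not Cisco tooling), this Python check reads a saved configuration and reports whether the three pieces discussed above are present: the global `vpn-addr-assign dhcp`, the `dhcp-server` entries under the tunnel-group, and the `dhcp-network-scope` under the group-policy. The function names are hypothetical, and reporting a missing global line as "not shown" rather than disabled is an assumption, since a running config may omit default settings.

```python
import re

# Constructed sample: the commands quoted in this thread, as pasted (no indentation).
THREAD_CONFIG = """\
group-policy VPN_IL attributes
dhcp-network-scope 192.168.11.0
tunnel-group VPN_IL general-attributes
dhcp-server 192.168.10.38
dhcp-server 192.168.10.21
"""

HEADERS = {
    "tunnel": re.compile(r"tunnel-group (\S+) general-attributes$"),
    "policy": re.compile(r"group-policy (\S+) attributes$"),
}

def audit_dhcp_assignment(config):
    """Collect the settings the thread names for remote-access DHCP assignment."""
    found = {"global": "not shown", "servers": {}, "scopes": {}}
    section = None  # (kind, name) of the block currently being read
    for raw in config.splitlines():
        line = raw.strip()
        words = line.split()
        if not words:
            continue
        header = None
        for kind, pattern in HEADERS.items():
            m = pattern.match(line)
            if m:
                header = (kind, m.group(1))
        if header:
            section = header
        elif line == "vpn-addr-assign dhcp":
            found["global"], section = "enabled", None
        elif line == "no vpn-addr-assign dhcp":
            found["global"], section = "disabled", None
        elif words[0] == "dhcp-server" and len(words) > 1 and section and section[0] == "tunnel":
            found["servers"].setdefault(section[1], []).append(words[1])
        elif words[0] == "dhcp-network-scope" and len(words) > 1 and section and section[0] == "policy":
            found["scopes"][section[1]] = words[1]
        elif not raw.startswith(" "):
            section = None  # any other unindented command ends the block
    return found

def findings(found):
    """Return human-readable problems; an empty list means nothing was flagged."""
    issues = []
    if found["servers"] and found["global"] != "enabled":
        issues.append("dhcp-server is set but 'vpn-addr-assign dhcp' is %s" % found["global"])
    if found["scopes"] and not found["servers"]:
        issues.append("dhcp-network-scope is set but no tunnel-group has a dhcp-server")
    return issues
```

Run against the configuration quoted in the thread, `findings()` flags only the global command as not shown, which is the item the final reply points to.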
