05-29-2007 12:07 AM - edited 02-21-2020 03:04 PM
Hi
I've updated our firewall (a PIX 525) from 7.04 to the latest release and after that the DHCP via VPN seems to fail. Before, the clients got their addresses from two internal servers via a dhcp-server statement under the tunnel-group.
After the upgrade it worked fine for a while but after a couple of days it stopped leasing addresses. I temporarily solved the problem by setting up a local pool in the PIX. What do I have to do to get the servers working again? Do I have to configure DHCP relay?
Best regards
Tommy
05-29-2007 09:03 AM
Tommy,
Before you upgraded the PIX to version 7.0.4 did you have DHCP relay enabled?
Questions:
a. When you say DHCP via VPN - is this Site to Site (LAN to LAN) tunnels or Remote access VPN client connections?
b. When it fails, are you able to ping the DHCP server at that time?
c. Does the DHCP server have any lease available at the time the failure happens?
d. Did you run any DHCP debugs on the PIX firewall to see if there were any error messages?
Let me know.
Cheers
Gilbert
05-29-2007 09:36 AM
Hi Gilbert
I've been through the old config but couldn't find any dhcprelay enable.
And then the answers:
a. It's RA
b. Yes, I can ping them from the firewall
c. Yes, they have. In the DHCP server I get a message about "bad address"
d. Nope, haven't done that. Tried to write debug dhcp and tab but couldn't find any commands. Was a bit short of time though.
Do I need to enable dhcprelay to be able to get an address from the server? How does one normally set it up? Usually I just use the internal DHCP.
/Tommy
05-29-2007 10:04 AM
Tommy-
For the VPN clients, it's the normal DHCP server. You do not need to set up the DHCP relay for the VPN client connections.
When this happens, would it be possible to put a sniffer trace between the ASA and the DHCP server to see where it fails?
Let me know.
Cheers
Gilbert
05-29-2007 10:43 PM
It should be, I'll give it a try. As I understand it, the following config should be enough to enable the DHCP:
group-policy VPN_IL attributes
 dhcp-network-scope 192.168.11.0
tunnel-group VPN_IL general-attributes
 dhcp-server 192.168.10.38
 dhcp-server 192.168.10.21
The same servers act as RADIUS for the VPN RA.
/Tommy
05-30-2007 05:38 AM
Tommy
Also the command "vpn-addr-assign dhcp" should be configured globally.
Apart from that, the other commands look good.
Cheers
Gilbert
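The three pieces named in this thread (dhcp-server under the tunnel-group, dhcp-network-scope under the group-policy, and the global vpn-addr-assign dhcp) can be checked against a saved configuration. The following is an added example, not code from the thread or from Cisco; the function names are hypothetical, and it assumes sub-commands are indented as in "show running-config" and that the group-policy is found via default-group-policy or, failing that, shares the tunnel-group's name.

```python
import re
# Constructed sample: the thread's config, indented, without the global "vpn-addr-assign dhcp" line.
SAMPLE = """\
group-policy VPN_IL attributes
 dhcp-network-scope 192.168.11.0
tunnel-group VPN_IL general-attributes
 dhcp-server 192.168.10.38
 dhcp-server 192.168.10.21
"""
HEADER = re.compile(r"(group-policy|tunnel-group) (\S+) (?:general-)?attributes$")

def parse_blocks(text):
    """Return (global lines, {(kind, name): [indented sub-commands]})."""
    globals_, blocks, current = [], {}, None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line.strip() or line.lstrip().startswith("!"):
            continue
        m = HEADER.match(line)
        if line[0].isspace() and current is not None:
            blocks[current].append(line.strip())
        elif m:
            current = (m.group(1), m.group(2))
            blocks.setdefault(current, [])
        else:
            current = None
            globals_.append(line.strip())
    return globals_, blocks

def check_dhcp_assignment(text):
    """List what is missing for DHCP address assignment to RA VPN clients."""
    globals_, blocks = parse_blocks(text)
    findings = []
    for (kind, name), cmds in blocks.items():
        if kind != "tunnel-group" or not any(c.startswith("dhcp-server ") for c in cmds):
            continue
        if "no vpn-addr-assign dhcp" in globals_:
            findings.append(f"{name}: 'vpn-addr-assign dhcp' is explicitly disabled")
        elif "vpn-addr-assign dhcp" not in globals_:
            findings.append(f"{name}: 'vpn-addr-assign dhcp' not present globally")
        # Assumption: the policy is the tunnel-group's default-group-policy,
        # or a group-policy of the same name (as in the thread) if none is set.
        policy = next((c.split()[1] for c in cmds
                       if c.startswith("default-group-policy ")), name)
        scopes = [c.split()[1] for c in blocks.get(("group-policy", policy), [])
                  if c.startswith("dhcp-network-scope ")]
        if not scopes or scopes == ["none"]:
            findings.append(f"{name}: group-policy {policy} has no dhcp-network-scope")
    return findings
```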