06-11-2008 05:52 AM - edited 02-21-2020 02:03 AM
Hi,
On my ASA (with ASDM) I configured the DHCP server in the management tab to allow dynamic IP assignment for my LAN devices (on the inside interface). I tried to allow IP assignment via my LAN DHCP server for my VPN SSL client located on a remote site, but it didn't work (they mount the tunnel on the outside interface of the ASA). I would have liked to know if someone could advise me how to do so. When I checked the DHCP box in the different connection profiles, my client still didn't receive any address. Is there anything I need to allow to perform this action? I hope someone can help.
PS: Here is the message I get when I start the Cisco AnyConnect client:
"An error was received from the secure gateway in response to the vpn negociation request. Please contact your network administrator. The following message was received from the remote VPN device: No assigned Address"
Best regards.
06-17-2008 12:03 PM
The error message indicates that the ASA returned an HTTP error to the client when the client attempted to establish an SSL connection.
06-17-2008 01:14 PM
I understand this too. But deeper, it means that my LAN DHCP server can't deliver an IP address to my VPN SSL client. I don't understand why!! As long as you check the "DHCP" box it should work, but at the moment it doesn't. Can you help me?
Best Regards,
06-18-2008 05:12 AM
Can you post output of webvpn debugs?
Regards
Farrukh
06-18-2008 06:27 AM
Here is a copy of syslog entries which best describe what is happening:
"Device completed SSL handshake with client outside: X.X.X.X:XXXX"
"TunnelGroup
The SSL connection starts without problems, but as soon as I need to be assigned an IP address, it doesn't work. The odd thing is that in both profiles the DHCP box is checked.
Can someone help?
Best regards
06-18-2008 06:31 AM
Can you post the webvpn related CLI configuration?
Regards
Farrukh
06-18-2008 06:45 AM
Hi, here is what you asked me for:
"
webvpn
 enable inside
 enable outside
 csd image disk0:/securedesktop-asa-3.2.1.103-k9.pkg
 svc image disk0:/anyconnect-win-2.2.0128-k9.pkg 3
 svc enable
 cache
  max-object-size 5000
group-policy DfltGrpPolicy attributes
 dns-server value X.X.X.X
 dhcp-network-scope X.X.X.X
 vpn-tunnel-protocol IPSec l2tp-ipsec svc webvpn
 default-domain value XXXXXX
 intercept-dhcp 255.255.255.XXX enable
 nac-settings value DfltGrpPolicy-nac-framework-create
 webvpn
  url-list value Lan_Applications
  svc keepalive none
  svc dpd-interval client none
  svc dpd-interval gateway none
  svc ask enable default webvpn
  customization value DfltCustomization
tunnel-group DefaultRAGroup general-attributes
 authentication-server-group (outside) LOCAL
 authorization-server-group LOCAL
 authorization-server-group (outside) LOCAL
 dhcp-server XXX.XXX.XXX.XXX
tunnel-group DefaultWEBVPNGroup general-attributes
 authentication-server-group (outside) LOCAL
 authorization-server-group LOCAL
 authorization-server-group (outside) LOCAL
 dhcp-server XXX.XXX.XXX.XXX
 authorization-required
"
Best Regards,
Jeyriku
06-18-2008 11:29 AM
Do you have the following in your configuration:
"vpn-addr-assign dhcp"
Note: DHCP assignment is disabled by default
Regards
Farrukh
06-18-2008 12:41 PM
Hi,
Many thanks for your response.
No, it doesn't appear, but it should, as I already typed it before.
But the following appears:
"no vpn-addr-assign aaa
no vpn-addr-assign local"
Do you have an idea why it doesn't appear?
Best regards,
06-18-2008 05:49 PM
No, that is OK; it means AAA and LOCAL are now disabled, and DHCP is enabled.
Can you post more aggressive debugs?
Regards
Farrukh
06-18-2008 11:55 PM
Hi,
Can you tell me what I need to do? What do you mean by "more aggressive"?
Kind regards,
06-19-2008 12:03 AM
I meant more detailed/verbose debugs, please attach the output of the following:
debug dhcpd event
debug dhcprelay event
debug webvpn tunnel
debug webvpn svc
debug webvpn html
Regards
Farrukh
06-19-2008 12:08 AM
Ok,
I'll do that for you and will keep you updated.
Many thanks for your help.
Regards,
06-19-2008 12:47 AM
06-19-2008 01:50 AM
The issue seems to be your DHCP server; check the DHCP server IP/scope once again. Also check any logs on the DHCP server end.
7|Jun 19 2008 10:00:10|711001: Validating address: 0.0.0.0
7|Jun 19 2008 10:00:10|711001: CSTP state = WAIT_FOR_ADDRESS
7|Jun 19 2008 10:00:10|711001: webvpn_cstp_accept_address: 0.0.0.0/0.0.0.0
7|Jun 19 2008 10:00:10|711001: webvpn_cstp_accept_address: no address?!?
7|Jun 19 2008 10:00:10|711001: CSTP state = HAVE_AD
Regards
Farrukh
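The failure pattern in the debug output above can be picked out of a longer capture automatically. This is an added example, not code from the thread or from Cisco: `find_address_failures` is a hypothetical helper, the first four sample lines are the complete ones from the post, and the last three are constructed to show a session that does receive an address.

```python
import ipaddress
import re

# Line shape as pasted in the thread: severity|timestamp|msgid: text
LINE_RE = re.compile(r"^(\d)\|([^|]+)\|(\d+): (.*)$")
ACCEPT_RE = re.compile(r"^webvpn_cstp_accept_address: (\S+)/(\S+)$")

def find_address_failures(lines):
    """Return (timestamp, reason) for each tunnel that waited for an address and got none."""
    failures = []
    waiting = False
    for raw in lines:
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # not a debug syslog line in this format
        _sev, ts, _msgid, text = m.groups()
        if text == "CSTP state = WAIT_FOR_ADDRESS":
            waiting = True
            continue
        a = ACCEPT_RE.match(text)
        if a and waiting:
            waiting = False
            try:
                addr = ipaddress.ip_address(a.group(1))
            except ValueError:
                failures.append((ts, "unparseable address " + a.group(1)))
                continue
            if addr.is_unspecified:  # 0.0.0.0 means nothing was handed out
                failures.append((ts, "no usable address assigned (%s)" % addr))
    return failures

# First four lines are from the thread; the last three are constructed.
SAMPLE = """\
7|Jun 19 2008 10:00:10|711001: Validating address: 0.0.0.0
7|Jun 19 2008 10:00:10|711001: CSTP state = WAIT_FOR_ADDRESS
7|Jun 19 2008 10:00:10|711001: webvpn_cstp_accept_address: 0.0.0.0/0.0.0.0
7|Jun 19 2008 10:00:10|711001: webvpn_cstp_accept_address: no address?!?
7|Jun 19 2008 10:05:42|711001: Validating address: 192.0.2.10
7|Jun 19 2008 10:05:42|711001: CSTP state = WAIT_FOR_ADDRESS
7|Jun 19 2008 10:05:42|711001: webvpn_cstp_accept_address: 192.0.2.10/255.255.255.0
""".splitlines()

if __name__ == "__main__":
    for ts, reason in find_address_failures(SAMPLE):
        print(ts, "-", reason)
```

Each hit gives a timestamp to line up against the DHCP server's own logs, which is the next check suggested in the thread.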