ASA IPSec Client VPN Subnet Mask

Unanswered Question
Oct 2nd, 2009

I'm currently testing an ASA 5520 to provide remote access to a network via IPSec. Everything is working fine, and when the clients connect to the ASA via IPSec, they get an IP address assigned from a DHCP server on the inside network. IP address assignment is working fine, but I've noticed that the subnet mask that is displayed when I run 'ipconfig' is incorrect. Instead of showing a subnet mask of, which is what it should be, I am seeing What controls this subnet mask? I would have expected, or maybe even I know the DHCP server is working properly, and VPN clients are working just fine, but I'm curious why the subnet mask is wrong.

For what it's worth, the VPN 3000 that this ASA will be replacing is set up with the exact same configuration, and when I IPSec into the VPN3000, I see the proper subnet mask.

Does anyone know why the subnet mask would be showing up incorrectly? Even though it is technically working, I'm concerned that maybe I may have overlooked something.



Yudong Wu Fri, 10/02/2009 - 17:08

Not sure if it is a bug.

Can you do a packet capture on the DHCP server to see what the DHCP request and offer packets look like?

sbader48220 Fri, 10/02/2009 - 17:45

I'm not able to get a packet capture on the DHCP server right now as it is a production domain controller, and I'd need to go through our change control process to install software on it.

I may be able to set up a quick lab at home sometime tomorrow to try and reproduce the issue. In the meantime, is there any debug I can run on the ASA itself to see the DHCP packets?



sbader48220 Fri, 10/02/2009 - 20:38

Okay, I just spent some time looking at this in much more detail. I was mistaken; when DHCP is used, the subnet mask is correct.

The problem I am having though is when using a framed-ip address sent by the RADIUS server. In this situation, my username has a framed IP address of, and the correct subnet mask is However, when I connect, I'm getting a subnet mask of The RADIUS server is MS IAS, and for AnyConnect, I'm actually using LDAP authentication into AD with an ldap attribute map to pull the static IP address from AD.

Neither the RADIUS server nor AD has the subnet mask. Our VPN 3000 for some reason knows the proper subnet mask, but the ASA does not. The ASA has an interface on this subnet, so it should know the mask, but it looks like it is defaulting to a classless mask.

Is there any way to fix this?

I appreciate all of the help, and apologize for the initial confusion.



Yudong Wu Sun, 10/04/2009 - 22:28

I am not familiar with this setting.

It looks like the client just picked the class A subnet for the 10.x.x.x network.

What's your ASA version?

cfnisupport Mon, 10/05/2009 - 05:36

The version is 8.2(1)1. I'm going to open a TAC case today and see what they say.

I'll let you know.



