AnyConnect uses Windows DHCP servers, but with incorrect subnet mask

ronnieshih (Level 1)

I have the AnyConnect VPN profile configured to use 2 internal Windows DHCP servers as the IP address assignment server. I can VPN in and get an IP just fine; the subnet network address is 10.180.160.0/24. However, it looks like the Cisco ASA is using RFC 1918 to assign the subnet mask as 255.0.0.0. I need it to either assign the correct subnet mask or pull the correct subnet mask from the DHCP server. I'm not going to use a pool on the ASA, as I've centralized all DHCP setup on 2 servers.

 

thanks!

Accepted Solution

A quick update on this. The ASA IOS software was updated from 9.1.7(6) to 9.1.7(23) to fix a vulnerability in the Cisco AnyConnect HTTPS protocol, but it actually fixed this DHCP issue as well. So the old-as-the-hills ASA actually works.

8 Replies

Not sure why it's working like that in your setup, but that's not general behavior. I use it in a similar way, and I get my 10.a.b.c address with a /25 netmask, as it is configured on the DHCP-server.

What is your config and environment?

2 Windows 2012 R2 DHCP servers. Obviously a Windows machine inside always gets the 255.255.255.0 subnet mask, but that is not the case when users connect via VPN. A mask of 255.0.0.0 is always handed out. The ASA 5510 is on v9.1(7), relatively new. If there is a fix somehow after v9.1(7), then please let me know.

 

Relevant section of the ASA config here, nothing special:

tunnel-group AnyConnect type remote-access
tunnel-group AnyConnect general-attributes
 authentication-server-group RADIUS LOCAL
 default-group-policy AnyConnect
 dhcp-server 10.180.160.61
 dhcp-server 10.180.160.62
 password-management password-expire-in-days 3
tunnel-group AnyConnect webvpn-attributes
 radius-reject-message
 group-alias AnyConnect enable

Both the ASA and the ASA software are old as the hills... For the software, you should anyhow upgrade to the newest interim release because of the newest critical vulnerability.

How is the group-policy configured where you select the right DHCP-pool?

haha, not my call to upgrade right away or not to the new line of ASA, customer's money is always tight.  $35k for a firewall or a company car?  hmm...

 

Relevant section of the group policy. I don't think it's relevant, because no DHCP option is specified here:

group-policy AnyConnect attributes
 dns-server value 10.180.160.61 10.180.160.62
 vpn-idle-timeout 30
 vpn-tunnel-protocol ssl-client
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value REMOTE-CISCOVPN_splitTunnelAcl_1
 default-domain value royal.local

Try the following:

group-policy AnyConnect attributes
 dhcp-network-scope 10.180.160.0

The 10.180.160.0 is the scope on the DHCP server that you want to use.
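The check a practitioner would want at this point, as an added example that is not Cisco code and not from any post in this thread: a small Python audit that parses an ASA running-config, flags every tunnel-group that delegates address assignment to external dhcp-server entries while its default group-policy carries no dhcp-network-scope, and shows the classful mask a client would receive if the ASA fell back to the address class (10.0.0.0/8 is class A, so the fallback mask is the 255.0.0.0 the original poster saw). SAMPLE_CONFIG is constructed from the snippets posted above, indented the way `show running-config` prints sub-commands; the second sample adds the dhcp-network-scope line suggested in the reply above. diagnose_client classifies the address and mask a connected client actually reports (for example from ipconfig on the AnyConnect adapter).

```python
"""Audit an ASA config for AnyConnect tunnel-groups that use external DHCP
servers without a dhcp-network-scope, and classify the mask a client got.
Added example for this thread; not Cisco code. Config text is constructed."""
import ipaddress
import re

# Constructed from the thread's snippets; not a complete running-config.
SAMPLE_CONFIG = """\
group-policy AnyConnect attributes
 dns-server value 10.180.160.61 10.180.160.62
 vpn-idle-timeout 30
 vpn-tunnel-protocol ssl-client
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value REMOTE-CISCOVPN_splitTunnelAcl_1
 default-domain value royal.local
tunnel-group AnyConnect type remote-access
tunnel-group AnyConnect general-attributes
 authentication-server-group RADIUS LOCAL
 default-group-policy AnyConnect
 dhcp-server 10.180.160.61
 dhcp-server 10.180.160.62
 password-management password-expire-in-days 3
tunnel-group AnyConnect webvpn-attributes
 radius-reject-message
 group-alias AnyConnect enable
"""

# Same config with the dhcp-network-scope line the reply above suggests.
SAMPLE_CONFIG_WITH_SCOPE = SAMPLE_CONFIG.replace(
    "group-policy AnyConnect attributes\n",
    "group-policy AnyConnect attributes\n dhcp-network-scope 10.180.160.0\n",
)


def classful_mask(ip):
    """Pre-CIDR default mask by address class; 10.x is class A -> 255.0.0.0."""
    first_octet = int(ipaddress.IPv4Address(ip)) >> 24
    if first_octet < 128:
        return "255.0.0.0"
    if first_octet < 192:
        return "255.255.0.0"
    return "255.255.255.0"


def parse_sections(config):
    """Map (kind, name) -> sub-commands for tunnel-group / group-policy blocks.
    The several `tunnel-group NAME <mode>` lines of one name merge into one
    entry; sub-commands are the space-indented lines under a parent line."""
    sections = {}
    current = None
    for line in config.splitlines():
        m = re.match(r"^(tunnel-group|group-policy)\s+(\S+)\s+\S+", line)
        if m:
            current = sections.setdefault((m.group(1), m.group(2)), [])
        elif line.startswith(" ") and current is not None:
            current.append(line.strip())
        else:
            current = None  # some other top-level command
    return sections


def audit(config, expected_prefix):
    """One finding per tunnel-group using dhcp-server; expected_prefix is the
    scope the DHCP server really hands out (here 10.180.160.0/24)."""
    sections = parse_sections(config)
    net = ipaddress.ip_network(expected_prefix, strict=False)
    findings = []
    for (kind, name), cmds in sections.items():
        if kind != "tunnel-group":
            continue
        servers = [c.split()[1] for c in cmds if c.startswith("dhcp-server ")]
        if not servers:
            continue
        policy = next((c.split()[1] for c in cmds
                       if c.startswith("default-group-policy ")), None)
        policy_cmds = sections.get(("group-policy", policy), [])
        scope = next((c.split()[1] for c in policy_cmds
                      if c.startswith("dhcp-network-scope ")), None)
        expected = str(net.netmask)
        classful = classful_mask(str(net.network_address))
        findings.append({
            "tunnel_group": name,
            "dhcp_servers": servers,
            "group_policy": policy,
            "dhcp_network_scope": scope,
            "expected_mask": expected,
            "classful_mask": classful,
            # True when a classful fallback would hand out the wrong mask
            "mask_mismatch_if_classful": expected != classful,
        })
    return findings


def diagnose_client(ip, mask, expected_prefix):
    """Classify the address/mask a connected client actually received."""
    net = ipaddress.ip_network(expected_prefix, strict=False)
    if ipaddress.IPv4Address(ip) not in net:
        return "address outside expected scope"
    if mask == str(net.netmask):
        return "ok"
    if mask == classful_mask(ip):
        return "classful fallback"
    return "unexpected mask"


if __name__ == "__main__":
    for cfg in (SAMPLE_CONFIG, SAMPLE_CONFIG_WITH_SCOPE):
        print(audit(cfg, "10.180.160.0/24"))
    print(diagnose_client("10.180.160.50", "255.0.0.0", "10.180.160.0/24"))
```

Run it against a saved `show running-config`; a finding with `dhcp_network_scope: None` and `mask_mismatch_if_classful: True` is exactly the configuration in this thread. The audit only tells you the ASA has nothing pinning the scope; whether a given software release then falls back to the classful mask is something to confirm on the client with diagnose_client rather than assume.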

I actually already tried that, and VPN connectivity fails during IP assignment, which made the problem worse. Any other ideas?

I would continue troubleshooting on the server why no addresses are assigned when the scope is defined.
