We recently upgraded our DNS/DHCP servers with newer hardware and a more up-to-date version of Linux.
The previous servers were not behind a firewall. The current servers are placed behind our ASA5510 appliance, and we have set up translations and access lists accordingly (please see config).
So we switched to the new servers and discovered that a number of our ADSL clients can NOT obtain an IP from the DHCP server behind the firewall UNLESS we have them assign their IP address to their PC or router statically; then, if they switch back to dynamic IP, they can obtain that same IP no problem.
Just to isolate the issue, we put the DHCP server on the outside and the problem went away (of course, we can't leave it on the outside for any extended amounts of time).
When I debugged DHCP relay, I could see that the firewall is passing the requests, and the DHCP server is replying, but the client never gets an IP unless we statically assign it first.
(In other words, "exchange complete" is the part that is missing prior to us having the customer statically assign the IP first).
I was hoping the issue was simply a mistake I made configuring the appliance; but if you think it might be a bug, then I will assume there's nothing wrong with the config (everything else works properly behind the firewall).
We had no choice but to put our DHCP server on the outside and harden the Linux system.
We'll have to leave it like this for now, as we can't afford any more customer downtime.
Therefore, I won't be able to perform packet capture any time soon.