Cisco Support Community
New Member

Wireless Clients can't get DHCP address through ASA relay

Hello! I'm having trouble getting wireless clients an IP address from our Windows server through an ASA dhcp relay. Here's my basic setup:

Wifi client ---> 1042N AP ---> 2960 Switch ---> ASA 5520 ---> Win 2008 DHCP/RADIUS server

  • I have 4 SSIDs on separate VLANs.
  • I can get a DHCP IP on any of the AP's native interfaces (if I set it to DHCP) but not on any clients that connect to the SSID assigned to it.
  • The clients authenticate to RADIUS (same server as DHCP) and the AP shows authenticated, but still no DHCP address.
  • Ports 67 & 68 are open on all VLANs on the ASA.
  • The switchport is trunked with a native VLAN.
  • Relaying is set up on the ASA for all of the VLAN interfaces.
  • All the interfaces on the AP have ip helper addresses pointing to the Windows Server.
  • The VLAN interfaces on the switch all have IP helper addresses pointing to the Windows Server.

Help? I'll post configs if anyone needs them.

8 REPLIES
VIP Purple

Wireless Clients can't get DHCP address through ASA relay

You only need the ip helper on the L3 interface that terminates your VLAN. If the 2960 is not set up for L3 switching, you should remove that config from the switch and the AP.

On the ASA you don't need to "open" or allow DHCP in any ACL. If you have that config it won't hurt, but it also won't help.

What could be wrong:

1) the DHCP-relay on the ASA

2) The bridge-group config on the AP

3) The switchports connecting the AP and the ASA.

Post the relevant config and then it should be possible to find out what's going wrong.

-- Don't stop after you've improved your network! Improve the world by lending money to the working poor: http://www.kiva.org/invitedby/karsteni
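
The relay function this reply is talking about, modelled as an added example (not code from the thread or from Cisco): the relay stamps giaddr with the address of the interface the request arrived on, the server picks the scope from giaddr and sends its reply back to the relay, and the relay maps the reply to an interface by giaddr and hands it to the client. The relay interface DC1B 192.168.19.33/27 and the server 192.168.20.10 are taken from the configs later in the thread, the client MAC and xid from the debug output at the end; the pool start and the second interface are constructed.

```python
# Added example, not code from the thread: a minimal model of what a DHCP relay
# such as the ASA's "dhcprelay" does, following RFC 2131. Relay interface
# DC1B 192.168.19.33/27 and server 192.168.20.10 come from the posted configs;
# the client MAC/xid are the ones in the posted debug output; the pool start
# and the second interface are constructed.
import ipaddress
import struct

BOOTREQUEST, BOOTREPLY = 1, 2
DHCPDISCOVER, DHCPOFFER = 1, 2
MAGIC = b"\x63\x82\x53\x63"
FMT = "!BBBBIHH4s4s4s4s16s64s128s"   # RFC 2131 fixed fields, 236 bytes
BROADCAST_FLAG = 0x8000
CLIENT = bytes.fromhex("cc3a6124c7f6")

def pack_ip(s):
    return ipaddress.IPv4Address(s).packed

def build(op, xid, chaddr, *, msg_type, yiaddr="0.0.0.0", giaddr="0.0.0.0", flags=0, hops=0):
    """BOOTP header + magic cookie + option 53 (message type) + end option."""
    hdr = struct.pack(FMT, op, 1, 6, hops, xid, 0, flags, pack_ip("0.0.0.0"), pack_ip(yiaddr),
                      pack_ip("0.0.0.0"), pack_ip(giaddr), chaddr.ljust(16, b"\0"),
                      b"\0" * 64, b"\0" * 128)
    return hdr + MAGIC + bytes([53, 1, msg_type, 255])

def parse(pkt):
    f = struct.unpack(FMT, pkt[:236])
    if pkt[236:240] != MAGIC:
        raise ValueError("not a DHCP message")
    return {"op": f[0], "hops": f[3], "xid": f[4], "flags": f[6], "chaddr": f[11][:f[2]],
            "yiaddr": str(ipaddress.IPv4Address(f[8])),
            "giaddr": str(ipaddress.IPv4Address(f[10])), "msg_type": pkt[242]}

class Relay:
    """The relay: stamp giaddr on requests, map replies back to an interface by giaddr."""
    def __init__(self, interfaces, server):
        self.ifs = {n: ipaddress.ip_interface(a) for n, a in interfaces.items()}  # nameif -> addr/len
        self.server = server

    def relay_request(self, ifname, pkt):
        f = parse(pkt)
        if f["op"] != BOOTREQUEST:
            return None
        # giaddr = address of the interface the request came in on; the server picks the scope from it
        giaddr = f["giaddr"] if f["giaddr"] != "0.0.0.0" else str(self.ifs[ifname].ip)
        fwd = build(BOOTREQUEST, f["xid"], f["chaddr"], msg_type=f["msg_type"],
                    giaddr=giaddr, flags=f["flags"], hops=f["hops"] + 1)
        return self.server, fwd                     # unicast to the server, UDP/67

    def relay_reply(self, pkt):
        f = parse(pkt)
        if f["op"] != BOOTREPLY:
            return None
        for name, iface in self.ifs.items():
            if str(iface.ip) == f["giaddr"]:        # giaddr says which interface the client is on
                dst = "255.255.255.255" if f["flags"] & BROADCAST_FLAG else f["yiaddr"]
                return name, dst, f["chaddr"], pkt  # unicast to yiaddr/chaddr unless client asked for broadcast
        return None                                 # giaddr is not ours: drop

class Server:
    """Scope selection by giaddr (RFC 2131 4.3.1); the reply goes to the relay, not the client."""
    def __init__(self, scopes):
        self.next_ip = {ipaddress.ip_network(n): ipaddress.IPv4Address(p) for n, p in scopes.items()}

    def handle(self, pkt):
        f = parse(pkt)
        gi = ipaddress.IPv4Address(f["giaddr"])
        net = next((n for n in self.next_ip if gi in n), None)
        if net is None:
            raise LookupError(f"no scope for giaddr {gi}")
        yiaddr, self.next_ip[net] = self.next_ip[net], self.next_ip[net] + 1
        reply = build(BOOTREPLY, f["xid"], f["chaddr"], msg_type=DHCPOFFER,
                      yiaddr=str(yiaddr), giaddr=f["giaddr"], flags=f["flags"])
        return f["giaddr"], reply                   # to giaddr:67

def run_discover(relay, server, ifname, chaddr, xid=0x2423c151, flags=0):
    """Push one DISCOVER through relay and server; return what each hop saw."""
    discover = build(BOOTREQUEST, xid, chaddr, msg_type=DHCPDISCOVER, flags=flags)
    _, fwd = relay.relay_request(ifname, discover)
    to_relay, offer = server.handle(fwd)
    delivered = relay.relay_reply(offer)
    return {"giaddr": parse(fwd)["giaddr"], "server_sent_to": to_relay,
            "yiaddr": parse(offer)["yiaddr"], "delivered": delivered[:3] if delivered else None}

if __name__ == "__main__":
    r = Relay({"DC1B": "192.168.19.33/27", "DC2B": "192.168.19.97/27"}, "192.168.20.10")
    s = Server({"192.168.19.32/27": "192.168.19.38", "192.168.19.96/27": "192.168.19.100"})
    print(run_discover(r, s, "DC1B", CLIENT))
```

The point the model makes about helper placement: giaddr is the address of whichever device relays first, and the server chooses the scope from it. A helper on a bridged AP or switch interface that has no address of its own on that subnet contributes nothing, while a second relay with an address would only overwrite the scope selection. The reply returns to giaddr, so the device that owns that address must also be the one that can reach the client at layer 2.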
New Member

Re: Wireless Clients can't get DHCP address through ASA relay

Hey Karsten, here are the goods:

AP Config full:

Current configuration : 6819 bytes
!
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname DC-AP1
!
logging buffered 4096 debugging
logging rate-limit console 9
enable secret 5 scrubbed
!
aaa new-model
!
!
aaa group server radius rad_eap
server 192.168.20.10 auth-port 1645 acct-port 1646
!
aaa group server radius rad_mac
!
aaa group server radius rad_acct
!
aaa group server radius rad_admin
server 192.168.20.10 auth-port 1645 acct-port 1646
!
aaa group server tacacs+ tac_admin
!
aaa group server radius rad_pmip
!
aaa group server radius dummy
!
aaa authentication login eap_methods group rad_eap
aaa authentication login mac_methods local
aaa authorization exec default local
aaa accounting network acct_methods start-stop group rad_acct
!
aaa session-id common
!
!
dot11 mbssid
dot11 syslog
!
dot11 ssid DC_3
   vlan 195
   authentication open eap eap_methods
   authentication key-management wpa version 2
   mbssid guest-mode
!
dot11 ssid DC_2
   vlan 193
   authentication open eap eap_methods
   authentication key-management wpa version 2
   mbssid guest-mode
!
dot11 ssid DC_3
   vlan 197
   authentication open eap eap_methods
   authentication key-management wpa version 2
   mbssid guest-mode
!
dot11 ssid DC_1
   vlan 191
   authentication open eap eap_methods
   authentication key-management wpa version 2
   mbssid guest-mode
!
!
!
username scrubbed password 7 scrubbed
!
!
bridge irb
!
!
interface Dot11Radio0
no ip address
ip helper-address 192.168.20.10
no ip route-cache
!
encryption vlan 191 mode ciphers aes-ccm
!
encryption vlan 193 mode ciphers aes-ccm
!
encryption vlan 195 mode ciphers aes-ccm
!
encryption vlan 197 mode ciphers aes-ccm
!
ssid DC_4
!
ssid DC_2
!
ssid DC_3
!
ssid DC_1
!
antenna gain 0
station-role root
bridge-group 1
bridge-group 1 subscriber-loop-control
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
bridge-group 1 spanning-disabled
!
interface Dot11Radio0.191
encapsulation dot1Q 191
no ip route-cache
bridge-group 191
bridge-group 191 subscriber-loop-control
bridge-group 191 block-unknown-source
no bridge-group 191 source-learning
no bridge-group 191 unicast-flooding
bridge-group 191 spanning-disabled
!
interface Dot11Radio0.193
encapsulation dot1Q 193
no ip route-cache
bridge-group 193
bridge-group 193 subscriber-loop-control
bridge-group 193 block-unknown-source
no bridge-group 193 source-learning
no bridge-group 193 unicast-flooding
bridge-group 193 spanning-disabled
!
interface Dot11Radio0.195
encapsulation dot1Q 195
no ip route-cache
bridge-group 195
bridge-group 195 subscriber-loop-control
bridge-group 195 block-unknown-source
no bridge-group 195 source-learning
no bridge-group 195 unicast-flooding
bridge-group 195 spanning-disabled
!
interface Dot11Radio0.197
encapsulation dot1Q 197
no ip route-cache
bridge-group 197
bridge-group 197 subscriber-loop-control
bridge-group 197 block-unknown-source
no bridge-group 197 source-learning
no bridge-group 197 unicast-flooding
bridge-group 197 spanning-disabled
!
interface Dot11Radio1
no ip address
ip helper-address 192.168.20.10
no ip route-cache
!
encryption vlan 191 mode ciphers aes-ccm
!
encryption vlan 193 mode ciphers aes-ccm
!
encryption vlan 195 mode ciphers aes-ccm
!
encryption vlan 197 mode ciphers aes-ccm
!
ssid DC_4
!
ssid DC_2
!
ssid DC_3
!
ssid DC_1
!
antenna gain 0
dfs band 3 block
channel dfs
station-role root
bridge-group 1
bridge-group 1 subscriber-loop-control
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
bridge-group 1 spanning-disabled
!
interface Dot11Radio1.191
encapsulation dot1Q 191
no ip route-cache
bridge-group 191
bridge-group 191 subscriber-loop-control
bridge-group 191 block-unknown-source
no bridge-group 191 source-learning
no bridge-group 191 unicast-flooding
bridge-group 191 spanning-disabled
!
interface Dot11Radio1.193
encapsulation dot1Q 193
no ip route-cache
bridge-group 193
bridge-group 193 subscriber-loop-control
bridge-group 193 block-unknown-source
no bridge-group 193 source-learning
no bridge-group 193 unicast-flooding
bridge-group 193 spanning-disabled
!
interface Dot11Radio1.195
encapsulation dot1Q 195
no ip route-cache
bridge-group 195
bridge-group 195 subscriber-loop-control
bridge-group 195 block-unknown-source
no bridge-group 195 source-learning
no bridge-group 195 unicast-flooding
bridge-group 195 spanning-disabled
!
interface Dot11Radio1.197
encapsulation dot1Q 197
no ip route-cache
bridge-group 197
bridge-group 197 subscriber-loop-control
bridge-group 197 block-unknown-source
no bridge-group 197 source-learning
no bridge-group 197 unicast-flooding
bridge-group 197 spanning-disabled
!
interface GigabitEthernet0
no ip address
ip helper-address 192.168.20.10
no ip route-cache
duplex auto
speed auto
no keepalive
bridge-group 1
no bridge-group 1 source-learning
bridge-group 1 spanning-disabled
!
interface GigabitEthernet0.191
encapsulation dot1Q 191
no ip route-cache
bridge-group 191
bridge-group 191 block-unknown-source
no bridge-group 191 source-learning
no bridge-group 191 unicast-flooding
bridge-group 191 spanning-disabled
!
interface GigabitEthernet0.193
encapsulation dot1Q 193
no ip route-cache
bridge-group 193
bridge-group 193 block-unknown-source
no bridge-group 193 source-learning
no bridge-group 193 unicast-flooding
bridge-group 193 spanning-disabled
!
interface GigabitEthernet0.195
encapsulation dot1Q 195
no ip route-cache
bridge-group 195
bridge-group 195 block-unknown-source
no bridge-group 195 source-learning
no bridge-group 195 unicast-flooding
bridge-group 195 spanning-disabled
!
interface GigabitEthernet0.197
encapsulation dot1Q 197
no ip route-cache
bridge-group 197
bridge-group 197 block-unknown-source
no bridge-group 197 source-learning
no bridge-group 197 unicast-flooding
bridge-group 197 spanning-disabled
!
interface BVI1
ip address dhcp
no ip route-cache
!
ip default-gateway 192.168.19.33
ip http server
no ip http secure-server
ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag
logging history size 100
snmp-server community cisco RO
radius-server attribute 32 include-in-access-req format %h
radius-server host 192.168.20.10 auth-port 1645 acct-port 1646 key 7 083715540D48574115
radius-server vsa send accounting
bridge 1 route ip
!
!
!
line con 0
logging synchronous
line vty 0 4
logging synchronous
transport input all
!
end

Switch Config snippet:

!
interface GigabitEthernet1/0/45
description DC-AP1
switchport trunk native vlan 191
switchport trunk allowed vlan 191,193,195,197
switchport mode trunk
!
interface Vlan191
ip address 192.168.19.34 255.255.255.224
!
interface Vlan193
ip address 192.168.19.98 255.255.255.224
!
interface Vlan195
ip address 192.168.19.162 255.255.255.224
!
interface Vlan197
ip address 192.168.19.226 255.255.255.224
!

ASA Config snippet:

interface GigabitEthernet0/2
nameif DC-TRUNK
security-level 95
no ip address
!
interface GigabitEthernet0/2.191
description Room 1 - Wireless
vlan 191
nameif DC1B
security-level 95
ip address 192.168.19.33 255.255.255.224 standby 192.168.19.34
!
interface GigabitEthernet0/2.193
description Room 2 - Wireless
vlan 193
nameif DC2B
security-level 95
ip address 192.168.19.97 255.255.255.224 standby 192.168.19.98
!
interface GigabitEthernet0/2.195
description Room 3 Wireless
vlan 195
nameif DC3B
security-level 95
ip address 192.168.19.161 255.255.255.224
!
interface GigabitEthernet0/2.197
description Room 4 Wireless
vlan 197
nameif DC4B
security-level 95
ip address 192.168.19.225 255.255.255.224
!
object-group service DM_INLINE_UDP_2 udp
port-object eq 1812
port-object eq 1813
port-object eq radius
port-object eq radius-acct
object-group service DM_INLINE_UDP_4 udp
port-object eq 1812
port-object eq 1813
port-object eq radius
port-object eq radius-acct
object-group service DM_INLINE_UDP_6 udp
port-object eq 1812
port-object eq 1813
port-object eq radius
port-object eq radius-acct
object-group service DM_INLINE_UDP_8 udp
port-object eq 1812
port-object eq 1813
port-object eq radius
port-object eq radius-acct
object-group network DM_INLINE_NETWORK_2
network-object 10.10.0.0 255.255.0.0
network-object 172.16.0.0 255.240.0.0
network-object 192.168.0.0 255.255.0.0
object-group network DM_INLINE_NETWORK_4
network-object 10.10.0.0 255.255.0.0
network-object 172.16.0.0 255.240.0.0
network-object 192.168.0.0 255.255.0.0
object-group network DM_INLINE_NETWORK_6
network-object 10.10.0.0 255.255.0.0
network-object 172.16.0.0 255.240.0.0
network-object 192.168.0.0 255.255.0.0
object-group network DM_INLINE_NETWORK_8
network-object 10.10.0.0 255.255.0.0
network-object 172.16.0.0 255.240.0.0
network-object 192.168.0.0 255.255.0.0
!
access-list DC1B_access_in remark Access to radius service from AP's
access-list DC1B_access_in extended permit udp 192.168.19.32 255.255.255.224 object ctvservices04 object-group DM_INLINE_UDP_10
access-list DC1B_access_in remark Access to radius service from AP's
access-list DC1B_access_in extended permit udp 192.168.19.32 255.255.255.224 object ctvservices03 object-group DM_INLINE_UDP_2
access-list DC1B_access_in remark DHCP
access-list DC1B_access_in extended permit object-group DM_INLINE_SERVICE_2 192.168.19.32 255.255.255.224 object ctvservices03
access-list DC1B_access_in remark Allow wireless to wired communications
access-list DC1B_access_in extended permit ip 192.168.19.32 255.255.255.224 192.168.19.0 255.255.255.224
access-list DC1B_access_in remark Block access to all internal subnets
access-list DC1B_access_in extended deny ip 192.168.19.32 255.255.255.224 object-group DM_INLINE_NETWORK_2
access-list DC1B_access_in extended permit ip any any
access-list DC2B_access_in extended permit udp 192.168.19.96 255.255.255.224 object ctvservices04 object-group DM_INLINE_UDP_12
access-list DC2B_access_in remark Access to radius service from AP's
access-list DC2B_access_in extended permit udp 192.168.19.96 255.255.255.224 object ctvservices03 object-group DM_INLINE_UDP_4
access-list DC2B_access_in remark DHCP
access-list DC2B_access_in extended permit object-group DM_INLINE_SERVICE_4 192.168.19.96 255.255.255.224 object ctvservices03
access-list DC2B_access_in remark Allow wireless to wired communications
access-list DC2B_access_in extended permit ip 192.168.19.96 255.255.255.224 192.168.19.64 255.255.255.224
access-list DC2B_access_in remark Block access to all internal subnets
access-list DC2B_access_in extended deny ip 192.168.19.96 255.255.255.224 object-group DM_INLINE_NETWORK_4
access-list DC2B_access_in extended permit ip any any
access-list DC3B_access_in remark Access to radius service from AP's
access-list DC3B_access_in extended permit udp 192.168.19.160 255.255.255.224 object ctvservices04 object-group DM_INLINE_UDP_14
access-list DC3B_access_in remark Access to radius service from AP's
access-list DC3B_access_in extended permit udp 192.168.19.160 255.255.255.224 object ctvservices03 object-group DM_INLINE_UDP_6
access-list DC3B_access_in remark DHCP
access-list DC3B_access_in extended permit object-group DM_INLINE_SERVICE_6 192.168.19.160 255.255.255.224 object ctvservices03
access-list DC3B_access_in remark Allow wireless to wired communications
access-list DC3B_access_in extended permit ip 192.168.19.160 255.255.255.224 192.168.19.128 255.255.255.224
access-list DC3B_access_in remark Block access to all internal subnets
access-list DC3B_access_in extended deny ip 192.168.19.160 255.255.255.224 object-group DM_INLINE_NETWORK_6
access-list DC3B_access_in extended permit ip any any
access-list DC4B_access_in remark Access to radius service from AP's
access-list DC4B_access_in extended permit udp 192.168.19.224 255.255.255.224 object ctvservices04 object-group DM_INLINE_UDP_16
access-list DC4B_access_in remark Access to radius service from AP's
access-list DC4B_access_in extended permit udp 192.168.19.224 255.255.255.224 object ctvservices03 object-group DM_INLINE_UDP_8
access-list DC4B_access_in remark DHCP
access-list DC4B_access_in extended permit object-group DM_INLINE_SERVICE_8 192.168.19.224 255.255.255.224 object ctvservices03
access-list DC4B_access_in remark Allow wireless to wired communications
access-list DC4B_access_in extended permit ip 192.168.19.224 255.255.255.224 192.168.19.192 255.255.255.224
access-list DC4B_access_in remark Block access to all internal subnets
access-list DC4B_access_in extended deny ip 192.168.19.224 255.255.255.224 object-group DM_INLINE_NETWORK_8
access-list DC4B_access_in extended permit ip any any
access-group DC1B_access_in in interface DC1B
access-group DC1B_access_in in interface DC2B
access-group DC1B_access_in in interface DC3B
access-group DC1B_access_in in interface DC5B
dhcpd dns 192.168.20.10 192.168.75.49 interface management
dhcpd domain blah.com interface management
!
dhcprelay server 192.168.20.10 inside-4  wired
dhcprelay enable DC1A
dhcprelay enable DC1B
dhcprelay enable DC2A
dhcprelay enable DC2B
dhcprelay enable DC3A
dhcprelay enable DC3B
dhcprelay enable DC4A
dhcprelay enable DC4B
dhcprelay timeout 60
dhcprelay information trust-all
!
policy-map type inspect dns preset_dns_map
parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect netbios
  inspect tftp
  inspect ip-options
  inspect sip
!
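
A small lint over the configs in the post above, added here as an example (not code from the thread or from Cisco). The three snippets in it are trimmed copies of the posted ASA, switch and AP configs (interface, ACL and bridge-group bodies left out); the checks report only what the posted text shows and do not claim a root cause: which ACL is bound to which interface and whether the interface name exists in the snippet, switch SVI addresses that also appear on the ASA, and SSIDs the radios reference that the posted dot11 ssid blocks define twice or not at all.

```python
# Added example (not code from the thread): a lint over the configs posted
# above. The snippets are trimmed copies of the posted ASA, switch and AP
# configs; the checks report what the text shows, not a root cause.
import re
from collections import defaultdict

ASA = """\
nameif DC1B
ip address 192.168.19.33 255.255.255.224 standby 192.168.19.34
nameif DC2B
ip address 192.168.19.97 255.255.255.224 standby 192.168.19.98
nameif DC3B
ip address 192.168.19.161 255.255.255.224
nameif DC4B
ip address 192.168.19.225 255.255.255.224
access-list DC2B_access_in extended permit ip any any
access-list DC3B_access_in extended permit ip any any
access-group DC1B_access_in in interface DC1B
access-group DC1B_access_in in interface DC2B
access-group DC1B_access_in in interface DC3B
access-group DC1B_access_in in interface DC5B
"""
SWITCH = """\
interface Vlan191
 ip address 192.168.19.34 255.255.255.224
interface Vlan193
 ip address 192.168.19.98 255.255.255.224
interface Vlan195
 ip address 192.168.19.162 255.255.255.224
interface Vlan197
 ip address 192.168.19.226 255.255.255.224
"""
AP = """\
dot11 ssid DC_3
   vlan 195
dot11 ssid DC_2
   vlan 193
dot11 ssid DC_3
   vlan 197
dot11 ssid DC_1
   vlan 191
interface Dot11Radio0
 ssid DC_4
 ssid DC_2
 ssid DC_3
 ssid DC_1
"""

def parse_asa(text):
    """nameif -> {primary, standby}, ACL names, and access-group bindings."""
    cfg, name = {"addrs": {}, "acls": set(), "bindings": []}, None
    for s in map(str.strip, text.splitlines()):
        if m := re.match(r"nameif (\S+)", s):
            name = m.group(1)
        elif m := re.match(r"ip address (\S+) \S+(?: standby (\S+))?", s):
            cfg["addrs"][name] = {k: v for k, v in zip(("primary", "standby"), m.groups()) if v}
        elif m := re.match(r"access-list (\S+)", s):
            cfg["acls"].add(m.group(1))
        elif m := re.match(r"access-group (\S+) in interface (\S+)", s):
            cfg["bindings"].append((m.group(1), m.group(2)))
    return cfg

def parse_switch_svis(text):
    svis, vlan = {}, None
    for s in map(str.strip, text.splitlines()):
        if m := re.match(r"interface Vlan(\d+)", s):
            vlan = m.group(1)
        elif m := re.match(r"ip address (\S+)", s):
            svis[vlan] = m.group(1)
    return svis

def parse_ap(text):
    """dot11 ssid definitions (name -> VLANs) and ssid names referenced on the radio."""
    defined, referenced, cur = defaultdict(list), set(), None
    for s in map(str.strip, text.splitlines()):
        if m := re.match(r"dot11 ssid (\S+)", s):
            cur = m.group(1)
        elif m := re.match(r"vlan (\d+)", s):
            defined[cur].append(int(m.group(1)))
        elif m := re.match(r"ssid (\S+)", s):
            referenced.add(m.group(1))
    return defined, referenced

def lint(asa, svis, ap):
    out = defaultdict(list)
    for acl, intf in asa["bindings"]:
        if intf not in asa["addrs"]:
            out["acl_bound_to_interface_not_in_snippet"].append(intf)
        expected = f"{intf}_access_in"              # the naming convention the config uses
        if acl != expected and expected in asa["acls"]:
            out["acl_bound_to_other_interface"].append((intf, acl, expected))
    bound = {i for _, i in asa["bindings"]}
    out["interface_without_acl"] = [n for n in asa["addrs"] if n not in bound]
    on_asa = {ip: (n, role) for n, a in asa["addrs"].items() for role, ip in a.items()}
    for vlan, ip in svis.items():                    # SVI address also configured on the ASA
        if ip in on_asa:
            out["address_also_on_asa"].append((ip, f"Vlan{vlan}", *on_asa[ip]))
    defined, referenced = ap
    out["ssid_referenced_not_defined"] = sorted(referenced - set(defined))
    out["ssid_defined_twice"] = [(n, v) for n, v in defined.items() if len(v) > 1]
    return {k: v for k, v in out.items() if v}

if __name__ == "__main__":
    for k, v in lint(parse_asa(ASA), parse_switch_svis(SWITCH), parse_ap(AP)).items():
        print(k, v)
```

Run against the posted text it reports that DC1B_access_in is bound to DC2B and DC3B although DC2B_access_in and DC3B_access_in exist, that DC5B has a binding but no interface in the snippet while DC4B has an interface but no binding, that the switch SVIs on VLAN 191 and 193 carry the ASA's standby addresses, and that the radios reference ssid DC_4 while the dot11 ssid blocks define DC_3 twice (VLAN 195 and 197) and DC_4 never. Whether any of that is a transcription slip in the post or in the running config is for the poster to check; the script only makes the cross-references visible.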


VIP Purple

Re: Wireless Clients can't get DHCP address through ASA relay

When you do a "show vlan" on the switch, do you see all the VLANs that are needed (191, 193, 195, 197)?

-- 
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni

New Member

Re: Wireless Clients can't get DHCP address through ASA relay

I do.

DCSW1#show vlan

VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Gi1/0/7, Gi1/0/8, Gi1/0/10
                                                Gi1/0/11, Gi1/0/12, Gi1/0/13
                                                Gi1/0/14, Gi1/0/15, Gi1/0/16
                                                Gi1/0/17, Gi1/0/18, Gi1/0/19
                                                Gi1/0/20, Gi1/0/21, Gi1/0/22
                                                Gi1/0/23, Gi1/0/24, Gi1/0/25
                                                Gi1/0/26, Gi1/0/27, Gi1/0/28
                                                Gi1/0/29, Gi1/0/30, Gi1/0/31
                                                Gi1/0/32, Gi1/0/33, Gi1/0/34
                                                Gi1/0/35, Gi1/0/36, Gi1/0/46
                                                Gi1/0/49, Gi1/0/50, Gi1/0/51
                                                Gi1/0/52
65   NETMGMT                          active
103  WIRED                            active
105  WIRELESS                         active
106  GUEST                            active
190  CAPDC1A                          active    Gi1/0/1, Gi1/0/2, Gi1/0/3
                                                Gi1/0/4, Gi1/0/5
191  DC1B                             active
192  DC2A                             active    Gi1/0/6
193  DC2B                             active
194  DC3A                             active
195  DC3B                             active
196  DC4A                             active
197  DC4B                             active
222  VOICE                            active
251  PHONES                           active    Gi1/0/9, Gi1/0/37, Gi1/0/38
                                                Gi1/0/39, Gi1/0/40, Gi1/0/41
                                                Gi1/0/42, Gi1/0/43, Gi1/0/44

VIP Purple

Re: Wireless Clients can't get DHCP address through ASA relay

I just realized that some of the IP addresses on the switch are duplicates of the ones on the ASA. If you don't use the 2960 for routing (it doesn't seem so), it's best to remove all "interface vlan" from the switch and only keep the one you use for management. And remove all IP helpers on the switch and the AP if the relay is running on the ASA.

-- 
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni

New Member

Re: Wireless Clients can't get DHCP address through ASA relay

I've removed all switch and AP IP helpers and the VLAN interfaces. When I change the default gateway on the AP from the switch interface to the ASA's interface, it goes dark. Do you think this is indicative of a routing problem on the ASA?

EDIT: I only removed the VLAN interfaces from the switch, not from the AP :-)

Message was edited by: Kevin Doran

VIP Purple

Re: Wireless Clients can't get DHCP address through ASA relay

If you can work successfully in one VLAN, then the routing from the ASA to the DHCP server should be fine. On the AP you get your mgmt IP by DHCP, so you don't need the default gateway at all; it will be provided by DHCP. Do a "debug dhcprelay event" and "debug dhcprelay packet" on the ASA and try again. You should see that some DHCP packets get processed by the ASA.

-- 
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni

New Member

Re: Wireless Clients can't get DHCP address through ASA relay

OK, we're getting close, here's the debugging:

DHCPD/RA:  Relay msg received, fip=ANY, fport=67 on DC1B interface
DHCP: Received a BOOTREQUEST from interface 4 (size = 307)
DHCPRA: relay binding found for client cc3a.6124.c7f6.
DHCPRA: setting giaddr to 192.168.19.33.
dhcpd_forward_request: request from cc3a.6124.c7f6 forwarded to 192.168.20.10.
DHCPD/RA: Punt 192.168.20.10/67 --> 192.168.19.33/67 to CP
DHCPD/RA:  Relay msg received, fip=ANY, fport=67 on inside-wired interface
DHCP: Received a BOOTREPLY from relay interface 11 (size = 316, xid = 0x2423c151) at 14:30:37 UTC Tue Nov 26 2013
DHCPRA: relay binding found for client cc3a.6124.c7f6.
DHCPD/RA: creating ARP entry (192.168.19.38, cc3a.6124.c7f6).
DHCPRA: forwarding reply to client cc3a.6124.c7f6.

This message appears over and over until the wifi client gives up. It looks like it's getting an IP (19.38) from the DHCP server, but it's still not getting back to the wireless client.
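
Reading that debug by hand works for one client; for a busy relay it helps to reconstruct the transactions programmatically. The following is an added example (not code from the thread or from Cisco) that groups "debug dhcprelay" lines into per-client cycles and says where the last cycle stopped: request never forwarded, forwarded with no reply, or, as in the output above, reply forwarded every time while the client keeps asking. POSTED is the debug block from this post; its repetition (the post says it loops) and the second client with no reply are constructed.

```python
# Added example, not code from the thread: reconstruct DHCP relay transactions
# from "debug dhcprelay" output. POSTED is the debug block from the post above;
# the repetition and the second client (no reply) are constructed.
import re
from collections import defaultdict

POSTED = """\
DHCPD/RA:  Relay msg received, fip=ANY, fport=67 on DC1B interface
DHCP: Received a BOOTREQUEST from interface 4 (size = 307)
DHCPRA: relay binding found for client cc3a.6124.c7f6.
DHCPRA: setting giaddr to 192.168.19.33.
dhcpd_forward_request: request from cc3a.6124.c7f6 forwarded to 192.168.20.10.
DHCPD/RA: Punt 192.168.20.10/67 --> 192.168.19.33/67 to CP
DHCPD/RA:  Relay msg received, fip=ANY, fport=67 on inside-wired interface
DHCP: Received a BOOTREPLY from relay interface 11 (size = 316, xid = 0x2423c151) at 14:30:37 UTC Tue Nov 26 2013
DHCPRA: relay binding found for client cc3a.6124.c7f6.
DHCPD/RA: creating ARP entry (192.168.19.38, cc3a.6124.c7f6).
DHCPRA: forwarding reply to client cc3a.6124.c7f6.
"""
CONSTRUCTED_NO_REPLY = """\
DHCPD/RA:  Relay msg received, fip=ANY, fport=67 on DC2B interface
DHCP: Received a BOOTREQUEST from interface 5 (size = 300)
DHCPRA: relay binding found for client 0011.2233.4455.
DHCPRA: setting giaddr to 192.168.19.97.
dhcpd_forward_request: request from 0011.2233.4455 forwarded to 192.168.20.10.
"""

RX = {
    "recv": re.compile(r"Relay msg received, fip=\S+, fport=\d+ on (\S+) interface"),
    "request": re.compile(r"Received a BOOTREQUEST"),
    "reply": re.compile(r"Received a BOOTREPLY .*xid = (0x[0-9a-fA-F]+)"),
    "binding": re.compile(r"relay binding found for client ([0-9a-f.]+)\."),
    "giaddr": re.compile(r"setting giaddr to (\S+)\."),
    "forward": re.compile(r"request from ([0-9a-f.]+) forwarded to (\S+)\."),
    "arp": re.compile(r"creating ARP entry \((\S+), ([0-9a-f.]+)\)\."),
    "deliver": re.compile(r"forwarding reply to client ([0-9a-f.]+)\."),
}

def parse_relay_debug(lines):
    """Group debug lines into per-client relay cycles (request in, reply out)."""
    cycles, open_cycles = defaultdict(list), {}
    iface = direction = xid = mac = None
    for line in lines:
        if m := RX["recv"].search(line):
            iface = m.group(1)                      # interface the next message arrives on
        elif RX["request"].search(line):
            direction = "request"
        elif m := RX["reply"].search(line):
            direction, xid = "reply", m.group(1)
        elif m := RX["binding"].search(line):
            mac = m.group(1)
            if direction == "request":
                open_cycles[mac] = {"client_if": iface, "giaddr": None, "server": None,
                                    "reply_if": None, "xid": None, "lease": None,
                                    "reply_forwarded": False}
            elif mac in open_cycles:
                open_cycles[mac].update(reply_if=iface, xid=xid)
        elif (m := RX["giaddr"].search(line)) and mac in open_cycles:
            open_cycles[mac]["giaddr"] = m.group(1)
        elif (m := RX["forward"].search(line)) and m.group(1) in open_cycles:
            open_cycles[m.group(1)]["server"] = m.group(2)
        elif (m := RX["arp"].search(line)) and m.group(2) in open_cycles:
            open_cycles[m.group(2)]["lease"] = m.group(1)
        elif (m := RX["deliver"].search(line)) and m.group(1) in open_cycles:
            cycle = open_cycles.pop(m.group(1))
            cycle["reply_forwarded"] = True
            cycles[m.group(1)].append(cycle)
    for mac, cycle in open_cycles.items():          # requests that never got a reply out
        cycles[mac].append(cycle)
    return dict(cycles)

def assess(cycles):
    """Per client: where in the relay path the last cycle stopped."""
    report = {}
    for mac, cs in cycles.items():
        last = cs[-1]
        if last["server"] is None:
            verdict = "request_not_forwarded"            # relay never sent it to the server
        elif not last["reply_forwarded"]:
            verdict = "no_reply_from_server"              # forwarded, nothing came back
        elif len(cs) > 1 and all(c["reply_forwarded"] for c in cs):
            verdict = "relay_ok_client_not_progressing"   # relay completes every time, client keeps asking
        else:
            verdict = "relay_ok"
        report[mac] = dict(last, cycles=len(cs), verdict=verdict)
    return report

def analyze(text):
    return assess(parse_relay_debug(text.splitlines()))

if __name__ == "__main__":
    for mac, r in analyze(POSTED * 3 + CONSTRUCTED_NO_REPLY).items():
        print(mac, r["verdict"], r["cycles"], r["client_if"], r["giaddr"], r["lease"])
```

For the posted client the report shows the request arriving on DC1B, giaddr 192.168.19.33, the reply coming back on inside-wired with xid 0x2423c151 and lease 192.168.19.38, and the reply forwarded in every cycle. That is exactly the pattern the poster describes: the ASA side of the exchange completes each time, so the next thing to look at is the path between the ASA's forwarded reply and the wireless client rather than the relay or the server.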
