Cisco Support Community

New Member

ASA IPSec Client VPN Subnet Mask

I'm currently testing an ASA 5520 to provide remote access to a network via IPSec. Everything is working fine, and when the clients connect to the ASA via IPSec, they get an IP address assigned from a DHCP server on the inside network. IP address assignment is working fine, but I've noticed that the subnet mask that is displayed when I run 'ipconfig' is incorrect. Instead of showing a subnet mask of 255.255.0.0, which is what it should be, I am seeing 255.0.0.0. What controls this subnet mask? I would have expected 255.255.0.0, or maybe even 255.255.255.255. I know the DHCP server is working properly, and VPN clients are working just fine, but I'm curious why the subnet mask is wrong.

For what it's worth, the VPN 3000 that this ASA will be replacing is set up with the exact same configuration, and when I IPSec into the VPN3000, I see the proper subnet mask.

Does anyone know why the subnet mask would be showing up incorrectly? Even though it is technically working, I'm concerned that maybe I may have overlooked something.

Thanks,

-Steve

6 REPLIES

Re: ASA IPSec Client VPN Subnet Mask

Not sure if it is a bug.

Can you do a packet capture on the DHCP server to see what the DHCP request and offer packets look like?

New Member

Re: ASA IPSec Client VPN Subnet Mask

I'm not able to get a packet capture on the DHCP server right now as it is a production domain controller, and I'd need to go through our change control process to install software on it.

I may be able to set up a quick lab at home sometime tomorrow to try and reproduce the issue. In the meantime, is there any debug I can run on the ASA itself to see the DHCP packets?

Thanks,

-Steve

Re: ASA IPSec Client VPN Subnet Mask

You can do the capture on the interface which is facing the DHCP server.

http://www.cisco.com/en/US/docs/security/asa/asa80/command/reference/c1.html#wp2108895

I should have mentioned it before.

New Member

Re: ASA IPSec Client VPN Subnet Mask

Okay, I just spent some time looking at this in much more detail. I was mistaken: when DHCP is used, the subnet mask is correct.

The problem I am having though is when using a framed-ip address sent by the RADIUS server. In this situation, my username has a framed IP address of 10.250.50.50, and the correct subnet mask is 255.255.0.0. However, when I connect, I'm getting a subnet mask of 255.0.0.0. The RADIUS server is MS IAS, and for AnyConnect, I'm actually using LDAP authentication into AD with an ldap attribute map to pull the static IP address from AD.

Neither the RADIUS server nor AD has the subnet mask. Our VPN 3000 for some reason knows the proper subnet mask, but the ASA does not. The ASA has an interface on this subnet, so it should know the mask, but it looks like it is defaulting to a classless mask.

Is there any way to fix this?

I appreciate all of the help, and apologize for the initial confusion.

Thanks,

-Steve

Re: ASA IPSec Client VPN Subnet Mask

I am not familiar with this setting.

It looks like the client just picked the class A subnet for the 10.x.x.x network.

What's your ASA version?

New Member

Re: ASA IPSec Client VPN Subnet Mask

The version is 8.2(1)1. I'm going to open a TAC case today and see what they say.

I'll let you know.

Thanks,

-Steve
