I upgraded three ASAs (one 5505 and two 5510s) to 8.4(4)3, and on all three ASAs, which were providing DHCP services to connected networks, DHCP stopped working. Users could not get DHCP addresses from the ASAs running 188.8.131.52.
I did packet captures from the desktop; basically, I see the DHCP requests leaving the desktop, but no replies from the ASA.
I downgraded the ASA to 8.4(4)1 and DHCP immediately started working again.
I rolled back to 184.108.40.206. DHCP failed again. Downgraded the ASA to 220.127.116.11, then DHCP started working again.
I had a similar problem with VPN clients not receiving an IP address from DHCP after upgrading from 8.4(2) to 8.4(5). I went back and forth with TAC for a few weeks and we narrowed it down to an identity NAT (nat exemption) statement for the VPN clients that required the route-lookup option to be checked.
After changing the internal gateway equipment, the DHCP requests emitted by the ASA are still sent to the removed gateway interface's MAC address, whereas the ASA makes ARP requests and gets the new GW interface MAC address correctly.
We are having the exact same problem on version 8.3(2)4.
The ASAs are connected to a gateway cluster. When a failover occurs in the cluster, all ARP tables are updated on the ASAs. DHCP requests from VPN clients to an internal DHCP server are still being sent to the MAC address of the old gateway interface, even though the ARP tables have been updated with the new MAC address.
It seems that the DHCP relay/proxy function is using old cached information instead of the ARP table.