We have a customer with a Cisco ASA. Their remote users are using a DHCP server that is there locally on the subnet where they should arrive. We have also configured a local pool if their pool does not respond.
The problem at the moment is that they are getting the pool on the Cisco ASA and not the one delivered by their DHCP. I had the customer check the DHCP server and it seems OK to them. Also, the address seems correct in the group policies. Now I'm thinking that maybe their DHCP server is not responding fast enough and that the ASA has a short timeout somewhere.
Does anyone know if that timeout (if there is any) can be configured on the Cisco ASA? I have requested the customer to disable "Conflict Detection" on the Windows DHCP server, because I'm thinking that the server will ping the address it will give before it gives it, and that could be a sign to the ASA that it takes too long, so it takes an address from the local pool.
The remote users should receive the DHCP from the local DHCP server. This is via DHCP proxy, if I'm not mistaken?
What we are seeing when users are connecting: the customer DHCP is not responding, or not fast enough, and the remote users are getting an IP from the local pool. If I remove the local pool (in the ASA) then it will not connect.
What do you mean by local DHCP server? Do you mean they have the local DHCP server at the remote end itself, or they have the DHCP server at the other end?
Let's say site 1 and site 2. Site 1 users should get the DHCP address from the site 2 DHCP server; that is your requirement. Instead they are getting DHCP from the site 1 ASA itself. Right?
You need to have DHCP relay configured if you want to get DHCP via the VPN tunnel:
dhcprelay server <DHCP Server IP Address> outside
dhcprelay enable inside
dhcprelay setroute inside
dhcprelay timeout 60
and crypto ACLs pointing like the below.
Remote site end:
access-list crypto_acl extended permit ip host <asa outside ip> host <dhcp server ip>
access-list crypto_acl extended permit ip host <asa inside ip> host <dhcp server ip>
Hub Site end:
access-list crypto_acl extended permit ip host <dhcp server ip> host <asa outside ip>
access-list crypto_acl extended permit ip host <dhcp server ip> host <asa inside ip>
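
Added example, not part of the reply above: the crypto ACL entries at the two ends are meant to be mirror images of each other, and a missing mirror entry is a common reason such a tunnel does not carry the intended traffic. This Python check compares two saved configurations; the addresses are constructed documentation values and the function names are hypothetical.

```python
import re

# Constructed sample configs (documentation addresses, not taken from the thread).
REMOTE_CFG = """\
access-list crypto_acl extended permit ip host 203.0.113.2 host 10.20.0.10
access-list crypto_acl extended permit ip host 10.10.0.1 host 10.20.0.10
"""
# The hub is deliberately missing the mirror of the second remote entry.
HUB_CFG = """\
access-list crypto_acl extended permit ip host 10.20.0.10 host 203.0.113.2
"""

# An address spec is "host A", "any", or "network mask".
ADDR = r"(host \S+|any|\d+\.\d+\.\d+\.\d+ \d+\.\d+\.\d+\.\d+)"
ACE = re.compile(rf"^access-list (\S+) extended permit ip {ADDR} {ADDR}\s*$")


def parse_aces(config, acl_name):
    """Return the set of (source, destination) pairs for one ACL."""
    pairs = set()
    for line in config.splitlines():
        m = ACE.match(line.strip())
        if m and m.group(1) == acl_name:
            pairs.add((m.group(2), m.group(3)))
    return pairs


def mirror_gaps(remote_cfg, hub_cfg, acl_name="crypto_acl"):
    """Return (entries to add on the hub, entries to add on the remote end)."""
    remote = parse_aces(remote_cfg, acl_name)
    hub = parse_aces(hub_cfg, acl_name)
    # Every entry on one end needs the same pair with source and destination swapped.
    missing_on_hub = sorted((d, s) for s, d in remote if (d, s) not in hub)
    missing_on_remote = sorted((d, s) for s, d in hub if (d, s) not in remote)
    return missing_on_hub, missing_on_remote


if __name__ == "__main__":
    on_hub, on_remote = mirror_gaps(REMOTE_CFG, HUB_CFG)
    for src, dst in on_hub:
        print(f"hub is missing: access-list crypto_acl extended permit ip {src} {dst}")
    for src, dst in on_remote:
        print(f"remote is missing: access-list crypto_acl extended permit ip {src} {dst}")
```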