New Member

Remote IPsec VPN DHCP-Server IP assignment problem?

Dear experts,

I have configured a remote access IPsec VPN on an ASA5510 and it is working fine when I configure local DHCP address pool assignment, but it is not working with dhcp-server.

Below is my configuration:

tunnel-group test type remote-access
tunnel-group test general-attributes
 default-group-policy test
 dhcp-server 10.1.1.200
tunnel-group test ipsec-attributes
 pre-shared-key *

group-policy test internal
group-policy test attributes
 dhcp-network-scope 192.168.135.0
 ipsec-udp enable
 ipsec-udp-port 10000

---snapshot Ping test to DHCP-Server 10.1.1.200----

ciscoasa# ping 10.1.1.200
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.1.200, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms

The DHCP server is working when I assign IP addresses to the LAN network.

22 REPLIES
Cisco Employee

Re: Remote IPsec VPN DHCP-Server IP assignment problem?

Please also check if you have the following configured:

vpn-addr-assign dhcp

New Member

Re: Remote IPsec VPN DHCP-Server IP assignment problem?

Already done.

ciscoasa# sh run all vpn-addr-assign
no vpn-addr-assign aaa
vpn-addr-assign dhcp
no vpn-addr-assign local

But it is still not working. The error messages are as below:

%ASA-7-737001: IPAA: Received message 'UTL_IP_[IKE_]ADDR_REQ'
%ASA-5-737018: IPAA: DHCP request attempt 1 failed
%ASA-5-737003: IPAA: DHCP configured, no viable servers found for tunnel-group 'GoldCoinVPN'
%ASA-4-737012: IPAA: Address assignment failed
%ASA-7-715042: Group = GoldCoinVPN, Username = test, IP = 120.138.83.233, IKE received response of type [] to a request from the IP address utility
%ASA-3-713132: Group = GoldCoinVPN, Username = test, IP = 120.138.83.233, Cannot obtain an IP address for remote peer

Cisco Employee

Re: Remote IPsec VPN DHCP-Server IP assignment problem?

Seems like you are trying to connect from "GoldCoinVPN" tunnel-group, however, your DHCP is configured under "test" tunnel-group.

New Member

Re: Remote IPsec VPN DHCP-Server IP assignment problem?

Sorry, the test tunnel-group was just my simulation.

My production configuration is as below.

tunnel-group GoldCoinVPN type remote-access
tunnel-group GoldCoinVPN general-attributes
 default-group-policy GoldCoinVPN
 dhcp-server 10.1.1.200
tunnel-group GoldCoinVPN ipsec-attributes
 pre-shared-key *

group-policy GoldCoinVPN internal
group-policy GoldCoinVPN attributes
 dhcp-network-scope 192.168.135.0
 ipsec-udp enable
 ipsec-udp-port 10000

I was trying to configure dhcprelay, but that does not seem to work either.

Cisco Employee

Re: Remote IPsec VPN DHCP-Server IP assignment problem?

Thanks, please also confirm that there is DHCP scope of 192.168.135.0 configured on the DHCP server.

New Member

Re: Remote IPsec VPN DHCP-Server IP assignment problem?

Below is my DHCP configuration.

New Member

Re: Remote IPsec VPN DHCP-Server IP assignment problem?

I have a similar problem. Not solved so far...

vpn-addr-assign dhcp
no vpn-addr-assign aaa
no vpn-addr-assign local

group-policy test-group internal
group-policy test-group attributes
 dhcp-network-scope 192.168.100.0

tunnel-group test type remote-access
tunnel-group test general-attributes
 authentication-server-group vpn
 default-group-policy test-group
 dhcp-server 192.168.0.2
tunnel-group test ipsec-attributes
 pre-shared-key *

When debugging, I get the following messages:

%ASA-7-737001: IPAA: Received message 'UTL_IP_[IKE_]ADDR_REQ'
%ASA-6-737017: IPAA: DHCP request attempt 1 succeeded
%ASA-6-737005: IPAA: DHCP configured, request succeeded for tunnel-group 'test'
%ASA-6-302016: Teardown UDP connection 127 for outside:XX.XX.XX.103/3044 to identity:XX.XX.XX.104/500 duration 0:02:20 bytes 2283
%ASA-7-737001: IPAA: Received message 'UTL_IP_DHCP_INVALID_ADDR'

On the switch 192.168.0.2, I have the following config

ip dhcp pool VPN-test
   network 192.168.100.0 255.255.255.0
   dns-server 10.1.1.1 10.1.1.2
   domain-name vpn.ca

And it assigns addresses when requested, but the ASA does not accept them...

Switch#sh ip dhcp binding
IP address       Client-ID/              Lease expiration        Type
                 Hardware address
192.168.100.5    00FF.FFFF.0000.0038.    May 10 2010 02:57 PM    Automatic

New Member

Re: Remote IPsec VPN DHCP-Server IP assignment problem?

Hi wbarboza,

I don't really understand. Can I say that:

1.) When you configure the dhcp-server setting in your ASA and your DHCP server is actually a Cisco switch, your VPN client is able to get the IP address?

2.) When you configure the dhcp-server setting in your ASA and your DHCP server is actually a DHCP server, it is not working?

I ask because I found that your case is a bit different from mine: your debug shows that your DHCP server is found and the attempt succeeds.

%ASA-6-737017: IPAA: DHCP request attempt 1 succeeded

But in mine, the DHCP server is not viable. Even when I turn on Wireshark on the DHCP server, I see no DHCP request messages to the server either. I suspect the dhcp-server setting is not really functioning, or it might be a bug (but I haven't logged a TAC case yet). I just used an ip local address pool as an alternative solution.

New Member

Re: Remote IPsec VPN DHCP-Server IP assignment problem?

1) The ASA does NOT forward the IP address received from the switch to the VPN Client. It requests successfully, but it does NOT receive successfully.

2) That's it, it is NOT working so far...

New Member

Re: Remote IPsec VPN DHCP-Server IP assignment problem?

Hi wbarboza,

Have you ever tried configuring an ip local pool in the ASA? BTW, it should work. I'm just wondering how come your dhcp-server attempt is successful. Is it possible for you to post your full config?

New Member

Re: Remote IPsec VPN DHCP-Server IP assignment problem?

The problem was a lack of a route to the IP address configured in the DHCP range back to the ASA. In spite of the fact that the switch was directly configured, the default gateway was not the ASA, as it used to redistribute the routes over EIGRP.

When I put a static route in the switch pointing to the ASA, it worked right away...

ip route 192.168.100.0 255.255.255.0 192.168.0.1

In my case, the inside IP address was 192.168.0.1/24 and the scope address was 192.168.100.0/24
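The routing condition described in this post, as an added example that is not part of the original thread: the switch picks its next hop for the scope address by longest-prefix match, so traffic for that address only reaches the ASA once a more specific route points at the ASA inside IP. The default-gateway address 192.168.0.254 and all function names are constructed for illustration.

```python
import ipaddress

def parse_ip_route(line):
    """Turn an IOS 'ip route <net> <mask> <next-hop>' line into (prefix, hop)."""
    _, _, net, mask, hop = line.split()
    return (str(ipaddress.ip_network(f"{net}/{mask}")), hop)

def next_hop(routes, dest):
    """Longest-prefix match over (prefix, next_hop) pairs; None if no route."""
    addr = ipaddress.ip_address(dest)
    best = None
    for prefix, hop in routes:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, hop)
    return best[1] if best else None

def scope_routes_to_asa(routes, scope_addr, asa_inside):
    """True when traffic for the dhcp-network-scope address is sent to the ASA."""
    return next_hop(routes, scope_addr) == asa_inside

ASA_INSIDE = "192.168.0.1"   # ASA inside address, from the post
SCOPE = "192.168.100.0"      # dhcp-network-scope, from the post

# Switch routing table before the fix. The gateway 192.168.0.254 is a
# constructed value: the post only says the default gateway was not the ASA.
BEFORE = [
    ("192.168.0.0/24", "connected"),
    ("0.0.0.0/0", "192.168.0.254"),
]
# Table after adding the static route quoted in the post.
AFTER = BEFORE + [parse_ip_route("ip route 192.168.100.0 255.255.255.0 192.168.0.1")]

if __name__ == "__main__":
    for name, table in (("before", BEFORE), ("after", AFTER)):
        print(name, next_hop(table, SCOPE),
              scope_routes_to_asa(table, SCOPE, ASA_INSIDE))
```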

New Member

Remote IPsec VPN DHCP-Server IP assignment problem?

It's working after adding the static route in the core switch pointing to the ASA and issuing the command no vpn-addr-assign local to force the ASA to get the IP address from the DHCP server.

Make sure vpn-addr-assign dhcp is enabled.

New Member

Re: Remote IPsec VPN DHCP-Server IP assignment problem?

Not trying to take over your post, but I'm having the same issue. The only difference is that I'm authenticating with an internal RADIUS server, which works, but I cannot get my internal DHCP server to assign an IP. I keep getting the same message that you were getting:

IPAA: Received message 'UTL_IP_[IKE_]ADDR_REQ'
IPAA: DHCP request attempt 1 succeeded
IPAA: DHCP configured, request succeeded for tunnel-group 'test'

IPAA: Received message 'UTL_IP_DHCP_INVALID_ADDR'
Group = test, Username = testuser, IP = 166.137.139.82, IKE received response of type [] to a request from the IP address utility

Group = test, Username = testuser, IP = 166.137.139.82, Cannot obtain an IP address for remote peer

Here is my config:

interface Ethernet0/0
 description Public interface
 nameif outside
 security-level 0
 ip address x.x.x.130 255.255.255.0
 ospf cost 10

interface Ethernet0/1
 description Internal interface
 nameif inside
 security-level 100
 ip address 10.10.0.1 255.255.255.0
 ospf cost 10

aaa-server Radius protocol radius
 interim-accounting-update
aaa-server Radius (inside) host RADIUS1
 key *
 radius-common-pw *
aaa-server Radius (inside) host RADIUS2
 key *
 radius-common-pw *

group-policy test internal
group-policy test attributes
 dns-server value 10.10.0.11 10.10.0.12
 dhcp-network-scope 10.10.0.0
 vpn-tunnel-protocol IPSec
 address-pools none

tunnel-group test type remote-access
tunnel-group test general-attributes
 authentication-server-group Radius
 accounting-server-group Radius
 default-group-policy test
 dhcp-server 10.10.0.11
tunnel-group test ipsec-attributes
 pre-shared-key *
tunnel-group test ppp-attributes
 authentication pap
 authentication ms-chap-v2
 authentication eap-proxy

New Member

Re: Remote IPsec VPN DHCP-Server IP assignment problem?

I am currently testing this using my iPhone but get the same result when I use the Cisco VPN client on my laptop. Attached is the full syslog copy of my connection attempt.

New Member

Re: Remote IPsec VPN DHCP-Server IP assignment problem?

Your mistake is here

dhcp-network-scope 10.10.0.0

You must use a valid IP address and not the network address. Try, for example:

dhcp-network-scope 10.10.0.254

Afterwards, make sure your internal routing sends packets to this address back to the ASA IP address (like if it were a loopback address).

New Member

Re: Remote IPsec VPN DHCP-Server IP assignment problem?

Tried that but it no worky.

The network I'm trying to connect to is 10.10.0.0 255.255.248.0, so I put in 10.10.7.254 255.255.255.255 as a route back to my ASA and then changed 10.10.7.254 as the network scope. My default route is 0.0.0.0 0.0.0.0 to my ASA, so I really shouldn't have to put the 10.10.7.254 route in right?

New Member

Re: Remote IPsec VPN DHCP-Server IP assignment problem?

I recommend you do a packet capture to check if the packets are reaching the ASA... Then you can check with Wireshark what is going on.

New Member

Re: Remote IPsec VPN DHCP-Server IP assignment problem?

Wireshark shows me that I'm making DHCP Discoveries on port 67 to my internal DHCP server but I never receive a response from the DHCP server.

New Member

Re: Remote IPsec VPN DHCP-Server IP assignment problem?

Alright, finally got it. I had to put the DHCP Scope as my router IP and it was then able to relay back to my ASA.

Thanks for the help wbarboza!

New Member

@wbarboza

Actually you can still use the network address. We just upgraded to 9.16 on our ASA and we are using the network address for the DHCP network scope and it still works.

New Member

Remote IPsec VPN DHCP-Server IP assignment problem?

Can you clarify this statement:

I had to put the DHCP Scope as my router IP and it was then able to relay back to my ASA.

I have an ASA inside interface, ex. 10.10.10.1 /29

My client DHCP scope, ex. 10.200.10.51 to 10.200.10.254

DHCP Network defined: 10.200.10.0 /24

I see the request go from the ASA to the DHCP server. I see the DHCP server reply to the inside ASA interface, 10.10.10.1 (mac), but it fails.

New Member

Re: Remote IPsec VPN DHCP-Server IP assignment problem?

I am just going to add this here for others. For me, my problem was solved by removing an erroneous DHCP relay configuration from the firewall which pointed to a decommissioned server.
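The two failure signatures that appear in this thread can be told apart from the IPAA syslog text alone. The following is an added example, not part of any post: a small classifier that maps each signature to the checks posters raised for it. The state names, the `triage` function and the grouping of checks are assumptions made for illustration; the sample log lines are copied from the posts above.

```python
import re

# Checks raised by posters in this thread, grouped by symptom (grouping is
# an assumption of this example, not an official Cisco troubleshooting tree).
CHECKS = {
    "no_viable_server": [
        "vpn-addr-assign dhcp is enabled (sh run all vpn-addr-assign)",
        "dhcp-server is set on the tunnel-group the client connects to",
        "no stale DHCP relay configuration remains on the ASA",
    ],
    "lease_not_accepted": [
        "DHCP server has a route for the dhcp-network-scope address via the ASA",
        "dhcp-network-scope corresponds to a scope defined on the DHCP server",
    ],
    "request_succeeded": [],
    "unknown": [],
}

def triage(log_text):
    """Classify one connection attempt from its IPAA syslog lines."""
    group = re.search(r"tunnel-group '([^']+)'", log_text)
    requested = re.search(r"DHCP request attempt \d+ succeeded", log_text)
    if "no viable servers found" in log_text:
        state = "no_viable_server"
    elif requested and "UTL_IP_DHCP_INVALID_ADDR" in log_text:
        state = "lease_not_accepted"
    elif requested:
        state = "request_succeeded"
    else:
        state = "unknown"
    return {"group": group.group(1) if group else None,
            "state": state, "checks": CHECKS[state]}

# Log excerpts copied from the posts in this thread.
FIRST_LOG = """%ASA-7-737001: IPAA: Received message 'UTL_IP_[IKE_]ADDR_REQ'
%ASA-5-737018: IPAA: DHCP request attempt 1 failed
%ASA-5-737003: IPAA: DHCP configured, no viable servers found for tunnel-group 'GoldCoinVPN'
%ASA-4-737012: IPAA: Address assignment failed"""

SECOND_LOG = """IPAA: Received message 'UTL_IP_[IKE_]ADDR_REQ'
IPAA: DHCP request attempt 1 succeeded
IPAA: DHCP configured, request succeeded for tunnel-group 'test'
IPAA: Received message 'UTL_IP_DHCP_INVALID_ADDR'"""

if __name__ == "__main__":
    for log in (FIRST_LOG, SECOND_LOG):
        print(triage(log))
```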
