
ASA 5505 DHCP Outside Interface

grussell00
Level 1

I have an ASA 5505 configured to get a DHCP'd IP address from the ISP on its outside interface. The problem I am seeing is when the ISP renews their IP address, the ASA 5505 is still holding on to the old IP address information. I have to either manually renew the IP or reload the ASA. I have the potential of rolling out hundreds of these devices and I would not like my customers to have to reboot their ASA every time the ISP's DHCP lease expires. I am using an Easy VPN autoconnecting to an ASA 5520. Static IPs are not an option on the outside interface of the ASA 5505s.

8 Replies

dbass
Level 1

Is the interface going down on the 5505 when the IP changes on the ISP side?  If it is, then a TAC case with Cisco would be in order to find out why the ASA is not acting properly as it should try to get a new IP when the interface comes up.  If not, then I would call the carrier and try to understand how their DHCP works.

Keep in mind that the ASA works differently than a router though, and the security on a FW works differently in regard to IP address, ARP/MAC addresses and the like.

Also keep in mind that you are trying to use a product that was designed for business use with an ISP product that is designed for residential use and they often don't mix.  If this is a "business class" product from the ISP, then I would definitely question why they can't give you static addresses.  The lack of which can be a nightmare when it comes down to remotely managing them.

HTH

I currently have this set up in a lab environment. I have two separate ISP connections that I can connect on the outside interface. One is Time Warner, the other is Verizon. I can connect on either connection just fine, but when I go to swap connections on the outside interface the ASA still holds the old IP information and does not automatically renew the IP on the outside interface. I do see the interface go down and then back up again but it still retains the old IP. I can perform a reload or manually renew the IP on the interface.

Yeah, I had a feeling that was probably the case. I think it is probably a function of how security on the ASA works in relation to IP address and ARP. It could be a combination with how the carrier's DHCP works and the ASA, and you can test to see if you get anything different by connecting the ASA to two of your own routers and configuring DHCP server on them (or use 2 different interfaces on the same router with different pools defined). I think the 800 series ISR router would probably be a better fit with what you're trying to do. I would look at the G2 version of the ISR as you have more security features.

I would put in a TAC case and see if there is anything special you can do on the ASA to try and force it to renew the IP on a link up/down, but I don't think there's anything.

Bug plain and simple.

Interface flap == dhcp renewal.

I hope some newer ASA sw behaves correctly.

I thought it could be an old/bad software bug so I upgraded to 8.2(2). Still same issue. I have seen similar posts on here without answers.

Sometimes Cisco justifies PIX/ASA/IPS/whatever behaving unfriendly and unreasonably as "security feature by design". That might be the case even here unfortunately.

Yeah, I don't think it is a "bug" more like a Cisco "feature" ;-)...lol.  To be honest, I'm pretty sure it works like that by design and there isn't a fix because of this.

Like I said, I think you would be best served by a small router like the 800 series ISR.  You will have the same capabilities, plus some additional routing and QoS features that you won't get with the 5505.  The firewall functionality is a little less feature rich because it's a router and not a firewall by nature, but overall I think it would work well.

abersven
Level 1

Any news on this issue? I have the same problem with 9.1(1). When the cable modem flaps, the ASA keeps the old address. If I unplug the cable modem from the ASA and reconnect, it does not renew the DHCP lease but keeps the old address.
