I have an ASA 5505 configured to get a DHCP'd IP address from the ISP on its outside interface. The problem I am seeing is when the ISP renews their IP address, the ASA 5505 is still holding on to the old IP address information. I have to either manually renew the IP or reload the ASA. I have the potential of rolling out hundreds of these devices and I would not like my customers to have to reboot their ASA every time the ISP's DHCP lease expires. I am using an easy VPN autoconnecting to an ASA 5520. Static IPs are not an option on the outside interface of the ASA 5505s.
Is the interface going down on the 5505 when the IP changes on the ISP side? If it is, then a TAC case with Cisco would be in order to find out why the ASA is not acting properly as it should try to get a new IP when the interface comes up. If not, then I would call the carrier and try to understand how their DHCP works.
Keep in mind that the ASA works differently than a router though, and the security on a FW works differently in regard to IP address, ARP/MAC addresses and the like.
Also keep in mind that you are trying to use a product that was designed for business use with an ISP product that is designed for residential use and they often don't mix. If this is a "business class" product from the ISP, then I would definitely question why they can't give you static addresses. The lack of which can be a nightmare when it comes down to remotely managing them.
I currently have this set up in a lab environment. I have two separate ISP connections that I can connect on the outside interface. One is Time Warner, the other is Verizon. I can connect on either connection just fine, but when I go to swap connections on the outside interface the ASA still holds the old IP information and does not automatically renew the IP on the outside interface. I do see the interface go down and then back up again, but it still retains the old IP. I can perform a reload or manually renew the IP on the interface.
Yeah, I had a feeling that was probably the case. I think it is probably a function of how security on the ASA works in relation to IP address and ARP. It could be a combination of how the carrier's DHCP works and the ASA, and you can test to see if you get anything different by connecting the ASA to two of your own routers and configuring a DHCP server on them (or use 2 different interfaces on the same router with different pools defined). I think the 800 series ISR router would probably be a better fit with what you're trying to do. I would look at the G2 version of the ISR as you have more security features.
I would put in a TAC case and see if there is anything special you can do on the ASA to try and force it to renew the IP on a link up/down, but I don't think there's anything.
Yeah, I don't think it is a "bug" more like a Cisco "feature" ;-)...lol. To be honest, I'm pretty sure it works like that by design and there isn't a fix because of this.
Like I said, I think you would be best served by a small router like the 800 series ISR. You will have the same capabilities, plus some additional routing and QoS features that you won't get with the 5505. The firewall functionality is a little less feature rich because it's a router and not a firewall by nature, but overall I think it would work well.
Any news on this issue? I have the same problem with 9.1(1). When the cable modem flaps, the ASA keeps the old address. If I unplug the cable modem from the ASA and reconnect it, it does not renew the DHCP lease but keeps the old address.
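Added example, not from this thread or from Cisco: a small Python model of a DHCP client's RFC 2131 lease timers (T1 renew at half the lease, T2 rebind at 7/8 of the lease, then expiry) that shows the difference between a client that restarts DISCOVER when the link comes back up and one that keeps its address through a link flap, which is the behaviour the posters above describe. The two ISPs, their DHCP server addresses, the pool addresses and the 3600-second lease are all constructed; nothing here reflects how the ASA actually implements its DHCP client.

```python
"""Model of a DHCP client lease lifecycle (RFC 2131 timers) under a link flap.

Added example, not Cisco's code or the ASA's implementation. Addresses,
server names and the lease time are constructed for the simulation.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

LEASE_TIME = 3600  # seconds; constructed lease length for the simulation


@dataclass
class Lease:
    ip: str
    server: str        # server that granted the lease (RENEW is unicast to it)
    obtained_at: int   # simulation clock, seconds
    duration: int = LEASE_TIME

    @property
    def t1(self) -> int:
        # RFC 2131 renewal timer, default 0.5 * lease: unicast RENEW to server
        return self.obtained_at + self.duration // 2

    @property
    def t2(self) -> int:
        # RFC 2131 rebinding timer, default 0.875 * lease: broadcast REBIND
        return self.obtained_at + int(self.duration * 0.875)

    @property
    def expiry(self) -> int:
        return self.obtained_at + self.duration


@dataclass
class Upstream:
    """The DHCP server currently reachable on the outside link (constructed)."""
    server: str
    pool_ip: str


@dataclass
class DhcpClient:
    renew_on_link_up: bool          # True: restart DISCOVER whenever link comes up
    lease: Optional[Lease] = None
    link: Optional[Upstream] = None
    events: List[str] = field(default_factory=list)

    def _discover(self, now: int) -> None:
        # DISCOVER is broadcast, so whichever server is on the link answers.
        self.lease = Lease(self.link.pool_ip, self.link.server, now)
        self.events.append(f"{now}: DISCOVER -> bound {self.lease.ip} from {self.lease.server}")

    def link_up(self, now: int, upstream: Upstream) -> None:
        self.link = upstream
        if self.lease is None or self.renew_on_link_up:
            self._discover(now)
        else:
            # The "sticky" behaviour from the thread: address survives the flap.
            self.events.append(f"{now}: link up, keeping {self.lease.ip}")

    def tick(self, now: int) -> None:
        if self.lease is None or self.link is None:
            return
        if now >= self.lease.expiry:
            self.events.append(f"{now}: lease expired, back to INIT")
            self._discover(now)
        elif now >= self.lease.t2:
            # REBIND is broadcast; a server that does not own the address NAKs,
            # which sends the client back to INIT (DISCOVER).
            if self.link.server == self.lease.server:
                self.lease.obtained_at = now
                self.events.append(f"{now}: REBIND acked, lease extended")
            else:
                self.events.append(f"{now}: REBIND NAKed by {self.link.server}")
                self._discover(now)
        elif now >= self.lease.t1:
            # RENEW is unicast to the granting server; if that server is no
            # longer on the link the request simply goes unanswered.
            if self.link.server == self.lease.server:
                self.lease.obtained_at = now
                self.events.append(f"{now}: RENEW acked, lease extended")
            else:
                self.events.append(f"{now}: RENEW to {self.lease.server} unanswered")

    def address(self) -> Optional[str]:
        return self.lease.ip if self.lease else None


def simulate(renew_on_link_up: bool, swap_at: int = 600, step: int = 60) -> Tuple[Dict[int, Optional[str]], List[str]]:
    """Bind to ISP A, move the cable to ISP B at `swap_at`, return address per tick."""
    isp_a = Upstream("203.0.113.1", "203.0.113.10")     # constructed
    isp_b = Upstream("198.51.100.1", "198.51.100.20")   # constructed
    client = DhcpClient(renew_on_link_up)
    client.link_up(0, isp_a)
    trace: Dict[int, Optional[str]] = {}
    for now in range(step, 2 * LEASE_TIME + 1, step):
        if now == swap_at:
            client.link = None            # link down: cable moved to ISP B
            client.link_up(now, isp_b)    # link up on the new ISP
        client.tick(now)
        trace[now] = client.address()
    return trace, client.events


if __name__ == "__main__":
    for mode in (True, False):
        trace, events = simulate(mode)
        print(f"renew_on_link_up={mode}: addr after swap={trace[600]}, at 3180s={trace[3180]}")
        for e in events[:6]:
            print("  ", e)
```

With `renew_on_link_up=False` the client carries the ISP A address across the swap, its unicast RENEWs after T1 go unanswered, and it only gets the ISP B address once the broadcast REBIND at T2 is NAKed; with a long residential lease that window is exactly the "holds the old IP until I reload" symptom, and the model gives a defender a concrete expectation for how long a stale address should persist before deciding something is wrong.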