Dhcp to VPN clients from Cisco ASA

Guru

Hi all


While migrating our Cisco ASA VPNs from MS DHCP to Infoblox, things go haywire. The ASA acts as some kind of DHCP proxy and sends its own MAC address to the Blox (but the right PC name), hence the Blox keeps lending the same IP address (based on MAC) to all VPN clients running through the ASA firewall. The weird thing is that the same setup works like a charm on Microsoft DHCP (here leases are handed out correctly) with exactly the same ASA setup. Any advice on how to get this to work? (Case is opened at our provider, who doesn't seem to have a clue on this, and I expect it to be relayed to Infoblox themselves.)

/Vejling

Re: Dhcp to VPN clients from Cisco ASA

Expert

We have the ASAs perform the DHCP function so I can't offer a direct comparison. But what you describe sounds like the regular DHCP relay function, the same as any router would perform. The ASA would enter its own address as the giaddr and the MAC should be that of the client.

Compare your ASA config and operation to what's described in great detail here.

Re: Dhcp to VPN clients from Cisco ASA

Expert

This sounds similar to problems I used to have with VitalQIP and VPN concentrators. It used to only look at the MAC address and would try to assign the same IP address each time. Finally they released a version that could handle DHCP option 61 "client-id", which fixed the problem. The VPN concentrator used its own MAC address for the chaddr field but put the client's MAC address into option 61, so once VitalQIP was able to interpret this it could offer a unique address to each client. I suspect the same thing is happening, but I must admit I thought Infoblox was already option 61 aware, so either the ASA is not populating it correctly or Infoblox is not processing it.

Are there any settings in ASA to tell it to use option 61?

Good luck!

Paul

Paul Roberts
PCN (UK) Ltd

All opinions expressed are my own and not representative of PCN Inc./PCN (UK) Ltd. E&OE

Re: Dhcp to VPN clients from Cisco ASA

Guru

I managed to solve this today. Under global DHCP settings / advanced, "ignore client UID" was enabled. I hope Infoblox will tell customers with a similar problem to look into those settings in the future.

Re: Dhcp to VPN clients from Cisco ASA

Expert

Ah, I did wonder about that setting but it's not normally enabled by default, so someone must have enabled it at some point in the past. Question is, why did they set it? Were they trying to fix another problem or were they just 'playing'? :-)

Paul Roberts
PCN (UK) Ltd

All opinions expressed are my own and not representative of PCN Inc./PCN (UK) Ltd. E&OE
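To make the mechanism in the two posts above concrete (Paul's description of a relay putting its own MAC in chaddr and the client's MAC in option 61, and the "ignore client UID" setting that turned out to be the cause), here is an added example that is not code from the thread or from Infoblox: a small DHCPv4 DISCOVER builder and parser, plus a toy lease table that can key leases either on chaddr or on option 61. The packets, MAC addresses and address pool are constructed for the demonstration. It assumes the ASA forwards requests with its own MAC in chaddr and its inside address in giaddr, which the thread describes, and that it carries the real client's MAC in option 61, which Paul describes for a VPN concentrator rather than for the ASA specifically, so that last part is an assumption. Treating "ignore client UID" as "key the lease on chaddr and disregard option 61" is likewise an assumption about the setting's semantics.

```python
# Added example (not code from the thread or from Infoblox): minimal DHCPv4
# DISCOVER builder/parser and a toy lease table, to show why keying leases on
# chaddr hands every relayed VPN client the same address while keying on
# option 61 (client identifier) tells them apart.
# Assumptions: the relay puts its own MAC in chaddr and its inside address in
# giaddr (as the thread describes) and the client's MAC in option 61 (as Paul
# describes for a VPN concentrator; what the ASA really sends is an assumption).
# All MACs, IPs and hostnames below are constructed sample data.
import struct
from typing import Dict, List, Optional

MAGIC_COOKIE = b"\x63\x82\x53\x63"
OPT_HOSTNAME, OPT_MSG_TYPE, OPT_CLIENT_ID, OPT_END = 12, 53, 61, 255
DHCPDISCOVER = 1

def ip_to_bytes(ip: str) -> bytes:
    return bytes(int(o) for o in ip.split("."))

def bytes_to_ip(raw: bytes) -> str:
    return ".".join(str(b) for b in raw)

def build_discover(xid: int, chaddr: bytes, giaddr: str, hostname: str,
                   client_id: Optional[bytes] = None) -> bytes:
    """Build a DHCPDISCOVER as it arrives at the server after one relay hop."""
    # op=BOOTREQUEST, htype=Ethernet, hlen=6, hops=1 (one relay), xid, secs, flags
    pkt = struct.pack("!BBBBIHH", 1, 1, 6, 1, xid, 0, 0x8000)
    pkt += bytes(12)                      # ciaddr, yiaddr, siaddr all zero
    pkt += ip_to_bytes(giaddr)            # relay agent address set by the relay
    pkt += chaddr.ljust(16, b"\x00")      # 16-byte client hardware address field
    pkt += bytes(64) + bytes(128)         # sname and file, unused here
    pkt += MAGIC_COOKIE
    pkt += bytes([OPT_MSG_TYPE, 1, DHCPDISCOVER])
    if client_id is not None:
        pkt += bytes([OPT_CLIENT_ID, len(client_id)]) + client_id
    name = hostname.encode()
    pkt += bytes([OPT_HOSTNAME, len(name)]) + name
    pkt += bytes([OPT_END])
    return pkt

def parse_dhcp(pkt: bytes) -> Dict:
    """Parse the fixed header and the TLV options of a DHCPv4 message."""
    if len(pkt) < 240 or pkt[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP message")
    op, htype, hlen, hops, xid, secs, flags = struct.unpack("!BBBBIHH", pkt[:12])
    options: Dict[int, bytes] = {}
    i = 240
    while i < len(pkt):
        code = pkt[i]
        if code == OPT_END:
            break
        if code == 0:                     # pad option has no length byte
            i += 1
            continue
        length = pkt[i + 1]
        options[code] = pkt[i + 2:i + 2 + length]
        i += 2 + length
    return {"hops": hops, "xid": xid, "giaddr": bytes_to_ip(pkt[24:28]),
            "chaddr": pkt[28:28 + hlen], "options": options}

def lease_key(msg: Dict, ignore_client_id: bool) -> bytes:
    """Identity the lease is bound to: option 61 when present and honoured,
    otherwise the hardware address from chaddr."""
    cid = msg["options"].get(OPT_CLIENT_ID)
    if cid is not None and not ignore_client_id:
        return b"cid:" + cid
    return b"mac:" + msg["chaddr"]

class LeaseTable:
    """Toy allocator: one address per lease key, reused on repeat requests."""
    def __init__(self, pool: List[str], ignore_client_id: bool = False):
        self.free = list(pool)
        self.ignore_client_id = ignore_client_id
        self.leases: Dict[bytes, str] = {}

    def offer(self, pkt: bytes) -> str:
        key = lease_key(parse_dhcp(pkt), self.ignore_client_id)
        if key not in self.leases:
            self.leases[key] = self.free.pop(0)
        return self.leases[key]

# Constructed data: the relay (ASA) and three VPN clients behind it.
ASA_MAC = bytes.fromhex("001122aabbcc")
ASA_INSIDE = "10.0.0.1"
CLIENT_MACS = [bytes.fromhex(h) for h in ("5c1234000001", "5c1234000002", "5c1234000003")]
POOL = ["10.0.0.10", "10.0.0.11", "10.0.0.12"]

def relayed_discovers() -> List[bytes]:
    """Requests as the thread describes them: ASA MAC in chaddr, the client's
    own MAC in option 61 (type 1 = Ethernet), and the right hostname."""
    return [build_discover(0x1000 + n, ASA_MAC, ASA_INSIDE, f"pc{n}",
                           client_id=b"\x01" + mac)
            for n, mac in enumerate(CLIENT_MACS, start=1)]

def addresses_offered(ignore_client_id: bool) -> List[str]:
    """Run the three requests through a server configured either way and
    return the address each client is offered."""
    table = LeaseTable(POOL, ignore_client_id=ignore_client_id)
    return [table.offer(p) for p in relayed_discovers()]

if __name__ == "__main__":
    for mode in (True, False):
        print("ignore client UID =", mode, "->", addresses_offered(mode))
```

With the client identifier ignored, all three requests collapse onto the key derived from the ASA's MAC and every client is offered 10.0.0.10, which is the symptom in the opening post; with option 61 honoured, each client gets its own lease. A packet capture of the relayed request, as the Community Manager suggests further down, is the way to confirm what the ASA actually places in chaddr and option 61 rather than relying on this assumed layout.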

Re: Dhcp to VPN clients from Cisco ASA

Techie

Hi, we are experiencing a similar kind of issue with ASA and Infoblox.

Infoblox keeps lending a different IP address for the same client every time it reconnects to the VPN, as the ASA is acting as a proxy and sending its own MAC address and UID to Infoblox. We have already enabled client UID under the options and that didn't help to resolve the issue.

Is there any other workaround for this, or any options you might have used to make this work? Thanks

Re: Dhcp to VPN clients from Cisco ASA

Community Manager

@soniachadha20 wrote:

Hi, we are experiencing a similar kind of issue with ASA and Infoblox.

Infoblox keeps lending a different IP address for the same client every time it reconnects to the VPN, as the ASA is acting as a proxy and sending its own MAC address and UID to Infoblox. We have already enabled client UID under the options and that didn't help to resolve the issue.

Is there any other workaround for this, or any options you might have used to make this work? Thanks


If your ASA is passing its own MAC and UID in DHCP requests that it is forwarding, the DHCP server will not have a way of identifying uniqueness amongst clients.

To try and identify a solution, it would be useful to run a traffic capture on the DHCP server while having a client request a lease. Next, open a case with Infoblox Support and provide them with this capture, a Support Bundle with current logs from the DHCP server, along with the MAC addresses and UIDs for both the ASA and the client. With this data, they can review exactly what is being passed back and forth, and they may be able to help provide you with a solution you can set from the DHCP server side, if one is possible.
