02-21-2017 08:39 AM
Hello, has anyone implemented Infoblox as a DHCP server with an ASA? We are trying to set up VPN for remote users in our environment and are using Infoblox to lease out IPs to VPN clients.
In this case, the ASA is sending neither the client's MAC address nor the client identifier to Infoblox during the DHCP lease requests, so Infoblox is unable to identify the clients uniquely. The ASA is sending its own MAC address and UID. Is there any workaround for this issue? Every time the same client connects, it gets a different IP address from Infoblox.
02-21-2017 09:49 AM
The ASAs use DHCP option 82 (relay agent information) to identify which subnet to request a lease from, as one ASA may be handing out different subnets to different clients.
I believe support for option 82 is on by default on Infoblox. It's the part of the ASA config that you have to find to put in the correct subnet so that the ASA populates option 82 with the subnet info. I don't have the ASA in front of me to dig out what Cisco calls it at the moment.
02-23-2017 08:47 AM
Thanks for your reply. We tested the same setup without option 82 with a Microsoft server as the DHCP server, and it works completely fine.
Not sure if we are missing anything from the Infoblox standpoint.
I think DHCP relay / option 82 converts the DHCP broadcast messages to unicast so that they are allowed across an L3 device, which usually drops broadcast messages.
Also, on Infoblox, I checked with support: option 82 is only used when we want clients statically configured.
02-23-2017 10:20 AM - edited 02-23-2017 10:22 AM
Sorry, I read your question too quickly and got my ASA / Infoblox problems and solutions confused.
We had a similar problem, but ours was for the clients that we actually wanted to be static via MAC or UID / option 61. I just looked at the DHCP packets from our ASA as a refresher. It is always populating its own MAC in the client MAC address field of the DISCOVERs, but it is also putting in a unique option 61 for each client. It generates the option 61 from the ASA's MAC, the host name of the connecting client, the connection profile, and some padding or a hash as well.
You probably want to look at what the ASA is sending in option 61 and what your Infoblox setting is for "Ignore DHCP Client Identifier". One of those is likely your issue: either Infoblox is ignoring it or the ASA isn't populating it correctly. That is the only unique piece of data that Infoblox can look at from the ASAs.
Our problem with option 61 is that in an ASA HA pair, option 61 changes for a client depending on which real ASA it connects to, as the ASA populates its real MAC and not the VIP MAC, so setting a static lease is not possible.
Option 82 is what allows our ASA to tell Infoblox which subnet to pull from. All the DHCP requests come from the same relay agent IP on the ASA, but because the ASA also populates option 82 with the subnet info, Infoblox sends back an offer from the correct subnet.
02-23-2017 11:23 AM
Thanks a lot for your quick response. I checked, and the "Ignore DHCP Client Identifier" option is disabled in Infoblox. So does option 61 need to be configured on both Infoblox and the ASA?
If you don't mind, would you be able to share the configs with me?
02-23-2017 11:46 AM
On the Infoblox side you want to make sure you are set to not ignore the client identifier. Here is the snippet from the admin guide. The ASA networks on Infoblox are set to accept both the MAC and the Client Identifier.
— Accept Client Identifier and MAC Address: Select this check box to instruct the DHCP server to recognize the MAC address and client UID of a DHCP client when it requests a new lease.
— Ignore Client Identifier: By default, this check box is not selected at the Grid level. Select this check box to ignore the client identifier of a DHCP client while placing a request to the DHCP server for a new lease. The DHCP server will only identify the MAC address and ignore the client identifier. DHCP clients requesting leases with different client UIDs receive the same IP address based on the MAC address. The initial default state is inherited from the Grid level. Click Override to modify the inherited setting. To inherit the Grid settings, click Inherit at the member, IPv4 network and range, or shared network level.
— Ignore MAC Address: By default, this check box is not selected at the Grid level. Select this check box to ignore the MAC address of a DHCP client while placing a request to the DHCP server for a new lease. To override the value that has been inherited from the Grid, click Override. Click the Add icon; the appliance adds a row to the table. Click the row and enter the MAC address to be ignored. You can also select a check box and click the Delete icon to delete the MAC address. To inherit the Grid settings, click Inherit at the member, IPv4 network and range, or shared network level.
I'm guessing that choosing "Ignore MAC Address" and listing the ASA's MAC might have some advantage, but that is not the way we are set, and it works even though every request from the ASA has the same client MAC (the ASA's) listed.
I'm sorry, I can't share the ASA configs. But the Client ID / option 61 is not a setting that I can find or that I remember changing on the ASA side. Option 82 was the one we fought with getting set up correctly on the ASA.
Have you done a packet capture to see if option 61 is populated in the DISCOVERs from the ASA?
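To make the chaddr / option 61 / option 82 distinction from the posts above concrete, here is an added Python example; it is not code from this thread, from Cisco, or from Infoblox. It builds constructed relay-style DISCOVERs, parses them, and picks the lease key the way the quoted Infoblox settings describe. The option 61 layout in `asa_style_client_id`, the two ASA MACs, the 10.20.30.0 subnet, and the choice of option 82 sub-option 5 (RFC 3527 link selection) as the carrier of the subnet are all assumptions made for illustration; the real ASA encoding has to come from a packet capture, as suggested above.

```python
"""Added example: parse relay-fed DHCP DISCOVERs and choose the lease identity
the way the Infoblox settings quoted above describe (client UID vs MAC)."""
import socket
import struct
from typing import Dict, Optional, Tuple

MAGIC_COOKIE = b"\x63\x82\x53\x63"
OPT_MSG_TYPE, OPT_CLIENT_ID, OPT_RELAY_AGENT = 53, 61, 82
SUBOPT_LINK_SELECTION = 5   # RFC 3527 sub-option; assumed carrier of the subnet hint


def build_discover(chaddr: bytes, client_id: Optional[bytes] = None,
                   link_selection: Optional[str] = None, xid: int = 0x1234) -> bytes:
    """Constructed DISCOVER as a relay forwards it: the relay's own MAC sits in chaddr."""
    hdr = struct.pack("!BBBBIHH", 1, 1, len(chaddr), 1, xid, 0, 0x8000)  # op,htype,hlen,hops,xid,secs,flags
    hdr += socket.inet_aton("0.0.0.0") * 4                                 # ciaddr, yiaddr, siaddr, giaddr
    hdr += chaddr.ljust(16, b"\x00") + bytes(64 + 128)                      # chaddr, sname, file
    opts = MAGIC_COOKIE + bytes([OPT_MSG_TYPE, 1, 1])                       # message type 1 = DISCOVER
    if client_id is not None:
        opts += bytes([OPT_CLIENT_ID, len(client_id)]) + client_id
    if link_selection is not None:
        sub = bytes([SUBOPT_LINK_SELECTION, 4]) + socket.inet_aton(link_selection)
        opts += bytes([OPT_RELAY_AGENT, len(sub)]) + sub
    return hdr + opts + b"\xff"


def parse_tlvs(buf: bytes) -> Dict[int, bytes]:
    """Code/length/value walk shared by the option field and option 82's sub-options."""
    out, i = {}, 0
    while i < len(buf):
        code = buf[i]
        if code == 0:            # pad
            i += 1
            continue
        if code == 255:          # end
            break
        length = buf[i + 1]
        out[code] = buf[i + 2:i + 2 + length]
        i += 2 + length
    return out


def parse_discover(pkt: bytes) -> dict:
    op, htype, hlen, hops, xid, secs, flags = struct.unpack("!BBBBIHH", pkt[:12])
    if pkt[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP packet (magic cookie missing)")
    opts = parse_tlvs(pkt[240:])
    relay = parse_tlvs(opts[OPT_RELAY_AGENT]) if OPT_RELAY_AGENT in opts else {}
    link = relay.get(SUBOPT_LINK_SELECTION)
    return {
        "xid": xid,
        "giaddr": socket.inet_ntoa(pkt[24:28]),
        "chaddr": pkt[28:28 + hlen],
        "client_id": opts.get(OPT_CLIENT_ID),
        "link_selection": socket.inet_ntoa(link) if link else None,
    }


def lease_identity(msg: dict, ignore_client_id: bool = False,
                   ignored_macs: Tuple[bytes, ...] = ()) -> Optional[Tuple[str, str]]:
    """Simplified model of the quoted settings: the UID (option 61) wins unless
    'Ignore Client Identifier' is set; 'Ignore MAC Address' blanks listed chaddrs."""
    if msg["client_id"] and not ignore_client_id:
        return ("uid", msg["client_id"].hex())
    if msg["chaddr"] in ignored_macs:
        return None                      # nothing left to key the lease on
    return ("mac", msg["chaddr"].hex())


# Constructed values; the option 61 layout is an assumption based on the description above.
ASA_A_MAC = bytes.fromhex("001122334455")
ASA_B_MAC = bytes.fromhex("00112233aabb")   # second HA member


def asa_style_client_id(asa_mac: bytes, hostname: str, profile: str) -> bytes:
    return b"\x00" + asa_mac + hostname.encode() + b"|" + profile.encode()


def identities(packets, **settings):
    return [lease_identity(parse_discover(p), **settings) for p in packets]


def scenario_two_clients_one_asa(ignore_client_id: bool = False):
    """Two remote users behind the same ASA: only option 61 tells them apart."""
    pkts = [build_discover(ASA_A_MAC, asa_style_client_id(ASA_A_MAC, h, "RA-VPN"), "10.20.30.0")
            for h in ("laptop1", "laptop2")]
    return identities(pkts, ignore_client_id=ignore_client_id)


def scenario_no_option_61():
    """What the capture described in the thread shows: no option 61, so every client keys to the ASA MAC."""
    pkts = [build_discover(ASA_A_MAC, None, "10.20.30.0") for _ in range(2)]
    return identities(pkts)


def scenario_ha_failover():
    """Same user, but option 61 is built from whichever real ASA MAC handled the session."""
    pkts = [build_discover(m, asa_style_client_id(m, "laptop1", "RA-VPN"), "10.20.30.0")
            for m in (ASA_A_MAC, ASA_B_MAC)]
    return identities(pkts)


if __name__ == "__main__":
    print("two clients, default:", scenario_two_clients_one_asa())
    print("two clients, ignore UID:", scenario_two_clients_one_asa(ignore_client_id=True))
    print("no option 61:", scenario_no_option_61())
    print("HA failover:", scenario_ha_failover())
    print("subnet from option 82:", parse_discover(build_discover(ASA_A_MAC, None, "10.20.30.0"))["link_selection"])
```

The three scenarios reproduce the three situations described in the thread: with option 61 present and honoured, two users through one ASA get distinct lease keys; with "Ignore Client Identifier" set, or with no option 61 at all, every user collapses to the ASA's MAC and the server cannot tell them apart; and in the HA case the same user gets two different UIDs depending on which member built the packet, which is why a static lease keyed on option 61 does not survive failover. Option 82 is parsed separately because it only selects the subnet, not the client.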
02-23-2017 01:16 PM
Yes, I cannot see option 61 in the capture. I also opened a case with Cisco, and they are telling me option 61 is still an enhancement feature and is not currently available.