Hello, I am trying to modify an ASA configuration such that remote SSL VPN users receive an IP address from a DHCP server running on a 3550 switch inside instead of from a local pool on the ASA. I want to do that because the 3550 switch itself is a DHCP client that pulls in DNS server addresses from an ISP. I import those DNS settings into my DHCP pools so that I can hand out that DNS information to clients. I have modified my configuration as follows

no ip local pool SSLClientPool 10.1.100.50-10.1.100.100 mask 255.255.255.0
no vpn-addr-assign aaa
no vpn-addr-assign local
vpn-addr-assign dhcp
!
tunnel-group SSLClient general-attributes
 dhcp-server 10.1.19.9
!
group-policy SSLClient attributes
 no address-pools value SSLClientPool
 dhcp-network-scope 10.1.100.0

On the switch I have the pool defined

ip dhcp pool SSL-VPN
 import all
 network 10.1.100.0 255.255.255.0

I see absolutely nothing happening. When the client connects and authenticates I just get the following in the log

%ASA-5-737018: IPAA: DHCP request attempt 1 failed
%ASA-5-737003: IPAA: DHCP configured, no viable servers found for tunnel-group 'SSLClient'

The DHCP server is reachable from the ASA via ping. I have even done a "debug ip packet" tied to an ACL on the L3 switch that looks at any traffic coming from the inside interface of the ASA. It appears the ASA never at any point sends the DHCP request at all.

Any ideas?

--
Regards,
Joe Astorino
CCIE #24347
http://astorinonetworks.com
"He not busy being born is busy dying" - Dylan
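
Added example, not part of the original post and not Cisco tooling: a small Python check that reads the commands quoted above and confirms the pieces agree with each other (DHCP assignment enabled, a dhcp-server on the tunnel-group, and a dhcp-network-scope that falls inside a pool on the switch). The function names are hypothetical, the input is the post's configuration retyped one command per line, and it assumes the group-policy and tunnel-group share the name SSLClient as they do in the post. It does not diagnose the failure; it only rules out a mismatch between the quoted settings.

```python
import ipaddress

# Constructed input: the commands quoted in the post, one per line.
ASA_CONFIG = """\
no vpn-addr-assign aaa
no vpn-addr-assign local
vpn-addr-assign dhcp
!
tunnel-group SSLClient general-attributes
 dhcp-server 10.1.19.9
!
group-policy SSLClient attributes
 dhcp-network-scope 10.1.100.0
"""
SWITCH_CONFIG = """\
ip dhcp pool SSL-VPN
 import all
 network 10.1.100.0 255.255.255.0
"""

def parse_sections(text):
    """Map each top-level command to the indented sub-commands beneath it."""
    sections, current = {}, None
    for line in text.splitlines():
        if line.strip() in ("", "!"):
            current = None
        elif line[0] == " " and current is not None:
            sections[current].append(line.split())
        else:
            current = line.strip()
            sections.setdefault(current, [])
    return sections

def check_dhcp_assignment(asa_text, switch_text, group):
    """Cross-check the settings the post configures for one group name."""
    asa, switch = parse_sections(asa_text), parse_sections(switch_text)
    subs = lambda key, word: [c[1] for c in asa.get(key, []) if c[0] == word]
    servers = subs(f"tunnel-group {group} general-attributes", "dhcp-server")
    scopes = subs(f"group-policy {group} attributes", "dhcp-network-scope")
    pools = {}  # pool name -> network, from the switch's "ip dhcp pool" blocks
    for head, cmds in switch.items():
        for c in cmds:
            if head.startswith("ip dhcp pool ") and c[0] == "network":
                pools[head.split()[3]] = ipaddress.ip_network(f"{c[1]}/{c[2]}")
    scope = ipaddress.ip_address(scopes[0]) if scopes else None
    disabled = sorted(k.split()[2] for k in asa if k.startswith("no vpn-addr-assign "))
    covering = [n for n, net in pools.items() if scope in net] if scope else []
    return {"dhcp_method_enabled": "vpn-addr-assign dhcp" in asa,
            "other_methods_disabled": disabled, "dhcp_servers": servers,
            "scope": str(scope) if scope else None, "pools_covering_scope": covering}
```
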
