Hi Piotr,

I actually had found that thread earlier : )  I'm at a loss for a few reasons

1) I have a route for the address assigned via dhcp-network-scope
pointing to my DHCP server on the 3550 switch inside
2) I have a route for the DHCP server and can ping it
3) The ASA never even sends the DHCPREQUEST packet, so it is not an
issue of there not being a return route from the switch to the giaddr
address
4) The 3550 switch acting as the DHCP server default routes to the ASA
anyways, so it should have a return route
5) I literally cannot add another interface to my ASA with an IP
address in the DHCP pool subnet.  Why?  It is a 5505 with base license
and I have used all 3 SVI interfaces already.

So, even IF the ASA actually sent the DHCPREQUEST packet (which it
doesn't) it would use a giaddr address in that packet of an IP address
that it does not and can never have.  Thus, even if my routing is
correct from the switch back to the ASA, I don't think this would ever
work.

OK, I can accept that.  What I don't understand is why the ASA just
completely fails to even send the DHCPREQUEST in the first place.

On Wed, Mar 7, 2012 at 6:54 PM, Piotr Matusiak <[email protected]> wrote:
> Hi Joe,
>
> I had a similar discussion with Kings last year about EzVPN Server on the
> router. Take a look at archived post, perhaps it will be useful:
>
> http://www.onlinestudylist.com/archives/ccie_security/2011-September/028025.html
>
> Regards,
> Piotr
>
>
> 2012/3/7 Joe Astorino <[email protected]>
>>
>> I also tried changing the dhcp-network-scope 10.1.100.0 to a host
>> address in the scope of 10.1.100.254 and adding a /32 host route on
>> the ASA to this address pointing to the switch, but that still did not
>> work.
>>
>> On Wed, Mar 7, 2012 at 3:04 PM, Joe Astorino <[email protected]>
>> wrote:
>> > Hello,
>> >
>> > I am trying to modify an ASA configuration such that remote SSL VPN
>> > users receive an IP address from a DHCP server running on a 3550
>> > switch inside instead of from a local pool on the ASA. I want to do
>> > that because the 3550 switch itself is a DHCP client that pulls in DNS
>> > server addresses from an ISP.  I import those DNS settings into my
>> > DHCP pools so that I can hand out that DNS information to clients.  I
>> > have modified my configuration as follows
>> >
>> > no ip local pool SSLClientPool 10.1.100.50-10.1.100.100 mask
>> > 255.255.255.0
>> > no vpn-addr-assign aaa
>> > no vpn-addr-assign local
>> > vpn-addr-assign dhcp
>> > !
>> > tunnel-group SSLClient general-attributes
>> >  dhcp-server 10.1.19.9
>> > !
>> > group-policy SSLClient attributes
>> >  no address-pools value SSLClientPool
>> >  dhcp-network-scope 10.1.100.0
>> >
>> >
>> > On the switch I have the pool defined
>> >
>> > ip dhcp pool SSL-VPN
>> >   import all
>> >   network 10.1.100.0 255.255.255.0
>> >
>> > I see absolutely nothing happening.  When the client connects and
>> > authenticates I just get the following in the log
>> >
>> > %ASA-5-737018: IPAA: DHCP request attempt 1 failed
>> > %ASA-5-737003: IPAA: DHCP configured, no viable servers found for
>> > tunnel-group 'SSLClient'
>> >
>> > The DHCP server is reachable from the ASA via ping.  I have even done
>> > a "debug ip packet" tied to an ACL on the L3 switch that looks at any
>> > traffic coming from the inside interface of the ASA.  It appears the
>> > ASA never at any point sends the DHCP request at all.
>> >
>> > Any ideas?
>> >
>> >
>> >
>> > --
>> > Regards,
>> >
>> > Joe Astorino
>> > CCIE #24347
>> > http://astorinonetworks.com
>> >
>> > "He not busy being born is busy dying" - Dylan
>>
>>
>>
>> --
>> Regards,
>>
>> Joe Astorino
>> CCIE #24347
>> http://astorinonetworks.com
>>
>> "He not busy being born is busy dying" - Dylan
>> _______________________________________________
>> For more information regarding industry leading CCIE Lab training, please
>> visit www.ipexpert.com
>>
>> Are you a CCNP or CCIE and looking for a job? Check out
>> www.PlatinumPlacement.com
>
>



-- 
Regards,

Joe Astorino
CCIE #24347
http://astorinonetworks.com

"He not busy being born is busy dying" - Dylan
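As an added example (not code from any of the posters), a small Python parser that groups the two IPAA syslog messages quoted in this thread, so an operator can alert when DHCP address assignment for a tunnel-group keeps failing. The sample log lines are constructed; the 111008 line is filler in the format of that real ASA message, present only to show that non-IPAA messages are skipped.

```python
import re
from collections import defaultdict

# Constructed sample syslog, modelled on the two IPAA messages quoted in the thread.
# The 111008 line is filler (real message format, made-up content) to show that
# unrelated messages are ignored by the parser.
SAMPLE_LOG = """\
%ASA-5-737018: IPAA: DHCP request attempt 1 failed
%ASA-5-737003: IPAA: DHCP configured, no viable servers found for tunnel-group 'SSLClient'
%ASA-5-111008: User 'admin' executed the 'show run' command.
%ASA-5-737018: IPAA: DHCP request attempt 1 failed
%ASA-5-737018: IPAA: DHCP request attempt 2 failed
%ASA-5-737003: IPAA: DHCP configured, no viable servers found for tunnel-group 'SSLClient'
"""

IPAA_RE = re.compile(r"%ASA-(?P<sev>\d)-(?P<msgid>\d{6}): IPAA: (?P<body>.*)")
ATTEMPT_RE = re.compile(r"DHCP request attempt (?P<n>\d+) failed")
NO_SERVER_RE = re.compile(r"no viable servers found for tunnel-group '(?P<tg>[^']+)'")


def summarize_ipaa_failures(log_text):
    """Attribute 737018 attempt failures to the 737003 message that closes them.

    The ASA emits one or more 737018 lines and then a 737003 naming the
    tunnel-group, so pending attempts are credited to the next 737003 seen.
    Returns {tunnel_group: {"sessions": n, "failed_attempts": n}}.
    """
    summary = defaultdict(lambda: {"sessions": 0, "failed_attempts": 0})
    pending_attempts = 0
    for line in log_text.splitlines():
        m = IPAA_RE.search(line)
        if not m:
            continue  # not an IP address-assignment (IPAA) message
        msgid, body = m.group("msgid"), m.group("body")
        if msgid == "737018" and ATTEMPT_RE.search(body):
            pending_attempts += 1
        elif msgid == "737003":
            tg = NO_SERVER_RE.search(body)
            if tg:
                entry = summary[tg.group("tg")]
                entry["sessions"] += 1
                entry["failed_attempts"] += pending_attempts
            pending_attempts = 0
    return dict(summary)


def tunnel_groups_over_threshold(summary, max_sessions=1):
    """Tunnel-groups whose DHCP assignment failed for more sessions than allowed."""
    return sorted(tg for tg, v in summary.items() if v["sessions"] > max_sessions)


if __name__ == "__main__":
    result = summarize_ipaa_failures(SAMPLE_LOG)
    print(result)
    print(tunnel_groups_over_threshold(result))
```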
