I remember, there is some kind of bug. If I remember correctly, changing the image version worked for me.
With regards,
Kings

On Thu, Mar 8, 2012 at 5:47 AM, Joe Astorino <[email protected]> wrote:
> Hi Piotr,
>
> I actually had found that thread earlier : ) I'm at a loss for a few reasons
>
> 1) I have a route for the address assigned via dhcp-network-scope
> pointing to my DHCP server on the 3550 switch inside
> 2) I have a route for the DHCP server and can ping it
> 3) The ASA never even sends the DHCPREQUEST packet, so it is not an
> issue of there not being a return route from the switch to the giaddr
> address
> 4) The 3550 switch acting as the DHCP server default routes to the ASA
> anyways, so it should have a return route
> 5) I literally cannot add another interface to my ASA with an IP
> address in the DHCP pool subnet. Why? It is a 5505 with base license
> and I have used all 3 SVI interfaces already.
>
> So, even IF the ASA actually sent the DHCPREQUEST packet (which it
> doesn't) it would use a giaddr address in that packet of an IP address
> that it does not and can never have. Thus, even if my routing is
> correct from the switch back to the ASA, I don't think this would ever
> work.
>
> OK, I can accept that. What I don't understand is why the ASA just
> completely fails to even send the DHCPREQUEST in the first place.
>
> On Wed, Mar 7, 2012 at 6:54 PM, Piotr Matusiak <[email protected]> wrote:
>> Hi Joe,
>>
>> I had a similar discussion with Kings last year about EzVPN Server on the
>> router. Take a look at the archived post, perhaps it will be useful:
>>
>> http://www.onlinestudylist.com/archives/ccie_security/2011-September/028025.html
>>
>> Regards,
>> Piotr
>>
>> 2012/3/7 Joe Astorino <[email protected]>
>>>
>>> I also tried changing the dhcp-network-scope 10.1.100.0 to a host
>>> address in the scope of 10.1.100.254 and adding a /32 host route on
>>> the ASA to this address pointing to the switch, but that still did not
>>> work.
>>>
>>> On Wed, Mar 7, 2012 at 3:04 PM, Joe Astorino <[email protected]> wrote:
>>> > Hello,
>>> >
>>> > I am trying to modify an ASA configuration such that remote SSL VPN
>>> > users receive an IP address from a DHCP server running on a 3550
>>> > switch inside instead of from a local pool on the ASA. I want to do
>>> > that because the 3550 switch itself is a DHCP client that pulls in DNS
>>> > server addresses from an ISP. I import those DNS settings into my
>>> > DHCP pools so that I can hand out that DNS information to clients. I
>>> > have modified my configuration as follows:
>>> >
>>> > no ip local pool SSLClientPool 10.1.100.50-10.1.100.100 mask 255.255.255.0
>>> > no vpn-addr-assign aaa
>>> > no vpn-addr-assign local
>>> > vpn-addr-assign dhcp
>>> > !
>>> > tunnel-group SSLClient general-attributes
>>> >  dhcp-server 10.1.19.9
>>> > !
>>> > group-policy SSLClient attributes
>>> >  no address-pools value SSLClientPool
>>> >  dhcp-network-scope 10.1.100.0
>>> >
>>> > On the switch I have the pool defined:
>>> >
>>> > ip dhcp pool SSL-VPN
>>> >  import all
>>> >  network 10.1.100.0 255.255.255.0
>>> >
>>> > I see absolutely nothing happening. When the client connects and
>>> > authenticates I just get the following in the log:
>>> >
>>> > %ASA-5-737018: IPAA: DHCP request attempt 1 failed
>>> > %ASA-5-737003: IPAA: DHCP configured, no viable servers found for tunnel-group 'SSLClient'
>>> >
>>> > The DHCP server is reachable from the ASA via ping. I have even done
>>> > a "debug ip packet" tied to an ACL on the L3 switch that looks at any
>>> > traffic coming from the inside interface of the ASA. It appears the
>>> > ASA never at any point sends the DHCP request at all.
>>> >
>>> > Any ideas?
>>> >
>>> > --
>>> > Regards,
>>> >
>>> > Joe Astorino
>>> > CCIE #24347
>>> > http://astorinonetworks.com
>>> >
>>> > "He not busy being born is busy dying" - Dylan
>>> _______________________________________________
>>> For more information regarding industry leading CCIE Lab training, please
>>> visit www.ipexpert.com
>>>
>>> Are you a CCNP or CCIE and looking for a job? Check out
>>> www.PlatinumPlacement.com
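Added example, not part of the thread above or of any Cisco code: a small Python model of the relayed DHCP exchange the thread is arguing about. The relay (the ASA, in the thread) forwards a DHCPDISCOVER with hops=1 and giaddr set to the dhcp-network-scope address; the server chooses a pool whose network contains giaddr and addresses its DHCPOFFER to giaddr on UDP/67, which is why the server needs a route back to that address and why Joe's points 1, 4 and 5 are about the giaddr. The packet layout follows RFC 2131; the pool selection rule (pick the pool whose network contains giaddr) is an assumption about IOS-style behaviour, and ToyDhcpServer, the MAC, the XID and the route list are constructed for the example. It does not model the case in the thread where the ASA sends nothing at all.

```python
import ipaddress
import struct

BOOTREQUEST, BOOTREPLY = 1, 2
DHCPDISCOVER, DHCPOFFER = 1, 2
MAGIC_COOKIE = b"\x63\x82\x53\x63"
HDR_FMT = "!BBBBIHH4s4s4s4s16s64s128s"   # RFC 2131 fixed header, 236 bytes


def build_discover(xid, client_mac, giaddr):
    """DHCPDISCOVER as a relay agent forwards it: hops=1, giaddr = relay address."""
    header = struct.pack(
        HDR_FMT,
        BOOTREQUEST, 1, 6, 1,              # op, htype (Ethernet), hlen, hops (one relay)
        xid, 0, 0x8000,                    # xid, secs, flags (broadcast bit set)
        b"\0" * 4, b"\0" * 4, b"\0" * 4,   # ciaddr, yiaddr, siaddr
        ipaddress.IPv4Address(giaddr).packed,   # giaddr: where the OFFER is sent
        client_mac.ljust(16, b"\0"), b"\0" * 64, b"\0" * 128,
    )
    options = MAGIC_COOKIE + bytes([53, 1, DHCPDISCOVER]) + b"\xff"
    return header + options


def _option(opts, want):
    """Walk the TLV options (after the magic cookie) and return option `want`."""
    i = 0
    while i < len(opts) and opts[i] != 255:
        if opts[i] == 0:               # pad
            i += 1
            continue
        code, length = opts[i], opts[i + 1]
        if code == want:
            return opts[i + 2] if length == 1 else opts[i + 2:i + 2 + length]
        i += 2 + length
    return None


def parse_discover(pkt):
    f = struct.unpack(HDR_FMT, pkt[:236])
    if pkt[236:240] != MAGIC_COOKIE:
        raise ValueError("missing DHCP magic cookie")
    return {"op": f[0], "hops": f[3], "xid": f[4],
            "giaddr": str(ipaddress.IPv4Address(f[10])),
            "chaddr": f[11][:f[2]], "type": _option(pkt[240:], 53)}


class ToyDhcpServer:
    """Constructed server: selects the pool by giaddr (assumed IOS-like rule)."""

    def __init__(self, pools, routes):
        self.pools = {ipaddress.ip_network(p): set() for p in pools}   # net -> leased
        self.routes = [ipaddress.ip_network(r) for r in routes]

    def select_pool(self, giaddr):
        g = ipaddress.ip_address(giaddr)
        return next((n for n in self.pools if g in n), None)

    def handle(self, pkt):
        req = parse_discover(pkt)
        if req["op"] != BOOTREQUEST or req["type"] != DHCPDISCOVER:
            return {"status": "ignored"}
        if req["giaddr"] == "0.0.0.0":
            return {"status": "no-giaddr"}      # directly attached client, not the relay case
        net = self.select_pool(req["giaddr"])
        if net is None:
            return {"status": "no-pool-for-giaddr"}
        g = ipaddress.ip_address(req["giaddr"])
        leased = self.pools[net]
        yiaddr = next((h for h in net.hosts() if h != g and h not in leased), None)
        if yiaddr is None:
            return {"status": "pool-exhausted"}
        leased.add(yiaddr)
        # The OFFER is unicast to giaddr:67; without a route to giaddr it never leaves.
        return {"status": "offer", "xid": req["xid"], "yiaddr": str(yiaddr),
                "reply_dst": req["giaddr"], "reply_port": 67,
                "route_to_giaddr": any(g in r for r in self.routes)}


def demo():
    # Constructed values mirroring the thread: scope 10.1.100.0 as giaddr,
    # server on the switch with a default route back toward the relay.
    server = ToyDhcpServer(pools=["10.1.100.0/24"], routes=["0.0.0.0/0"])
    pkt = build_discover(0x1234, bytes.fromhex("001122334455"), "10.1.100.0")
    return server.handle(pkt)


if __name__ == "__main__":
    print(demo())
```

Swapping the giaddr for an address outside every pool yields no offer at all, and removing the route to giaddr leaves an offer the server cannot deliver; those are the two failure modes the thread's checklist rules out before it gets to the real observation, that no DHCP packet is sent in the first place.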
