Maybe try using the global commands

no vpn-addr-assign local
no vpn-addr-assign aaa
vpn-addr-assign dhcp

And under

tunnel-group COMPANY-TUNNEL-GROUP general-attributes

Add:

default-group-policy COMPANY-REMOTE-ACCESS

Regards,
Luan Nguyen
Chesapeake NetCraftsmen, LLC.
www.NetCraftsmen.net

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Bruno Filipe
Sent: Wednesday, November 05, 2008 10:37 AM
To: [email protected]
Subject: [c-nsp] IPSec Remote Access VPN getting Addresses from the DHCP

Hi there,...

Can you guys help me understand why the DHCP is not providing addressing information to the VPN clients... If I use a local pool, I can connect and get addressing info.

Here's my config:

asa# wr t
: Saved
:
ASA Version 7.0(7)
!
hostname asa
domain-name domain.co.ao
enable password shhhhhhhhhhhhhhhhhhh encrypted
names
dns-guard
!
interface Ethernet0/0
 description 100BASETX to LAN Switch
 nameif inside
 security-level 100
 ip address 192.168.91.254 255.255.255.0
!
interface Ethernet0/1
 description 100BASETX link to Alvarion BMAX-CPE-ODU (INTERNET)
 nameif outside
 security-level 0
 ip address xxx.xxx.xx.xxx 255.255.255.252
!
interface Ethernet0/2
 description FOR FUTURE USE
 nameif dmz
 security-level 5
 ip address xxx.xxx.xx.xxx 255.255.255.0
!
interface Management0/0
 nameif management
 security-level 100
 ip address 192.168.1.1 255.255.255.0
 management-only
!
passwd shhhhhhhhhhhhhhhh encrypted
ftp mode passive
access-list outside_access_in extended permit tcp any host xxx.xxx.xx.xxx eq smtp
access-list outside_access_in extended permit tcp any host xxx.xxx.xx.xxx eq pop3
access-list outside_access_in extended permit tcp any host xxx.xxx.xx.xxx eq https
access-list outside_access_in extended permit tcp any host xxx.xxx.xx.xxx eq 3389
pager lines 24
logging timestamp
logging buffer-size 16384
logging buffered critical
logging trap debugging
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu dmz 1500
mtu management 1500
ip local pool COMPANY-LOCAL-POOL 192.168.91.230-192.168.91.240
asdm image disk0:/asdm-507.bin
no asdm history enable
arp timeout 14400
global (outside) 10 interface
nat (inside) 10 0.0.0.0 0.0.0.0
static (inside,outside) tcp interface smtp 192.168.91.112 smtp netmask 255.255.255.255
static (inside,outside) tcp interface pop3 192.168.91.112 pop3 netmask 255.255.255.255
static (inside,outside) tcp interface https 192.168.91.112 https netmask 255.255.255.255
static (inside,outside) tcp interface 3389 192.168.91.112 3389 netmask 255.255.255.255
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 196.216.54.229 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
group-policy DfltGrpPolicy attributes
 banner none
 wins-server none
 dns-server none
 dhcp-network-scope none
 vpn-access-hours none
 vpn-simultaneous-logins 3
 vpn-idle-timeout 30
 vpn-session-timeout none
 vpn-filter none
 vpn-tunnel-protocol IPSec webvpn
 password-storage disable
 ip-comp enable
 re-xauth disable
 group-lock none
 pfs disable
 ipsec-udp disable
 ipsec-udp-port 10000
 split-tunnel-policy tunnelall
 split-tunnel-network-list none
 default-domain none
 split-dns none
 secure-unit-authentication disable
 user-authentication disable
 user-authentication-idle-timeout 30
 ip-phone-bypass disable
 leap-bypass disable
 nem disable
 backup-servers keep-client-config
 client-firewall none
 client-access-rule none
 webvpn
  functions url-entry
  port-forward-name value Application Access
group-policy COMPANY-REMOTE-ACCESS internal
group-policy COMPANY-REMOTE-ACCESS attributes
 dhcp-network-scope 192.168.91.150
 webvpn
username some.name password EB4ztYh0SYsdhnHI encrypted
aaa authentication ssh console LOCAL
aaa authentication enable console LOCAL
http server enable
http 192.168.91.0 255.255.255.0 inside
http 192.168.1.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set COMPANY-TRANSFORM-SET esp-3des esp-md5-hmac
crypto dynamic-map COMPANY-DYNAMIC-MAP 10 set transform-set GENIUS-TRANSFORM-SET
crypto map COMPANY-CRYPTO-MAP 65535 ipsec-isakmp dynamic GENIUS-DYNAMIC-MAP
crypto map COMPANY-CRYPTO-MAP interface outside
isakmp enable outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption aes-256
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
tunnel-group COMPANY-TUNNEL-GROUP type ipsec-ra
tunnel-group COMPANY-TUNNEL-GROUP general-attributes
 dhcp-server 192.168.91.254
tunnel-group COMPANY-TUNNEL-GROUP ipsec-attributes
 pre-shared-key *
telnet timeout 5
ssh xxx.xxx.xx.x 255.255.255.0 outside
ssh timeout 30
ssh version 2
console timeout 0
dhcpd address 192.168.91.150-192.168.91.240 inside
dhcpd dns xxx.xxx.xx.xx xxx.xxx.xx.xx
dhcpd lease 3600
dhcpd ping_timeout 50
dhcpd domain genius.co.ao
dhcpd enable inside
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map global_policy
 class inspection_default
  inspect dns maximum-length 512
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
!
service-policy global_policy global
Cryptochecksum:d60a247e16f4bf6dd36da42b71aa1440
: end
[OK]
asa#

DEBUG OUTPUT

:: OUTPUT OMITTED ::

asa# debug crypto isakmp 127
asa# terminal monitor
Nov 05 07:59:15 [IKEv1]: Group = COMPANY-TUNNEL-GROUP, Username = some.user, IP = xxx.xxx.xx.xx, Received unknown transaction mode attribute: 28684
Nov 05 07:59:15 [IKEv1 DEBUG]: Group = COMPANY-TUNNEL-GROUP, Username = some.user, IP = xxx.xxx.xx.xx, MODE_CFG: Received request for Application Version!
Nov 05 07:59:15 [IKEv1]: Group = COMPANY-TUNNEL-GROUP, Username = some.user, IP = xxx.xxx.xx.xx, Client Type: WinNT Client Application Version: 5.0.04.0300
Nov 05 07:59:15 [IKEv1 DEBUG]: Group = COMPANY-TUNNEL-GROUP, Username = some.user, IP = xxx.xxx.xx.xx, MODE_CFG: Received request for FWTYPE!
Nov 05 07:59:15 [IKEv1 DEBUG]: Group = COMPANY-TUNNEL-GROUP, Username = some.user, IP = xxx.xxx.xx.xx, MODE_CFG: Received request for DHCP hostname for DDNS is: ispdomain!
Nov 05 07:59:15 [IKEv1 DEBUG]: Group = COMPANY-TUNNEL-GROUP, Username = some.user, IP = xxx.xxx.xx.xx, MODE_CFG: Received request for UDP Port!
Nov 05 07:59:15 [IKEv1 DEBUG]: Group = COMPANY-TUNNEL-GROUP, Username = some.user, IP = xxx.xxx.xx.xx, MODE_CFG: Received request for Local LAN Include!
Nov 05 07:59:15 [IKEv1 DEBUG]: Group = COMPANY-TUNNEL-GROUP, Username = some.user, IP = xxx.xxx.xx.xx, IKE received response of type [VALID (but no address supplied)] to a request from the IP address utility
Nov 05 07:59:15 [IKEv1]: Group = COMPANY-TUNNEL-GROUP, Username = some.user, IP = xxx.xxx.xx.xx, Cannot obtain an IP address for remote peer
Nov 05 07:59:15 [IKEv1 DEBUG]: Group = COMPANY-TUNNEL-GROUP, Username = some.user, IP = xxx.xxx.xx.xx, IKE TM V6 FSM error history (struct &0x39c1900) <state>, <event>: TM_DONE, EV_ERROR-->TM_BLD_REPLY, EV_IP_FAIL-->TM_BLD_REPLY, NullEvent-->TM_BLD_REPLY, EV_GET_IP-->TM_BLD_REPLY, EV_NEED_IP-->TM_WAIT_REQ, EV_PROC_MSG-->TM_WAIT_REQ, EV_HASH_OK-->TM_WAIT_REQ, NullEvent
Nov 05 07:59:15 [IKEv1 DEBUG]: Group = GENIUS-TUNNEL-GROUP, Username = some.usera, IP = xxx.xxx.xx.xx, IKE AM Responder FSM error history (struct &0x3ac4060) <state>, <event>: AM_DONE, EV_ERROR-->AM_TM_INIT_MODECFG_V6H, EV_TM_FAIL-->AM_TM_INIT_MODECFG_V6H, NullEvent-->AM_TM_INIT_MODECFG, EV_WAIT-->AM_TM_INIT_XAUTH_V6H, EV_CHECK_QM_MSG-->AM_TM_INIT_XAUTH_V6H, EV_TM_XAUTH_OK-->AM_TM_INIT_XAUTH_V6H, NullEvent-->AM_TM_INIT_XAUTH_V6H, EV_ACTIVATE_NEW_SA
Nov 05 07:59:15 [IKEv1 DEBUG]: Group = COMPANY-TUNNEL-GROUP, Username = some.user, IP = xxx.xxx.xx.xx, IKE SA AM:835707d8 terminating: flags 0x0945c001, refcnt 0, tuncnt 0

:: :: OUTPUT OMITTED :: ::

Nov 05 07:59:15 [IKEv1 DEBUG]: Group = COMPANY-TUNNEL-GROUP, Username = some.user, IP = xxx.xxx.xx.xx, sending delete/delete with reason message
Nov 05 07:59:15 [IKEv1 DEBUG]: Group = COMPANY-TUNNEL-GROUP, Username = some.user, IP = xxx.xxx.xx.xx, constructing blank hash payload
Nov 05 07:59:15 [IKEv1 DEBUG]: Group = COMPANY-TUNNEL-GROUP, Username = some.user, IP = xxx.xxx.xx.xx, constructing IKE delete payload
Nov 05 07:59:15 [IKEv1 DEBUG]: Group = COMPANY-TUNNEL-GROUP, Username = some.user, IP = xxx.xxx.xx.xx, constructing qm hash payload
Nov 05 07:59:15 [IKEv1]: IP = xxx.xxx.xx.xx, IKE_DECODE SENDING Message (msgid=52532842) with payloads : HDR + HASH (8) + DELETE (12) + NONE (0) total length : 80
Nov 05 07:59:15 [IKEv1]: Group = COMPANY-TUNNEL-GROUP, Username = some.user, IP = xxx.xxx.xx.xx, Removing peer from peer table failed, no match!
Nov 05 07:59:15 [IKEv1]: Group = COMPANY-TUNNEL-GROUP, Username = some.user, IP = xxx.xxx.xx.xx, Error: Unable to remove PeerTblEntry

_______________________________________________
cisco-nsp mailing list [email protected]
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/
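The two fixes suggested in the reply above (make the tunnel-group point at the group-policy that carries `dhcp-network-scope`, and make sure `vpn-addr-assign dhcp` is in effect) can be checked mechanically before a change window. The following is an added example written for this thread, not Cisco tooling and not code from either poster: it parses a cut-down, constructed copy of the posted running-config, reports the missing `default-group-policy`, flags the transform-set and dynamic-map references in the posted config that point at names which are never defined (GENIUS-* versus COMPANY-*, which may simply be an artifact of anonymising the post), and pulls the two address-assignment failure lines out of the `debug crypto isakmp` output. The sample config and debug lines are constructed from the thread; the audit rules and severities are this example's own.

```python
"""Audit an ASA 7.x running-config for the remote-access DHCP address-assignment
problems discussed in the thread, and pull the matching IKEv1 failure lines
out of 'debug crypto isakmp' output. Example code for this thread only."""
import re

# Constructed sample: the relevant lines of the posted config, names unchanged.
SAMPLE_CONFIG = """\
ip local pool COMPANY-LOCAL-POOL 192.168.91.230-192.168.91.240
group-policy COMPANY-REMOTE-ACCESS internal
group-policy COMPANY-REMOTE-ACCESS attributes
 dhcp-network-scope 192.168.91.150
crypto ipsec transform-set COMPANY-TRANSFORM-SET esp-3des esp-md5-hmac
crypto dynamic-map COMPANY-DYNAMIC-MAP 10 set transform-set GENIUS-TRANSFORM-SET
crypto map COMPANY-CRYPTO-MAP 65535 ipsec-isakmp dynamic GENIUS-DYNAMIC-MAP
crypto map COMPANY-CRYPTO-MAP interface outside
tunnel-group COMPANY-TUNNEL-GROUP type ipsec-ra
tunnel-group COMPANY-TUNNEL-GROUP general-attributes
 dhcp-server 192.168.91.254
tunnel-group COMPANY-TUNNEL-GROUP ipsec-attributes
 pre-shared-key *
"""

# The same config with the reply's two suggestions applied (constructed).
FIXED_CONFIG = SAMPLE_CONFIG.replace(
    " dhcp-server 192.168.91.254\n",
    " dhcp-server 192.168.91.254\n default-group-policy COMPANY-REMOTE-ACCESS\n",
) + "no vpn-addr-assign local\nno vpn-addr-assign aaa\nvpn-addr-assign dhcp\n"

# Constructed sample of the posted debug output (three of the lines).
SAMPLE_DEBUG = """\
Nov 05 07:59:15 [IKEv1 DEBUG]: Group = COMPANY-TUNNEL-GROUP, Username = some.user, IP = xxx.xxx.xx.xx, IKE received response of type [VALID (but no address supplied)] to a request from the IP address utility
Nov 05 07:59:15 [IKEv1]: Group = COMPANY-TUNNEL-GROUP, Username = some.user, IP = xxx.xxx.xx.xx, Cannot obtain an IP address for remote peer
Nov 05 07:59:15 [IKEv1 DEBUG]: Group = COMPANY-TUNNEL-GROUP, Username = some.user, IP = xxx.xxx.xx.xx, constructing IKE delete payload
"""


def parse_blocks(config):
    """Group indented sub-commands under their parent command.
    Returns a list of (parent_line, [child_lines]); '!' separators are dropped."""
    blocks = []
    for raw in config.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        if raw[0] in " \t" and blocks:
            blocks[-1][1].append(raw.strip())
        else:
            blocks.append((raw.strip(), []))
    return blocks


def audit_ra_vpn_config(config):
    """Return a list of (severity, message) findings for the config text."""
    blocks = parse_blocks(config)
    tops = [parent for parent, _ in blocks]
    findings = []

    # Check 1 (reply's first suggestion): DHCP assignment must not be disabled.
    if "no vpn-addr-assign dhcp" in tops:
        findings.append(("error", "vpn-addr-assign dhcp is explicitly disabled"))
    elif "vpn-addr-assign dhcp" not in tops:
        findings.append(("info", "vpn-addr-assign dhcp is not explicitly configured"))

    # Check 2 (reply's second suggestion): a tunnel-group that names a
    # dhcp-server should also name the group-policy carrying dhcp-network-scope;
    # without default-group-policy the ASA applies DfltGrpPolicy instead.
    policies_with_scope = set()
    for parent, children in blocks:
        m = re.match(r"group-policy (\S+) attributes", parent)
        if m and any(c.startswith("dhcp-network-scope") and not c.endswith(" none")
                     for c in children):
            policies_with_scope.add(m.group(1))
    for parent, children in blocks:
        m = re.match(r"tunnel-group (\S+) general-attributes", parent)
        if not m:
            continue
        tg = m.group(1)
        has_dhcp_server = any(c.startswith("dhcp-server") for c in children)
        default_gp = next((c.split()[1] for c in children
                           if c.startswith("default-group-policy")), None)
        if has_dhcp_server and default_gp is None:
            findings.append(("error", f"tunnel-group {tg} has dhcp-server but no "
                             "default-group-policy; DfltGrpPolicy applies"))
        elif has_dhcp_server and default_gp not in policies_with_scope:
            findings.append(("warn", f"tunnel-group {tg} default-group-policy "
                             f"{default_gp} does not set dhcp-network-scope"))

    # Check 3: references to transform-sets / dynamic-maps that are never defined.
    defined_ts = {p.split()[3] for p in tops if p.startswith("crypto ipsec transform-set")}
    defined_dm = {p.split()[2] for p in tops if p.startswith("crypto dynamic-map")}
    for p in tops:
        m = re.match(r"crypto dynamic-map \S+ \d+ set transform-set (\S+)", p)
        if m and m.group(1) not in defined_ts:
            findings.append(("error", f"dynamic-map references undefined transform-set {m.group(1)}"))
        m = re.match(r"crypto map \S+ \d+ ipsec-isakmp dynamic (\S+)", p)
        if m and m.group(1) not in defined_dm:
            findings.append(("error", f"crypto map references undefined dynamic-map {m.group(1)}"))
    return findings


# Matches the two IKEv1 lines in the posted debug that mark the address failure.
ADDR_FAIL = re.compile(
    r"^(?P<ts>\w{3} \d{2} \d{2}:\d{2}:\d{2}) \[IKEv1[^\]]*\]: Group = (?P<group>\S+), "
    r"Username = (?P<user>\S+), IP = (?P<ip>\S+), "
    r"(?P<msg>Cannot obtain an IP address for remote peer"
    r"|IKE received response of type \[VALID \(but no address supplied\)\].*)$")


def find_addr_failures(debug_text):
    """Return (timestamp, group, user, message) for each address-failure line."""
    return [(m["ts"], m["group"], m["user"], m["msg"])
            for m in map(ADDR_FAIL.match, debug_text.splitlines()) if m]


if __name__ == "__main__":
    for sev, msg in audit_ra_vpn_config(SAMPLE_CONFIG):
        print(f"posted config: [{sev}] {msg}")
    for sev, msg in audit_ra_vpn_config(FIXED_CONFIG):
        print(f"fixed config:  [{sev}] {msg}")
    for ts, group, user, msg in find_addr_failures(SAMPLE_DEBUG):
        print(f"{ts} {group}/{user}: {msg}")
```

Run against the posted config the audit reports the missing `default-group-policy` and the two dangling crypto references; run against the corrected config only the dangling references remain, which is a useful way to confirm that a change actually addresses the finding rather than just altering the file. The debug matcher is deliberately narrow so it can be dropped into a syslog search for the same two messages.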
