[c-nsp] Cisco 3005 VPN Concentrator and DHCP

Craig Gauss GAUCRA at rhahealthcare.org
Fri Feb 25 12:21:41 EST 2005


Not sure if this is the correct list to send to, but I am stuck on
a problem with our concentrator.

I inherited the VPN when our Network Technician left for another job.  We
are currently running out of addresses, so I am trying to configure our
Cisco 3005 to hand out DHCP addresses from a MS Windows 2003 Server to
clients of a certain group but am having no luck.

Address of the Concentrator is 192.168.100.231/24
Address of our Windows 2003 DHCP box is 192.168.100.240/24

The concentrator and Windows 2003 box are hooked directly to our core.

I am trying to get the Concentrator to hand out addresses from the
192.168.190.0/24 scope on our Windows 2k3 box.

We have VLANs implemented, and the W2k3 box is handing out addresses to
them with no problems.

VLAN 100 contains the concentrator and our Windows servers:
interface Vlan100
 description Servers and Network Equipment
 ip address 192.168.100.230 255.255.255.0
 ip helper-address 192.168.100.240
 ip pim sparse-dense-mode

I set up VLAN 190 for the VPN Clients, not sure if it is necessary or
not:
interface Vlan190
 description VPN Users
 ip address 192.168.190.230 255.255.255.0
 ip helper-address 192.168.100.240

I have set up the following on the VPN Concentrator:

Configuration - System - Servers - DHCP
  ip: 192.168.100.240 
  port: 67

Configuration - System - IP Routing - Static Routes
  192.168.190.0/255.255.255.0 -> 192.168.100.230

Configuration - System - IP Routing - DHCP Parameters
  Enabled
  Lease timeout: 120
  Listen Port: 67
  Timeout Period: 10

Configuration - Policy Management - Traffic Management - Network List
  Name: Test 
  Network List: 192.168.0.0/0.0.255.255

Configuration - Policy Management - Traffic Management - Assign Rules to
Filters
  Filter Name: TestDHCP
  DHCP In
  DHCP Out
  Testing In (Includes Test Network List Incoming) 
  Testing Out (Includes Test Network List Outgoing)

Configuration - User Management - Groups
  Name: testgroup
  Filter: TestDHCP
  DHCP Network Scope: 192.168.190.0

Configuration - User Management - Users
  Name: testuser
  Group: testgroup
  Filter: TestDHCP

Concentrator software revision: vpn3005-4.1.7.C-k9.bin

When I try logging on with the test user I get the following in the
Event Log:

41070 02/25/2005 11:18:34.630 SEV=5 IKEDBG/64 RPT=839  
IKE Peer included IKE fragmentation capability flags:
Main Mode:        True
Aggressive Mode:  False
 
41072 02/25/2005 11:18:35.830 SEV=4 IKE/52 RPT=684 
Group [testgroup] User [testuser]
User (testuser) authenticated.
 
41073 02/25/2005 11:18:36.280 SEV=5 IKE/184 RPT=682 
Group [testgroup] User [testuser]
Client Type: WinNT
Client Application Version: 4.6.01.0019
 
41075 02/25/2005 11:18:36.280 SEV=9 DHCPDBG/1 RPT=284 
DHCP task: API REQUEST event, msg 0xfde300
 
41076 02/25/2005 11:18:36.280 SEV=9 DHCPDBG/38 RPT=792 
DHCP obtained first server 192.168.100.240 port 67 (xid 1408317617)
 
41077 02/25/2005 11:18:36.280 SEV=8 DHCPDBG/46 RPT=796 
DHCP sending DISCOVER to server 192.168.100.240 port 67 (xid 1408317617)
 
41078 02/25/2005 11:18:39.220 SEV=9 DHCPDBG/16 RPT=392 
DHCP task: Periodic timer expired (ticks 499)
 
41079 02/25/2005 11:18:39.220 SEV=9 DHCPDBG/29 RPT=392 
DHCP poll timeouts routine entered
 
41080 02/25/2005 11:18:39.220 SEV=9 DHCPDBG/30 RPT=392 
DHCP poll stats: callbacks 0, active CBs 0, total CBs 1
 
41081 02/25/2005 11:18:46.280 SEV=9 DHCPDBG/15 RPT=817 
DHCP task: Timeout type 5, msg 0xfde300
 
41082 02/25/2005 11:18:46.280 SEV=3 DHCPDBG/39 RPT=374 
DHCP discover timeout: no response from polled servers (xid 1408317617)
 
41083 02/25/2005 11:18:46.280 SEV=9 DHCPDBG/28 RPT=4359 
DHCP restart servers routine entered
 
41084 02/25/2005 11:18:46.280 SEV=9 DHCPDBG/28 RPT=4360 
DHCP restart servers routine entered
 
41085 02/25/2005 11:18:46.280 SEV=5 IKE/132 RPT=43 
Group [testgroup] User [testuser]
Cannot obtain an IP address for remote peer - FAILED
 
41087 02/25/2005 11:18:46.280 SEV=5 IKE/194 RPT=584 
Group [testgroup] User [testuser]
Sending IKE Delete With Reason message: No Reason Provided.
 
41089 02/25/2005 11:18:46.290 SEV=8 DHCPDBG/42 RPT=282 
DHCP failure response sent to caller (data 0xfb0394, xid 1408317617)
 
41090 02/25/2005 11:18:46.290 SEV=9 DHCPDBG/15 RPT=818 
DHCP task: Timeout type 0, msg 0xfde300
 
41091 02/25/2005 11:18:46.290 SEV=6 DHCP/30 RPT=28 
Unexpected FSM event 18/state 0 for DHCP:7617: lease --.--.--.--, xid
1408317617
 
41092 02/25/2005 11:18:46.290 SEV=9 DHCPDBG/6 RPT=284 
DHCP task: DONE event, msg 0xfde300

On the client side I get: Secure VPN Connection terminated by Peer.
Reason 427:: Unknown Error Occurred at Peer.

Anyone have any ideas on this one?
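As an added example (not part of the original post or Cisco's software), a small Python parser for the 3005 event-log format quoted above: it splits the log into records, pairs each "sending DISCOVER" event with its "discover timeout" by xid, and checks whether the server stayed silent for the whole configured Timeout Period (10 s in this setup). The sample log is constructed from the excerpt in the post, and the function names are my own.

```python
import re
from datetime import datetime

# Constructed sample in the shape of the concentrator's event-log excerpt in the post.
SAMPLE_LOG = """\
41077 02/25/2005 11:18:36.280 SEV=8 DHCPDBG/46 RPT=796
DHCP sending DISCOVER to server 192.168.100.240 port 67 (xid 1408317617)

41082 02/25/2005 11:18:46.280 SEV=3 DHCPDBG/39 RPT=374
DHCP discover timeout: no response from polled servers (xid 1408317617)

41085 02/25/2005 11:18:46.280 SEV=5 IKE/132 RPT=43
Group [testgroup] User [testuser]
Cannot obtain an IP address for remote peer - FAILED
"""

# Header line: sequence number, timestamp, severity, class/number, repeat count.
HEADER = re.compile(r"^(\d+) (\d\d/\d\d/\d{4} \d\d:\d\d:\d\d\.\d{3}) SEV=(\d+) (\S+) RPT=(\d+)$")

def parse_events(text):
    """Split the log into records: one header line followed by body lines until a blank line."""
    events = []
    for block in re.split(r"\n\s*\n", text.strip()):
        lines = [l.strip() for l in block.strip().splitlines()]
        m = HEADER.match(lines[0])
        if not m:
            continue  # skip anything that is not a well-formed event header
        events.append({
            "seq": int(m.group(1)),
            "ts": datetime.strptime(m.group(2), "%m/%d/%Y %H:%M:%S.%f"),
            "sev": int(m.group(3)),
            "cls": m.group(4),
            "body": " ".join(lines[1:]),
        })
    return events

def dhcp_relay_failures(text, configured_timeout=10):
    """Pair each DISCOVER with its timeout by xid and report how long the server stayed silent."""
    discovers, findings = {}, []
    for ev in parse_events(text):
        m = re.search(r"sending DISCOVER to server (\S+) port (\d+) \(xid (\d+)\)", ev["body"])
        if m:
            discovers[m.group(3)] = (ev["ts"], m.group(1), int(m.group(2)))
            continue
        m = re.search(r"discover timeout: no response from polled servers \(xid (\d+)\)", ev["body"])
        if m and m.group(1) in discovers:
            sent, server, port = discovers[m.group(1)]
            elapsed = (ev["ts"] - sent).total_seconds()
            # elapsed equal to the Timeout Period means no reply at all (no OFFER and no NAK)
            findings.append({"xid": m.group(1), "server": server, "port": port, "elapsed_s": elapsed,
                             "silent_for_full_timeout": abs(elapsed - configured_timeout) < 1.0})
    return findings
```

A timeout that lands exactly on the configured Timeout Period, as in the excerpt, points at the DISCOVER or its reply never reaching the other side (filtering or routing), not at the DHCP server refusing the request.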