[c-nsp] Cisco 3005 VPN Concentrator and DHCP

Josh Duffek consultantjd16 at ridemetro.org
Fri Feb 25 13:02:51 EST 2005


Do you have any debugging ability on the DHCP server itself?  If you are
positive everything is set up right on it, I would look at the sniffer
traces to see what's up.  But it looks like the cisco stuff is doing
what it is supposed to...not 100% sure though.

Thanks,

josh duffek    network engineer
consultantjd16 at ridemetro.org

> -----Original Message-----
> From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-
> bounces at puck.nether.net] On Behalf Of Craig Gauss
> Sent: Friday, February 25, 2005 11:22 AM
> To: cisco-nsp at puck.nether.net
> Subject: [c-nsp] Cisco 3005 VPN Concentrator and DHCP
> 
> Not sure if this would be the correct list to send to but I am stuck on
> a problem with our concentrator.
> 
> I inherited the VPN when our Network Technician left for another job. We
> are currently running out of addresses so I am trying to configure our
> Cisco 3005 to hand out DHCP addresses from a MS Windows 2003 Server to
> clients of a certain group but am having no luck.
> 
> Address of the Concentrator is 192.168.100.231/24
> Address of our Windows 2003 DHCP box is 192.168.100.240/24
> 
> The concentrator and Windows 2003 box are hooked directly to our core.
> 
> I am trying to get the Concentrator to hand out Addresses from the
> 192.168.190.0/24 scope on our Windows 2k3 box.
> 
> We have VLANs implemented and the W2k3 box is handing out addresses with
> no problems to them.
> 
> VLAN 100 contains the concentrator and our Windows servers:
> interface Vlan100
>  description Servers and Network Equipment
>  ip address 192.168.100.230 255.255.255.0
>  ip helper-address 192.168.100.240
>  ip pim sparse-dense-mode
> 
> I set up VLAN 190 for the VPN Clients, not sure if it is necessary or
> not:
> interface Vlan190
>  description VPN Users
>  ip address 192.168.190.230 255.255.255.0
>  ip helper-address 192.168.100.240
> 
> I have set up the following on the VPN Concentrator:
> 
> Configuration - System - Servers - DHCP
>   ip: 192.168.100.240
>   port: 67
> 
> Configuration - System - IP Routing - Static Routes
>   192.168.190.0/255.255.255.0 -> 192.168.100.230
> 
> Configuration - System - IP Routing - DHCP Parameters
>   Enabled
>   Lease timeout: 120
>   Listen Port: 67
>   Timeout Period: 10
> 
> Configuration - Policy Management - Traffic Management - Network List
>   Name: Test
>   Network List: 192.168.0.0/0.0.255.255
> 
> Configuration - Policy Management - Traffic Management - Assign Rules to
> Filters
>   Filter Name: TestDHCP
>   DHCP In
>   DHCP Out
>   Testing In (Includes Test Network List Incoming)
>   Testing Out (Includes Test Network List Outgoing)
> 
> Configuration - User Management - Groups
>   Name: testgroup
>   Filter: TestDHCP
>   DHCP Network Scope: 192.168.190.0
> 
> Configuration - User Management - Users
>   Name: testuser
>   Group: testgroup
>   Filter: TestDHCP
> 
> Concentrator software revision: vpn3005-4.1.7.C-k9.bin
> 
> 
> 
> 
> When I try logging on with the test user I get the following in the
> Event Log:
> 
> 41070 02/25/2005 11:18:34.630 SEV=5 IKEDBG/64 RPT=839
> IKE Peer included IKE fragmentation capability flags:
> Main Mode:        True
> Aggressive Mode:  False
> 
> 41072 02/25/2005 11:18:35.830 SEV=4 IKE/52 RPT=684
> Group [testgroup] User [testuser]
> User (testuser) authenticated.
> 
> 41073 02/25/2005 11:18:36.280 SEV=5 IKE/184 RPT=682
> Group [testgroup] User [testuser]
> Client Type: WinNT
> Client Application Version: 4.6.01.0019
> 
> 41075 02/25/2005 11:18:36.280 SEV=9 DHCPDBG/1 RPT=284
> DHCP task: API REQUEST event, msg 0xfde300
> 
> 41076 02/25/2005 11:18:36.280 SEV=9 DHCPDBG/38 RPT=792
> DHCP obtained first server 192.168.100.240 port 67 (xid 1408317617)
> 
> 41077 02/25/2005 11:18:36.280 SEV=8 DHCPDBG/46 RPT=796
> DHCP sending DISCOVER to server 192.168.100.240 port 67 (xid 1408317617)
> 
> 41078 02/25/2005 11:18:39.220 SEV=9 DHCPDBG/16 RPT=392
> DHCP task: Periodic timer expired (ticks 499)
> 
> 41079 02/25/2005 11:18:39.220 SEV=9 DHCPDBG/29 RPT=392
> DHCP poll timeouts routine entered
> 
> 41080 02/25/2005 11:18:39.220 SEV=9 DHCPDBG/30 RPT=392
> DHCP poll stats: callbacks 0, active CBs 0, total CBs 1
> 
> 41081 02/25/2005 11:18:46.280 SEV=9 DHCPDBG/15 RPT=817
> DHCP task: Timeout type 5, msg 0xfde300
> 
> 41082 02/25/2005 11:18:46.280 SEV=3 DHCPDBG/39 RPT=374
> DHCP discover timeout: no response from polled servers (xid 1408317617)
> 
> 41083 02/25/2005 11:18:46.280 SEV=9 DHCPDBG/28 RPT=4359
> DHCP restart servers routine entered
> 
> 41084 02/25/2005 11:18:46.280 SEV=9 DHCPDBG/28 RPT=4360
> DHCP restart servers routine entered
> 
> 41085 02/25/2005 11:18:46.280 SEV=5 IKE/132 RPT=43
> Group [testgroup] User [testuser]
> Cannot obtain an IP address for remote peer - FAILED
> 
> 41087 02/25/2005 11:18:46.280 SEV=5 IKE/194 RPT=584
> Group [testgroup] User [testuser]
> Sending IKE Delete With Reason message: No Reason Provided.
> 
> 41089 02/25/2005 11:18:46.290 SEV=8 DHCPDBG/42 RPT=282
> DHCP failure response sent to caller (data 0xfb0394, xid 1408317617)
> 
> 41090 02/25/2005 11:18:46.290 SEV=9 DHCPDBG/15 RPT=818
> DHCP task: Timeout type 0, msg 0xfde300
> 
> 41091 02/25/2005 11:18:46.290 SEV=6 DHCP/30 RPT=28
> Unexpected FSM event 18/state 0 for DHCP:7617: lease --.--.--.--, xid
> 1408317617
> 
> 41092 02/25/2005 11:18:46.290 SEV=9 DHCPDBG/6 RPT=284
> DHCP task: DONE event, msg 0xfde300
> 
> 
> 
> On the client side I get: Secure VPN Connection terminated by Peer.
> Reason 427:: Unknown Error Occurred at Peer.
> 
> 
> Anyone have any ideas on this one?
> 
> _______________________________________________
> cisco-nsp mailing list  cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
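Josh's suggestion is to look at the sniffer trace, since the concentrator log only shows a DISCOVER going out and nothing coming back. When reading such a capture, the field that decides whether a DHCP server answers a relayed request out of a particular scope is giaddr (RFC 2131: the server selects the subnet from giaddr when it is non-zero). The decoder below is an added example for this thread; it is not code from either poster or from Cisco. It builds a DHCPDISCOVER in the RFC 2131 wire format so it can run offline, parses it back, and flags the two conditions that would leave a relayed request unanswered from the 192.168.190.0/24 scope. The xid is the one from the event log above; the client MAC and the giaddr values are constructed samples, not values the page says the concentrator sends.

```python
"""Decode and sanity-check a relayed DHCPDISCOVER (RFC 2131 wire format).

Added example for the thread above; not code from the list posters or from
Cisco. The giaddr values and the client MAC below are constructed samples,
not something the page states the concentrator puts on the wire.
"""
import ipaddress
import socket
import struct

MAGIC_COOKIE = b"\x63\x82\x53\x63"
# Fixed BOOTP header: op, htype, hlen, hops, xid, secs, flags,
# ciaddr, yiaddr, siaddr, giaddr, chaddr(16), sname(64), file(128) = 236 bytes
HDR_FMT = "!BBBBIHH4s4s4s4s16s64s128s"
HDR_LEN = struct.calcsize(HDR_FMT)
DHCPDISCOVER = 1


def build_discover(xid, client_mac, giaddr="0.0.0.0", hops=0):
    """Build a minimal DHCPDISCOVER as a relay agent would forward it."""
    chaddr = bytes.fromhex(client_mac.replace(":", "")).ljust(16, b"\x00")
    zero = socket.inet_aton("0.0.0.0")
    header = struct.pack(
        HDR_FMT, 1, 1, 6, hops, xid, 0, 0x8000,  # op=BOOTREQUEST, broadcast flag set
        zero, zero, zero, socket.inet_aton(giaddr), chaddr, b"", b"")
    options = (MAGIC_COOKIE
               + bytes([53, 1, DHCPDISCOVER])   # option 53: DHCP message type
               + bytes([55, 3, 1, 3, 6])         # option 55: parameter request list
               + b"\xff")                        # end option
    return header + options


def parse_dhcp(pkt):
    """Parse the fixed header and the TLV option area into a dict."""
    if len(pkt) < HDR_LEN + 4 or pkt[HDR_LEN:HDR_LEN + 4] != MAGIC_COOKIE:
        raise ValueError("not a DHCP packet (short or missing magic cookie)")
    f = struct.unpack_from(HDR_FMT, pkt, 0)
    msg = {
        "op": f[0], "hops": f[3], "xid": f[4], "flags": f[6],
        "ciaddr": socket.inet_ntoa(f[7]), "yiaddr": socket.inet_ntoa(f[8]),
        "siaddr": socket.inet_ntoa(f[9]), "giaddr": socket.inet_ntoa(f[10]),
        "chaddr": ":".join(f"{b:02x}" for b in f[11][:f[2]]),  # hlen bytes of chaddr
        "options": {},
    }
    i = HDR_LEN + 4
    while i < len(pkt):
        code = pkt[i]
        if code == 0:          # pad option, single byte
            i += 1
            continue
        if code == 255:        # end option
            break
        length = pkt[i + 1]
        msg["options"][code] = pkt[i + 2:i + 2 + length]
        i += 2 + length
    return msg


def check_relayed_discover(pkt, expected_scope):
    """Return the problems that would stop a server answering from
    `expected_scope`; an empty list means the request looks right."""
    msg = parse_dhcp(pkt)
    problems = []
    if msg["op"] != 1:
        problems.append("op is not BOOTREQUEST")
    if msg["options"].get(53) != bytes([DHCPDISCOVER]):
        problems.append("message type is not DHCPDISCOVER")
    gi = ipaddress.ip_address(msg["giaddr"])
    if gi == ipaddress.ip_address("0.0.0.0"):
        problems.append("giaddr is 0.0.0.0: server treats this as a local, not relayed, request")
    elif gi not in ipaddress.ip_network(expected_scope):
        problems.append(f"giaddr {gi} is outside {expected_scope}: server picks the scope by giaddr")
    return problems


if __name__ == "__main__":
    # Constructed sample: xid from the thread's event log, a made-up MAC, and a
    # giaddr on the 192.168.190.0/24 network the poster wants leases from.
    good = build_discover(1408317617, "00:11:22:33:44:55", giaddr="192.168.190.230", hops=1)
    bad = build_discover(1408317617, "00:11:22:33:44:55")  # giaddr left at 0.0.0.0
    print(parse_dhcp(good))
    print(check_relayed_discover(good, "192.168.190.0/24"))
    print(check_relayed_discover(bad, "192.168.190.0/24"))
```

To apply this to a real capture, feed the UDP payload of the DISCOVER seen leaving the concentrator (destination port 67) into `parse_dhcp` and compare giaddr against the scope you expect the Windows server to answer from; if the server sees the request arrive with a giaddr it has no scope for, or with giaddr zeroed, it will stay silent exactly as the event log above shows.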