[c-nsp] Cisco 3005 VPN Concentrator and DHCP

Craig Gauss GAUCRA at rhahealthcare.org
Fri Feb 25 13:48:33 EST 2005


Same event log messages with DHCP setup on the 4507.

-----Original Message-----
From: Josh Duffek [mailto:consultantjd16 at ridemetro.org] 
Sent: Friday, February 25, 2005 12:31 PM
To: Craig Gauss
Subject: RE: [c-nsp] Cisco 3005 VPN Concentrator and DHCP

Is the 4507 IOS based?  If so it would be something like this:

ip dhcp pool 0
 network 10.10.10.0 255.255.255.0
 dns-server 10.10.10.254
 default-router 10.10.10.1
 domain-name CISCO.COM
 netbios-name-server 10.10.10.253 10.10.10.252

(stolen from:
http://www.cisco.com/warp/public/471/dhcp_access.shtml#configs )

Thanks,

josh duffek    network engineer
consultantjd16 at ridemetro.org

> -----Original Message-----
> From: Craig Gauss [mailto:GAUCRA at rhahealthcare.org]
> Sent: Friday, February 25, 2005 12:22 PM
> To: Josh Duffek
> Subject: RE: [c-nsp] Cisco 3005 VPN Concentrator and DHCP
> 
> Stupid question, but how would I go about setting up DHCP on the 4507?
> 
> -----Original Message-----
> From: Josh Duffek [mailto:consultantjd16 at ridemetro.org]
> Sent: Friday, February 25, 2005 12:15 PM
> To: Craig Gauss
> Subject: RE: [c-nsp] Cisco 3005 VPN Concentrator and DHCP
> 
> Yeah that would be cool...cuz that you can definitely debug.  If it 
> doesn't work send the debugs and whatever back to the list and cc:
> cisco-sec at external.cisco.com.  I'm not sure how many people are on that
> list these days but it might help.
> 
> Thanks,
> 
> josh duffek    network engineer
> consultantjd16 at ridemetro.org
> 
> > -----Original Message-----
> > From: Craig Gauss [mailto:GAUCRA at rhahealthcare.org]
> > Sent: Friday, February 25, 2005 12:10 PM
> > To: Josh Duffek
> > Subject: RE: [c-nsp] Cisco 3005 VPN Concentrator and DHCP
> >
> > I have been looking around on the DHCP server and can't find a thing. I
> > was toying with the idea of setting up DHCP on the 4507 core if it is
> > possible and see if it works with that.
> >
> > -----Original Message-----
> > From: Josh Duffek [mailto:consultantjd16 at ridemetro.org]
> > Sent: Friday, February 25, 2005 12:03 PM
> > To: Craig Gauss; cisco-nsp at puck.nether.net
> > Subject: RE: [c-nsp] Cisco 3005 VPN Concentrator and DHCP
> >
> > Do you have any debugging ability on the DHCP server itself?  If you are
> > positive everything is setup right on it I would look at the sniffer
> > traces to see what's up.  But it looks like the cisco stuff is doing
> > what it is supposed to...not 100% sure though.
> >
> > Thanks,
> >
> > josh duffek    network engineer
> > consultantjd16 at ridemetro.org
> >
> > > -----Original Message-----
> > > From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Craig Gauss
> > > Sent: Friday, February 25, 2005 11:22 AM
> > > To: cisco-nsp at puck.nether.net
> > > Subject: [c-nsp] Cisco 3005 VPN Concentrator and DHCP
> > >
> > > Not sure if this would be the correct list to send to but I am stuck on
> > > a problem with our concentrator.
> > >
> > > I inherited the VPN when our Network Technician left to another job. We
> > > are currently running out of addresses so I am trying to configure our
> > > Cisco 3005 to hand out DHCP address from a MS Windows 2003 Server to
> > > clients of a certain group but am having no luck.
> > >
> > > Address of the Concentrator is 192.168.100.231/24
> > > Address of our Windows 2003 DHCP box is 192.168.100.240/24
> > >
> > > The concentrator and Windows 2003 box are hooked directly to our core.
> > >
> > > I am trying to get the Concentrator to hand out Addresses from the
> > > 192.168.190.0/24 scope on our Windows 2k3 box.
> > >
> > > We have VLANs implemented and the W2k3 box is handing out addresses with
> > > no problems to them.
> > >
> > > VLAN 100 contains the concentrator and our Windows servers:
> > > interface Vlan100
> > >  description Servers and Network Equipment
> > >  ip address 192.168.100.230 255.255.255.0
> > >  ip helper-address 192.168.100.240
> > >  ip pim sparse-dense-mode
> > >
> > > I setup VLAN 190 for the VPN Clients, not sure if it is necessary or
> > > not:
> > > interface Vlan190
> > >  description VPN Users
> > >  ip address 192.168.190.230 255.255.255.0
> > >  ip helper-address 192.168.100.240
> > >
> > > I have setup the following on the VPN Concentrator:
> > >
> > > Configuration - System - Servers - DHCP
> > >   ip: 192.168.100.240
> > >   port: 67
> > >
> > > Configuration - System - IP Routing - Static Routes
> > >   192.168.190.0/255.255.255.0 -> 192.168.100.230
> > >
> > > Configuration - System - IP Routing - DHCP Parameters
> > >   Enabled
> > >   Lease timeout: 120
> > >   Listen Port: 67
> > >   Timeout Period: 10
> > >
> > > Configuration - Policy Management - Traffic Management - Network List
> > >   Name: Test
> > >   Network List: 192.168.0.0/0.0.255.255
> > >
> > > Configuration - Policy Management - Traffic Management - Assign Rules to Filters
> > >   Filter Name: TestDHCP
> > >   DHCP In
> > >   DHCP Out
> > >   Testing In (Includes Test Network List Incoming)
> > >   Testing Out (Includes Test Network List Outgoing)
> > >
> > > Configuration - User Management - Groups
> > >   Name: testgroup
> > >   Filter: TestDHCP
> > >   DHCP Network Scope: 192.168.190.0
> > >
> > > Configuration - User Management - Users
> > >   Name: testuser
> > >   Group: testgroup
> > >   Filter: TestDHCP
> > >
> > > Concentrator software revision: vpn3005-4.1.7.C-k9.bin
> > >
> > >
> > >
> > >
> > > When I try logging on with the test user I get the following in the
> > > Event Log:
> > >
> > > 41070 02/25/2005 11:18:34.630 SEV=5 IKEDBG/64 RPT=839 IKE Peer included IKE fragmentation capability flags:
> > > Main Mode:        True
> > > Aggressive Mode:  False
> > >
> > > 41072 02/25/2005 11:18:35.830 SEV=4 IKE/52 RPT=684 Group [testgroup] User [testuser] User (testuser) authenticated.
> > >
> > > 41073 02/25/2005 11:18:36.280 SEV=5 IKE/184 RPT=682 Group [testgroup] User [testuser] Client Type: WinNT Client Application Version: 4.6.01.0019
> > >
> > > 41075 02/25/2005 11:18:36.280 SEV=9 DHCPDBG/1 RPT=284 DHCP task: API REQUEST event, msg 0xfde300
> > >
> > > 41076 02/25/2005 11:18:36.280 SEV=9 DHCPDBG/38 RPT=792 DHCP obtained first server 192.168.100.240 port 67 (xid 1408317617)
> > >
> > > 41077 02/25/2005 11:18:36.280 SEV=8 DHCPDBG/46 RPT=796 DHCP sending DISCOVER to server 192.168.100.240 port 67 (xid 1408317617)
> > >
> > > 41078 02/25/2005 11:18:39.220 SEV=9 DHCPDBG/16 RPT=392 DHCP task: Periodic timer expired (ticks 499)
> > >
> > > 41079 02/25/2005 11:18:39.220 SEV=9 DHCPDBG/29 RPT=392 DHCP poll timeouts routine entered
> > >
> > > 41080 02/25/2005 11:18:39.220 SEV=9 DHCPDBG/30 RPT=392 DHCP poll stats: callbacks 0, active CBs 0, total CBs 1
> > >
> > > 41081 02/25/2005 11:18:46.280 SEV=9 DHCPDBG/15 RPT=817 DHCP task: Timeout type 5, msg 0xfde300
> > >
> > > 41082 02/25/2005 11:18:46.280 SEV=3 DHCPDBG/39 RPT=374 DHCP discover timeout: no response from polled servers (xid 1408317617)
> > >
> > > 41083 02/25/2005 11:18:46.280 SEV=9 DHCPDBG/28 RPT=4359 DHCP restart servers routine entered
> > >
> > > 41084 02/25/2005 11:18:46.280 SEV=9 DHCPDBG/28 RPT=4360 DHCP restart servers routine entered
> > >
> > > 41085 02/25/2005 11:18:46.280 SEV=5 IKE/132 RPT=43 Group [testgroup] User [testuser] Cannot obtain an IP address for remote peer - FAILED
> > >
> > > 41087 02/25/2005 11:18:46.280 SEV=5 IKE/194 RPT=584 Group [testgroup] User [testuser] Sending IKE Delete With Reason message: No Reason Provided.
> > >
> > > 41089 02/25/2005 11:18:46.290 SEV=8 DHCPDBG/42 RPT=282 DHCP failure response sent to caller (data 0xfb0394, xid 1408317617)
> > >
> > > 41090 02/25/2005 11:18:46.290 SEV=9 DHCPDBG/15 RPT=818 DHCP task: Timeout type 0, msg 0xfde300
> > >
> > > 41091 02/25/2005 11:18:46.290 SEV=6 DHCP/30 RPT=28 Unexpected FSM event 18/state 0 for DHCP:7617: lease --.--.--.--, xid 1408317617
> > >
> > > 41092 02/25/2005 11:18:46.290 SEV=9 DHCPDBG/6 RPT=284 DHCP task: DONE event, msg 0xfde300
> > >
> > >
> > >
> > > On the client side I get: Secure VPN Connection terminated by Peer.
> > > Reason 427:: Unknown Error Occurred at Peer.
> > >
> > >
> > > Anyone have any ideas on this one?
> > >
> > > _______________________________________________
> > > cisco-nsp mailing list  cisco-nsp at puck.nether.net 
> > > https://puck.nether.net/mailman/listinfo/cisco-nsp
> > > archive at http://puck.nether.net/pipermail/cisco-nsp/
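
An added example, not part of the original thread or any Cisco tooling: a small parser for the event-log format shown in the original post that pairs each DHCP DISCOVER with a later discover timeout by xid and flags whether the IKE session then failed to get an address. The event codes it keys on (DHCPDBG/46, DHCPDBG/39, IKE/132) are assumed to mean what they mean in this one log; the function names are hypothetical.

```python
import re
from datetime import datetime

# Event lines copied from the post above, with the mail client's line wraps rejoined.
LOG = """\
41077 02/25/2005 11:18:36.280 SEV=8 DHCPDBG/46 RPT=796 DHCP sending DISCOVER to server 192.168.100.240 port 67 (xid 1408317617)
41082 02/25/2005 11:18:46.280 SEV=3 DHCPDBG/39 RPT=374 DHCP discover timeout: no response from polled servers (xid 1408317617)
41085 02/25/2005 11:18:46.280 SEV=5 IKE/132 RPT=43 Group [testgroup] User [testuser] Cannot obtain an IP address for remote peer - FAILED
41089 02/25/2005 11:18:46.290 SEV=8 DHCPDBG/42 RPT=282 DHCP failure response sent to caller (data 0xfb0394, xid 1408317617)
"""

# seq, date time, severity, event class/number, repeat count, free-text message
EVENT = re.compile(
    r"^(?P<seq>\d+) (?P<ts>\d\d/\d\d/\d{4} \d\d:\d\d:\d\d\.\d{3}) "
    r"SEV=(?P<sev>\d+) (?P<cls>\w+)/(?P<num>\d+) RPT=(?P<rpt>\d+) (?P<msg>.*)$")
XID = re.compile(r"xid (\d+)")
SERVER = re.compile(r"to server (\S+) port (\d+)")

def parse(log):
    """Yield one dict per event line; lines that do not match are skipped."""
    for line in log.splitlines():
        m = EVENT.match(line.strip())
        if m:
            ev = m.groupdict()
            ev["ts"] = datetime.strptime(ev["ts"], "%m/%d/%Y %H:%M:%S.%f")
            yield ev

def unanswered_discovers(log):
    """Return one record per DISCOVER that ended in a discover timeout."""
    sent, results = {}, []
    for ev in parse(log):
        xid = XID.search(ev["msg"])
        code = (ev["cls"], ev["num"])
        if code == ("DHCPDBG", "46") and xid:        # DISCOVER sent
            srv = SERVER.search(ev["msg"])
            sent[xid.group(1)] = (ev["ts"], srv.group(1) if srv else None)
        elif code == ("DHCPDBG", "39") and xid and xid.group(1) in sent:
            start, server = sent.pop(xid.group(1))   # timeout for the same xid
            results.append({"xid": xid.group(1), "server": server,
                            "waited_s": (ev["ts"] - start).total_seconds(),
                            "tunnel_failed": False})
        elif code == ("IKE", "132") and results:     # no address for the peer
            results[-1]["tunnel_failed"] = True
    return results

if __name__ == "__main__":
    for record in unanswered_discovers(LOG):
        print(record)
```

On the posted log this reports a 10.0 second wait for xid 1408317617 with no reply from 192.168.100.240, the same figure as the "Timeout Period: 10" value in the posted DHCP Parameters.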


