[c-nsp] Cisco 3005 VPN Concentrator and DHCP

Josh Duffek consultantjd16 at ridemetro.org
Fri Feb 25 13:54:53 EST 2005


What about "debug dhcp" from the 4500?

Thanks,

josh duffek    network engineer
consultantjd16 at ridemetro.org

> -----Original Message-----
> From: Craig Gauss [mailto:GAUCRA at rhahealthcare.org]
> Sent: Friday, February 25, 2005 12:49 PM
> To: Josh Duffek
> Cc: cisco-nsp at puck.nether.net
> Subject: RE: [c-nsp] Cisco 3005 VPN Concentrator and DHCP
> 
> Same event log messages with DHCP setup on the 4507.
> 
> -----Original Message-----
> From: Josh Duffek [mailto:consultantjd16 at ridemetro.org]
> Sent: Friday, February 25, 2005 12:31 PM
> To: Craig Gauss
> Subject: RE: [c-nsp] Cisco 3005 VPN Concentrator and DHCP
> 
> Is the 4507 IOS based?  If so it would be something like this:
> 
> ip dhcp pool 0
> network 10.10.10.0 255.255.255.0
> dns-server 10.10.10.254
> default-router 10.10.10.1
> domain-name CISCO.COM
> netbios-name-server 10.10.10.253 10.10.10.252
> 
> (stolen from:
> http://www.cisco.com/warp/public/471/dhcp_access.shtml#configs )
> 
> Thanks,
> 
> josh duffek    network engineer
> consultantjd16 at ridemetro.org
> 
> > -----Original Message-----
> > From: Craig Gauss [mailto:GAUCRA at rhahealthcare.org]
> > Sent: Friday, February 25, 2005 12:22 PM
> > To: Josh Duffek
> > Subject: RE: [c-nsp] Cisco 3005 VPN Concentrator and DHCP
> >
> > Stupid question, but how would I go about setting up DHCP on the 4507?
> >
> > -----Original Message-----
> > From: Josh Duffek [mailto:consultantjd16 at ridemetro.org]
> > Sent: Friday, February 25, 2005 12:15 PM
> > To: Craig Gauss
> > Subject: RE: [c-nsp] Cisco 3005 VPN Concentrator and DHCP
> >
> > Yeah that would be cool...cuz that you can definitely debug.  If it
> > doesn't work send the debugs and whatever back to the list and cc:
> > cisco-sec at external.cisco.com.  I'm not sure how many people are on that
> > list these days but it might help.
> >
> > Thanks,
> >
> > josh duffek    network engineer
> > consultantjd16 at ridemetro.org
> >
> > > -----Original Message-----
> > > From: Craig Gauss [mailto:GAUCRA at rhahealthcare.org]
> > > Sent: Friday, February 25, 2005 12:10 PM
> > > To: Josh Duffek
> > > Subject: RE: [c-nsp] Cisco 3005 VPN Concentrator and DHCP
> > >
> > > I have been looking around on the DHCP server and can't find a thing. I
> > > was toying with the idea of setting up DHCP on the 4507 core if it is
> > > possible and see if it works with that.
> > >
> > > -----Original Message-----
> > > From: Josh Duffek [mailto:consultantjd16 at ridemetro.org]
> > > Sent: Friday, February 25, 2005 12:03 PM
> > > To: Craig Gauss; cisco-nsp at puck.nether.net
> > > Subject: RE: [c-nsp] Cisco 3005 VPN Concentrator and DHCP
> > >
> > > Do you have any debugging ability on the DHCP server itself?  If you are
> > > positive everything is set up right on it I would look at the sniffer
> > > traces to see what's up.  But it looks like the cisco stuff is doing
> > > what it is supposed to...not 100% sure though.
> > >
> > > Thanks,
> > >
> > > josh duffek    network engineer
> > > consultantjd16 at ridemetro.org
> > >
> > > > -----Original Message-----
> > > > From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Craig Gauss
> > > > Sent: Friday, February 25, 2005 11:22 AM
> > > > To: cisco-nsp at puck.nether.net
> > > > Subject: [c-nsp] Cisco 3005 VPN Concentrator and DHCP
> > > >
> > > > Not sure if this would be the correct list to send to but I am stuck on
> > > > a problem with our concentrator.
> > > >
> > > > I inherited the VPN when our Network Technician left to another job. We
> > > > are currently running out of addresses so I am trying to configure our
> > > > Cisco 3005 to hand out DHCP addresses from a MS Windows 2003 Server to
> > > > clients of a certain group but am having no luck.
> > > >
> > > > Address of the Concentrator is 192.168.100.231/24
> > > > Address of our Windows 2003 DHCP box is 192.168.100.240/24
> > > >
> > > > The concentrator and Windows 2003 box are hooked directly to our core.
> > > >
> > > > I am trying to get the Concentrator to hand out Addresses from the
> > > > 192.168.190.0/24 scope on our Windows 2k3 box.
> > > >
> > > > We have VLANs implemented and the W2k3 box is handing out addresses with
> > > > no problems to them.
> > > >
> > > > VLAN 100 contains the concentrator and our Windows servers:
> > > > interface Vlan100
> > > >  description Servers and Network Equipment
> > > >  ip address 192.168.100.230 255.255.255.0
> > > >  ip helper-address 192.168.100.240
> > > >  ip pim sparse-dense-mode
> > > >
> > > > I set up VLAN 190 for the VPN Clients, not sure if it is necessary or
> > > > not:
> > > > interface Vlan190
> > > >  description VPN Users
> > > >  ip address 192.168.190.230 255.255.255.0
> > > >  ip helper-address 192.168.100.240
> > > >
> > > > I have set up the following on the VPN Concentrator:
> > > >
> > > > Configuration - System - Servers - DHCP
> > > >   ip: 192.168.100.240
> > > >   port: 67
> > > >
> > > > Configuration - System - IP Routing - Static Routes
> > > >   192.168.190.0/255.255.255.0 -> 192.168.100.230
> > > >
> > > > Configuration - System - IP Routing - DHCP Parameters
> > > >   Enabled
> > > >   Lease timeout: 120
> > > >   Listen Port: 67
> > > >   Timeout Period: 10
> > > >
> > > > Configuration - Policy Management - Traffic Management - Network List
> > > >   Name: Test
> > > >   Network List: 192.168.0.0/0.0.255.255
> > > >
> > > > Configuration - Policy Management - Traffic Management - Assign Rules to Filters
> > > >   Filter Name: TestDHCP
> > > >   DHCP In
> > > >   DHCP Out
> > > >   Testing In (Includes Test Network List Incoming)
> > > >   Testing Out (Includes Test Network List Outgoing)
> > > >
> > > > Configuration - User Management - Groups
> > > >   Name: testgroup
> > > >   Filter: TestDHCP
> > > >   DHCP Network Scope: 192.168.190.0
> > > >
> > > > Configuration - User Management - Users
> > > >   Name: testuser
> > > >   Group: testgroup
> > > >   Filter: TestDHCP
> > > >
> > > > Concentrator software revision: vpn3005-4.1.7.C-k9.bin
> > > >
> > > >
> > > >
> > > >
> > > > When I try logging on with the test user I get the following in the
> > > > Event Log:
> > > >
> > > > 41070 02/25/2005 11:18:34.630 SEV=5 IKEDBG/64 RPT=839 IKE Peer included IKE fragmentation capability flags:
> > > > Main Mode:        True
> > > > Aggressive Mode:  False
> > > >
> > > > 41072 02/25/2005 11:18:35.830 SEV=4 IKE/52 RPT=684 Group [testgroup] User [testuser] User (testuser) authenticated.
> > > >
> > > > 41073 02/25/2005 11:18:36.280 SEV=5 IKE/184 RPT=682 Group [testgroup] User [testuser] Client Type: WinNT Client Application Version: 4.6.01.0019
> > > >
> > > > 41075 02/25/2005 11:18:36.280 SEV=9 DHCPDBG/1 RPT=284 DHCP task: API REQUEST event, msg 0xfde300
> > > >
> > > > 41076 02/25/2005 11:18:36.280 SEV=9 DHCPDBG/38 RPT=792 DHCP obtained first server 192.168.100.240 port 67 (xid 1408317617)
> > > >
> > > > 41077 02/25/2005 11:18:36.280 SEV=8 DHCPDBG/46 RPT=796 DHCP sending DISCOVER to server 192.168.100.240 port 67 (xid 1408317617)
> > > >
> > > > 41078 02/25/2005 11:18:39.220 SEV=9 DHCPDBG/16 RPT=392 DHCP task: Periodic timer expired (ticks 499)
> > > >
> > > > 41079 02/25/2005 11:18:39.220 SEV=9 DHCPDBG/29 RPT=392 DHCP poll timeouts routine entered
> > > >
> > > > 41080 02/25/2005 11:18:39.220 SEV=9 DHCPDBG/30 RPT=392 DHCP poll stats: callbacks 0, active CBs 0, total CBs 1
> > > >
> > > > 41081 02/25/2005 11:18:46.280 SEV=9 DHCPDBG/15 RPT=817 DHCP task: Timeout type 5, msg 0xfde300
> > > >
> > > > 41082 02/25/2005 11:18:46.280 SEV=3 DHCPDBG/39 RPT=374 DHCP discover timeout: no response from polled servers (xid 1408317617)
> > > >
> > > > 41083 02/25/2005 11:18:46.280 SEV=9 DHCPDBG/28 RPT=4359 DHCP restart servers routine entered
> > > >
> > > > 41084 02/25/2005 11:18:46.280 SEV=9 DHCPDBG/28 RPT=4360 DHCP restart servers routine entered
> > > >
> > > > 41085 02/25/2005 11:18:46.280 SEV=5 IKE/132 RPT=43 Group [testgroup] User [testuser] Cannot obtain an IP address for remote peer - FAILED
> > > >
> > > > 41087 02/25/2005 11:18:46.280 SEV=5 IKE/194 RPT=584 Group [testgroup] User [testuser] Sending IKE Delete With Reason message: No Reason Provided.
> > > >
> > > > 41089 02/25/2005 11:18:46.290 SEV=8 DHCPDBG/42 RPT=282 DHCP failure response sent to caller (data 0xfb0394, xid 1408317617)
> > > >
> > > > 41090 02/25/2005 11:18:46.290 SEV=9 DHCPDBG/15 RPT=818 DHCP task: Timeout type 0, msg 0xfde300
> > > >
> > > > 41091 02/25/2005 11:18:46.290 SEV=6 DHCP/30 RPT=28 Unexpected FSM event 18/state 0 for DHCP:7617: lease --.--.--.--, xid 1408317617
> > > >
> > > > 41092 02/25/2005 11:18:46.290 SEV=9 DHCPDBG/6 RPT=284 DHCP task: DONE event, msg 0xfde300
> > > >
> > > >
> > > >
> > > > On the client side I get: Secure VPN Connection terminated by Peer.
> > > > Reason 427:: Unknown Error Occurred at Peer.
> > > >
> > > >
> > > > Anyone have any ideas on this one?
> > > >
> > > > _______________________________________________
> > > > cisco-nsp mailing list  cisco-nsp at puck.nether.net
> > > > https://puck.nether.net/mailman/listinfo/cisco-nsp
> > > > archive at http://puck.nether.net/pipermail/cisco-nsp/
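
Added example (not part of the original thread): a Python sketch that pairs each "DHCP sending DISCOVER" entry with a later "DHCP discover timeout" by xid in a concentrator event log like the one quoted above, and reports which server never answered and how long the concentrator waited. The entry layout is inferred only from the quoted lines; the function and field names are made up for this example, and the sample log is a subset of the quoted entries with each entry on one line.

```python
import re
from datetime import datetime

# Sample input: entries taken from the quoted event log, one entry per line.
SAMPLE_LOG = """\
41076 02/25/2005 11:18:36.280 SEV=9 DHCPDBG/38 RPT=792 DHCP obtained first server 192.168.100.240 port 67 (xid 1408317617)
41077 02/25/2005 11:18:36.280 SEV=8 DHCPDBG/46 RPT=796 DHCP sending DISCOVER to server 192.168.100.240 port 67 (xid 1408317617)
41078 02/25/2005 11:18:39.220 SEV=9 DHCPDBG/16 RPT=392 DHCP task: Periodic timer expired (ticks 499)
41082 02/25/2005 11:18:46.280 SEV=3 DHCPDBG/39 RPT=374 DHCP discover timeout: no response from polled servers (xid 1408317617)
41085 02/25/2005 11:18:46.280 SEV=5 IKE/132 RPT=43 Group [testgroup] User [testuser] Cannot obtain an IP address for remote peer - FAILED
"""

# Assumed layout: <seq> <date> <time> SEV=<n> <class>/<num> RPT=<n> <message>
ENTRY = re.compile(
    r"^(?P<seq>\d+) (?P<ts>\d\d/\d\d/\d{4} \d\d:\d\d:\d\d\.\d{3}) "
    r"SEV=(?P<sev>\d+) (?P<cls>\w+)/(?P<num>\d+) RPT=\d+ (?P<msg>.*)$")
XID = re.compile(r"xid (\d+)")
SERVER = re.compile(r"to server (\S+) port (\d+)")

def parse(log):
    """Yield one dict per well-formed entry; other lines are skipped."""
    for line in log.splitlines():
        m = ENTRY.match(line.strip())
        if m:
            e = m.groupdict()
            e["ts"] = datetime.strptime(e["ts"], "%m/%d/%Y %H:%M:%S.%f")
            yield e

def unanswered_discovers(log):
    """Return the DISCOVERs that ended in a discover timeout, matched by xid."""
    pending, failed = {}, []
    for e in parse(log):
        xid = XID.search(e["msg"])
        if e["cls"] == "DHCPDBG" and xid and "sending DISCOVER" in e["msg"]:
            srv = SERVER.search(e["msg"])
            pending[xid.group(1)] = (e["ts"], srv.group(1), int(srv.group(2)))
        elif e["cls"] == "DHCPDBG" and xid and "discover timeout" in e["msg"]:
            sent = pending.pop(xid.group(1), None)
            if sent:
                failed.append({"xid": xid.group(1), "server": sent[1], "port": sent[2],
                               "waited_s": (e["ts"] - sent[0]).total_seconds()})
        elif e["cls"] == "IKE" and "Cannot obtain an IP address" in e["msg"] and failed:
            # Simplification: attribute the IKE failure to the latest timeout.
            failed[-1]["tunnel_failed"] = True
    return failed
```

On the quoted log this reports one unanswered DISCOVER to 192.168.100.240 port 67 with a 10-second wait, the same value as the Timeout Period of 10 in the DHCP Parameters listed in the post.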