[c-nsp] Cisco 3005 VPN Concentrator and DHCP
Craig Gauss
GAUCRA at rhahealthcare.org
Thu Mar 24 12:03:56 EST 2005
Well, I finally got a call back from TAC last night. From what they told
me, the Concentrator needs to be on the same segment as the range I am
trying to use. Why they have the DHCP scope option in the group setup
makes no sense to me then.
-----Original Message-----
From: Josh Duffek [mailto:consultantjd16 at ridemetro.org]
Sent: Friday, February 25, 2005 1:34 PM
To: Craig Gauss
Cc: cisco-nsp at puck.nether.net; cisco-sec at external.cisco.com
Subject: RE: [c-nsp] Cisco 3005 VPN Concentrator and DHCP
Wacky. Well, it basically looks like it's working...at least to me :)
Gonna add in the cisco security list to see if anyone there can chime
in...I never was good at those concentrators.
Thanks,
josh duffek network engineer
consultantjd16 at ridemetro.org
> -----Original Message-----
> From: Craig Gauss [mailto:GAUCRA at rhahealthcare.org]
> Sent: Friday, February 25, 2005 1:31 PM
> To: Josh Duffek
> Cc: cisco-nsp at puck.nether.net
> Subject: RE: [c-nsp] Cisco 3005 VPN Concentrator and DHCP
>
> Feb 25 19:29:25.544: DHCPD: DHCPDISCOVER received from client 0000.03a0.8825.2800.28c1.c253.f138.b800 through relay 192.168.190.0.
> Feb 25 19:29:27.544: DHCPD: assigned IP address 192.168.190.5 to client 0000.03a0.8825.2800.28c1.c253.f138.b800.
> Feb 25 19:29:27.544: DHCPD: Sending DHCPOFFER to client 0000.03a0.8825.2800.28c1.c253.f138.b800 (192.168.190.5).
> Feb 25 19:29:27.544: DHCPD: unicasting BOOTREPLY for client 0003.a088.2527 to relay 192.168.190.0.
>
>
> Still getting the same message in the event log on the Concentrator and
> the same message at the client.
>
> -----Original Message-----
> From: Josh Duffek [mailto:consultantjd16 at ridemetro.org]
> Sent: Friday, February 25, 2005 12:55 PM
> To: Craig Gauss
> Cc: cisco-nsp at puck.nether.net
> Subject: RE: [c-nsp] Cisco 3005 VPN Concentrator and DHCP
>
> What about "debug dhcp" from the 4500?
>
> Thanks,
>
> josh duffek network engineer
> consultantjd16 at ridemetro.org
>
> > -----Original Message-----
> > From: Craig Gauss [mailto:GAUCRA at rhahealthcare.org]
> > Sent: Friday, February 25, 2005 12:49 PM
> > To: Josh Duffek
> > Cc: cisco-nsp at puck.nether.net
> > Subject: RE: [c-nsp] Cisco 3005 VPN Concentrator and DHCP
> >
> > Same event log messages with DHCP setup on the 4507.
> >
> > -----Original Message-----
> > From: Josh Duffek [mailto:consultantjd16 at ridemetro.org]
> > Sent: Friday, February 25, 2005 12:31 PM
> > To: Craig Gauss
> > Subject: RE: [c-nsp] Cisco 3005 VPN Concentrator and DHCP
> >
> > Is the 4507 IOS based? If so it would be something like this:
> >
> > ip dhcp pool 0
> > network 10.10.10.0 255.255.255.0
> > dns-server 10.10.10.254
> > default-router 10.10.10.1
> > domain-name CISCO.COM
> > netbios-name-server 10.10.10.253 10.10.10.252
> >
> > (stolen from:
> > http://www.cisco.com/warp/public/471/dhcp_access.shtml#configs )
> >
> > Thanks,
> >
> > josh duffek network engineer
> > consultantjd16 at ridemetro.org
> >
> > > -----Original Message-----
> > > From: Craig Gauss [mailto:GAUCRA at rhahealthcare.org]
> > > Sent: Friday, February 25, 2005 12:22 PM
> > > To: Josh Duffek
> > > Subject: RE: [c-nsp] Cisco 3005 VPN Concentrator and DHCP
> > >
> > > Stupid question, but how would I go about setting up DHCP on the 4507?
> > >
> > > -----Original Message-----
> > > From: Josh Duffek [mailto:consultantjd16 at ridemetro.org]
> > > Sent: Friday, February 25, 2005 12:15 PM
> > > To: Craig Gauss
> > > Subject: RE: [c-nsp] Cisco 3005 VPN Concentrator and DHCP
> > >
> > > Yeah that would be cool...cuz that you can definitely debug. If it
> > > doesn't work send the debugs and whatever back to the list and cc:
> > > cisco-sec at external.cisco.com. I'm not sure how many people are on
> > > that list these days but it might help.
> > >
> > > Thanks,
> > >
> > > josh duffek network engineer
> > > consultantjd16 at ridemetro.org
> > >
> > > > -----Original Message-----
> > > > From: Craig Gauss [mailto:GAUCRA at rhahealthcare.org]
> > > > Sent: Friday, February 25, 2005 12:10 PM
> > > > To: Josh Duffek
> > > > Subject: RE: [c-nsp] Cisco 3005 VPN Concentrator and DHCP
> > > >
> > > > I have been looking around on the DHCP server and can't find a
> > > > thing. I was toying with the idea of setting up DHCP on the 4507
> > > > core if it is possible and see if it works with that.
> > > >
> > > > -----Original Message-----
> > > > From: Josh Duffek [mailto:consultantjd16 at ridemetro.org]
> > > > Sent: Friday, February 25, 2005 12:03 PM
> > > > To: Craig Gauss; cisco-nsp at puck.nether.net
> > > > Subject: RE: [c-nsp] Cisco 3005 VPN Concentrator and DHCP
> > > >
> > > > Do you have any debugging ability on the DHCP server itself? If
> > > > you are positive everything is setup right on it I would look at
> > > > the sniffer traces to see what's up. But it looks like the cisco
> > > > stuff is doing what it is supposed to...not 100% sure though.
> > > >
> > > > Thanks,
> > > >
> > > > josh duffek network engineer
> > > > consultantjd16 at ridemetro.org
> > > >
> > > > > -----Original Message-----
> > > > > From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-
> > > > > bounces at puck.nether.net] On Behalf Of Craig Gauss
> > > > > Sent: Friday, February 25, 2005 11:22 AM
> > > > > To: cisco-nsp at puck.nether.net
> > > > > Subject: [c-nsp] Cisco 3005 VPN Concentrator and DHCP
> > > > >
> > > > > Not sure if this would be the correct list to send to but I am
> > > > > stuck on a problem with our concentrator.
> > > > >
> > > > > I inherited the VPN when our Network Technician left to another
> > > > > job. We are currently running out of addresses so I am trying to
> > > > > configure our Cisco 3005 to hand out DHCP addresses from a MS
> > > > > Windows 2003 Server to clients of a certain group but am having
> > > > > no luck.
> > > > >
> > > > > Address of the Concentrator is 192.168.100.231/24. Address of our
> > > > > Windows 2003 DHCP box is 192.168.100.240/24.
> > > > >
> > > > > The concentrator and Windows 2003 box are hooked directly to our
> > > > > core.
> > > > >
> > > > > I am trying to get the Concentrator to hand out Addresses from
> > > > > the 192.168.190.0/24 scope on our Windows 2k3 box.
> > > > >
> > > > > We have VLANs implemented and the W2k3 box is handing out
> > > > > addresses with no problems to them.
> > > > >
> > > > > VLAN 100 contains the concentrator and our Windows servers:
> > > > > interface Vlan100
> > > > >  description Servers and Network Equipment
> > > > >  ip address 192.168.100.230 255.255.255.0
> > > > >  ip helper-address 192.168.100.240
> > > > >  ip pim sparse-dense-mode
> > > > >
> > > > > I setup VLAN 190 for the VPN Clients, not sure if it is necessary
> > > > > or not:
> > > > > interface Vlan190
> > > > >  description VPN Users
> > > > >  ip address 192.168.190.230 255.255.255.0
> > > > >  ip helper-address 192.168.100.240
> > > > >
> > > > > I have setup the following on the VPN Concentrator:
> > > > >
> > > > > Configuration - System - Servers - DHCP
> > > > > ip: 192.168.100.240
> > > > > port: 67
> > > > >
> > > > > Configuration - System - IP Routing - Static Routes
> > > > > 192.168.190.0/255.255.255.0 -> 192.168.100.230
> > > > >
> > > > > Configuration - System - IP Routing - DHCP Parameters
> > > > > Enabled
> > > > > Lease timeout: 120
> > > > > Listen Port: 67
> > > > > Timeout Period: 10
> > > > >
> > > > > Configuration - Policy Management - Traffic Management - Network List
> > > > > Name: Test
> > > > > Network List: 192.168.0.0/0.0.255.255
> > > > >
> > > > > Configuration - Policy Management - Traffic Management - Assign Rules to Filters
> > > > > Filter Name: TestDHCP
> > > > > DHCP In
> > > > > DHCP Out
> > > > > Testing In (Includes Test Network List Incoming)
> > > > > Testing Out (Includes Test Network List Outgoing)
> > > > >
> > > > > Configuration - User Management - Groups
> > > > > Name: testgroup
> > > > > Filter: TestDHCP
> > > > > DHCP Network Scope: 192.168.190.0
> > > > >
> > > > > Configuration - User Management - Users
> > > > > Name: testuser
> > > > > Group: testgroup
> > > > > Filter: TestDHCP
> > > > >
> > > > > Concentrator software revision: vpn3005-4.1.7.C-k9.bin
> > > > >
> > > > >
> > > > >
> > > > >
> > > > > When I try logging on with the test user I get the following in
> > > > > the Event Log:
> > > > >
> > > > > 41070 02/25/2005 11:18:34.630 SEV=5 IKEDBG/64 RPT=839 IKE Peer included IKE fragmentation capability flags:
> > > > > Main Mode: True
> > > > > Aggressive Mode: False
> > > > >
> > > > > 41072 02/25/2005 11:18:35.830 SEV=4 IKE/52 RPT=684 Group [testgroup] User [testuser] User (testuser) authenticated.
> > > > >
> > > > > 41073 02/25/2005 11:18:36.280 SEV=5 IKE/184 RPT=682 Group [testgroup] User [testuser] Client Type: WinNT Client Application Version: 4.6.01.0019
> > > > >
> > > > > 41075 02/25/2005 11:18:36.280 SEV=9 DHCPDBG/1 RPT=284 DHCP task: API REQUEST event, msg 0xfde300
> > > > >
> > > > > 41076 02/25/2005 11:18:36.280 SEV=9 DHCPDBG/38 RPT=792 DHCP obtained first server 192.168.100.240 port 67 (xid 1408317617)
> > > > >
> > > > > 41077 02/25/2005 11:18:36.280 SEV=8 DHCPDBG/46 RPT=796 DHCP sending DISCOVER to server 192.168.100.240 port 67 (xid 1408317617)
> > > > >
> > > > > 41078 02/25/2005 11:18:39.220 SEV=9 DHCPDBG/16 RPT=392 DHCP task: Periodic timer expired (ticks 499)
> > > > >
> > > > > 41079 02/25/2005 11:18:39.220 SEV=9 DHCPDBG/29 RPT=392 DHCP poll timeouts routine entered
> > > > >
> > > > > 41080 02/25/2005 11:18:39.220 SEV=9 DHCPDBG/30 RPT=392 DHCP poll stats: callbacks 0, active CBs 0, total CBs 1
> > > > >
> > > > > 41081 02/25/2005 11:18:46.280 SEV=9 DHCPDBG/15 RPT=817 DHCP task: Timeout type 5, msg 0xfde300
> > > > >
> > > > > 41082 02/25/2005 11:18:46.280 SEV=3 DHCPDBG/39 RPT=374 DHCP discover timeout: no response from polled servers (xid 1408317617)
> > > > >
> > > > > 41083 02/25/2005 11:18:46.280 SEV=9 DHCPDBG/28 RPT=4359 DHCP restart servers routine entered
> > > > >
> > > > > 41084 02/25/2005 11:18:46.280 SEV=9 DHCPDBG/28 RPT=4360 DHCP restart servers routine entered
> > > > >
> > > > > 41085 02/25/2005 11:18:46.280 SEV=5 IKE/132 RPT=43 Group [testgroup] User [testuser] Cannot obtain an IP address for remote peer - FAILED
> > > > >
> > > > > 41087 02/25/2005 11:18:46.280 SEV=5 IKE/194 RPT=584 Group [testgroup] User [testuser] Sending IKE Delete With Reason message: No Reason Provided.
> > > > >
> > > > > 41089 02/25/2005 11:18:46.290 SEV=8 DHCPDBG/42 RPT=282 DHCP failure response sent to caller (data 0xfb0394, xid 1408317617)
> > > > >
> > > > > 41090 02/25/2005 11:18:46.290 SEV=9 DHCPDBG/15 RPT=818 DHCP task: Timeout type 0, msg 0xfde300
> > > > >
> > > > > 41091 02/25/2005 11:18:46.290 SEV=6 DHCP/30 RPT=28 Unexpected FSM event 18/state 0 for DHCP:7617: lease --.--.--.--, xid 1408317617
> > > > >
> > > > > 41092 02/25/2005 11:18:46.290 SEV=9 DHCPDBG/6 RPT=284 DHCP task: DONE event, msg 0xfde300
> > > > >
> > > > >
> > > > >
> > > > > On the client side I get: Secure VPN Connection terminated by
> > > > > Peer. Reason 427:: Unknown Error Occurred at Peer.
> > > > >
> > > > >
> > > > > Anyone have any ideas on this one?
> > > > >
> > > > > _______________________________________________
> > > > > cisco-nsp mailing list cisco-nsp at puck.nether.net
> > > > > https://puck.nether.net/mailman/listinfo/cisco-nsp
> > > > > archive at http://puck.nether.net/pipermail/cisco-nsp/
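One detail worth pulling out of the two logs quoted in this thread: the 4507 debug shows both the DHCPDISCOVER arriving "through relay 192.168.190.0" and the BOOTREPLY being unicast back "to relay 192.168.190.0". That value matches the group's configured DHCP Network Scope, and for a /24 it is the network address, not a host that can receive a unicast offer; meanwhile the concentrator only ever logs "no response from polled servers". RFC 2131 has the server send its reply to giaddr when giaddr is set, so a relay address that is not a real interface in the scope is a plausible reason the offer never comes back, and it lines up with TAC's "same segment" answer. The script below is an added example for this thread, not code from the list, from Cisco or from the poster: it parses IOS-style DHCPD debug lines and concentrator event-log lines (the sample strings are copied from the messages above, everything else is constructed) and classifies each relay address it finds against the scope and the relay interfaces named in the original post.

```python
"""Sanity-check the relay (giaddr) addresses a DHCP server reports.

Added illustration for the thread above; not code from the list or from
Cisco. Sample log lines are copied from the quoted messages, the scope and
interface addresses come from the original post, the logic is ours."""
import ipaddress
import re
from typing import Dict, Iterable, List

# Constructed sample input: the four IOS "debug dhcp" lines quoted above.
SAMPLE_DEBUG = """\
Feb 25 19:29:25.544: DHCPD: DHCPDISCOVER received from client 0000.03a0.8825.2800.28c1.c253.f138.b800 through relay 192.168.190.0.
Feb 25 19:29:27.544: DHCPD: assigned IP address 192.168.190.5 to client 0000.03a0.8825.2800.28c1.c253.f138.b800.
Feb 25 19:29:27.544: DHCPD: Sending DHCPOFFER to client 0000.03a0.8825.2800.28c1.c253.f138.b800 (192.168.190.5).
Feb 25 19:29:27.544: DHCPD: unicasting BOOTREPLY for client 0003.a088.2527 to relay 192.168.190.0.
"""

# Constructed sample input: two concentrator event-log lines quoted above.
SAMPLE_EVENTS = """\
41077 02/25/2005 11:18:36.280 SEV=8 DHCPDBG/46 RPT=796 DHCP sending DISCOVER to server 192.168.100.240 port 67 (xid 1408317617)
41082 02/25/2005 11:18:46.280 SEV=3 DHCPDBG/39 RPT=374 DHCP discover timeout: no response from polled servers (xid 1408317617)
"""

# Relay address as printed by IOS DHCPD debug ("through relay X" / "to relay X").
RELAY_RE = re.compile(r"DHCPD: .*?\b(?:through|to) relay (\d{1,3}(?:\.\d{1,3}){3})")
# Concentrator DHCPDBG/39 line: the DISCOVER that never got an answer.
TIMEOUT_RE = re.compile(
    r"DHCP discover timeout: no response from polled servers \(xid (\d+)\)")


def relay_addresses(debug_text: str) -> List[str]:
    """Pull every relay (giaddr) value out of DHCPD debug output, in order."""
    return [m.group(1) for m in RELAY_RE.finditer(debug_text)]


def discover_timeouts(event_log: str) -> List[str]:
    """Return the xids of DISCOVERs the concentrator gave up waiting on."""
    return TIMEOUT_RE.findall(event_log)


def classify_giaddr(giaddr: str, scope: str) -> str:
    """Say whether giaddr is a usable relay address for the given scope.

    Per RFC 2131 a relay puts one of its own interface addresses in giaddr
    and the server unicasts OFFER/ACK back to that address, so a giaddr
    that is not a real host in the scope means the reply goes nowhere."""
    addr = ipaddress.ip_address(giaddr)
    net = ipaddress.ip_network(scope, strict=False)
    if addr == ipaddress.ip_address("0.0.0.0"):
        return "unset"              # client sits on the server's own segment
    if addr == net.network_address:
        return "network-address"    # a scope ID was passed, not a host
    if addr == net.broadcast_address:
        return "broadcast-address"
    if addr not in net:
        return "outside-scope"      # server would select a pool by giaddr and miss
    return "ok"


def assess(debug_text: str, scope: str, known_relays: Iterable[str]) -> Dict[str, str]:
    """Map each relay address seen in the debug output to a verdict."""
    known = {ipaddress.ip_address(r) for r in known_relays}
    verdicts: Dict[str, str] = {}
    for giaddr in relay_addresses(debug_text):
        verdict = classify_giaddr(giaddr, scope)
        if verdict == "ok" and ipaddress.ip_address(giaddr) not in known:
            verdict = "unknown-relay"   # valid host, but not an interface we run
        verdicts[giaddr] = verdict
    return verdicts


if __name__ == "__main__":
    # Interfaces from the thread that could legitimately relay for this scope:
    # the 4507 SVIs on VLAN 100 and VLAN 190 and the concentrator's own address.
    relays = ["192.168.100.230", "192.168.190.230", "192.168.100.231"]
    for giaddr, verdict in assess(SAMPLE_DEBUG, "192.168.190.0/24", relays).items():
        print(f"relay {giaddr}: {verdict}")
    for xid in discover_timeouts(SAMPLE_EVENTS):
        print(f"concentrator gave up on xid {xid}")
```

Run against the quoted lines this reports the single relay 192.168.190.0 as a network address, which is the condition to look for whenever a relayed DISCOVER is answered on the server side but the relay reports a timeout. The "unknown-relay" verdict is a small hygiene check of its own: a giaddr that is a valid host in the scope but not one of your relays is worth a look, because whatever put it there will receive the offers.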