Ogenstad.net

Security Stories and Help with Network Documentation

Once upon a time this used to be my blog. For current updates head over to Networklore.


Cisco ASA 5505 and DHCP Client Problems

March 14, 2007 by patrick.ogenstad 9 Comments

It’s a shame, but my brand new Cisco ASA 5505 has just been sitting on my desk untouched for two weeks. The only thing I’ve noticed about it is that it still had the old Cisco logo. Basically I’ve been watching it from time to time without having time to play with it.

Finally I had some time to spare and I connected it to my cable modem. I have an ADSL connection with a few DHCP addresses, so at first I just connected the device with the default configuration. The intelligent network seemed nowhere in sight and nothing worked.

A DHCP lease was missing in action. I turned on debugging for the DHCP client and could see that the ASA was sending out broadcasts, but a reply never came. When I instead connected the device to my internal network, the ASA got an address instantly.

I’ve had some trouble in the past getting an IP address from the ISP when I was using a Cisco 1811 router: if I just used the “ip address dhcp” command on an interface, the router would broadcast requests without ever getting a reply. What I had to do there was use “ip address dhcp client-id fastethernet 0”; then I got an address from the ISP.

I tried looking for a similar command on the ASA 5505 but I couldn’t find anything. I did however find a page on the Cisco site confirming my suspicions: it said some ISPs require the client-id field of the DHCPDISCOVER request to be filled.

Hoping for an answer, but expecting to be disappointed, I called my ISP to see if they required the client identifier to be set to the MAC address. To make a long story short, they didn’t have a clue what I was talking about. “I’m sorry, this is just technical support, we don’t have the answer to that.” Apparently they didn’t even know of anyone in that company who could answer my question. Far too often I end up feeling like a blonde girl at the library when I call support.

I fired up Wireshark to take a look at the packets, and sure enough the client identifier did not contain the MAC address but “Cisco -mac-address interface”, as described in the Cisco document I found.

DHCPDISCOVER from ASA 5505

A packet from my Vista machine shows that it uses the MAC address in the client identifier field by default:

Vista DHCPDISCOVER Packet

I connected the Cisco 1811 to my network to see what happens. Without “client-id fastethernet 0”:

Cisco 1811 without client-id

With “client-id fastethernet 0”:

Cisco 1811 DHCPDISCOVER with client-id

I also checked an ASA 5510, and it uses the same client identifier as the ASA 5505. I have contacted Cisco about this and they are working on a solution. At least I still have my trusty ol’ PIX 501. For your reference, the latest release I’ve tested this on is 7.2(2)14.

Update: This issue has been fixed for a few weeks now, but you had to ask Cisco to get it. Now they have released version 7.2(2).22, where you can define “dhcp-client client-id interface outside” in global configuration mode.
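To make concrete what the captures above show, here is a small added example (my own code, not anything from this post or from Cisco) that builds two constructed DHCPDISCOVER packets, parses the client identifier (option 61) and applies the check an ISP that insists on a MAC-based client identifier is effectively applying: the option must carry the hardware type 1 followed by the same MAC as the chaddr field. The MAC address, the transaction id and the exact encoding of the “cisco-…” string are assumptions, not values taken from the post or its captures.

```python
import struct
from typing import Dict, Optional, Tuple

# DHCP constants (RFC 2131 / RFC 2132)
MAGIC_COOKIE = b"\x63\x82\x53\x63"
OPT_MESSAGE_TYPE = 53
OPT_CLIENT_ID = 61
OPT_END = 255
DHCPDISCOVER = 1
CHADDR_OFFSET = 28  # after op, htype, hlen, hops, xid, secs, flags, ciaddr, yiaddr, siaddr, giaddr


def build_discover(chaddr: bytes, client_id: Optional[bytes], xid: int = 0x3903F326) -> bytes:
    """Build a minimal DHCPDISCOVER: 236-byte BOOTP header, magic cookie, then options."""
    header = struct.pack(
        "!BBBBIHH4s4s4s4s16s64s128s",
        1,            # op: BOOTREQUEST
        1,            # htype: Ethernet
        6,            # hlen
        0,            # hops
        xid,          # transaction id (constructed value)
        0,            # secs
        0x8000,       # flags: broadcast bit set
        b"\0" * 4, b"\0" * 4, b"\0" * 4, b"\0" * 4,   # ciaddr, yiaddr, siaddr, giaddr
        chaddr.ljust(16, b"\0"),                      # client hardware address, padded
        b"\0" * 64,   # sname
        b"\0" * 128,  # file
    )
    options = bytes([OPT_MESSAGE_TYPE, 1, DHCPDISCOVER])
    if client_id is not None:
        options += bytes([OPT_CLIENT_ID, len(client_id)]) + client_id
    options += bytes([OPT_END])
    return header + MAGIC_COOKIE + options


def parse_options(packet: bytes) -> Dict[int, bytes]:
    """Walk the TLV option area and return {code: value}; pads (0) are skipped, END (255) stops."""
    if packet[236:240] != MAGIC_COOKIE:
        raise ValueError("no DHCP magic cookie; not a DHCP packet")
    options: Dict[int, bytes] = {}
    i = 240
    while i < len(packet):
        code = packet[i]
        if code == 0:
            i += 1
            continue
        if code == OPT_END:
            break
        length = packet[i + 1]
        options[code] = packet[i + 2:i + 2 + length]
        i += 2 + length
    return options


def describe_client_id(cid: bytes) -> Tuple[str, str]:
    """Classify option 61. Per RFC 2132 the first byte is the hardware type: 1 means an
    Ethernet MAC follows, 0 means an arbitrary non-hardware identifier (assumed here to be
    how the 'cisco-<mac>-<interface>' string seen in the post is carried)."""
    if len(cid) == 7 and cid[0] == 1:
        return "mac", ":".join(f"{b:02x}" for b in cid[1:])
    if cid and cid[0] == 0:
        return "opaque", cid[1:].decode("ascii", "replace")
    return "unknown", cid.hex()


def client_id_matches_chaddr(packet: bytes) -> bool:
    """The check a MAC-only ISP is effectively applying: option 61 must be present,
    be hardware type 1 and carry the same MAC as the chaddr field."""
    cid = parse_options(packet).get(OPT_CLIENT_ID)
    if cid is None:
        return False
    kind, value = describe_client_id(cid)
    chaddr = packet[CHADDR_OFFSET:CHADDR_OFFSET + 6]
    return kind == "mac" and bytes.fromhex(value.replace(":", "")) == chaddr


# Constructed sample values; the MAC is made up, not taken from the post.
SAMPLE_MAC = bytes.fromhex("001122334455")
# IOS/ASA-style client-id before the fix (assumed encoding: type 0 + ASCII string).
IOS_STYLE_DISCOVER = build_discover(SAMPLE_MAC, b"\x00" + b"cisco-0011.2233.4455-outside")
# Windows-style client-id as in the Vista capture: type 1 + MAC.
MAC_STYLE_DISCOVER = build_discover(SAMPLE_MAC, b"\x01" + SAMPLE_MAC)


def summarize(packet: bytes) -> str:
    """One-line summary of the client-id and whether a MAC-only ISP would accept it."""
    cid = parse_options(packet).get(OPT_CLIENT_ID, b"")
    kind, value = describe_client_id(cid) if cid else ("none", "")
    verdict = "OK" if client_id_matches_chaddr(packet) else "likely ignored by a MAC-only ISP"
    return f"client-id={kind}:{value!r} -> {verdict}"


if __name__ == "__main__":
    for name, pkt in (("IOS/ASA style", IOS_STYLE_DISCOVER), ("MAC style", MAC_STYLE_DISCOVER)):
        print(f"{name:14s} {summarize(pkt)}")
```

Running the script prints one line per constructed packet; only the MAC-style packet passes the check, which is the behaviour the “client-id fastethernet 0” and “dhcp-client client-id interface outside” commands are there to produce. The same parser can be pointed at a real DHCPDISCOVER payload exported from Wireshark to confirm what a device actually sends.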


Filed Under: Networking

Comments

  1. hackez says

    August 26, 2007 at 9:58 pm

    Hello, I wanted to know more information about the Cisco 1811. Will it be able to do DHCP from VZ FiOS? Also, does it have port security? I just got one for $560 off eBay. I only touched 2600’s at school while still doing my CCNA.

  2. Patrick Ogenstad says

    September 3, 2007 at 7:51 pm

    You shouldn’t have any problems using an 1811 for your purposes; if VZ FiOS has any problems with DHCP you can just use the command

    ip address dhcp client-id fastethernet 0

    Check out this page for some brief information on the security features of the 1800 series: http://www.cisco.com/application/pdf/en/us/guest/products/ps5854/c1650/cdccont_0900aecd80169b0a.pdf

  3. Ralph says

    September 28, 2007 at 7:01 pm

    This post saved me 2 days of frustration and replacing a unit that I did not have to in the first place. Thank you for the tip “ip address dhcp client-id fastethernet 0”

  4. Patrick Ogenstad says

    September 29, 2007 at 9:03 pm

    Hi Ralph,

    No problem, glad to hear that it worked out for you!

  5. James T says

    November 12, 2007 at 3:46 am

    I am looking at buying one of these and DHCP is something I’m concerned about. Now that you’ve had some time with it, does the 5500 act as a good DHCP server for your LAN?

  6. Patrick Ogenstad says

    November 12, 2007 at 8:30 am

    James: I never had any problems with the DHCP server in the ASA, it was the DHCP client. The problem was really that my ISP wasn’t following the RFC for DHCP. I’m using a Cisco ASA 5505 as a DHCP server for my home network; in a corporate environment I usually use a Windows Server acting as DHCP. However the ASA 5500 should probably suit your needs when it comes to DHCP. Regardless of your DHCP requirements it’s a great firewall.

  7. ERic says

    September 9, 2008 at 2:26 am

    Problem I’ve had with the 5505 is that when hooked to DSL and the ADSL set to bridging and the 5505 using a static IP it won’t communicate with anything. When I set the modem (DSL) with a static IP and set the 5505 to use DHCP on the outside interface, bang, it works like a champ. Don’t know why it won’t communicate in static mode like the VPN 3002 clients do. Any help or pointers would be appreciated.

    Eric

  8. Steve says

    November 18, 2008 at 1:53 am

    I’m having a similar problem. I have a Verizon DSL modem set to bridged mode and an ASA 5505. Whenever the DSL modem gets rebooted, I have to click on “renew dhcp lease” in ASDM on the ASA. Once I renew DHCP then internet is back up. How come the ASA doesn’t renew itself whenever the modem reboots? The ASA is running ver. 7.2(3).

Trackbacks

  1. Cisco ASA 5500 and the Hunt for the Lost Gateway - Networking says:
    November 14, 2007 at 10:43 pm

    […] my ISP wasn’t following the RFC for DHCP to the result that my ASA 5505 couldn’t get a DHCP lease, after talking with Cisco they quickly sent me a patch with a workaround and later published a new […]
