It’s a shame but my brand new Cisco ASA 5505 has just been sitting on my desk untouched for two weeks. The only thing I’ve noticed about it is that it still had the old Cisco logo. Basically I’ve been watching it from time to time without having time to play with it.
Finally I had some time to spare and I connected it to my cable modem, I have an ADSL connection with a few DHCP addresses so at first I just connected the device with the default configuration. The intelligent network seemed nowhere in sight and nothing worked.
A DHCP lease was missing in action, I turned on the debugging for the DHCP client and could see that the ASA device was sending out broadcasts but a reply never came. Instead I connected the device to my internal network where the ASA got an address instantly.
I’ve had some trouble in the past with getting an IP address from the ISP when I was using a Cisco 1811 router, if I just used the “ip address dhcp” command on an interface the router would just broadcast requests without getting a reply. What I had to do there was to use “ip address dhcp client-id fastethernet 0”, then I got an address from the ISP.
I tried looking for a similar command on the ASA 5505 but I couldn’t find anything. I did however find a page on the Cisco site confirming my suspicions. It said some ISPs require the client-id field of the DHCPDISCOVER request to be filled.
Hoping for an answer, expecting to be disappointed I called my ISP to see if they required the client identifier to be set to the MAC address. To make a long story short they didn’t have a clue as to what I was talking about. “I’m sorry this is just technical support, we don’t have the answer to that.” Apparently they didn’t even know of anyone in that company who could answer my question. Far too often I end up feeling like a blonde girl at the library when I call support.
I fired up Wireshark to take a look at the packets, and sure enough the client identifier did not contain the MAC address but “Cisco -mac-address interface”, as described in the Cisco document I found.
A packet from my Vista machine shows it uses the MAC address in the client identifier field by default:
I connected the Cisco 1811 to my network to see what happens. Without the “client-id fastethernet 0”:
With “client-id fastethernet 0”:
I also checked on an ASA 5510 and it uses the same client identifier as the ASA 5505. I have contacted Cisco about this and they are working on a solution. At least I still have my trusty ol’ PIX 501. For your reference the latest release I’ve tested this on is 7.2(2)14.
Update: This issue has been fixed for a few weeks, but you had to ask Cisco to get it. Now they have released version 7.2(2).22 where you can define “dhcp-client client-id interface outside” in global configuration mode.
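To make the difference seen in the captures concrete, here is an added example (not part of the original post and not Cisco code) that parses option 61, the client identifier, out of a DHCPDISCOVER payload and reports whether it carries the hardware address or something else. The two packets are constructed samples; the MAC address, the interface name in the string and the leading type byte 0 on the string form are assumptions.

```python
import struct

MAGIC_COOKIE = b"\x63\x82\x53\x63"  # marks the start of the DHCP options field
OPT_PAD, OPT_CLIENT_ID, OPT_END = 0, 61, 255

def build_discover(mac: bytes, client_id: bytes) -> bytes:
    """Build a minimal DHCPDISCOVER payload (constructed sample input)."""
    header = struct.pack(
        "!BBBBIHH4s4s4s4s16s64s128s",
        1, 1, len(mac), 0,        # op=BOOTREQUEST, htype=Ethernet, hlen, hops
        0x12345678, 0, 0x8000,    # xid, secs, flags (broadcast bit set)
        b"", b"", b"", b"",       # ciaddr, yiaddr, siaddr, giaddr
        mac, b"", b"")            # chaddr, sname, file (null padded)
    options = bytes([53, 1, 1])   # option 53: message type 1 = DISCOVER
    options += bytes([OPT_CLIENT_ID, len(client_id)]) + client_id
    return header + MAGIC_COOKIE + options + bytes([OPT_END])

def parse_options(payload: bytes) -> dict:
    """Walk the type-length-value options that follow the magic cookie."""
    if payload[236:240] != MAGIC_COOKIE:
        raise ValueError("no DHCP magic cookie at offset 236")
    opts, i = {}, 240
    while i < len(payload) and payload[i] != OPT_END:
        if payload[i] == OPT_PAD:          # pad is a single byte, no length
            i += 1
            continue
        length = payload[i + 1] if i + 1 < len(payload) else -1
        value = payload[i + 2:i + 2 + length]
        if length < 0 or len(value) != length:
            raise ValueError("truncated option %d" % payload[i])
        opts[payload[i]] = value
        i += 2 + length
    return opts

def classify_client_id(payload: bytes) -> str:
    """Return 'absent', 'mac' (type 1 + chaddr) or 'other' for option 61."""
    chaddr = payload[28:28 + payload[2]]   # hlen bytes of hardware address
    cid = parse_options(payload).get(OPT_CLIENT_ID)
    if not cid:
        return "absent"
    return "mac" if cid[:1] == b"\x01" and cid[1:] == chaddr else "other"

MAC = bytes.fromhex("001122334455")        # constructed address
PC_STYLE = build_discover(MAC, b"\x01" + MAC)
# Constructed string in the pattern the post describes; type byte 0 is assumed.
ASA_STYLE = build_discover(MAC, b"\x00" + b"cisco-0011.2233.4455-outside")

if __name__ == "__main__":
    for name, pkt in (("PC style", PC_STYLE), ("ASA style", ASA_STYLE)):
        print(name, classify_client_id(pkt), parse_options(pkt)[OPT_CLIENT_ID])
```

A DHCP server that only matches leases on the hardware-address form would answer the first packet and ignore the second, which is the behaviour described above.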
hackez says
Hello, I wanted to know more information about the Cisco 1811. Will it be able to do DHCP from VZ FiOS? Also does it have port security? I just got one for $560 off eBay. I only touched 2600’s at school while still doing my CCNA.
Patrick Ogenstad says
You shouldn’t have any problems using an 1811 for your purposes, if VZ FiOS has any problems with DHCP you can just use the command
ip address dhcp client-id fastethernet 0
Check out this page for some brief information of the security features of the 1800 series: http://www.cisco.com/application/pdf/en/us/guest/products/ps5854/c1650/cdccont_0900aecd80169b0a.pdf
Ralph says
This post saved me 2 days of frustration and replacing a unit that I did not have to in the first place. Thank you for the tip “ip address dhcp client-id fastethernet 0”
Patrick Ogenstad says
Hi Ralph,
No problem, glad to hear that it worked out for you!
James T says
I am looking at buying one of these and DHCP is something I’m concerned about. Now that you’ve had some time with it, does the 5500 act as a good DHCP server for your LAN?
Patrick Ogenstad says
James: I never had any problems with the DHCP server in the ASA, it was the DHCP client. The problem was really that my ISP wasn’t following the RFC for DHCP. I’m using a Cisco ASA 5505 as a DHCP server for my home network, in a corporate environment I usually use a Windows Server acting as DHCP. However the ASA 5500 should probably suit your needs when it comes to DHCP. Regardless of your DHCP requirements it’s a great firewall.
ERic says
Problem I’ve had with the 5505 is that when hooked to DSL and the ADSL set to bridging and the 5505 using a static IP it won’t communicate with anything. When I set the modem(DSL) with a static IP and set the 5505 to use DHCP on the outside interface, bang it works like a champ. Don’t know why it won’t communicate in static mode like the VPN 3002 clients do. Any help or pointers would be appreciated.
Eric
Steve says
I’m having a similar problem. I have a Verizon DSL modem set to bridged mode and an ASA 5505. Whenever the DSL modem gets rebooted, I have to click on “renew dhcp lease” in ASDM on the ASA. Once I renew DHCP then internet is back up. How come the ASA doesn’t renew itself whenever the modem reboots? The ASA is running ver. 7.2 (3).