Ogenstad.net - Security Stories and Help with Network Documentation (http://ogenstad.net)

Cisco ASA 5500 and the Hunt for the Lost Gateway
http://ogenstad.net/2007/11/14/cisco-asa-5500-and-the-hunt-for-the-lost-gateway/
Wed, 14 Nov 2007 21:43:17 +0000

Don’t get me wrong, I love my little ASA 5505, especially with the Security Plus license enabling me to have 20 VLANs. As they say, a house with less than ten VLANs is like a body without a soul. However, I’ve had some issues with the little fellow. As I’ve mentioned earlier, there was an issue where my ISP wasn’t following the RFC for DHCP, with the result that my ASA 5505 couldn’t get a DHCP lease; after talking with Cisco they quickly sent me a patch with a workaround and later published a new version of the ASA software.

Since then I’ve noticed that every once in a while my Internet connection would die. The first few times it happened I thought it was just my ADSL connection acting up. However, I noticed when running a “show route” on the ASA that I didn’t have a default gateway, making IP communication somewhat hard.

The strange part was that I was able to ping my default gateway, so the link was up.

I noticed that this would happen just after the Cisco ASA had tried to renew its DHCP lease (“show ip address OUTSIDE dhcp lease”).

The strange part was that it was so inconsistent: sometimes it could take days before it happened, and some days it would happen several times during the day. I had been planning to address the problem for quite some time, but whenever it happened I was always occupied with something more important, so I just did a “shutdown” and “no shutdown” on the outside interface and I would have my connection again. Another workaround is to set a static default gateway address; though this wouldn’t remove the problem, the downtime was much less.

With a static route the Internet connection would die for about 100 seconds instead of staying down until the next DHCP renewal, which in my case is 30 minutes.

In the end I got around to contacting Cisco to report this strange behavior.

Lessons learned: I love Cisco. Since the command line is so powerful, using a Cisco device lets me figure out what the problem actually is, which is great compared to other firewalls you would see in a home network environment.

Another thing I love about Cisco is that they will set up and test this in their lab until they find the problem. Soon after contacting them they confirmed there was a problem. I want all vendors to do that!

The fix is now published on their site so if you’re experiencing this problem you should upgrade to 8.0(3).

Cisco ASA 5505 and DHCP Client Problems
http://ogenstad.net/2007/03/14/cisco-asa-5505-and-dhcp-client-problems/
Wed, 14 Mar 2007 21:54:25 +0000

It’s a shame, but my brand new Cisco ASA 5505 has just been sitting on my desk untouched for two weeks. The only thing I’ve noticed about it is that it still has the old Cisco logo. Basically I’ve been watching it from time to time without having time to play with it.

Finally I had some time to spare and I connected it to my cable modem. I have an ADSL connection with a few DHCP addresses, so at first I just connected the device with the default configuration. The intelligent network seemed nowhere in sight and nothing worked.

A DHCP lease was missing in action. I turned on debugging for the DHCP client and could see that the ASA was sending out broadcasts, but a reply never came. Instead I connected the device to my internal network, where the ASA got an address instantly.

I’ve had some trouble in the past with getting an IP address from the ISP when I was using a Cisco 1811 router: if I just used the “ip address dhcp” command on an interface, the router would broadcast requests without getting a reply. What I had to do there was to use “ip address dhcp client-id fastethernet 0”, and then I got an address from the ISP.

I tried looking for a similar command on the ASA 5505 but I couldn’t find anything. I did however find a page on the Cisco site confirming my suspicions. It said some ISPs require the client-id field of the DHCPDISCOVER request to be filled in.

Hoping for an answer but expecting to be disappointed, I called my ISP to see if they required the client identifier to be set to the MAC address. To make a long story short, they didn’t have a clue as to what I was talking about. “I’m sorry, this is just technical support, we don’t have the answer to that.” Apparently they didn’t even know of anyone in that company who could answer my question. Far too often I end up feeling like a blonde girl at the library when I call support.

I fired up Wireshark to take a look at the packets, and sure enough the client identifier did not contain the MAC address but “Cisco -mac-address interface”, as described in the Cisco document I found.

[Screenshot: DHCPDISCOVER from ASA 5505]

A packet from my Vista machine shows that it uses the MAC address in the client identifier field by default:

[Screenshot: Vista DHCPDISCOVER packet]

I connected the Cisco 1811 to my network to see what happens. Without “client-id fastethernet 0”:

[Screenshot: Cisco 1811 DHCPDISCOVER without client-id]

With “client-id fastethernet 0”:

[Screenshot: Cisco 1811 DHCPDISCOVER with client-id]

I also checked on an ASA 5510, and it uses the same client identifier as the ASA 5505. I have contacted Cisco about this and they are working on a solution. At least I still have my trusty ol’ PIX 501. For your reference, the latest release I’ve tested this on is 7.2(2)14.

Update: This issue has been fixed for a few weeks now, but you had to ask Cisco to get the fix. Now they have released version 7.2(2).22, where you can define “dhcp-client client-id interface outside” in global configuration mode.
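To make the difference the Wireshark captures above show concrete, here is an added example (not from the original post) that decodes option 61, the client identifier, from a DHCPDISCOVER and tells a hardware-address identifier (type 1 plus the MAC, as the Vista packet used) from a free-form string identifier. The MAC and the “cisco-…” string are constructed sample values, and the assumption that a Cisco-style identifier is a type byte of 0 followed by ASCII text is mine, not taken from the post.

```python
import struct

DHCP_MAGIC = b"\x63\x82\x53\x63"   # magic cookie that starts the DHCP options field
OPT_MSG_TYPE, OPT_CLIENT_ID, OPT_END, OPT_PAD = 53, 61, 255, 0

def parse_dhcp_options(payload: bytes) -> dict:
    """Return {option_code: raw value} from a BOOTP/DHCP payload (fixed header + options)."""
    if len(payload) < 240 or payload[236:240] != DHCP_MAGIC:
        raise ValueError("not a DHCP packet: magic cookie missing")
    opts, i = {}, 240
    while i < len(payload):
        code = payload[i]
        if code == OPT_END:
            break
        if code == OPT_PAD:
            i += 1
            continue
        length = payload[i + 1]
        opts[code] = payload[i + 2:i + 2 + length]
        i += 2 + length
    return opts

def describe_client_id(client_id: bytes) -> str:
    """Classify option 61: type 1 plus six bytes is a hardware (MAC) address,
    anything else is treated as a free-form identifier string."""
    if len(client_id) == 7 and client_id[0] == 1:
        return "mac:" + ":".join(f"{b:02x}" for b in client_id[1:])
    # assumption: IOS/ASA-style identifiers carry type 0 followed by ASCII text
    body = client_id[1:] if client_id[:1] == b"\x00" else client_id
    return "string:" + body.decode("ascii", errors="replace")

def build_discover(mac: bytes, client_id: bytes) -> bytes:
    """Build a minimal DHCPDISCOVER around the given client identifier (constructed test input)."""
    fixed = struct.pack("!BBBBIHH4s4s4s4s16s", 1, 1, 6, 0, 0x3903F326, 0, 0x8000,
                        b"\0" * 4, b"\0" * 4, b"\0" * 4, b"\0" * 4, mac + b"\0" * 10)
    fixed += b"\0" * (64 + 128)                      # sname + file fields, unused here
    options = (DHCP_MAGIC + bytes([OPT_MSG_TYPE, 1, 1])          # message type 1 = DHCPDISCOVER
               + bytes([OPT_CLIENT_ID, len(client_id)]) + client_id + bytes([OPT_END]))
    return fixed + options

def client_id_from_discover(payload: bytes) -> str:
    """What a DHCP server sees in option 61, or 'absent' when the option is missing."""
    opts = parse_dhcp_options(payload)
    return describe_client_id(opts[OPT_CLIENT_ID]) if OPT_CLIENT_ID in opts else "absent"

if __name__ == "__main__":
    mac = bytes.fromhex("001122334455")                 # constructed sample MAC
    windows_style = b"\x01" + mac                       # type 1 + MAC, as the Vista capture showed
    cisco_style = b"\x00cisco-0011.2233.4455-Vlan2"     # constructed ASA-style string identifier
    for cid in (windows_style, cisco_style):
        print(client_id_from_discover(build_discover(mac, cid)))
```

Pointed at a real capture (for example the raw bytes of a DHCPDISCOVER exported from Wireshark), `client_id_from_discover` reports which form the client sent, which is the one detail the ISP’s support desk could not answer.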

