Skip to content

GitLab

Open
Created by Gunnar Haslinger@gunnar

Cisco ASA / AnyConnect VPN using ISC DHCPD - reassign IP-Address-leases to same VPN-Clients

Scenario:

  • Cisco AnyConnect VPN-Clients
  • Cisco ASA Appliance as DHCP-Client for the VPN-Clients
  • ISC DHCPD as DHCP-Server for the Cisco ASA

We like to have a lease-time of e.g. 8 days. A client connecting today should get the same IP as it got yesterday. Our idea is to provide an IP-lease-Pool big enough to have pseudo-static Client-IP-Addresses. The address the client gets on it's first connect should be the same it gets the following days/months.

Currently VPN-Clients are not assigned the same IP-Address, because:

  • Cisco ASA is acting as DHCP-Client for the VPN-Clients
  • The Client-MAC of all VPN-Clients is the same (the ASA MAC)

The Client-UID (Client identifier) sent by the ASA is a combined-string of "cisco-$MAC-$Hostname$Counter-inside".

  • For example: cisco-0050.5680.4b04-ClientA4567-inside

  • The Prefix "cisco" + MAC-Address of the Cisco-ASA is always the same: cisco-0050.5680.4b04

  • The Hostname (e.g. "ClientA") is the real (unique) Hostname of our Client-Machines

  • The counter counts up on every connection.

  • Suffix "-inside" is always the same

  • If "ClientA" disconnects and connects again it will be like cisco-0050.5680.4b04-ClientA4568-inside (the last digits count up)

  • There seem to be no way to configure the Cisco ASA to not count up the Client-UIDs last digits on each connection

  • We tried to use Option "ignore-client-uids true;" to reassign the same IP-Address - but this does not work, because without UID only the MAC-Address is used to re-assign the IP-Address, but all Clients have the same (Cisco ASA) MAC-Address.

Are there any suggestions?

  • If there is no solution for this scenario, we are interested to implement an new ISC DHCPd Option "hostname-as-uid true;" to create the possibility to address this scenario.

  • This option "hostname-as-uid true;" could be used like the existing "ignore-client-uids true;" Option, but instead of not saving the Client-UID we would override the received Client-UID with the received hostname-option.

  • All functionality like storing the uid to the lease-file, checking if there is a lease for the client with the given Client-UID etc... will be done with the "replaced uid" (= Hostname) instead of the real received Client-UID.

  • Are there any other suggestions or comments on this?

  • Is there interest to accept a merge request if we implement such a feature?

Edited by Gunnar Haslinger